
Practical Paranoia: Android 5 Lollipop Security Essentials


DOCUMENT INFORMATION

Basic information

Format: PDF
Pages: 585
Size: 12.48 MB

Contents

Practical Paranoia: Android Security Essentials
Marc Mintz

Copyright © 2015, 2016 by Marc Louis Mintz

Notice of Rights: All rights reserved. No part of this document may be reproduced or transmitted in any form by any means without the prior written permission of the author. For information on obtaining permission for reprints and excerpts, contact the author at marc@mintzit.com, +1 888.479.0690.

Notice of Liability: The information in this document is presented on an As Is basis, without warranty. While every precaution has been taken in the preparation of this document, the author shall have no liability to any person or entity with respect to any loss or damage caused by or alleged to be caused directly or indirectly by the instructions contained in this document, or by the software and hardware products described within it. It is provided with the understanding that no professional relationship exists and no professional security or Information Technology services have been offered between the author or the publisher and the reader. If security or Information Technology expert assistance is required, the services of a professional person should be sought.

Trademarks: Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the author was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified in this document are used in editorial fashion only and for the benefit of such companies with no intention of infringement of trademark. No such use, or the use of the trade name, is intended to convey endorsement or other affiliation within this document.

Editions: 1.0: 7/2015 • 1.01: 7/2015 • 1.02: 7/2015 • 2.0: 10/2015 • 2.1: 11/2015 • 2.2: 1/2016

Cover design by Ed Brandt

ISBN-10: 1519333943
ISBN-13: 978-1519333940

Dedication

To Candace, without whose support and encouragement
this work would not be possible.

My great thanks to Anthony Galczak, our Android Guru, who painstakingly assisted with the research for this project.

Contents At A Glance

Dedication
Contents At A Glance
Contents In Detail
Introduction 15
1 Vulnerability: Passwords 25
2 Vulnerability: System Updates 57
3 Vulnerability: App Updates 91
4 Vulnerability: Play Store 97
5 Vulnerability: Window Pinning (Whitelisting) 107
6 Vulnerability: Screen Timeout 117
7 Vulnerability: Device Hardware 135
8 Vulnerability: SELinux & SEForAndroid 177
9 Vulnerability: Malware 207
10 Vulnerability: Data Loss 221
11 Vulnerability: When It Is Time To Say Goodbye 249
12 Vulnerability: Network 259
13 Vulnerability: Google Account 283
14 Vulnerability: Web Browsing 309
15 Vulnerability: Email 351
16 Vulnerability: Instant Messaging 421
17 Vulnerability: Voice and Video Communications 439
18 Vulnerability: Documents 461
19 Vulnerability: Emergency Situation 497
20 Vulnerability: Internet Activity 509
21 Vulnerability: Google Wallet and Credit Cards 533
The Final Word 563
Mintz InfoTech, Inc. Android Security Checklist 565
Index 569
Your Virtual CIO & IT Department: Mintz InfoTech, Inc., when, where, and how you want IT 573
Practical Paranoia Security Essentials Workshops & Books: Android, iOS, OS X, Windows 575
Review Answers 577

Contents In Detail

Dedication
Contents At A Glance
Contents In Detail

Introduction 15
  Who Should Read This Book 16
  What is Unique About This Book 17
  Why Worry? 19
  Reality Check 20
  About the Author 22
  Practical Paranoia Updates 23
  Practical Paranoia Book Upgrades 24

1 Vulnerability: Passwords 25
  The Great Awakening 26
  Passwords 27
  Assignment: Create a Screen Lock Using a Pattern Lock 29
  Assignment: Create a Screen Lock Using a Password 34
  LastPass 40
  Assignment: Install LastPass 40
  Assignment: Add a Site to LastPass 47
  Challenge Questions 54
  Review Questions 55

2 Vulnerability: System Updates 57
  System Updates 58
  Assignment: Check for and Install Android Updates 59
  Assignment: Update Android System Software with Backups 62
  Assignment: Update Android System Software Using Smart Switch 76
  Assignment: Restore Data Using Smart Switch 84
  Review Questions 89

3 Vulnerability: App Updates 91
  App Updates 92
  Assignment: Update All Apps 92
  Review Questions 96

4 Vulnerability: Play Store 97
  App Purchases 98
  Assignment: Require Authentication for App Purchases 98
  Unauthorized Apps 102
  Assignment: Secure Play Store from Unauthorized Apps 102
  Review Questions 105

5 Vulnerability: Window Pinning (Whitelisting) 107
  Window Pinning (Whitelisting) 108
  Assignment: Window Pinning (Whitelisting) 108
  Review Questions 116

6 Vulnerability: Screen Timeout 117
  Require Password After Screen Timeout 118
  Screen Timeout 118
  Assignment: Configure Screen Timeout 119
  Lock Screen Notifications 122
  Assignment: Restrict Lock Screen Notifications 122
  Do Not Disturb Mode 129
  Assignment: Turn On Do Not Disturb Mode 129
  Review Questions 134

7 Vulnerability: Device Hardware 135
  SIM Card Lock 136
  Assignment: Set Up a SIM Card Lock 136
  Device Encryption 143
  Assignment: Encrypt Your Device 143
  Smart Lock 150
  Assignment: Adding a Trusted Bluetooth Device 151
  Assignment: Adding a Trusted Place 158
  Assignment: Add a Trusted Voice 164
  Assignment: Use On-Body Detection 171
  Review Questions 176

8 Vulnerability: SELinux & SEForAndroid 177
  Warning Will Robinson 178
  SELinux & SEForAndroid 179
  KNOX Active Protection / KNOX 181
  Assignment: Activate Samsung KNOX Active Protection 182
  My KNOX Workspace 187
  Assignment: Installing My KNOX Workspace 187
  Assignment: Administer Your Own KNOX Workspace 195
  Assignment: Using Your KNOX Workspace 198
  Review Questions 205

9 Vulnerability: Malware 207
  Anti-Malware 208
  Assignment: Install & Configure Bitdefender 208
  Assignment: Scan for Malware with Bitdefender 214
  Assignment: Restrict Access to Apps Using Bitdefender's App Lock 216
  Review Questions 220

10 Vulnerability: Data Loss 221
  Sources of Data Loss 222
  Assignment: Backup to Google 223
  Assignment: Verify the Google Backup via a Computer 228
  Assignment: Data Recovery from Google 230
  Bitdefender Anti-Theft 234
  Assignment: Activate and Configure Bitdefender Anti-Theft 234
  Assignment: Find a Device from a Computer 238
  Assignment: Activate Find My Mobile with a Samsung Account 240
  Assignment: Use Find My Mobile on a PC to Locate Your Device 244
  Review Questions 248

11 Vulnerability: When It Is Time To Say Goodbye 249
  Preparing a Device for Sale or Disposal 250
  Assignment: Secure Erase an Android Device 250
  Assignment: Format the SD Card 253
  Review Questions 257

12 Vulnerability: Network 259
  Wi-Fi Encryption Protocols 260
  Assignment: Use Wi-Fi Analyzer to Determine Wi-Fi Encryption Protocol 261
  Routers: An Overview 262
  Firewall 264
  NoRoot Firewall 265
  Assignment: Install and Configure NoRoot Firewall for Android 265
  Assignment: Allow an App Access with NoRoot Firewall 270
  Assignment: Use Global Filters and Access Log with NoRoot Firewall 274
  Review Questions 281

13 Vulnerability: Google Account 283
  Google Account 284
  Assignment: Create a Google Account 285
  Assignment: Implement Two-Step Verification for Your Google Account 293
  Review Questions 308

14 Vulnerability: Web Browsing 309
  HTTPS 310
  Assignment: Install HTTPS Everywhere 312
  Browser Security Settings 314
  Assignment: Configure Google Chrome Settings 314
  Assignment: Google Incognito Mode 323
  Safer Internet Searches with DuckDuckGo 325
  Assignment: Install DuckDuckGo Search & Stories 325
  Assignment: Use DuckDuckGo to Search and Display in an External Browser 327
  TOR 333
  Assignment: Install Firefox 335
  Assignment: Install and Configure Orbot 337
  Review Questions 349

15 Vulnerability: Email 351
  The Killer App 352
  Phishing 353
  Email Encryption Protocols 354
  TLS and SSL 355
  Assignment: Configure Email to Use TLS or SSL 355
  Web Mail 365
  Assignment: Configure Browser Email to Use HTTPS 365
  End-To-End Secure Email With SendInc 367
  Assignment: Create a SendInc Account 368
  Assignment: Create an Encrypted SendInc Email 370
  Assignment: Receive and Respond to a SendInc Secure Email 372
  End-To-End Secure Email With S/MIME 374
  Assignment: (Windows) Acquire a Free Class S/MIME Certificate for Personal Use 375

Index

LastPass 28, 40, 41, 42, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53
Linux 333
Local Area Network 262
Lock Screen Notifications 122, 565
LogMeIn 530
Loyalty Card 545
malware 19, 207, 208, 214, 215, 222, 234, 566
Manischewitz 53
Mintz's extrapolation of Sturgeon's Revelation 18
modem 262
My KNOX Workspace 187
National Security Agency 26
Near Field Communications 534, 556
Newsletter 23
NFC 534, 535, 540, 545, 551, 556, 557, 559
Noodle Koogle 332
NoRoot 264, 265, 266, 268, 270, 274, 275, 280
NoRoot Firewall 264, 265, 266, 268, 270, 274, 275, 280
NSA 17, 26, 419, 512, 529, 563
On-Body Detection 171
Orbot 334, 335, 337, 338, 341, 342, 344, 347, 348
Ostel 441
passphrase 28
Password 27, 28, 29, 34, 37, 38, 44, 49, 118, 147, 239, 253, 284, 310, 355, 365, 367, 368, 381, 464, 477, 489, 490
Pattern 29, 32, 34, 39, 253
Pattern lock 29, 34, 39
PGP 374
phishing 19, 208
PIN 29, 33, 37, 218, 219, 253, 534, 539, 540, 561
Play Store 42, 92, 95, 97, 98, 101, 102, 208, 209, 223, 265, 284, 292, 325, 335, 337, 338, 395, 423, 471, 521, 536, 565
Power surges 222
Practical Paranoia Book Upgrades 24
Practical Paranoia Updates 23
Private Key 401
Private Mode 463, 467, 469
Proxy 334, 338, 344, 346
Public Key 374
rooted 208
Rooting 208, 264
router 262, 263
S/MIME 367, 374, 375, 381, 383, 384, 389, 395, 398, 400, 401, 406, 412, 414, 415, 416, 419, 480, 484
Sabotage 222
Screen Lock 29, 31, 34, 36
Screen Timeout 117, 118, 119, 120, 121, 565
SD card 215, 223, 250, 253, 256, 474, 475, 487, 489, 491, 492, 494
Secure Erase 250, 483
Secure Socket Layer 310
SEForAndroid 177, 178, 179, 566, 579
SELinux 177, 179, 180, 566
SendInc 367, 368, 369, 370, 372, 373
Seneca 57
SIM Card Lock 136
Skype 440, 441
sleep 510
Smart Lock 150, 151, 156, 161, 167, 173
Smart Switch 76
SoftCard 534, 535
software 27, 28, 208, 368
SOS Messages 498, 499, 500, 504, 567
SSL 310, 355, 367
Static electricity 222
switch 262
Symantec 19
System Software 62
System Updates 57, 58, 565
Tails 333, 334
Tap and Pay 551, 555, 559, 561
Terrorist activities 222
The Guardian 26
theft 222
Theodore Sturgeon 18
TKIP 261
TLS 354, 355, 367
TOR 333, 334, 335, 338, 342, 344, 347, 348
trojan horses 19, 208
Trusted Voice 164, 170
two-step authentication 293
Two-Step Verification 284, 293
Unauthorized Apps 102
USB debugging 68, 70
US-CERT 58, 92
Virtual Private Network 260, 311, 510
viruses 19
VPN 260, 264, 268, 280, 311, 312, 510, 511, 512, 513, 515, 524, 528, 529, 530
VPNArea 515, 522, 523, 524
Water damage 222
WEP 260
Whitelisting 107, 108, 565
Wickr 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434
Wi-Fi 234, 260
WiFi Analyzer 261
William Hazlitt 283
Window Pinning 107, 108
Windows 333, 513
worms 19, 208
WPA 260, 261
WPA2 260, 261
zero-day exploits 20

Your Virtual CIO & IT Department
Mintz InfoTech, Inc.: when, where, and how you want IT

Technician fixes problems. Consultant delivers solutions.
Technician answers questions. Consultant asks questions, revealing core issues.
Technician understands your equipment. Consultant understands your business.
Technician costs you money. Consultant contributes to your success.

Let us contribute to your success. Mintz InfoTech, Inc. is uniquely positioned to be your Virtual CIO and provide comprehensive technology support. Our mission is to provide small and medium businesses with the same Chief Information and Technology Officer resources otherwise only available to large businesses.

Mintz InfoTech, Inc.
Toll-free: +1 888.469.0690 • Local: +1 505.814.1413
Email: info@mintzIT.com • https://mintzIT.com

Practical Paranoia Security Essentials Workshops & Books
Android, iOS, OS X, Windows

This is an age of government intrusion into every aspect of our digital lives, criminals using your own data against you, and teenagers competing to see who can crack your password the fastest. Every organization, every computer user, everyone should be taking steps to protect and secure their digital lives.

The Practical Paranoia: Security Essentials Workshop is the perfect environment in which to learn not only how, but to actually do the work to harden the security of your OS X and Windows computers, and iPhone, iPad, and Android devices. Workshops are available online and instructor-led at your venue, as well as tailored for on-site company events.

Each book is designed for classroom, workshop, and self-study. It includes all instructor presentations, hands-on assignments, software links, a security checklist, and review questions and answers. Available from Amazon (both print and Kindle format) and all fine booksellers, with inscribed copies available from the author.

Call for more information, to schedule your workshop, or to order your books!

Mintz InfoTech, Inc.
Toll-free: +1 888.479.0690 • Local: +1 505.814.1413
info@mintzIT.com • http://thepracticalparanoid.com

Review Answers

1 Vulnerability: Passwords

1. Q: When were the NSA documents of legal and illegal eavesdropping on US citizens released?
   A: June 2013
2. Q: Any and every password can be broken. (True or False)
   A: True
3. Q: What is the URL for a website that can test for password strength?
   A: https://www.grc.com/haystack.htm
4. Q: LastPass can synchronize passwords between Windows, Android, Linux, and OS X, but not iOS. (True or False)
   A: False
5. Q: Challenge Questions should always have a truthful Challenge Answer. (True or False)
   A: False

2 Vulnerability: System Updates

1. Q: US-CERT recommends that all users update all systems within _ of an update release.
   A: 48 hours
2. Q: The three fundamental reasons for updates and upgrades are: _, _, and _.
   A: Bug fixes, monetization, security patches

3 Vulnerability: App Updates

1. Q: By default, Google Play apps update automatically. (True or False)
   A: False
2. Q: Where do you go to configure auto-updates?
   A: Play Store > Settings > Auto-update apps

4 Vulnerability: Play Store

1. Q: Where do you go to require authentication for app purchases?
   A: Play Store > Settings > Require authentication for purchases
2. Q: Where do you go to set your device to prompt whenever it identifies an app trying to run or install from an unknown source?
   A: Settings > Lock screen and security > Unknown sources

5 Vulnerability: Window Pinning

1. Q: Window Pinning can be used as a simple form of whitelisting. (True or False)
   A: True
2. Q: Where do you go to enable Window Pinning?
   A: Settings > Lock screen and security > Other security settings > Pin windows

6 Vulnerability: Screen Timeout

1. Q: Where do you go to set the Screen Timeout?
   A: Settings > Display > Screen timeout
2. Q: Where do you go to restrict Lock Screen notifications?
   A: Settings > Sounds and notifications > Lock screen and security
3. Q: Where do you go to enable Do Not Disturb?
   A: Settings > Sounds and notifications > Do not disturb

7 Vulnerability: Device Hardware

1. Q: With a SIM card lock, you are prompted for a PIN when waking from sleep. (True or False)
   A: False. The SIM PIN is requested when the device is powered on (or the SIM is inserted), not on every wake; the screen lock is what protects a sleeping device.
2. Q: Where do you go to set a SIM card lock?
   A: Settings > Lock screen and security > Other security settings > Set up SIM card lock > Lock SIM card
3. Q: Where do you go to enable device encryption?
   A: Settings > Lock screen and security > Other security settings > Encrypt device
4. Q: Where do you go to add a Trusted Place?
   A: Settings > Lock screen and security > Secure lock settings > Smart Lock > Trusted places > Add trusted place

8 Vulnerability: SELinux & SEForAndroid

1. Q: DAC stands for _.
   A: Discretionary Access Control
2. Q: DAC allows _.
   A: The owner of an object (or anyone with root privileges) to grant access to that object to another user or subject (a process or thread) at their own discretion.
3. Q: MAC stands for _.
   A: Mandatory Access Control
4. Q: How does MAC determine who or what can work with a file?
   A: MAC consults a central authority (the security policy) whenever access is attempted, rather than relying on ownership.
5. Q: SELinux enforcing mode is defined as _.
   A: The SELinux policy is enforced; SELinux denies access based on the SELinux policy rules.
6. Q: SELinux permissive mode is defined as _.
   A: The SELinux policy is not enforced; SELinux does not deny access, but denials are logged for actions that would have been denied in enforcing mode.
7. Q: SELinux disabled mode is defined as _.
   A: SELinux is disabled.
8. Q: SELinux was introduced to Android in version _.
   A: 4.3 Jelly Bean (in permissive mode; enforcing for all domains from 5.0 Lollipop)
9. Q: What is KNOX?
   A: KNOX Workspace is a secured container (not a full virtual machine) that compartmentalizes personal data and applications from the workspace's data and applications.
10. Q: Attempting to authenticate to the KNOX workspace incorrectly _ times results in it being automatically wiped.
   A: 10
11. Q: Where do you activate KNOX?
   A: Settings > Lock screen and security > Device security > KNOX active protection

9 Vulnerability: Malware

1. Q: There is no need to install antivirus software because Android has it built in. (True or False)
   A: False
2. Q: According to a 2014 report from Kaspersky.com, there may be _ infected apps impacting Android.
   A: 10,000,000
3. Q: After anti-malware is installed on Android, the next important step to take is _.
   A: Scan for malware

10 Vulnerability: Data Loss

1. Q: Best practices call for at least one _ backup and at least one _ backup.
   A: local, online
2. Q: A Google cloud-based backup includes applications, text messages, and data on the SD card. (True or False)
   A: False

11 Vulnerability: When It Is Time To Say Goodbye

1. Q: Performing a factory reset will erase the SD card data. (True or False)
   A: False
2. Q: Where do you go to manually format the SD card?
   A: Settings > Storage > Format SD card > Format SD card

12 Vulnerability: Network

1. Q: Cellular networking is strongly encrypted. (True or False)
   A: False. Cellular traffic is encrypted, but the encryption is weak.
2. Q: The WEP Wi-Fi encryption protocol should be used whenever possible. (True or False)
   A: False
3. Q: The WPA Wi-Fi encryption protocol should be used whenever possible. (True or False)
   A: False
4. Q: The WPA2 Wi-Fi encryption protocol should be used whenever possible. (True or False)
   A: True
5. Q: Of the two encryption algorithms, TKIP and AES, which should be used?
   A: AES
6. Q: The network hardware that decodes and modulates the signal from your Internet provider to your cable or telephone jack is called a _.
   A: Modem
7. Q: The network hardware that allows hundreds of devices to interact between the local network and the Internet is called a _.
   A: Router
8. Q: The network hardware or software that inspects data traffic between the Internet and local network devices is called a _.
   A: Firewall
9. Q: The network hardware that allows multiple devices to connect and interact with each other and the router is called a _.
   A: Network switch
10. Q: The network hardware that allows tens or hundreds of wireless devices to connect to a network is called a _.
   A: Access point
11. Q: What app can be used to determine the encryption protocol of a Wi-Fi network?
   A: WiFi Analyzer
12. Q: A _ address includes a unique manufacturer code and a unique device code.
   A: MAC (the manufacturer code is the OUI, the first three bytes of the address)

13 Vulnerability: Google Account

1. Q: Using two-step authentication requires a phone number capable of receiving texts. (True or False)
   A: True (for enrollment as described in this book; an authenticator app can be added once two-step verification is on)

14 Vulnerability: Web Browsing

1. Q: HTTPS uses the _ encryption protocol.
   A: SSL (in current deployments its successor, TLS; SSL itself is deprecated)
2. Q: To ensure your browser goes to https even if you enter http, install the _ plug-in.
   A: HTTPS Everywhere
3. Q: To ensure your browser doesn't store browsing history, passwords, user names, list of downloads, cookies, or cached files, enable _ mode.
   A: Private (Incognito in Chrome)
4. Q: By default, any two people will have the same results for a given Google search. (True or False)
   A: False
5. Q: By default, any two people will have the same results for a given DuckDuckGo search. (True or False)
   A: True
6. Q: TOR is based on the _ browser.
   A: Firefox
7. Q: It is OK to install browser plug-ins in TOR. (True or False)
   A: False

15 Vulnerability: Email

1. Q: The attempt to acquire your personal or sensitive information by appearing as a trustworthy source is called _.
   A: Phishing
2. Q: Three common protocols to encrypt email between the email server and the user are _.
   A: TLS (Transport Layer Security), SSL (Secure Sockets Layer), and HTTPS (Hypertext Transfer Protocol Secure)
3. Q: The encryption protocol used for web-based email is _.
   A: HTTPS
4. Q: Email encrypted with either PGP or GPG can be decrypted with either. (True or False)
   A: True
5. Q: An S/MIME Class certificate is designed for business use. (True or False)
   A: False

16 Vulnerability: Instant Messaging

1. Q: The instant messaging app included with Android, Messages, is secure. (True or False)
   A: False
2. Q: Wickr is both cross-platform and secure. (True or False)
   A: True

17 Vulnerability: Voice and Video Communications

1. Q: Facebook Messenger is secure. (True or False)
   A: False
2. Q: Google Hangouts is secure. (True or False)
   A: False
3. Q: Skype is secure. (True or False)
   A: False
4. Q: OStel is secure. (True or False)
   A: True
5. Q: _ is the app used with OStel on Android.
   A: CSipSimple

18 Vulnerability: Documents

1. Q: Private mode blocks the file system from accessing targeted files. (True or False)
   A: False
2. Q: Crypt4All Lite uses 128-bit encryption. (True or False)
   A: False
3. Q: Where do you go to encrypt the SD card?
   A: Settings > More > Security > Encrypt external SD card
4. Q: What are the minimum requirements for the screen lock password in order to encrypt an SD card?
   A: Minimum _ characters in length, including at least one number

19 Vulnerability: Emergency Situation

1. Q: When activating SOS Messages, what information is gathered and transmitted?
   A: Front picture, back picture, five-second audio clip, and GPS location
2. Q: Where do you go to activate SOS Messages?
   A: Settings > Personal > Privacy and safety > Send SOS Messages

20 Vulnerability: Internet Activity

1. Q: VPN stands for _.
   A: Virtual Private Network
2. Q: A VPN encrypts all of your network and Internet traffic. (True or False)
   A: True (between your device and the VPN server; from the server onward the traffic is only as protected as the destination protocol makes it)
3. Q: A VPN hides your true IP address and geographical location. (True or False)
   A: True (from the sites you visit; the VPN provider itself still sees both)
4. Q: Switzerland has among the strictest national data protection laws to protect your private data. (True or False)
   A: True

21 Vulnerability: Google Wallet and Credit Cards

1. Q: In 2014, there were over _ million credit card thefts in the United States.
   A: 500
2. Q: According to cyber security experts, the real answer to credit card theft is _.
   A: Preventing the merchant from storing customer credit card data that is usable by anyone but the individual owner
3. Q: NFC stands for _.
   A: Near Field Communication
4. Q: What data does the merchant get from the customer during a Google Wallet (NFC) credit card transaction?
   A: A one-time use code, not the card number itself
5. Q: Google Wallet supports major loyalty cards. (True or False)
   A: True
6. Q: Google Wallet is installed by default on all Android _ and higher devices. (True or False)
   A: False
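The SELinux review answers above distinguish enforcing mode (access denied per policy) from permissive mode (access allowed, denial only logged). On a device the two look identical in the log: the same `avc: denied` record is written either way, and only the trailing `permissive=` field tells you whether the access was actually blocked. The following example, added here and not taken from the book, parses AVC records and separates blocked denials from permissive-only ones, so a reviewer can spot a domain that is silently permitted to do what policy forbids. The log lines are constructed for the example, and the field layout is assumed to match what `adb logcat` prints on Android.

```python
"""Classify SELinux AVC denials from Android logs as enforced (blocked) or
permissive-only (allowed but logged). Added example; not from the book."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Layout of an SELinux AVC audit record as it appears in `adb logcat` / dmesg.
# The "for ..." key=value fields vary by object class; permissive= is present on Android.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: tuple              # e.g. ("read",) or ("read", "write")
    source: str               # scontext: SELinux domain of the subject (process)
    target: str               # tcontext: label of the object being accessed
    tclass: str               # object class: file, socket, ...
    permissive: bool          # True => policy NOT enforced; access went through, only logged
    fields: Dict[str, str]    # remaining key=value fields (name, dev, ino, path, comm, ...)


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the denial on this log line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        source=m.group("scontext"),
        target=m.group("tcontext"),
        tclass=m.group("tclass"),
        permissive=m.group("permissive") == "1",
        fields=fields,
    )


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count blocked vs. permissive-only denials and list the source domains
    that ran permissive (i.e. were allowed to do something the policy forbids)."""
    enforced = permissive = 0
    permissive_domains = set()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        if d.permissive:
            permissive += 1
            permissive_domains.add(d.source.split(":")[2])  # u:r:<domain>:s0...
        else:
            enforced += 1
    return {"enforced": enforced, "permissive": permissive,
            "permissive_domains": sorted(permissive_domains)}


# Constructed sample logcat lines (not captured from a real device).
SAMPLE_LINES = [
    '01-02 10:00:01.000  1234  1234 W untrusted_app: type=1400 audit(0.0:12): '
    'avc: denied { read } for name="meminfo" dev="proc" ino=4026531844 '
    'scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_meminfo:s0 '
    'tclass=file permissive=0',
    '01-02 10:00:02.000  2345  2345 W sh: type=1400 audit(0.0:13): '
    'avc: denied { write } for path="/data/local/tmp/x" dev="dm-0" ino=99 '
    'scontext=u:r:shell:s0 tcontext=u:object_r:shell_data_file:s0 '
    'tclass=file permissive=1',
    '01-02 10:00:03.000  1000  1000 I ActivityManager: Start proc 5678:com.example/u0a123',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = parse_avc(line)
        if d:
            state = "ALLOWED (permissive)" if d.permissive else "BLOCKED (enforcing)"
            print(f"{state}: {d.source} -> {d.target} {d.tclass} {d.perms}")
    print(summarize(SAMPLE_LINES))
```

On a real device, `adb shell getenforce` reports the global mode, and `adb logcat | grep 'avc:'` yields records in the shape of the constructed ones. On Lollipop and later every domain should be enforcing, so any `permissive=1` record points at a domain someone deliberately relaxed (a rooted or development build) and is worth investigating before trusting the device.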

Posted: 04/03/2019, 08:54