Ensure security and privacy on your Android Tablet or Smartphone with LineageOS


The original post was written in German and translated to English!

Work on this article began in 2017, and it was expanded and adapted again and again until May 2021. Based on the first test of LineageOS on a Samsung SM-T585 tablet in 2018, Samsung Galaxy A5 2017 (SM-A520F) phones have since been purchased. At around 250 € a bargain, and IP68 water- and dust-resistant on top.

Subsequently, the Fairphone 3+ is planned, as it is up to date and its battery can be removed to really turn the phone off.

LineageOS, an alternative Android operating system for tablet and phone!

LineageOS is an operating system for smartphones and tablet computers. It is a modification of the free Android operating system developed by Google and the successor to the discontinued custom ROM CyanogenMod. LineageOS is free software and is developed by a community of volunteers who provide the operating system for free download. More information on the Wikipedia page ( https://de.wikipedia.org/wiki/LineageOS ).

A prerequisite is a device that is officially supported ( https://wiki.lineageos.org/devices/ ) or for which a custom ROM exists, e.g. from https://forum.xda-developers.com/ .

IMPORTANT: Doing this will void your warranty, can destroy your device, and nobody will help you. I am describing the process of my own migration here and under no circumstances do I encourage you to carry it out on your device. If you do it, you are on your own, and if you destroy the device you are solely responsible. Nobody, and certainly not me, is responsible for what you do with your device!

The problem

Not really happy with devices on which some of the necessary software, e.g. Tor, does not work or has been banned by the manufacturer, I started looking for an alternative in 2017. The prerequisites were clear and non-negotiable:

  • There must be no registration with the manufacturer to put the device into operation. To put it mildly, it is a joke that manufacturers prevent a device from being used without registration. This first step of data collection must already be stopped.
  • It must be possible to install a firewall à la iptables, PF, IPFW or similar. The entire traffic of the device must be controllable so that data collectors cannot establish a connection.
  • An open source VPN client is compulsory, preferably OpenVPN.
  • In addition, a sensible RDP client is required to access the Linux RDP terminal server. In the business area, this also guarantees access to Windows systems.
  • Tor must work as a service, including hidden services and Tor Browser.
  • Email, calendar and contacts have to work properly with ActiveSync, IMAP, CalDAV, CardDAV and PGP encryption.
  • Element as Matrix messenger client must be available. This guarantees secure E2E-encrypted communication without additional readers.
  • Different browsers and add-ons are required. Firefox with NoScript and uBlock, Midori Browser and DuckDuckGo Privacy Browser would be the minimum. For privacy it is essential to spread your accesses, especially those with login and those without, across different browsers.
  • No software may be installed that transmits data to third parties and thus leaks content, processes or, even worse, device data. All data may only be exchanged with your own servers. Manufacturer bloatware must be uninstallable or not installed at all. If possible, all software components should be open source.
  • In addition, a correct backup of applications and settings, including a separate and complete restore, must be possible. It must be possible to transfer all settings to a new device using the backup.

The Device

For the test, a Samsung SM-T585 Galaxy Tab A tablet was purchased in 2018 and tried out with the preinstalled Android. After a short time it turned out that such a tablet or phone would not meet the requirements under any circumstances. Quite apart from the fact that the manufacturer prevents you from becoming the system administrator (rooting), there is no way to use iptables, a reasonable backup and much more.

If you install a so-called firewall app that works without root, i.e. only as a local VPN, you can at least see that the pre-installed software from Google and Samsung calls home endlessly and transmits undefined data.

All in all, despite long attempts to deactivate and uninstall this software, no solution. The manufacturer blocks uninstallation and deactivation, so services are always running in the background that nobody who values their privacy and does not want to be a forensic data feed would want.

It was clear that something else had to be done, since these Android tablets have advantages over notebooks in terms of size, suspend and resume and much more.

After months of research, it was clear that the Samsung tablet should run LineageOS. Since the device was not yet officially supported, I had to use a custom ROM from XDA-Developers.

Even at the turn of 2020, the test device is still running very stably; it started with LineageOS 14.1 and is now on LineageOS 16.0, and a second device was purchased for daily use. Due to the very positive, long-lasting and inexpensive experience, all smartphones have since been upgraded to LineageOS 17.1 (Android 10) and all tablets to LineageOS 16.0 (Android 9), with no problems in daily operation.

You have to know

Read the installation instructions for your device on LineageOS.org, several times, so that you know beforehand which steps you will need. Especially the "swipe kings" can avoid a lot of problems this way.

Most devices can be booted into different modes, similar to booting a PC into the BIOS. This is controlled with the phone's buttons, and on the Samsung these are:

  • HOME + Volume Up + Power boots into the so-called recovery mode. Here we then work with the TWRP package, something like a BIOS with a few extra functions.
  • HOME + Volume Down + Power boots into download mode. We need this once to load the custom recovery package; recovery mode will not work without it.
  • USB debugging must be turned on on the device. Details can be found in the individual instructions. Essentially it works the same everywhere: Settings → About device → tap the build number seven times. The developer menu then becomes visible.

TIP Some devices have "OEM unlocking" in the developer menu. Be sure to turn it on, otherwise the device may never boot again.

TIP Buy an extra 32 GB microSD card for this process. Details later. It makes everything a lot easier! Stinginess is never cool!

Installation of adb and fastboot

adb is the Android Debug Bridge and is necessary for communication between PC and Android device. Good installation instructions can be found here:

https://wiki.lineageos.org/adb_fastboot_guide.html

TIP I no longer use Windows myself, and on Debian Linux the packages adb and fastboot are available from the package repository. Only adb is required for the Samsung tablet, as the further steps are carried out with Heimdall.

TIP The package also installs the udev rules. Nevertheless, adb had to be run as root for adb devices to recognize the tablet. Since I only loaded the custom recovery package this way and did everything else from the SD card, no real problem.

Then install the Heimdall suite for your operating system; it is used to flash the Samsung tablet. Downloads can be found here:

https://glassechidna.com.au/heimdall/#downloads

The custom recovery can then be installed on the tablet with Heimdall. To do this, after the device has been booted into download mode (HOME + Volume Down + Power), run on the Samsung:

heimdall flash --RECOVERY twrp-xxx-x-gtleeilte.img --no-reboot

IMPORTANT The TWRP file will have a different name depending on the device, but --no-reboot is absolutely necessary! If the image is in an archive, be sure to extract it beforehand!

After that, you must immediately boot into recovery mode (HOME + Volume Up + Power), otherwise the stock system will overwrite the recovery image again!

The whole thing should look something like this:

If not, repeat the process until the boot process is clean and the TWRP menu appears.

Now it becomes easy. Once it was clear that the custom recovery is essentially nothing more than a BIOS with extra functions, especially for partition management and partition backup, the further steps could be changed.

I copied the LineageOS ROM to the SD card and performed the backup from there using the menu. The backup is in the TWRP folder, in subfolders named by date and time. It is easy to go back if problems arise.

Via Install you can install the LineageOS ROM zip file from the SD card without a PC connection. A time saver and much easier.

It is always important to back up all partitions of the original system, to perform the wipe (deletion of the partitions) according to the instructions using the Advanced function, and to actually read all messages on the screen. If you don't understand something, it is best to search the XDA-Developers forum or ask there.

After installation or after setting up LineageOS, a wipe of the Dalvik cache helps with problems. For me, the Bluetooth keyboard only worked in English; after the wipe the switch to German was clean.

To get by without the Google Play Store, install the F-Droid apk, which can be downloaded from https://f-droid.org/ . Since it usually doesn't work entirely without apps from the Google Play Store, you can install the Yalp Store via F-Droid. It downloads apps from there without registering with Google, optionally via Tor for anonymization.

Interesting programs (apps) are:

  • Termux
  • ConnectBot
  • Orbot / Orfox and the new Tor Browser (Beta)
  • Firefox with NoScript and uBlock add-ons
  • Midori Browser
  • DuckDuckGo Privacy Browser

The standard mail, calendar and contacts apps work very well against our mail server, which provides ActiveSync under FreeBSD, so no additional programs should be necessary here. Alternatively, K-9 Mail and DAVx⁵.

To connect to my own ownCloud server, the ownCloud client. This means photos can be uploaded to the server as soon as they are taken, and with your own ownCloud the photo is never stored on other servers on the Internet.

Not to forget, even if they come with a certain learning curve: AFWall+ as a firewall front end for iptables, and Titanium Backup for a professional backup, which you can also store on the SD card. If you copy the SD card to the PC regularly, you have an additional backup in case the device is stolen or fails.

To use AFWall+ and Titanium Backup, root must be enabled. Tap the build number seven times again and then set Root access to Apps and ADB in the developer settings.

In the end it will look something like this:

Of course, the OpenVPN client for the VPN at home must be installed; it authenticates against the open source pfSense firewall with 4096-bit certificates and a password. This means you can always access your data at home or in the office without sending data to third parties. Privacy as it should be!

Based on the first tests, the following was installed

  • Keepass2Android with WebDAV support (via the developer site)
  • Navit offline navigation software (gets its own blog entry)
  • Traccar and Traccar Manager as a replacement for OwnTracks (runs without Google libraries), Manager via the developer site
  • K-9 Mail with PGP support via OpenKeychain
  • xBrowserSync bookmark syncer (against my own server)
  • FreeOTP as client for 2FA authentication
  • ownCloud client for access to my own cloud, including fully automatic photo upload and sync between devices
  • Linphone SIP client as an extension of my Asterisk server

Update 2020-07-02: Greentooth

To further secure the device, Bluetooth should generally be deactivated when not in use. Of course, nobody does this manually, and therefore I recommend installing Greentooth:

It automatically deactivates the Bluetooth module after an adjustable period once the last device has disconnected. This means the device can no longer be attacked via Bluetooth while idle.

Secure with a firewall and limit to IP addresses!

A custom script to allow global access to your own IP addresses, plus rules to anonymize the remaining necessary traffic

AFWall+ as a firewall already allows or blocks data traffic per app, but the problem is always that once you allow an app, it can connect to the entire Internet and not just to your own servers and services.

In addition, we want to forbid system services from accessing the Internet and anonymize any remaining traffic over the Tor network. When it comes to Tor, don't let the ignorant tell you horror stories. Tor is an overlay network, comparable in use to a VPN, but with much better anonymization. Tor preserves the personal freedom, and often the lives, of journalists and other professionals in critical areas. Tor is of course completely legal. Talk to professionals, not to people who tell you something they heard from someone who heard something.

Steps:

  • Prohibit all incoming and outgoing traffic
  • Allow all apps globally to access your own servers and services
  • Allow other apps that are absolutely necessary anonymized access to the Internet

You need the Orbot package from the F-Droid Store. Do not enable Orbot's VPN mode; the pure service is enough, the rerouting of packets via Tor is done by AFWall+.

IMPORTANT

In Orbot, tap the three dots in the top right corner:

  • Select "Settings"
  • Scroll down to the "Debug" section
  • Tap "Tor TransProxy Port"
  • Remove "auto" and enter "9040"
  • Press "OK"
  • Tap "Tor DNS Port"
  • Remove "auto" and enter "5400"
  • Press "OK"
  • Return to the Orbot main screen
  • Tap the three dots in the top right corner and select "Exit"
  • Start Orbot again and connect to Tor.
  • Now Tor control in AFWall+ should work flawlessly.
  • Enable autostart in the Orbot settings so that Orbot starts automatically with LineageOS.

Configure AFWall+ and set up the custom script

First, the separate management of VPN and Tor must be activated in the AFWall+ settings.

AFWall+: create the custom script

Now we need a script that contains the appropriate iptables entries for accessing your own servers. I generally prefer self-hosting in-house, but the procedure is the same for a rented VPS.

The script should look like this:

# Load in AFWall+ with
# . /path/to/script/afwall.sh
# the "." (source) is required
# Necessary at the beginning of each script!
IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables

# Rules for KMJ
# https://github.com/ukanth/afwall/wiki/CustomScripts

# Deny IPv6-only connections
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -P OUTPUT DROP

# Block IPv6-in-IPv4 tunnelling (IP protocol 41), which the IPv6 policy above does not see
# This must be done in our IPv4 tables!
$IPTABLES -A INPUT -p 41 -j DROP
$IPTABLES -A FORWARD -p 41 -j DROP

# Drop multicast, reserved and broadcast addresses
$IPTABLES -A INPUT -s 224.0.0.0/4 -j DROP
$IPTABLES -A INPUT -d 224.0.0.0/4 -j DROP
$IPTABLES -A INPUT -s 240.0.0.0/5 -j DROP
$IPTABLES -A INPUT -d 240.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -d 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -d 239.255.255.0/24 -j DROP
$IPTABLES -A INPUT -d 255.255.255.255 -j DROP

# DNS over Tor
# allow connections to port 5400, then NAT
# Force DNS to use Orbot's DNS port 5400 on the rmnet[*] (mobile data) interfaces
$IPTABLES -A "afwall" -d 127.0.0.1 -p udp --dport 5400 -j ACCEPT
$IPTABLES -t nat -I OUTPUT -o rmnet+ -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5400
$IPTABLES -t nat -I OUTPUT -o rmnet+ -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5400
# Note: Tor's DNSPort answers UDP only, so redirected TCP/53 queries are effectively
# blocked rather than resolved (fail closed). Android's "Private DNS" (DNS over TLS,
# TCP/853) is not port 53 and is not caught by these rules; keep it switched off.
# END DNS over Tor

# Allow Tor TransProxy port
# set the port in Orbot from auto to 9040
$IPTABLES -A "afwall" -d 127.0.0.1 -p tcp --dport 9040 -j ACCEPT

# Always allow connections to our own blocks, no matter the interface
# change to your own IP block(s) or addresses
$IPTABLES -A "afwall" --destination "my.ip.block.one/29" -j RETURN
$IPTABLES -A "afwall" --destination "my.ip.block.two/24" -j RETURN

# We add our home nets if we are on WiFi
# we never connect to foreign WiFis
$IPTABLES -A "afwall-wifi" --destination "192.168.1.0/24" -j RETURN
# allow special IPs out via LAN
$IPTABLES -A "afwall-wifi" --destination "special.ip.out.one" -j RETURN

Save the script as afwall.sh on internal storage or the SD card and add it under Settings → Custom Script like this:

. /path/to/script/afwall.sh

Important: the line has to start with a dot followed by a space, then the path and the script name. "Apply rules" in AFWall+ must not produce any errors and the rules must be visible with Show rules. ONLY THEN CONTINUE!
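The "own servers" part of the custom script is the one that changes from device to device, and a single malformed address in it makes iptables abort, which is exactly the "Apply rules" error the paragraph above warns about. The following shell script is an added example, not part of the original article or of AFWall+: it validates each CIDR block and only then emits the RETURN rules for the afwall and afwall-wifi chains in the same form the script above uses (-d instead of --destination, same chains, same target). The address blocks in the usage line are RFC 5737 documentation ranges standing in for the author's "my.ip.block.one/29" and friends.

```sh
#!/bin/sh
# Added example (not from the original article): generate the "own servers"
# part of the AFWall+ custom script from a list of CIDR blocks. Every block is
# validated first, because a malformed address makes iptables abort and leaves
# "Apply rules" in AFWall+ with an error and a half-applied rule set.
# The address blocks in the usage call are RFC 5737 documentation ranges, i.e.
# placeholders (assumption), not the author's real servers.
set -f   # no globbing: an address is never expanded as a file pattern

# valid_cidr ADDR[/PREFIX]  -> 0 if ADDR is a dotted quad with octets 0-255 and
#                              PREFIX is 0-32 (a bare address counts as /32)
valid_cidr() {
    case $1 in
        */*/*) return 1 ;;                     # more than one slash
        */*)   ip=${1%/*}; prefix=${1#*/} ;;
        *)     ip=$1; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*) return 1 ;; esac  # digits and dots only
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1                   # exactly four octets
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rules "GLOBAL_CIDRS" "WIFI_CIDRS"
# Prints the rule lines for the custom script: GLOBAL_CIDRS are own servers
# reachable on every interface (chain afwall), WIFI_CIDRS only on the home WiFi
# (chain afwall-wifi). Prints nothing and returns 1 if any entry is malformed.
gen_rules() {
    for c in $1 $2; do
        valid_cidr "$c" || { echo "gen_rules: invalid CIDR '$c'" >&2; return 1; }
    done
    echo 'IPTABLES=/system/bin/iptables'
    echo '# Always allow connections to our own blocks, no matter the interface'
    for c in $1; do
        echo "\$IPTABLES -A afwall -d $c -j RETURN"
    done
    echo '# Home networks, only when on WiFi'
    for c in $2; do
        echo "\$IPTABLES -A afwall-wifi -d $c -j RETURN"
    done
}

# Stand-alone usage: two public blocks reachable everywhere, one home LAN on WiFi
gen_rules "203.0.113.8/29 198.51.100.0/24" "192.168.1.0/24"
```

Redirect the output into afwall.sh together with the fixed part of the script (variables, IPv6 policy, DNS and TransProxy rules), then load it with the dot-space-path line exactly as described above; a rejected entry is reported on stderr and nothing is written, so AFWall+ never sees a half-finished rule set.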

AFWall+ can now be set up. All apps that only talk to your own servers and services, e.g. e-mail, Element Matrix Messenger, Mastodon client, ownCloud and many more, do not need data traffic enabled in AFWall+, since the script already permits access to your own servers, and really only to those. This means that in the event of a faulty app or an attack, the app cannot send data anywhere else. It also prevents tracking and much more.

A complete configuration looks like this:

The settings in detail:

  • For the kernel, time server, media storage, updater and Android system, Internet access is redirected through Tor and thus anonymized.
  • F-Droid and Aurora Store only need the Tor permission, as Tor support is built into the apps.
  • The DuckDuckGo, Fennec and Firefox browsers can only go out via Tor.
  • The IBKR app is allowed on the Internet without anonymization.
  • Riot.im (Element Messenger) appears here because three Riot accounts are set up on this device and one of them uses the Matrix.org server. Two of them need no rule (access to my own servers is already allowed in the script); the third account is anonymized via Tor on its way to Matrix.org.
  • All other traffic is blocked, in and out.

Update 2020-12:

In the latest configurations, Internet access for the Linux kernel, NTP and Android system was deactivated. In addition, the WiFi and LTE permissions were removed from the apps routed via Tor, so that only Tor has a tick. So far everything works without problems.

Update to LineageOS 17.1 and prevent possible DNS leaks

Upgrade to LineageOS 17.1 (Android 10 based) and extension of the custom script to route DNS outside the home WLAN via Orbot (Tor). In the meantime, LineageOS can also be run as a virtual machine ( https://kmj.at/betrieb-einer-virtuellen-maschine-vm-mit-lineageos-android-unter-proxmox/ ).

Now we want to prevent any DNS leak outside the home WLAN and redirect the DNS queries via Tor.

Steps:

  • Back up apps and data, best with Titanium Backup
  • Install LineageOS 17.1 on the device according to the project website
  • Set up Magisk to root the device
  • Set up AFWall+ and Orbot
  • Restore apps and settings, e.g. with Titanium Backup

The entire process was absolutely unproblematic. There was just one snag: AFWall+ version 3.4.x is available in the F-Droid Store, and this version has problems with LineageOS 17.1 on the mobile interface. Installing the 3.5.x package available on GitHub ( https://github.com/ukanth/afwall/releases ) solved the problem, and now all kernel and system processes are really without Internet access.

Thanks to the custom script, all apps have access to my servers (static IPs) without needing approval in AFWall+! All browsers and the updater only get Tor as permission, so all their traffic is routed through Tor (Orbot).

A few exceptions get WiFi and mobile and may go directly to the Internet.

This means the device is very well protected. Only a DNS leak risk remains as soon as we are on the mobile data network (3G, 4G, 5G). In the home WiFi we are well protected with Pi-hole and pfSense, including DNS-over-TLS forwarding to our own external DNS servers. On the mobile network we depend on the respective provider, which assigns the DNS servers and can also set up a transparent DNS proxy that reads along. We want to prevent this.

Redirect DNS on rmnet[*] to Orbot's DNS port 5400

The mobile data interface is called rmnet0 (rmnet[*] in general). We have to redirect outgoing packets that leave the device via rmnet* to any IP on port 53 so that they use the DNS offered by Orbot on 127.0.0.1 port 5400. The queries are then sent encrypted via Tor.

Extend the AFWall+ custom script

We change the script above, which contains the iptables entries for accessing your own servers. I generally prefer self-hosting in-house, but the procedure is the same for a rented VPS.

The changes are already integrated in the custom script above!

# DNS over Tor
# allow connections to port 5400, then NAT
# Force DNS to use Orbot's DNS port 5400 on the rmnet[*] (mobile data) interfaces
$IPTABLES -A "afwall" -d 127.0.0.1 -p udp --dport 5400 -j ACCEPT
$IPTABLES -t nat -I OUTPUT -o rmnet+ -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5400
$IPTABLES -t nat -I OUTPUT -o rmnet+ -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5400
# END DNS over Tor
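Whether the redirect is really in place is something to verify on the device rather than assume, since "Apply rules" can succeed while a rule is missing or Orbot's ports were never changed from "auto". The following shell script is an added example, not from the original article or from AFWall+: it audits the text of "iptables -t nat -S OUTPUT" and "iptables -S afwall" (as obtained as root on the device, e.g. over adb shell) for the rules this section relies on, using the article's ports 5400 and 9040 and interface pattern rmnet+. Two constructed dumps in the -S output format are embedded so it runs offline: one complete, one where only UDP is redirected. It also flags the one case the DNAT cannot cover, Android's Private DNS on TCP/853.

```sh
#!/bin/sh
# Added example (not from the original article): audit an iptables dump for
# the Tor DNS redirect described above. On the device the dumps would come
# from "iptables -t nat -S OUTPUT" and "iptables -S afwall" run as root; here
# two constructed samples in that output format are embedded so the check
# runs offline. Ports 5400 (Orbot DNS), 9040 (Tor TransProxy) and the
# interface pattern rmnet+ are those used in the article.

# Constructed: what a correct configuration dumps as
SAMPLE_NAT='-P OUTPUT ACCEPT
-A OUTPUT -o rmnet+ -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5400
-A OUTPUT -o rmnet+ -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5400'

SAMPLE_FILTER='-N afwall
-A afwall -d 127.0.0.1/32 -p udp -m udp --dport 5400 -j ACCEPT
-A afwall -d 127.0.0.1/32 -p tcp -m tcp --dport 9040 -j ACCEPT
-A afwall -d 203.0.113.8/29 -j RETURN'

# Constructed "leaky" variant: only UDP is redirected, TCP/53 goes to the carrier
LEAKY_NAT='-P OUTPUT ACCEPT
-A OUTPUT -o rmnet+ -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5400'

# has_rule "DUMP" "ERE"  -> 0 if some line of DUMP matches the pattern
has_rule() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# check_tor_dns "NAT_DUMP" "FILTER_DUMP"
# Prints one line per finding; returns the number of missing rules (0 = OK).
check_tor_dns() {
    nat=$1; filter=$2; missing=0
    for proto in udp tcp; do
        if ! has_rule "$nat" "^-A OUTPUT -o rmnet[+] -p $proto .*--dport 53 -j DNAT --to-destination 127\.0\.0\.1:5400$"; then
            echo "MISSING: $proto/53 leaving rmnet+ is not redirected to Orbot DNS on 127.0.0.1:5400"
            missing=$((missing + 1))
        fi
    done
    if ! has_rule "$filter" "^-A afwall -d 127\.0\.0\.1(/32)? -p udp .*--dport 5400 -j ACCEPT$"; then
        echo "MISSING: accept for 127.0.0.1:5400/udp in chain afwall (redirected queries would be dropped)"
        missing=$((missing + 1))
    fi
    if ! has_rule "$filter" "^-A afwall -d 127\.0\.0\.1(/32)? -p tcp .*--dport 9040 -j ACCEPT$"; then
        echo "MISSING: accept for Tor TransProxy 127.0.0.1:9040/tcp in chain afwall"
        missing=$((missing + 1))
    fi
    # Not counted as missing: Android's Private DNS (DNS over TLS) uses tcp/853,
    # not port 53, so the DNAT above never sees it. Set Private DNS to Off.
    if ! { has_rule "$nat" '--dport 853' || has_rule "$filter" '--dport 853'; }; then
        echo "NOTE: no rule touches tcp/853; make sure Private DNS is set to Off"
    fi
    return $missing
}

echo "== complete ruleset =="; check_tor_dns "$SAMPLE_NAT" "$SAMPLE_FILTER"
echo "== leaky ruleset =="; check_tor_dns "$LEAKY_NAT" "$SAMPLE_FILTER" || echo "-> $? rule(s) missing"
```

On a real device, feed the output of the two iptables -S commands in as the two arguments; a non-zero return means the rules AFWall+ shows under Show rules do not match what the script above is supposed to install, and DNS on mobile data is still going to the carrier.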

For me it is a pretty perfect solution, as privacy is secured again and all functions work properly. In this form, Android can also be used by companies with smart employees.

And, of course, a solution geared towards security and privacy requires the will to keep developing it and to invest a certain amount of effort in protecting your own privacy. Don't listen to people who only know where to click or swipe; listen to specialists who really understand the functionality in detail. Only if someone can explain to you in detail how things work and what happens, or should happen, in the background when you click or swipe is the information worth something and the person can be called a specialist.

Paranoia

Anyone who thinks they have nothing to hide should watch the following film before making a statement in this direction:

“Nothing to Hide (2017)”

Links:

We look forward to active participation in the EURAFRI project and invite you to visit the EURAFRI reception on Matrix:

https://matrix.to/#/#eurafri-reception:matrix.ctseuro.com

Your EURAFRI TEAM

Author: Karl M. Joch
