Android phone security for the paranoid

[WyomingKnott]

Well, I drank the Kool-aid and bought an Android phone (Samsung Galaxy S4). I've now handed over all the details of my life to Google; privacy is a thing of the past.

It burns my butt that all of those applications require access to the camera and microphone. Why would it need a microphone to browse the Internet? So most of these apps, which can't even be uninstalled, can listen to my bedroom at night or follow me around. I don't care if they are doing it with bad intentions, with good intentions, or not at all: the fact that they can is annoying to me.

With that rant over, is there a way to change or install something so that I have more detailed control over which apps can access the camera, contacts, accounts (why should I give access to all my logins and passwords in exchange for finding good fried chicken wherever I am)? Either limit which ones can actually access these devices or prompt me each time? Any way to get rid of the umpty-seven trash apps that came with it?

I am pretty ignorant in the world of Android. I am aware of rooting and jailbreaking, but only barely. I also know that at least one of those acts makes it impossible to download and update to the next version of Android when it comes out. I would prefer to avoid that.

So please guide this nearly clueless newbie. I understand computers well, but this particular ecosytem is entirely new to me. Well, I have an Android tablet, but it doesn't have cellular data, and I put tape over the camera and microphone.

 

[Apanzee]

Root on a phone is the exact same as it is on any Linux OS - the administrator. Once you have, and only with root access, can you remove those apps that came with the device.

When Google makes a new version of Android it goes to the OEMs first - Samsung, HTC, Nokia, etc. They custom tailor it for each device and check compatibility. They then send this stock version of the ROM to the phone carriers (T-mobile, AT&T, and so on), who add their own apps - mobile TV, account information, etc. The carriers then send out the update to the customers, usually by alerting them via email or text message and supplying a download link.

When the ROM arrives from the carrier, you as a user are granted virtually no access or administrative privileges. Some people choose to root the ROM via software tools and simply remove the bloatware. Others prefer to download a pre-rooted version and flash it instead. Some even prefer to flash a new ROM altogether.

Developers from communities like XDA make their own ROMs, with improvements over the stock version. CyanogenMod for example, is one of the most common and most favored. I even use it myself.

Rooting/flashing does prevent you from upgrading directly from the carrier, however you can always update to another rooted version of the ROM of your choice when released. Sometimes this can be quite delayed due to the fact that a new exploit must be found in order to root the new version.

Rooting and unlocking are two very different things, and for the most part rooting is pretty simple. Unlocking is a nightmare, but it's illegal in the States anyway so you don't have to worry about that

If you decide you want to try and root the device, let me know and I'll try and walk you through it as best I can from my desk.

 

[WyomingKnott]

I'll be in touch when I have some time. Is there installable software that will let me control access to the resources I mentioned, in the case where I really want to use an app and it requires a permission that I don't want to give it? If not, would any of the mod ROMs support that?

I remember reading, in many places, that once you install a modified OS (called jailbreaking?) you can't ever install one of the official versions again - they just won't install. Not being able to fall back to the default position frightened me away from this.

 

[Apanzee]

No, you can absolutely go back to the stock ROM.

Just like a PCs BIOS, there's a basic input/output system on smart phones, called the HBOOT menu. This menu allows you command line access to debugging utilities. It also allows you to revert to the factory ROM installation in cases where the OS gets corrupted or the phone stops working altogether due to a software bug.

Hackers/modders/rooters take advantage of this, and flash a custom HBOOT which allows the flashing of any ROM, stock or otherwise. The stock ROM can always be re-installed through the HBOOT menu if you ever needed to send the phone in for physical repairs after installing your own Android version.

There are apps that allow you to restrict access to certain resources. Some ROMs have this feature embedded by default.

Check out the XDA forums and read a few of the threads on rooting/flashing for your specific device.

 

[WyomingKnott]

Ah, I remember reading XDA in the past. Will do. I think I want to do the bare minimum that will allow me to keep those pesky things from my microphone, camera, contacts list, and accounts.

 

[WyomingKnott]

Holy crap, that's not useful at all. Everything seems to assume that I know how to get a command line once I've enabled USB debugging mode, that I know whether or not I have the OTA MF3. Did anyone ever write an introduction over there? I can't even follow the FAQ.

(end of frustrated rant. Links to introductions for noobs would be GREATLY appreciated.)

EDIT: Found several noob threads. Almost all are linked from http/forum.xda-developers.com/showthread.php?p=42320391 .

 

[Apanzee]

Lol. It's just like anything else tech. I bet you had no idea what a batch file was or how to work the Windows registry before you got into PCs. There is a learning curve involved.


In order to actually help you, what exact model phone you have? Go find the box it came in and in the space with the serial number and MEID number. There will be a model number there. Depending on region and/or carrier this model number can vary slightly, and the rooting procedures vary along with it. For S4s purchased in North America, that number should start with one of the following: GT, SCH, SGH, SPH.

 

[WyomingKnott]

SGH-I337. Yes, that was pretty basic information. Red, if it matters.

 

[Apanzee]

In the "about phone" menu in the Settings app, what version of Android are you running?

 

[WyomingKnott]

Android version 4.3
Build number ends in MK2, not the dreaded MF3.

 

[Zasmatic]

Hey there, This is from a rooted s4's owners perspective. When your rooted you can download applications that can block certain privileges that apps get, so you can block them from accessing the microphone, causing problems or not. To root you first need to install the Samsung Kies application, Get a hold of odin ( an app that allows for high control of the phone ) and then you can back up and install new ROMs. This does void your warranty etc, but in my opinion its worth it. However if your after changing permissions then rootings all thats needed. Odin should sort you out with rooting.
P.s. be aware of the flash counter

 

[WyomingKnott]

When your rooted you can download applications that can block certain privileges that apps get, so you can block them from accessing the microphone, causing problems or not.

Can you point me to any such apps, especially one that you have had success with.

 

[Zasmatic]

Sorry apologies, this doesn't require any root access. I haven't personally used this but im fairly confident this is exactly what your looking for https/play.google.com/store/apps/details?id=mobi.infolife.permission

However i cannot check it on a stock android device since my s4 is running a custom rom. Hope this helps

 

[Zasmatic]

Just an update on what i linked you too. So i was tinkering around with it, seeing what i could lock my self out of. So far it has failed the voice test (blocking me out of recording voice) This is with the camera and a 3rd party voice recorder. However on the app it says that they never actually used the voice permission. This is including the 2 cameras i have installed. However i can block the cameras from accessing the camera. So i have a feeling that the voice permissions may be either wrapped in with the camera its self or its using the dialer permissions. Either way i am sorry if its not what you were after. Btw i tested it using Fox Hound Diamand Dogs ROM version 3.5 on a i9505.

 

[WyomingKnott]

Tnx.

 

[WyomingKnott]

I posted the following screed in the Stupid Questions thread for the phone on XDA. My two biggest issues are
1) I seem to have to unload the bootloader to do a full device backup, since I have to install a new recovery partition.
2) Still haven't identified the perfect security app

You can tell that I prefer to have all my ducks in a row before I start, rather than tinkering. A PC I can always re-OS. I don't want to have to shell out hundreds to replace a phone.
--------------------

I have read, I have Googled, I have pondered. What I think I should do is below. Am I on a good track? Have I totally missed important points? My goal, as I've stated before, is to get rid of bloatware, have tighter control over app permissions because I am paranoid, and still be able to apply OTA updates, or at least revert the phone to stock.

Process:
Download and install tools.
Root phone.
Complete backup with CWM ir TWRP. Will this require unlocking the bootloader?
Use Titanium Backup to freeze apps that I don't want.

Play with assorted permission management apps. I want to find one that allows per-app control and, preferably, the ability to set "prompt (or notify) when used" in addition to Allow and Deny.

Download:

ODIN
Lets me flash a ROM from my PC. The mobile version can flash from the internal or external SD card. The I337 isn't on the model list for the mobile version, although the I337M is. Does this mean "try it" or does it mean "No?"

Samsung KIES
Needed for USB drivers. Possibly use this link instead: http/forum.xda-developers.com/showthread.php?t=2038555 .

ADB
Assorted tools that I may need later. Includes the ability to run the command prompt from the PC instead of the phone, which is important for those of us with large fingers. Or who can touch-type on a keyboard.

CWM Backup Manager.
It's my understanding that this will let me do a full backup of everything on the phone and, if I really mess things up, use the backup to put things back as they were. Is that correct?
Failing that as a full reset, there's this on Safestrap: http/forum.xda-developers.com/showpost.php?p=42320414&postcount=2 .

(Possibly TWRP, to make the backup of the entire phone. This replaces my recovery partition.)

Titanium Backup Root
Lets me back up any individual thing. I can use its "apps freezer" instead of my previously proposed method of renaming / removing the .apk files.
For applications that establish data directories (Nook, Kindle, manga readers) will it back up the data directories also? If not, can I back them up separately? Will it back up and restore application settings?

Motochopper
Use Motochopper according to the video from TheSmokingAndroid here: http/forum.xda-developers.com/showthread.php?t=2283918

Fastboot:
A tool I may need to use later, if I go with a custom image.



Questions:

In my version of Android (4.3 on the phone), the Apps Manager has a Disable button for each app, even the bloatware. Is this as good as deleting the files or using the freeze feature of Titanium Backup?

I put in a 32-GB microSD card. Can I get Android to use it as part of the internal storage, for a total pool size of 48 GB? Is that the purpose of DirectoryBind or FolderMount, on a directory-by-directory basis?

Will OTA upgrades install after this? If not, how can I get them?

Is it possible to restore it to exactly the original condition so that ATT will service the phone under warranty?

 

[WyomingKnott]

Well, that was a bust. After reading a ton on the XDA forum, I tried two methods that both failed. Now I have a phone with no root that clearly shows a "custom" message during boot, probably voiding my warranty.

 

[Zasmatic]

What methods did you try?
And check out this http/www.droidviews.com/root-att-samsung-galaxy-s4-sgh-i337-on-ucuamf3-firmware/

 

[WyomingKnott]

I tried motochopper here: http/forum.xda-developers.com/showthread.php?t=2283918 . I don't have the message, but one popped up on my phone to the effect that system access had been denied to something.

I also tried Saferoot: http/forum.xda-developers.com/showthread.php?t=2565758 .

I had previously tried the method that you linked to, but the two executable files came out without execute permission and I could not do a chmod on them, either with the MicroSD card in the phone or in my PC using Cygwin. No execute permissions, no execute, no run.

EDIT: Not that exact version, because I am not cursed with the MF3 version. Will that version work with MK2?

 

[Zasmatic]

What happened when you tried safe root?

That's really strange that it would not execute. I would have thought that it should have worked with MF2 aswell since most of them work for both versions.

By any chance do you have super user app installed and have you tried a root checker app?