Android’s lack of sense of security

In the wake of setting up secure e-mail communication as written in my previous article, if you are a smartphone user and run your own mail server, you probably want to set up IMAP and SMTP in a secure way, in order to protect your mail communication from being wiretapped, and your mail server from being hacked and misused, for example as a spam relay. The proper way of doing this is setting up SSL / TLS for IMAP and SMTP, and use proper authentication for both protocols. There are many good HOWTO documents on-line for this task so I’m not going into much detail how to set this up for your specific mail server, except saying that you probably want to use non-standard TCP ports for both protocols.

Using non-standard ports is kind of security by obscurity, but given that the average script kiddie is not going to run full-range 64k port scans against your public IP address (it just takes too much time) and will instead stick to the well-known ports 143 and 993 for IMAP and 25, 465, and 587 for SMTP, using a port in the 50-60k range will usually protect your mail server from being found too quickly for quite a while. I haven’t seen many port scans in this range so far. Surveillance authorities may not need to stick to only scanning well-known ports, though. Their use case is different, and moving your public TCP ports elsewhere is not going to help.

(If you fear surveillance authorities, though, you are not going to use a smartphone for your e-mail anyway. No, you are not. It is a safe assumption, and not overly paranoid if you ask me, to expect Google, Apple, and sorts to know much about your smartphone communication.)

The next question is, are you going to set up an SSL certificate signed by one of the public certificate authorities (CA) or a self-signed certificate. A CA-signed certificate is definitely required if you want to offer a public service, like a web site, a public mail server or something. If you run the mail server just for yourself, i.e. for accessing your mail while travelling, there is no need to set up a chargable CA-signed certificate, and you can just as well roll your own, without any lack of security, since you know your own certificate (fingerprint, etc.).

So let’s assume you set up your mail server properly, and you are using a self-signed SSL certificate for your IMAP and SMTP connects. The next step is setting up the mail account on your smartphone. Let’s assume you use an Android device, just like me.

If you set up SSL/TLS or STARTTLS, you can use the default setting, or „accept all certificates“. Using the default setting, the Android mail app will certainly not accept your self-signed certificate, but it will do this if you select „accept all certificates“. Done.

Sadly, there is a lack of sense of security on the Android side. There is no way of explicitly accepting a specific SSL certificate e.g. by fingerprint or something. Android does not offer you this option. So, if someone hijacks your IP address or DNS name, she or he can easily plant a fake SSL certificate on you at any time, and you have no way of knowing this. The perfect man in the middle attack. (Note to self: I need to check if Android warns you of a changed certificate. I bet it does not).

This is less likely to happen if you are John Doe, but if you are a person or organization that wants to be trustworthy, and offer trustworthy services to your peers (e.g. an investigative journalist, a medical doctor, a priest, or a rebel in a dictatorship), you are definitely in danger of being tapped. The only solution for now is using a CA-signed SSL certificate, which in case of the rebel may not be feasible…

So, dear Android folks, please add some code to allow for checking of the SSL certificate properties. It can’t be that complicated.

Maybe this is also a playfield for the CyanogenMods and other alternative ROMs on this planet.

As a workaround, you can use the app „Home Network SSL Checker“ from Google Play. This app checks an HTTPS URL in regular intervals, and deactivates the connection to the given server if the check fails. This way, you can be sure sensitive data like passwords are never sent to the wrong server. The author is Olaf Titz – a long-year open source and network security veteran who knows how to do things right.

An even better workaround may be to install your self-signed certificate on your Android device and make it known to the system using the Android Certificate Installer. I couldn’t make it work yet but I didn’t try hard yet.

By any means, do not use a self-signed certificate and set your Android app to „accept all certificates“. It’s a shame on the Google side that this option is offered at all.

Update: Andrea Arcangeli pointed me to the k9 mail app. k9 is supposed to handle self-signed certificates just fine. Gotta give it a test and report back here.

Update 2: Yup, k9 appears to work fine. It displays the self-signed certificate and asks you to accept or reject it. Check. The UI looks and feels fine as well. Check. New k9 user.

Dieser Beitrag wurde unter Security veröffentlicht. Setze ein Lesezeichen auf den Permalink.

Kommentar verfassen

Trage deine Daten unten ein oder klicke ein Icon um dich einzuloggen:

Du kommentierst mit Deinem Abmelden / Ändern )


Du kommentierst mit Deinem Twitter-Konto. Abmelden / Ändern )


Du kommentierst mit Deinem Facebook-Konto. Abmelden / Ändern )

Google+ Foto

Du kommentierst mit Deinem Google+-Konto. Abmelden / Ändern )

Verbinde mit %s