11 comments to Auditing Android Security (Investigating Unauthorized Screenshots)

  • Just Curious

    How/why does running as root grant a process access to `/data/system_ce/`?

  • Jahh

    I guess that’s why signal never shows message content in the switch screen menu

  • Phh


    Some additional informations:

    Root-ing tools use sepolicy-inject a lot.
    You'll find a prebuilt in my SU https://github.com/phhusson/super-bootimg/tree/master/libs/armeabi, but it can be built (and is built) with NDK ( https://github.com/phhusson/sepolicy-inject ), no need to download full AOSP.

    But Magisk also includes its own sepolicy-inject (but that's inside magisk binary that does everything, not just sepolicy-inject, so that's more annoying).

    For your original issue, Nexus 5X originally was running Android 6.0, which per Android CDD "the full-disk encryption MUST be enabled by default at the time the user has completed the out-of-box setup experience."
    So you shouldn't have been able to read your /data. This is tested by CTS. So any "real life" device has it.
    If Lineage doesn't have it, it's on purpose, they explicitly chose to reduce user's security.

    Also, for the question of re-selling, the CDD is also explicit "Devices MUST provide users with a mechanism to perform a "Factory Data Reset" that allows logical and physical deletion of all data. This MUST satisfy relevant industry standards for data deletion such as NIST SP800-88."
    Though this part isn't tested by CTS, so OEMs could have badly implemented it.

    Please note that if you have Full-Disk Encryption, the key location on the disk is always the same, and will be overriden, so even if the factory data reset doesn't work properly, even if the user has no pincode or anything, the data will be unreadable because the key will have been lost.

    • Michael

      @Phh thanks for the info. Indeed, I'm using Lineage 15.1, and the persisted snapshots uncovered in this post are fully encrypted. The DiskDigger app only had access to break out of its sandbox and access the decrypted files in '/data/' because I explicitly gave it root access.

      I look forward to investigating more into sepolicy-inject in the future!

  • AFAIK, the issue was known for years, and above all, you should NEVER keep use your device in a rooted mode. Step back to get back security.

    • Michael

      afaik, the use of root isn't inherently insecure, but it could be a risk depending on the apps to which you grant the root access

  • StanK

    It may be worth to check the FLAG_SECURE on One Plus devices (at least on the 6). The device is just ignoring the flag.

  • Ben Barka

    Thanks for the article! I'm not a tech nerd but I'm concerned about mobile security... Since using Vigilante on an unrooted LG V30 to track camera, mic, etc usage I have detected 2 unauthorised camera uses and I'm digging about that... greetings

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>