Android Security or Obfuscation?

I have an Android phone. I used to have an iPhone but I switched to Android because I wanted more control over my phone. I wanted something that was open and provided more freedom of choice. Today, three Android phones down the road, I won’t switch to Android for those reasons.

The issue is that my phone is no longer mine. It belongs to large corporations, I’m only leasing the phone. I mostly don’t care. I’ve gotten used to deactivating and removing Googleware, I avoid using features that collect my data and I generally try to reduce my data footprint. All-in-all, a kind of phone self-censorship.

Secondly, Android isn’t open anymore. Sure it’s still open source, I can read the source code. But what I mean by open is that I can control the phone without jumping through hoops. To illustrate, I’ll describe something I experienced recently while trying to debug an App on my phone.

It starts with a trial version of a mobile App for which I purchased a license. Unfortunately entering the license did not activate the App, instead always failing with a nondescript error message. I contacted the Apps’ support but got no help, not even a suggestion what I could do to fix it.

So I decided to investigate with the intention of providing the App developers a more detailed bug report than “it doesn’t work”!

Step one to debugging this is to introspect the traffic that is going between my device and their servers. Having worked with mitmproxy before and having a Raspberry Pi, I followed this excellent guide on setting up a wireless network that is monitored by mitmproxy.

Next step was installing the mitmproxy Certificate Authority (CA) certificate on my phone. No problem that’s three steps: download certificate, confirm that certificate should be installed, enter pass/fingerprint/pattern, done. (Why the CA is necessary and what it does is explained by the mitmproxy documentation.)

But when I tried it out on my device, I got errors that TLS certificates can not be trusted because they were signed by a non-trusted CA. What? Of course it’s trustworthy, I just installed it after all. Then I discovered this mitmproxy issue, which lead me to this Android Security team blog post from 2016. In a nutshell, starting with Android version 7 (Nougat), user installed CAs are no longer trusted by the device. Ah, OK. Why?

The reasoning of the Android Security team is that application data must be protected. But that is only half true. It would be 100% true if applications only received data. However the data that an application sends is my data, about me, my activity. Why should this data be protected? In the eyes of the Android Security team, my data should be protected from me!

Besides this, I have another issue with this decision. That is that there very real ways of getting around this limitation. From the original Github issue, I found: recompile the APK, install the CA with adb or root your phone.

So instead of simply trusting the installed CA, I now have to jump through hoops. I can only conclude that this isn’t about security, it’s about obfuscation. Making my life harder, wasting more of my time when all I really want is to use my App.

Having tried various ways of getting mitmproxy working, I was left with rooting my phone. The rabbit hole just got longer.

Ok, since I can’t seem to let go, lets see how hard it is to root a Huawei phone, can’t be rocket science right?

First I found this article on fastboot and using it to unlock the bootloader. This presented me with this error:

prompt> fastboot oem unlock
FAILED (remote: 'check password failed!')
Finished. Total time: 0.009s

What, wait! A password? Hm. What could this be? More ddg’ing and I found this page with a link to a website where I could generate the bootloader password. Hm, Link dead. More ddg’ing and a few shady websites promising me all sorts of wonders if only I enter my IMEI. Where is this going…

More ddg’ing (should really be pronounced digging) and I found this forum post with this quote:

No bootloader unlock code provided by Huawei anymore
I had a confirmation by email from Huawei consumer services.
Huawei doesn't provide any bootloader unlock code because... Well they don't want to.
Does anyone have another solution to obtain this bootloader unlock code?
Can anyone provide an example of this code?

Right. Ok. Move on, nothing to see here. WAIT! How can this be? So basically Huawei is telling me: “The phone that you purchased does not belong to you. It’s ours. And we’ll do everything to prevent you from stopping us from collecting your data.” Surely this can’t be true. Have I become a data-beacon blinking data back to the corporations of the data economy?

So I mailed their support and asked them for a password:

This information has been made public via our social media channels and unfortunately I can no longer send you the bootloader code, as we generally do not give it out any more.

I replied asking why this should be the case and got this answer:

Unfortunately I can't send you this code because I'm not authorized to do so and we can't give it out because it doesn't exist.

I wrote them another email pointing out that if I wanted to void the warranty on my phone, then surely that would be my business. Huawei replied with:

In reference to your query, we would like to inform you that our goal is to ensure customers have the best and safest possible experience on their Huawei device.

I feel safer already.

I think I now realise what’s going on. The fact that rooting/jailbreaking is actually illegal in some parts of the world, Huawei can’t give me a password since that might be aiding me in committing a crime. And since they’re too lazy to find out where I live, I can’t get a password.

But why have a password in the first place? Simply to prevent users from replacing the version of Android on their phone? I wonder how this plays with the right to repair?

Anyway, I dug some more and discovered yet another possibility. This one involves downloading a new firmware onto the SD-card, then typing *#*#2846579#*#* into the number pad and updating from the SD-card. I didn’t try this but if that does work, it does ask the question why have a password in the first place.

I really don’t understand why all of this is made so difficult. In a world where Governments are buying zero day exploits to backdoor our electronic devices, why bother about whether I can install a CA or not? As long as there is a black market for 0day exploits, there is really little or no point in “pretending” everything is secure, it becomes obfuscation. Security is presented as a game of cat and mouse, good guys versus bad guys, when in fact, it’s the cat chasing its own tail.

On the process of installing a user-defined CA itself, as described above, it requires three steps including password entry to install a user defined CA. This isn’t something someone will normally do unless they know exactly what they are doing. And if that’s not enough, why not add an additional developer option to make user CAs usable by default? After all, I can activate USB debugging which basically allows anyone with a computer to access my phone.

Another sorry truth is whether all of the 200+ CAs pre-installed on my phone are trustworthy? For example DarkMatter? And who determines which CAs are trustworthy?

In addition, Apps can also protect themselves by using certificate pinning, which basically means that App doesn’t trust any installed CA.

Happily I did get my license to work. I installed an older version of the App which did do license verification, then upgraded and now I have a full working version of the App. Coincidentally, at the exact same time I downgraded and got it working, the App developers emailed me that they had changed something to make it work … Hm.

Software Developer & Architect.