Security of data and passwords when phone is lost/stolen

Hi,

I'm in the process of setting up a Google Nexus 5 with ubports for somebody else. And I keep wondering, what are the security implications of running ubports on a device with unlocked boot-loader?

In case the phone is lost or stolen, will any new "owner" of the device be able to access the WiFi passwords, IMAP passwords and all data, photos etc. stored on the phone by just connecting USB cable and running adb/fastboot to dump the flash?

Are passwords stored on the device encrypted with the unlock passcode?

What precautions can/should be done to secure the data on a phone running ubports?

Thanks for any insights,
cheers,

Dave

Hi,

I sort of start feeling old, trying to participate in UBports: An open source project without a mailing list and without IRC channel does not really integrate with the modes of communication I'm used to use.

Just tried to make a telegram account (via web.telegram.org), however it needs a phone number, and (one of my) "landline" SIP-based phone numbers is not accepted ("incorrect phone number"). I'm not really willing to give my cell phone number to an untrusted 3rd party to participate in an open-source project. I mean, if I were, then I probably would just be using Google Android and not bothering with UBports, would I ?

So I guess I'll have to stay at the outside for now.

cheers,

Dave

Hi,

just to give some more data point: ordered a BQ M10 FHD Ubuntu Edition tablet, arrived yesterday. Installed ubports-installer on a Ubuntu 17.10 linux PC. Tablet initially not detected by the installer, but after setting developer mode, some reboots, trying a different USB port, and manually running "adb" to list connected devices, it "suddenly" started working (hat no prior experience with adb, never used it before).

After detection, installation just completed flawlessly (I configured it to wipe the tablet during installation).

So for now very happy with the device and the software. Next step will be to install some ubuntu desktop applications using the information found here:

https://docs.ubports.com/en/latest/userguide/dailyuse/libertine.html

Anybody here knows which libertine container types are supported by ubuntu 15.04r3 on BQ M10 FHD?

Looking forward to replacing my aging firefox-os phone with some new phone running ubports.

cheers,

Dave

Just to document some findings, in case somebody is looking for the same answer: This is how I am using and "integrating" normal Ubuntu and other 3rd-party applications into the launcher:

Creating a libertine image, as documented here.
Example:

libertine-container-manager create -i legacy -n "Legacy"
libertine-container-manager install-package -i legacy -p gnome-terminal
libertine-container-manager install-package -i legacy -p openjdk-8-jre

Now from the OpenStore install package "Desktop Apps". Enable the "Desktop Apps" scope in the launcher. Now swiping left on the Launcher should bring up the "Desktop Apps" scope. After running the commands above it lists just two items: "OpenJDK Java 8 Policy Tool" and "Terminal" . To add other custom launchers (for example to launch some manually installed Java GUI application), you can add more items to the Desktop Apps by creating files inside the libertine container at /usr/share/applications/*.desktop.

Example:

libertine-container-manager install-package -i legacy -p joe
libertine-container-manager install-package -i legacy -p vim
libertine-launch -i legacy  /bin/bash
cp /usr/share/applictions/terminal.desktop /usr/share/applictions/myapp.desktop
joe /usr/share/applications/myapp.desktop

For example to launch a java application installed in /home/phablet/.local/share/libertine-container/user-data/legacy/myapp.jar , edit myapp.desktop and change the line

Exec=/usr/bin/java -jar /home/phablet/myapp.jar

(Note how the container's directory /home/phablet corresponds to the absolute path /home/phablet/.local/share/libertine-container/user-data/legacy/myapp.jar when accessed outside the container)

Dave

Hi @advocatux ,

I ran into the same "signature error", attempting to update my Aquaris 10 FHD tablet. As I don't mind breaking the tablet (as opposed to my phone), I just attempted to upgrade using the development channel, which worked (i.e. no signature error), then once that was running switched back to the stable image, and this time no signature error as well.

Working nicely now, no problems, some bugs I encountered with 15.04 seem to be fixed with that release. Very happy. Will attempt the same procedure on my phone.

Dave

Unfortunately I cannot copy-paste the lengthly error message shown in the "Yikes!" message window. Attempting to (partially) transcribe it here:

Error: unhandled rejection [..] promise [..] Fetch Error: request to https://ubports.open-cuts.org/graphql failed, reason: Hostname/IP does not match certificate's altnames: Host: ubports.open-cuts.org is not in the cert's altname: DNS: *.wpmudev.host, DNS:wpmudev.host

(I merely wanted to report that the installation passed flaw-lessly, when the act of reporting that fact triggered the "Yikes!" modal)

I just realized that a Volla phone used by family members is stuck on OTA-18 and does not upgrade at all. Always claims that there are no updates.

Though the channel selection drop-down is empty, indicating that something is off.

Running

sudo system-image-cli -v -p 0 --progress dots

shows SSL errors:

[..]
[systemimage] Oct 16 23:07:32 2023 (6497) Reactor error: https://system-image.ubports.com/channels.json:SSL ERROR
[systemimage] Oct 16 23:07:32 2023 (6497) uncaught exception in state machine
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/systemimage/state.py", line 133, in __next__
    step()

Manual download from an ssh session on that phone shows a certificate error:

$ wget -O- https://system-image.ubports.com/channels.json
--2023-10-16 23:08:00--  https://system-image.ubports.com/channels.json
Resolving system-image.ubports.com (system-image.ubports.com)... 172.67.150.210, 104.21.0.97, 2606:4700:3033::ac43:96d2, ...
Connecting to system-image.ubports.com (system-image.ubports.com)|172.67.150.210|:443... connected.
ERROR: cannot verify system-image.ubports.com's certificate, issued by ‘CN=E1,O=Let's Encrypt,C=US’:
  Issued certificate has expired.

I guess the quickest possible fix is to try to reinstall that phone using the ubports installer?

cheers,

Dave

Hi,

given the lack of VoLTE support on Volla phones, if I now buy a new phone for Ubuntu Touch, which one would have the highest chance to (eventually?) work with VoLTE?

Feels like it becomes increasingly more difficult to stay connected on a non-VoLTE phone nowadays.

Alternatively, has anybody tested how well Linphone works on Ubuntu Touch? Having a well-integrated SIP telephony solution may make the current situation more bearable: providers like sipgate.de even appear to allow one to receive calls for a mobile number just via their SIP network.

cheers,

Dave

@kugiigi no it's not urgent, but I would be glad if ubports did not lose support for japanese in the long run. I also know some people who will not be able to upgrade to focal, unless japanese input is restored, but they may not mind to wait a little longer.

Hi,

I just updated a Volla 22 phone from whatever firmware it shipped with to 20.04 via the ubports installer (and wiping it in the process).

I had set it to "japanese" before (with the original firmware provided by Volla), but now the new welcome screen does not list japanese any more.

It still does support configuring a japanese keyboard, however the japanese keyboard is also broken now. When selecting e.g. hiragana letter あ it used to pop up the 4 neighbouring hiragana い、う、え、お to the top/left/right/bottom sides of the pressed key. Now those are not displayed any more (but can still be pressed if you remember where they used to pop up).

This is quite bad for me, as I type japanese messages and internet search queries from time to time. What would be the right (gitlab?) project to report this bug to?

cheers,

Dave

Unfortunately I cannot copy-paste the lengthly error message shown in the "Yikes!" message window. Attempting to (partially) transcribe it here:

Error: unhandled rejection [..] promise [..] Fetch Error: request to https://ubports.open-cuts.org/graphql failed, reason: Hostname/IP does not match certificate's altnames: Host: ubports.open-cuts.org is not in the cert's altname: DNS: *.wpmudev.host, DNS:wpmudev.host

(I merely wanted to report that the installation passed flaw-lessly, when the act of reporting that fact triggered the "Yikes!" modal)

This seems to be a general problem with IPv6 access to cloudflare CDN from my location.

Same things happens e.g. for linux.die.net, too

$ wget -6 https://linux.die.net -O/dev/null
--2023-07-12 11:16:32--  https://linux.die.net/
Resolving linux.die.net (linux.die.net)... 2606:4700:20::ac43:45bb, 2606:4700:20::681a:5e, 2606:4700:20::681a:15e
Connecting to linux.die.net (linux.die.net)|2606:4700:20::ac43:45bb|:443... connected.
GnuTLS: Error in the pull function.
Unable to establish SSL connection.

both system-image.ubports.com and linux.die.net appear to be hosted via cloudflare CDN.

@arubislander It appears the current version of webber in the open store does have problems on newer devices or maybe related to 20.04, as mentioned in the review comments.

I also failed to make it work on a Volla 22 with ubports 20.04.

When clicking "share" on a website, Webber does not appear in the list.

Just to reiterate, this is a stochastic problem. The majority of SSL connection attempts just work. For reference, here is the wget output and a (truncated) tcpdump for the case where it happens to work:

$ https_proxy= wget https://system-image.ubports.com//20.04/arm64/android9plus/stable/mimameid/version-1.tar.xz.asc
--2023-07-11 09:30:56--  https://system-image.ubports.com//20.04/arm64/android9plus/stable/mimameid/version-1.tar.xz.asc
Resolving system-image.ubports.com (system-image.ubports.com)... 2606:4700:3033::ac43:96d2, 2606:4700:3030::6815:61, 104.21.0.97, ...
Connecting to system-image.ubports.com (system-image.ubports.com)|2606:4700:3033::ac43:96d2|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘version-1.tar.xz.asc.10’

version-1.tar.xz.as     [ <=>                ]     488  --.-KB/s    in 0s      

2023-07-11 09:30:56 (19.1 MB/s) - ‘version-1.tar.xz.asc.10’ saved [488]

 $ tcpdump -r workingip6-2.dump
reading from file workingip6-2.dump, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144
09:30:56.330881 IP6 mosquito-public-ip.33520 > 2606:4700:3033::ac43:96d2.https: Flags [S], seq 2471135345, win 64440, options [mss 1432,sackOK,TS val 4074644192 ecr 0,nop,wscale 7], length 0
09:30:56.353850 IP6 2606:4700:3033::ac43:96d2.https > mosquito-public-ip.33520: Flags [S.], seq 3615166120, ack 2471135346, win 64704, options [mss 1360,sackOK,TS val 1553849798 ecr 4074644192,nop,wscale 13], length 0
09:30:56.354269 IP6 mosquito-public-ip.33520 > 2606:4700:3033::ac43:96d2.https: Flags [.], ack 1, win 504, options [nop,nop,TS val 4074644215 ecr 1553849798], length 0
09:30:56.356973 IP6 mosquito-public-ip.33520 > 2606:4700:3033::ac43:96d2.https: Flags [P.], seq 1:518, ack 1, win 504, options [nop,nop,TS val 4074644216 ecr 1553849798], length 517
09:30:56.380014 IP6 2606:4700:3033::ac43:96d2.https > mosquito-public-ip.33520: Flags [.], ack 518, win 7, options [nop,nop,TS val 1553849824 ecr 4074644216], length 0
09:30:56.382855 IP6 2606:4700:3033::ac43:96d2.https > mosquito-public-ip.33520: Flags [.], seq 1:1349, ack 518, win 8, options [nop,nop,TS val 1553849827 ecr 4074644216], length 1348
[..]

looking at the packet contents in wireshark, I cannot spot any difference in what my host sends out between the cases where it works vs. where it does not work (i.e. I don't think that wget or my firewall is to blame).

Hi,

forums.ubports.com currently fails to work for me, when using a HTTPS proxy, as the proxy appears to be less smart than Firefox in not quickly falling back to IPv4 when the IPv6 connection stalls.

This is easily reproduced via wget:

$ https_proxy= wget --timeout=5 -O/dev/null https://forums.ubports.com
--2023-07-11 09:48:29--  https://forums.ubports.com/
Resolving forums.ubports.com (forums.ubports.com)... 2a03:b0c0:2:d0::ebb:7001, 134.122.62.36
Connecting to forums.ubports.com (forums.ubports.com)|2a03:b0c0:2:d0::ebb:7001|:443... failed: Connection timed out.
Connecting to forums.ubports.com (forums.ubports.com)|134.122.62.36|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 138582 (135K) [text/html]
Saving to: ‘/dev/null’

If you do not support IPv6 operation, you maybe should not publish an AAAA record in your DNS!

$ dig forums.ubports.com AAAA
[..]
forums.ubports.com.	210	IN	AAAA	2a03:b0c0:2:d0::ebb:7001

cheers,

Dave

Hi,

running the ubports installer on saturday I had stochastic download errors ("ECONNRESET") that made it impossible to finish installation, until I disabled my IPv6 internet support alltogether.

Right now I can reproduce the problem, a significant percentage of SSL connection attempts die after the TLS client hello due to the server sending a RST packet.

https_proxy= wget https://system-image.ubports.com//20.04/arm64/android9plus/stable/mimameid/version-1.tar.xz.asc
--2023-07-11 09:31:51--  https://system-image.ubports.com//20.04/arm64/android9plus/stable/mimameid/version-1.tar.xz.asc
Resolving system-image.ubports.com (system-image.ubports.com)... 2606:4700:3030::6815:61, 2606:4700:3033::ac43:96d2, 172.67.150.210, ...
Connecting to system-image.ubports.com (system-image.ubports.com)|2606:4700:3030::6815:61|:443... connected.
GnuTLS: Error in the pull function.
Unable to establish SSL connection.

This is the corresponding tcpdump:

$ tcpdump -r brokenip6-2.dump 
reading from file brokenip6-2.dump, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144
09:31:51.904786 IP6 mosquito-public-ip.40400 > 2606:4700:3030::6815:61.https: Flags [S], seq 1137994465, win 64440, options [mss 1432,sackOK,TS val 1525877974 ecr 0,nop,wscale 7], length 0
09:31:51.924352 IP6 2606:4700:3030::6815:61.https > mosquito-public-ip.40400: Flags [S.], seq 346910756, ack 1137994466, win 64704, options [mss 1360,sackOK,TS val 1056910065 ecr 1525877974,nop,wscale 13], length 0
09:31:51.924464 IP6 mosquito-public-ip.40400 > 2606:4700:3030::6815:61.https: Flags [.], ack 1, win 504, options [nop,nop,TS val 1525877994 ecr 1056910065], length 0
09:31:51.925039 IP6 mosquito-public-ip.40400 > 2606:4700:3030::6815:61.https: Flags [P.], seq 1:518, ack 1, win 504, options [nop,nop,TS val 1525877995 ecr 1056910065], length 517
09:31:51.945671 IP6 2606:4700:3030::6815:61.https > mosquito-public-ip.40400: Flags [R], seq 346910757, win 0, length 0

This is running on a Devuan-Linux server connected via DSL directly on a PPPoE modem. So no middle-boxes (NAT etc.) involved (not that I'd expect any NAT to happen on IPv6).

Though this could still be my internet provider doing shenanigans.

Can you collect packet captures on your side, so we can compare where those RST packets are injected?

Note also, that forums.ubports.com is currently broken when running via a IPv6 connection. Maybe your browser's Happy Eyeballs implementation hides the problem from you, but with a HTTPS proxy currently any connection attempts time out for me.

cheers,

Dave