Security of data and passwords when phone is lost/stolen

Hi,

I'm in the process of setting up a Google Nexus 5 with ubports for somebody else. And I keep wondering, what are the security implications of running ubports on a device with unlocked boot-loader?

In case the phone is lost or stolen, will any new "owner" of the device be able to access the WiFi passwords, IMAP passwords and all data, photos etc. stored on the phone by just connecting USB cable and running adb/fastboot to dump the flash?

Are passwords stored on the device encrypted with the unlock passcode?

What precautions can/should be done to secure the data on a phone running ubports?

Thanks for any insights,
cheers,

Dave

Hi,

I sort of start feeling old, trying to participate in UBports: An open source project without a mailing list and without IRC channel does not really integrate with the modes of communication I'm used to use.

Just tried to make a telegram account (via web.telegram.org), however it needs a phone number, and (one of my) "landline" SIP-based phone numbers is not accepted ("incorrect phone number"). I'm not really willing to give my cell phone number to an untrusted 3rd party to participate in an open-source project. I mean, if I were, then I probably would just be using Google Android and not bothering with UBports, would I ?

So I guess I'll have to stay at the outside for now.

cheers,

Dave

Hi,

just to give some more data point: ordered a BQ M10 FHD Ubuntu Edition tablet, arrived yesterday. Installed ubports-installer on a Ubuntu 17.10 linux PC. Tablet initially not detected by the installer, but after setting developer mode, some reboots, trying a different USB port, and manually running "adb" to list connected devices, it "suddenly" started working (hat no prior experience with adb, never used it before).

After detection, installation just completed flawlessly (I configured it to wipe the tablet during installation).

So for now very happy with the device and the software. Next step will be to install some ubuntu desktop applications using the information found here:

https://docs.ubports.com/en/latest/userguide/dailyuse/libertine.html

Anybody here knows which libertine container types are supported by ubuntu 15.04r3 on BQ M10 FHD?

Looking forward to replacing my aging firefox-os phone with some new phone running ubports.

cheers,

Dave

Just to document some findings, in case somebody is looking for the same answer: This is how I am using and "integrating" normal Ubuntu and other 3rd-party applications into the launcher:

Creating a libertine image, as documented here.
Example:

libertine-container-manager create -i legacy -n "Legacy"
libertine-container-manager install-package -i legacy -p gnome-terminal
libertine-container-manager install-package -i legacy -p openjdk-8-jre

Now from the OpenStore install package "Desktop Apps". Enable the "Desktop Apps" scope in the launcher. Now swiping left on the Launcher should bring up the "Desktop Apps" scope. After running the commands above it lists just two items: "OpenJDK Java 8 Policy Tool" and "Terminal" . To add other custom launchers (for example to launch some manually installed Java GUI application), you can add more items to the Desktop Apps by creating files inside the libertine container at /usr/share/applications/*.desktop.

Example:

libertine-container-manager install-package -i legacy -p joe
libertine-container-manager install-package -i legacy -p vim
libertine-launch -i legacy  /bin/bash
cp /usr/share/applictions/terminal.desktop /usr/share/applictions/myapp.desktop
joe /usr/share/applications/myapp.desktop

For example to launch a java application installed in /home/phablet/.local/share/libertine-container/user-data/legacy/myapp.jar , edit myapp.desktop and change the line

Exec=/usr/bin/java -jar /home/phablet/myapp.jar

(Note how the container's directory /home/phablet corresponds to the absolute path /home/phablet/.local/share/libertine-container/user-data/legacy/myapp.jar when accessed outside the container)

Dave

Hi @advocatux ,

I ran into the same "signature error", attempting to update my Aquaris 10 FHD tablet. As I don't mind breaking the tablet (as opposed to my phone), I just attempted to upgrade using the development channel, which worked (i.e. no signature error), then once that was running switched back to the stable image, and this time no signature error as well.

Working nicely now, no problems, some bugs I encountered with 15.04 seem to be fixed with that release. Very happy. Will attempt the same procedure on my phone.

Dave

@magnargj See also this topic that I just created:

https://forums.ubports.com/topic/10388/volla-phone-22-replacing-a-broken-display

I contacted Volla directly via their website's contact form and they offered to sell me a screen. Though I'm now waiting for roughly a week for them to reply to my last email, following up on my request to actually place the order.

Also I asked in one of the shops that are listed as Gigaset service partners here:

https://phone-service.de/gigaset/

and they appear to be able to repair the Volla 22 phone, as that is the same (?) hardware as the Gigaset GS5. Though there is still the question whether the latest ubports firmware is recent enough to support the newer screens which appear to require newer driver support compared to the stock screens (see the new thread that I linked above).

Unfortunately I cannot copy-paste the lengthly error message shown in the "Yikes!" message window. Attempting to (partially) transcribe it here:

Error: unhandled rejection [..] promise [..] Fetch Error: request to https://ubports.open-cuts.org/graphql failed, reason: Hostname/IP does not match certificate's altnames: Host: ubports.open-cuts.org is not in the cert's altname: DNS: *.wpmudev.host, DNS:wpmudev.host

(I merely wanted to report that the installation passed flaw-lessly, when the act of reporting that fact triggered the "Yikes!" modal)

@chris_bavaria said in One method to encrypt /home/phablet:

Has anyone experienced similar issues with OT-5 or knows of a more reliable way to restart LightDM without the screen staying black? Any help or tips would be greatly appreciated!

Thanks in advance!

I've always been using an encrypted home setup similar to what you are trying with my Volla 22 on OTA-4. I'm using the below restart sequence after remounting /home.

RUN THE BELOW CODE AT YOUR OWN RISK, AND ONLY IF YOU FULLY UNDERSTAND IT AND KNOW WHAT YOU ARE DOING. YOU MAY e.g. BRICK YOUR PHONE OR LOOSE DATA. ABSOLUTELY NO WARRANTY.

for i in \
    dconf-service \
    media-hub-server \
    history-daemon \
    address-book-service \
    evolution-addressbook-factory \
    evolution-calendar-factory \
    evolution-source-registry \
    gnome-keyring-daemon \
    mpris-proxy \
    mission-control ; do
    su phablet -c "killall $i" || true
done

pid="$(cat /var/run/lightdm.pid)"
sudo kill $pid

edit sept. 17: I think the above script snippet needs to be modified to include media-hub-server in the list of services to restart. Otherwise passing data between applications fails after remounting /home/phablet (and restart of lightdm). E.g. configuring a background image by selecting a photo in the gallery.

It used to be much simpler on 16.04.

That said, I'd really like for ubports to have a better integrated support for encryption.

Also note that nowadays ext4 filesystem natively supports per-directory encryption which may allow a more efficient and better integrated way to encrypt /home. This github project has more details. I'm using Ubuntu's fscrypt package on a Ubuntu laptop to add another layer of encryption between different users.

I managed to break the display on my Volla Phone 22. Now there are replacement screens, but the repair shop advised me that I need at least Android 12 for the new screen to be supported.

Here in the ubports forums, there was this related discussion, about new replacement screens requiring Halium 12:

https://forums.ubports.com/topic/9149/screen-replacement-on-volla-phone-22

At that time (July 2023) the latest ubports firmware was still based on Halium 11 so the replacement screens would not work.

Has this changed in the mean time? I.e. is the latest ubports firmware (20.04 OTA-4) already based on Halium 12?

thanks for any info,

cheers,

Dave

@Dave said in UBports firmware for device "Volla Phone 22 with new display (mimameid_h12)" does not boot when using the "stable" or "rc" channels.:

Installing the 20.04/devel channel does infact result in a booting Phone!!

I now did run 20.04/devel mimameid_h12 firmware (r766, build date 2024/09/07) for over a week. It mostly works, but I did run into occasional problems:

Problems Encountered

• telephony sometimes gets stuck in a state, where phone-calls do not have any audio into neither direction. this could not be fixed by toggeling flight-mode on/off, only a full reboot helped. I haven't yet found out what triggers this. For me this happens on average after a few phone calls.
• I had an SMS problem once, where after sending an SMS, it spun endlessly, then after a few minutes the transmitted SMS was marked as "failed" (I'm running the Japanese locale, it said 失敗 in red below the SMS).
• keeping cellular data connected all the time. however, when not having used internet in a while, starting the morph-browser it errs out with "err_disconnected" or similar. toggling cellular data on/off fixes the issue.
• recording video via the photo app does not work at all. the photo app just gets stuck, when trying to record a video. taking photos works, though.

What did work

• GPS did work when I tested it once (using uNav)
• wifi connects without problems here (5 GHz network)
• web browsing appears stable via cellular data and wifi
• no crashes encountered so far
• battery usage appears to be good to me

Not tested yet

• bluetooth

Also note that nowadays ext4 filesystem natively supports per-directory encryption which may allow a more efficient and better integrated way to encrypt /home.

replying to myself: this is called filesystem-based encryption. Here is the relevant documentation for the part living inside the Linux kernel.

Appears that Android nowadays also uses this for providing user-data encryption (albeit with a different user-space tooling).

As this allows very fine-grained encryption of specific directories only, it may be easier to integrate with LightDM, i.e. maybe not requiring a full restart of LightDM after unlocking just some of the more privacy-relevant directories.

Both recent LUKS versions and fscrypt userspace can process the disk encryption password via Argon 2. If you choose sufficiently CPU-intensive parameters for Argon 2 (e.g. multi-second execution time, 4 CPU threads, 512 MB of RAM), then even a password with 40 bits of entropy will be very costly to break using a GPU based brute-force atttack.

If one believes the (pretty outdated) claims on the argon2-gpu gitlab page, then the Argon2 settings that I use with LUKS on my Volla22:

	PBKDF:      argon2id
	Time cost:  12
	Memory:     500000
	Threads:    4

only allow for roughly 8 password attempts per seconds when brute-forcing on a NVIDIA Tesla K20X. That's only 2^28 password attempts per year and GPU!?

Note that Argon2 support in LUKS is not available on the older 16.04 version of UBports, you need 20.04 (focal).

@RandomUser said in Which useragent uses Ubuntu Touch?:

Most will think you're running Android because they're either lazy, incompetent, or ignorant.

That's actually quite a problem for me. I'm using a web-based audiobook store, and while it works on my PC with Firefox, it refuses to work on my Volla phone. On the Volla phone, the website refuses to let me use the web-based player and tells me to get the Android App.

There is this some "desktop mode" setting in the Morph browser, but I think that didn't even help.

Googeling for the issue, I find various morph-browser github issues relating to the user agent setting. But that was never rolled out?

https://github.com/ubports/morph-browser/issues/324
https://github.com/ubports/morph-browser/pull/368

Does any of the alternate browsers in the Open Store help here?

@oya-g said in Japanese!!:

Channel Update → 20.04Development has Japanese. My device is Pixel3a, so it is 4G compatible.

The "development" channel is maybe not meant for day-to-day use, as it may be buggy and/or unstable. So really looking forward to japanese support arriving in stable.

Note that even with a 4G compatible phone, you will not be able to do any phone calls inside japan, as the 4G protocol stack does not by itself support telephony. It only supports data.

For telephony, you need VoLTE support, which is quite a messy affair, as it requires various firmware and software components to cooperate properly for calls to be routed over the 4G data layer (i.e. as VoIP call). UBports does not support that currently.

Installing the 20.04/devel channel does infact result in a booting Phone!!

This is the installer output for the 20.04/devel install:

info: UBports Installer restarting...
info: device selected: mimameid_h12
info: Installing Ubuntu Touch on your Volla Phone 22 with new display (mimameid_h12)
info: configuring...
info: settings: {"bootstrap":true,"channel":"20.04/arm64/android9plus/devel"}
info: Downloading 10 files
info: Downloaded file 1 of 10
info: Downloaded file 2 of 10
info: Downloaded file 3 of 10
info: Downloaded file 4 of 10
info: Downloaded file 5 of 10
info: Downloaded file 6 of 10
info: Downloaded file 7 of 10
info: Downloaded file 8 of 10
info: Downloaded file 9 of 10
info: Downloaded file 10 of 10
info: All done! Your device will now reboot and complete the installation. Enjoy exploring Ubuntu Touch!

So is it a good idea to run 20.04/devel on Volla 22 phone for daily productive use?

Now I wonder about the expected timeframe for those magic changes in "devel" to trickle down into a "stable" release to use on my Volla phone...

cheers,

Dave

The above installation used the "20.04/stable" channel.

Doing the install with the "20.04/rc" channel, results in the same stuck boot problem. For reference, this is the terminal log output when installing the 20.04/rc channel:

info: Welcome to the UBports Installer version 0.10.0!
[4470:0907/222034.679356:ERROR:object_proxy.cc(622)] Failed to call method: org.freedesktop.DBus.StartServiceByName: object_path= /org/freedesktop/DBus: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
info: device detected: k69v1_64_k419
warn: The device k69v1_64_k419 is not supported!
info: device selected: mimameid_h12
info: Installing Ubuntu Touch on your Volla Phone 22 with new display (mimameid_h12)
info: configuring...
info: settings: {"bootstrap":true,"channel":"20.04/arm64/android9plus/rc"}
info: Downloading 7 files
info: Downloaded file 1 of 7
info: Downloaded file 2 of 7
info: Downloaded file 3 of 7
info: Downloaded file 4 of 7
info: Downloaded file 5 of 7
info: Downloaded file 6 of 7
info: Downloaded file 7 of 7
info: All done! Your device will now reboot and complete the installation. Enjoy exploring Ubuntu Touch!

@Dave said in Japanese!!:

Unfortunately with 20.04 the japanese input keyboard is broken (see this post) and the japanese translation not available any more.

I just installed the "devel" channel firmware of UBports 20.04 on a Volla Phone 22, and it now does offer japanese language localization ("日本語") in the initial configuration wizard (that shows at first boot, as I had the phone fully wiped during installation). What a pleasant surprise!

The firmware version is shown as 20.04 r766. (build date appears to be yesterday).

edit: but the japanese keyboard is still broken. Note that it is only broken "visually". If you still remember how the keyboard worked in UBports 16.04, you can just use it typing "blindly".

Hi,

I had the display on my Volla Phone 22 replaced at a phone repair shop. The new display is not compatible with the stock Volla 22 UBports image, as was pointed out here in the forum. I.e. Android 12 (resp. Halium 12) is required for the new screen to function. Also the phone repair shop warned me about that issue.

The UBports installer offers a corresponding device image called Volla Phone 22 with new display (mimameid_h12) which appears to exist solely for these repaired Volla 22 phones to function again.

I flashed my phone with that image multiple times, even before the display was replaced, and the phone always refused to boot with that firmware image.

The boot just gets stuck at the initial greeter showing volla~~~ in white letters on black screen. Short press of the power button than switches off the phone.

The installation otherwise ran through just as normal. And the phone can be rebooted into the fastboot mode just as usual.

The ubports installer terminal log output shows this:

info: Welcome to the UBports Installer version 0.10.0!
info: device selected: mimameid_h12
info: Installing Ubuntu Touch on your Volla Phone 22 with new display (mimameid_h12)
info: configuring...
info: settings: {"bootstrap":true,"channel":"20.04/arm64/android9plus/stable"}
info: Downloading 7 files
info: Downloaded file 1 of 7
info: Downloaded file 2 of 7
info: Downloaded file 3 of 7
info: Downloaded file 4 of 7
info: Downloaded file 5 of 7
info: Downloaded file 6 of 7
info: Downloaded file 7 of 7
info: All done! Your device will now reboot and complete the installation. Enjoy exploring Ubuntu Touch!

After that final log line, the phone reboots into the installer showing the UBports logo and the "installing system update" text. I.e. so far everything works as usual. That installer screen is then shown for a few more minutes, then the phone reboots again just to be stuck in the volla~~ startup greeter.

Any ideas how to proceed with getting UBports installed onto my repaired phone? Is there any way I can collect more detailed information about that problem? If required I would even borrow my phone to any developers here that know how to debug this kind of issue. In the current state the phone is just a (pretty expensive) "brick" anyways.

cheers,

Dave

The Phone Service Berlin shop today replaced the display of my Volla22 phone. The display appears to work, as far as can be judged by looking at the fastboot screen or recovery image screen, or the installation screen ("installing system image").

However, the installed Volla Phone 22 with new display (mimameid_h12) firmware does not boot. After installation, and whenever I switch on the phone, the phone is stuck in the bootup greeting screen showing volla~~~ in white letters on black screen.

In that stuck state, a short press on the power button just switches off the phone. Is this the Volla phone's boot loader?

Note that this problem cannot be explained by phone damage. Before the screen was replaced, the phone did boot and work "normally" with the standard Volla firmware image. And the same "stuck at boot" problem already happened when installing the "Volla Phone 22 with new display" firmware on the not yet repaired phone. Just at that time I attributed the failing boot to the firmware not being compatible with the old display (see post above).

edit: the phone now booted, after installing the "devel" channel of the Volla Phone 22 with new display (mimameid_h12) firmware.

I also created a dedicated topic for the problems concerning the Volla Phone 22 with new display (mimameid_h12) firmware image:

https://forums.ubports.com/topic/10395/ubports-firmware-for-device-volla-phone-22-with-new-display-mimameid_h12-does-not-boot

@chris_bavaria said in One method to encrypt /home/phablet:

Has anyone experienced similar issues with OT-5 or knows of a more reliable way to restart LightDM without the screen staying black? Any help or tips would be greatly appreciated!

Thanks in advance!

I've always been using an encrypted home setup similar to what you are trying with my Volla 22 on OTA-4. I'm using the below restart sequence after remounting /home.

RUN THE BELOW CODE AT YOUR OWN RISK, AND ONLY IF YOU FULLY UNDERSTAND IT AND KNOW WHAT YOU ARE DOING. YOU MAY e.g. BRICK YOUR PHONE OR LOOSE DATA. ABSOLUTELY NO WARRANTY.

for i in \
    dconf-service \
    media-hub-server \
    history-daemon \
    address-book-service \
    evolution-addressbook-factory \
    evolution-calendar-factory \
    evolution-source-registry \
    gnome-keyring-daemon \
    mpris-proxy \
    mission-control ; do
    su phablet -c "killall $i" || true
done

pid="$(cat /var/run/lightdm.pid)"
sudo kill $pid

edit sept. 17: I think the above script snippet needs to be modified to include media-hub-server in the list of services to restart. Otherwise passing data between applications fails after remounting /home/phablet (and restart of lightdm). E.g. configuring a background image by selecting a photo in the gallery.

It used to be much simpler on 16.04.

That said, I'd really like for ubports to have a better integrated support for encryption.

Also note that nowadays ext4 filesystem natively supports per-directory encryption which may allow a more efficient and better integrated way to encrypt /home. This github project has more details. I'm using Ubuntu's fscrypt package on a Ubuntu laptop to add another layer of encryption between different users.