Uncategorized

copperheadOS: Samsung missing security features needed for Android Verified Boot

Tweets from CopperheadOS, a security-centric Android-based distribution, are a good source of Android security news, since they’re stretching the boundaries of the open source android release.

Samsung Galaxy S9 / S9+ is missing hardware-backed key rollback resistance, per-profile encryption keys (lacks file-based encryption), A/B updates and Android Verified Boot 2.0.

It's very telling that anything Google doesn't make into a hard requirement doesn't get implemented.

— CopperheadOS (@CopperheadOS) April 12, 2018

Uncategorized

CopperheadOS on Android Verified Boot 2.0 docs

Documentation on using AVB (Android Verified Boot 2.0) on the Pixel 2 landed with some modifications:https://t.co/RBTcHinewf https://t.co/oFO4dnxhJ1

No longer need to find the flash handler for 'fastboot flash avb_custom_key' in the bootloader disassembly to make use of it…

— CopperheadOS (@CopperheadOS) January 12, 2018

https://android.googlesource.com/platform/external/avb/#device-specific-notes

Here's the pull request documenting it to make this far easier to the next person trying to figure it out: https://t.co/9O3dD93vtk.

— CopperheadOS (@CopperheadOS) January 6, 2018

https://android-review.googlesource.com/c/platform/external/avb/+/582100

Uncategorized

CopperheadOS: business model concerns

CopperheadOS is “A security and privacy focused mobile operating system compatible with Android apps.“.

It appears the company is having problems trying to monetize an open sourced operating system. I hope they can solve things, they’re doing interesting security things with Android.

https://t.co/OUf86TcH7Y Since they built illegitimate businesses on the *official releases*, it doesn't matter that any checks we implement will be open source code…

— CopperheadOS (@CopperheadOS) November 14, 2017

Users on devices that were sold illegally will be able to contact us to purchase a commercial license to have the device whitelisted. Many of these devices will have been sold with potentially malicious apps / device managers installed and we'll be able to help with that too.

— CopperheadOS (@CopperheadOS) November 14, 2017

https://t.co/h8hjRbvOT5

No, they steal our work and use it against the terms of the licensing forbidding commercial usage. They download our Nexus releases, flash them onto phones, add their apps and sell them to organized crime.

Why should we keep offering downloads for them?

— CopperheadOS (@CopperheadOS) November 12, 2017

They can take our sources and even our unaltered releases and sell refurbished phones as new to organized crime. Our license forbids it and we're willing to enforce that in court but they have bigger legal issues than us.

It's not possible to expect people to act in good faith.

— CopperheadOS (@CopperheadOS) November 12, 2017

The only thing we're committed to doing is honoring our update / support commitments to customers. We're not locked into doing this for the rest of our lives if we decide it's not working out and the way we do it is in flux and needs to change based on what does and doesn't work.

— CopperheadOS (@CopperheadOS) November 12, 2017

Giving everything away for free under permissive licensing wasn't ever going to work out.

Our expectation of being able to make money on support and custom work on open source software was extremely far from the mark.

Rather than giving up, we've kept adapting to keep on going.

— CopperheadOS (@CopperheadOS) November 12, 2017

We've enabled over-the-air updates again to avoid impacting our remaining customers on Nexus devices and other legitimate users. However, downloads on the site will no longer be available and we'll be making changes to the update client for Nexus devices. https://t.co/jJTI6fpy5b

— CopperheadOS (@CopperheadOS) November 11, 2017

https://copperhead.co/android/
https://github.com/copperheados/

Uncategorized

Copperhead OS blocked by missing Google Nexus blobs

Copperhead OS is a hardened verison of Android, including PaX and other security features beyond ASOP, mainly targetting Google Nexus devices. It appears they’re having some problems with availability of ASOP blobs from Google on some new Nexus devices:

Support for the Nexus 5X and Nexus 6P is on hold until Google feels like providing official blobs. Not wasting more time hacking around it.

— Copperhead (@CopperheadSec) January 15, 2016

@cipheranthem Support for any new devices is on hold. The Nexus 5X is the next device on the roadmap. It's blocked on Google at the moment.

— Copperhead (@CopperheadSec) January 15, 2016

The @googlenexus vendor blobs were never published for the Nexus 5X and Nexus 6P. There's no official way to build AOSP for those devices.

— Copperhead (@CopperheadSec) January 15, 2016

The public code for updating the Nexus 5X bootloader is broken. It needs missing edify script functions (lge_bullhead_{update,restore}_gpt).

— Copperhead (@CopperheadSec) January 16, 2016

https://copperhead.co/android/
https://copperhead.co/docs/technical_overview
https://github.com/copperheados

Firmware Security

Hastily-written news/info on the firmware security/development communities, sorry for the typos.

Tag Archives: CopperheadOS

copperheadOS: Samsung missing security features needed for Android Verified Boot

CopperheadOS on Android Verified Boot 2.0 docs

CopperheadOS: business model concerns

Copperhead OS blocked by missing Google Nexus blobs