CopperheadOS: Verified Boot limitations

December 24, 2018 ~ hucktech ~ Leave a comment

CopperheadOS appears to becoming active again. There is — AFAICT — a new document on Verified Boot security.

https://copperhead.co/android/docs/verified_boot_limitations

SecurePhones.net

October 25, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/tag/copperheados/

I just noticed a new web site show up in my daily searches:

https://securephones.net/

Securephones official distributor of Copperhead OS for Europe and Russia

CopperheadOS: rebooting

August 24, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/07/12/copperheados-continuing-with-new-team/

Sources for #CopperheadOS have been posted back on Github: https://t.co/GiXEccnx9E

— CopperheadOS (@CopperheadOS) August 24, 2018

https://github.com/copperheados

There’re also a series of tweets to show the current perspective of open source software (”source-available software’):

Common Clause is an interesting advancement for source-available software. It may not be the final conclusive piece for helping OSS developers/companies sustain themselves but at lteast it's a step forward.

— CopperheadOS (@CopperheadOS) August 22, 2018

The Open Source community should be concerned with developer/company sustainability first and hard-lining ethics second. Code can always be opened down the road.

— CopperheadOS (@CopperheadOS) August 22, 2018

When debating the intricacies of OSS business models the overarching question should always be: what keeps this product or project sustainable.

— CopperheadOS (@CopperheadOS) August 22, 2018

A fundamental truth for sustaining OSS vs licensing is that companies have an easier time purchasing software licenses rather than donating. Donations are hardly a way to sustain a OSS product – we know.

— CopperheadOS (@CopperheadOS) August 22, 2018

AndroidHardening’s Auditor app for Android

August 12, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/06/13/copperheados-and-androidhardening-project/

Initial release of my Auditor app as an independent project: https://t.co/0WOHiy68S2. It's also available on the Play Store as a free app: https://t.co/q8h8G9d3kL.

It provides hardware-based integrity and identity verification for a gradually expanding set of supported devices.

— DanielMicay (@DanielMicay) August 11, 2018

Hardware-based attestation app for select Android devices. It can do either local verification with another Android device via QR code or scheduled server-based verification. It primarily relies on Trust On First Use using the hardware-backed keystore and key attestation. The initial unpaired verification relies on key attestation root.

https://github.com/AndroidHardening/Auditor/releases/tag/1

https://github.com/AndroidHardening/Auditor

https://play.google.com/store/apps/details?id=app.attestation.auditor

CopperheadOS: continuing with new team

July 12, 2018 ~ hucktech ~ 1 Comment

Re: https://firmwaresecurity.com/2018/06/04/copperheados-company-problems/ and https://firmwaresecurity.com/2018/06/21/canebrakeos-based-on-copperheados/

it looks like CopperheadOS is continuing:

#CopperheadOS will be:

1) Continuing with contingency plans for our customers. No more SPOF.

2) Keeping our original licensing – free for personal use, non-commercial requires licensing agreement

3) Source code will be available on Github soon, though we may move platforms.

— CopperheadOS (@CopperheadOS) July 11, 2018

Copperhead's new team have successfully patched all builds with July's update and will be providing them to our customers shortly.

— CopperheadOS (@CopperheadOS) July 11, 2018

This is unequivocally false. #CopperheadOS will be continuing with proper contingency plans for our customers. https://t.co/i0WWhjIXQG

— CopperheadOS (@CopperheadOS) July 11, 2018

#CopperheadOS source code will be added back on Github in due time. We have some house cleaning to do.

— CopperheadOS (@CopperheadOS) July 11, 2018

https://copperhead.co/android/

https://github.com/copperheados

CanebrakeOS: based on CopperheadOS

June 21, 2018 ~ hucktech ~ Leave a comment

https://github.com/CanebrakeOS

CanebrakeOS from CopperheadOS

Comment from discussion .

CopperheadOS and AndroidHardening project

June 13, 2018 ~ hucktech ~ 1 Comment

Re: https://firmwaresecurity.com/2018/06/04/copperheados-company-problems/

https://twitter.com/DanielMicay/status/1006662420700499969

https://twitter.com/DanielMicay/status/1006665999184285697

https://github.com/AndroidHardening

CopperheadOS company problems

June 4, 2018 ~ hucktech ~ 2 Comments

https://twitter.com/danielmicay/status/1003704234263511040

https://twitter.com/danielmicay/status/1003704704814026753

https://twitter.com/danielmicay/status/1003705802270445573

https://copperhead.co/android/
https://github.com/copperhead

copperheadOS: Samsung missing security features needed for Android Verified Boot

April 14, 2018 ~ hucktech ~ Leave a comment

Tweets from CopperheadOS, a security-centric Android-based distribution, are a good source of Android security news, since they’re stretching the boundaries of the open source android release.

Samsung Galaxy S9 / S9+ is missing hardware-backed key rollback resistance, per-profile encryption keys (lacks file-based encryption), A/B updates and Android Verified Boot 2.0.

It's very telling that anything Google doesn't make into a hard requirement doesn't get implemented.

— CopperheadOS (@CopperheadOS) April 12, 2018

CopperheadOS on Android Verified Boot 2.0 docs

January 31, 2018 ~ hucktech ~ Leave a comment

Documentation on using AVB (Android Verified Boot 2.0) on the Pixel 2 landed with some modifications:https://t.co/RBTcHinewf https://t.co/oFO4dnxhJ1

No longer need to find the flash handler for 'fastboot flash avb_custom_key' in the bootloader disassembly to make use of it…

— CopperheadOS (@CopperheadOS) January 12, 2018

https://android.googlesource.com/platform/external/avb/#device-specific-notes

Here's the pull request documenting it to make this far easier to the next person trying to figure it out: https://t.co/9O3dD93vtk.

— CopperheadOS (@CopperheadOS) January 6, 2018

https://android-review.googlesource.com/c/platform/external/avb/+/582100

CopperheadOS: business model concerns

November 15, 2017 ~ hucktech ~ Leave a comment

CopperheadOS is “A security and privacy focused mobile operating system compatible with Android apps.“.

It appears the company is having problems trying to monetize an open sourced operating system. I hope they can solve things, they’re doing interesting security things with Android.

https://t.co/OUf86TcH7Y Since they built illegitimate businesses on the *official releases*, it doesn't matter that any checks we implement will be open source code…

— CopperheadOS (@CopperheadOS) November 14, 2017

Users on devices that were sold illegally will be able to contact us to purchase a commercial license to have the device whitelisted. Many of these devices will have been sold with potentially malicious apps / device managers installed and we'll be able to help with that too.

— CopperheadOS (@CopperheadOS) November 14, 2017

https://t.co/h8hjRbvOT5

No, they steal our work and use it against the terms of the licensing forbidding commercial usage. They download our Nexus releases, flash them onto phones, add their apps and sell them to organized crime.

Why should we keep offering downloads for them?

— CopperheadOS (@CopperheadOS) November 12, 2017

They can take our sources and even our unaltered releases and sell refurbished phones as new to organized crime. Our license forbids it and we're willing to enforce that in court but they have bigger legal issues than us.

It's not possible to expect people to act in good faith.

— CopperheadOS (@CopperheadOS) November 12, 2017

The only thing we're committed to doing is honoring our update / support commitments to customers. We're not locked into doing this for the rest of our lives if we decide it's not working out and the way we do it is in flux and needs to change based on what does and doesn't work.

— CopperheadOS (@CopperheadOS) November 12, 2017

Giving everything away for free under permissive licensing wasn't ever going to work out.

Our expectation of being able to make money on support and custom work on open source software was extremely far from the mark.

Rather than giving up, we've kept adapting to keep on going.

— CopperheadOS (@CopperheadOS) November 12, 2017

We've enabled over-the-air updates again to avoid impacting our remaining customers on Nexus devices and other legitimate users. However, downloads on the site will no longer be available and we'll be making changes to the update client for Nexus devices. https://t.co/jJTI6fpy5b

— CopperheadOS (@CopperheadOS) November 11, 2017

https://copperhead.co/android/
https://github.com/copperheados/

Copperhead OS blocked by missing Google Nexus blobs

January 16, 2016 ~ hucktech ~ Leave a comment

Copperhead OS is a hardened verison of Android, including PaX and other security features beyond ASOP, mainly targetting Google Nexus devices. It appears they’re having some problems with availability of ASOP blobs from Google on some new Nexus devices:

Support for the Nexus 5X and Nexus 6P is on hold until Google feels like providing official blobs. Not wasting more time hacking around it.

— CopperheadOS (@CopperheadOS) January 15, 2016

@cipheranthem Support for any new devices is on hold. The Nexus 5X is the next device on the roadmap. It's blocked on Google at the moment.

— CopperheadOS (@CopperheadOS) January 15, 2016

The @googlenexus vendor blobs were never published for the Nexus 5X and Nexus 6P. There's no official way to build AOSP for those devices.

— CopperheadOS (@CopperheadOS) January 15, 2016

The public code for updating the Nexus 5X bootloader is broken. It needs missing edify script functions (lge_bullhead_{update,restore}_gpt).

— CopperheadOS (@CopperheadOS) January 16, 2016

https://copperhead.co/android/
https://copperhead.co/docs/technical_overview
https://github.com/copperheados