OpenVPN works on Ubuntu but not Android – Name Resolution [migrated]

Setup:
Server1 – Primary DNS/Plesk
Server2 – Secondary DNS
Server3 – OpenVPN

On my local computer running Ubuntu 20.04 I can successfully connect to the OpenVPN server and browse any website. My public IP Address shows as the SERVER3 IP Address.

On my Android, I can successfully connect to the OpenVPN server but I can only browse websites hosted on Server1. All other websites get the DNS_PROBE_FINISHED_BAD_CONFIG error message. In the OpenVPN app it shows a successful connection and the correct IP Addresses.

I am using the exact same configuration file for both devices. Note, different certificates are used for the connection.

Looking at the syslog on Server1, I see:

client @0x7f79480ea2b0 ANDROID-PUBLIC-IP-ADDRESS#50743 (www.facebook.com): query (cache) 'www.facebook.com/A/IN' denied 

I don’t get these errors when browsing on the Ubuntu box.

My ovpn file:

dev tun
proto tcp
remote SERVER3 IP 443
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
key-direction 1
<certificates are here>

My OpenVPN Config file:

management 127.0.0.1 5555
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh none
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "dhcp-option DNS SERVER1 IP"
push "dhcp-option DNS SERVER2 IP"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 0

Android exploit demos to scare my parents?

I recently discovered that my parents’ android phones have not received security updates for years. When I talked to them I realized that the benefit of software updates is very abstract to them and that they clearly felt like I was overreacting.

I personally really understood the importance of software updates by watching exploit demos at IT conferences. So now I am wondering: Are there such demos aimed at educating everyday users?

I am thinking of something like https://haveibeenpwned.com/ or https://amiunique.org/ but for android.

Remote debugging android app from another computer on different network

Is it possible for Android development to remote debug an app from another network? I am not talking about WebView/Web Pages debugging as stated here, as this page talks about remote debugging a WebView or web pages opened in any app, and also I don’t think it will work if the device and computer are on different networks.

My scenario is that if Device A is connected to Computer A on Wifi A and I want to debug the app running on Device A from Computer B on Wifi B.

There is an option to connect your device using the ADB wireless debugging using TCP-IP, but that requires the device and computer to be on the same network, and in my case the device and computer are on different networks.

Android: How safe is PBKDF2 with a 4 digit pin?

Our Product Manager wants a 4 digit pin for login in our app, obviously for UX reasons, so users don’t have to remember their password each time they log in.

A refresh token can be retrieved from backend to obtain a session token, which has access to the API. On our app, we encrypt the refresh token with AES and PBKDF2. A random salt and IV are generated plus the 4 digit used as password for PBKDF2.

After the encryption, I store the salt, IV and the cipher text base64 encoded in private shared preference.

The encryption code looks like this:

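import android.security.keystore.KeyProperties
import java.security.Key
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

const val CPR_TRANSFORMATION = "AES/CBC/PKCS7Padding"
const val ALGORITHM_TYPE = "PBKDF2WithHmacSHA1"
const val ITERATION_AMOUNT = 12000
const val KEY_SIZE = 256

// Encrypted and encodeBase64() are the app's own helpers (not shown in the post).
private fun encrypt(passCode: String, data: ByteArray): Encrypted { // e.g.: passCode = "0000"
    // Fresh random salt (for PBKDF2) and IV (for AES-CBC) on every encryption
    val salt = ByteArray(256)
    SecureRandom().nextBytes(salt)

    val iv = ByteArray(16)
    SecureRandom().nextBytes(iv)

    val cipher = Cipher.getInstance(CPR_TRANSFORMATION)
    cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(passCode, salt), IvParameterSpec(iv))
    val raw = cipher.doFinal(data)
    return Encrypted(salt.encodeBase64(), iv.encodeBase64(), raw.encodeBase64())
}

// Derives the 256-bit AES key from the PIN and salt with PBKDF2
private fun getSecretKey(passCode: String, salt: ByteArray): Key {
    val pbKeySpec = PBEKeySpec(passCode.toCharArray(), salt, ITERATION_AMOUNT, KEY_SIZE)
    val keyBytes = SecretKeyFactory.getInstance(ALGORITHM_TYPE).generateSecret(pbKeySpec).encoded
    return SecretKeySpec(keyBytes, KeyProperties.KEY_ALGORITHM_AES)
}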

Now my question is: How secure is this implementation?

  • How could an attacker retrieve the refresh token from shared preference and decrypt it?
  • Is the symmetric key inside the secure element?
  • How safe is this implementation against malware or root?
  • How easily can the key be brute forced? (except that user tries 10k times manually to insert the correct pin)
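
A cost estimate for the scheme described in this question, as an added example that is not part of the original post: it reproduces the post's PBKDF2 parameters (HMAC-SHA1, 12000 iterations, 256-bit key, 256-byte salt) with Python's hashlib standing in for Android's SecretKeyFactory, measures one derivation, and scales it to the whole numeric PIN space. The function names and the one-year target are assumptions made for illustration.

```python
import hashlib
import os
import time

# Parameters copied from the Kotlin code in the question.
ITERATIONS = 12000        # ITERATION_AMOUNT
KEY_BYTES = 256 // 8      # KEY_SIZE = 256 bits
SALT_BYTES = 256          # ByteArray(256)


def derive_key(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1, the same primitive as PBKDF2WithHmacSHA1."""
    return hashlib.pbkdf2_hmac("sha1", pin.encode("ascii"), salt, iterations, KEY_BYTES)


def keyspace(digits: int) -> int:
    """Number of distinct numeric PINs of the given length."""
    return 10 ** digits


def seconds_per_derivation(iterations: int = ITERATIONS, samples: int = 5) -> float:
    """Best-of-N wall-clock cost of one derivation on this machine."""
    salt = os.urandom(SALT_BYTES)  # constructed sample salt
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("0000", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def worst_case_search_seconds(digits: int, per_guess: float) -> float:
    """Cost of one derivation per possible PIN; a stored salt only stops precomputation."""
    return keyspace(digits) * per_guess


def per_guess_needed(digits: int, target_seconds: float) -> float:
    """Per-derivation cost required for the full search to take target_seconds."""
    return target_seconds / keyspace(digits)


if __name__ == "__main__":
    cost = seconds_per_derivation()
    print(f"one derivation: {cost * 1000:.1f} ms")
    for digits in (4, 6, 8):
        print(f"{digits} digits: {worst_case_search_seconds(digits, cost):,.0f} s worst case")
    year = 365 * 24 * 3600
    print(f"4 digits, 1-year target: {per_guess_needed(4, year) / 60:.0f} min per unlock")
```

With only 10,000 candidates, stretching alone would need close to an hour per legitimate unlock to push an offline search to a year, which is why PIN-gated secrets are normally bound to a hardware-backed key with attempt limiting rather than to the PIN's entropy.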

Which smartphone is more secure, iPhone or Android?

I need to decide whether or not I will push all of my employees to Apple or Android. Right now we’re about an even split and I’d really like to have them all on one side. It really comes down to which phone is more secure, the new iPhones or new Androids? These phones are only used for email connectivity.

  • What features make one more safe than the other?
  • What vulnerabilities have been seen between these two phones?
  • Which is more security oriented?

How to check if Android app is taking pictures in the background? [migrated]

I have an Android app that I found to be loading Camera in the background. It’s one of the most widely used internet browsers.

I have been trying to debug what is actually happening with LogCat in the Android Device Monitor. A couple of lines that catch my eye:

I/CameraManagerGlobal(24529): getCameraService: Reconnecting to camera service
I/CameraService(331): getCameraCharacteristics: Switching to HAL1 shim implementation...
I/NuPlayer(331): setDataSourceAsync(URL suppressed)
I/CameraClient(331): Opening camera 1
E/QCamera2HWI(331): [KPI Perf] int qcamera::QCamera2HardwareInterface::openCamera(hw_device_t**): E PROFILE_OPEN_CAMERA camera id 1
I/QCameraHalWatchdog(331): Starting Watchdog Thread...
E/mm-camera-intf(331): mm_camera_open: dev name = /dev/video2, cam_idx = 2
D/QCameraParameters(331): int32_t qcamera::QCameraParameters::initDefaultParameters(): supported pic sizes: 1280x960,1280x720,640x480,352x288
D/QCameraParameters(331): int32_t qcamera::QCameraParameters::setNumOfSnapshot(): nBurstNum = 1, nExpnum = 1
I/QCameraHalWatchdog(331): Stopped Watchdog Thread...
I/CameraClient(331): Destroying camera 1
E/QCameraPostProc(331): int32_t qcamera::QCameraPostProcessor::deinit(): Jpeg closed, rc = 0, mJpegClientHandle = 7900

How would I know if a picture is actually taken?

Is this possibly normal behavior to check camera availability?

3rd party (employer’s) app on android phone – what is the risk for an employee?

An employer (someone’s employer) issued an android app and requests that all of the employees install it. During installation the app requests access to all of the phone’s resources and it wouldn’t work if the access is declined.

The official purpose of the app is sending some internal requests concerning work-related stuff. But, who knows, maybe an employer has some additional goals.

What is the risk for employees when installing such an app on a personal phone? What might an employer see on an employee’s phone? Could it see the employee’s location? What files or personal data can it get access to?

What can an employee do to restrict the employer’s access?

The question is not about using a separate phone. A separate phone for each app is not what the question is about. It is about a 3rd party app on a personal phone.

Android phone’s lockscreen PIN disappeared?

I own a ZTE Axon 7 (model 2017G) that I purchased secondhand from a reputable vendor in Germany ca. 3 years ago. The phone has been working well, and I updated the OS to Android 8.0 manually earlier this year using an official image from ZTE.

A severe case of butterfingers affected me yesterday (and I guess today), and I dropped the phone a couple of times (the phone has never been in use without this very good TPU case from this company called Spigen). The last of these drops (today) broke the display. No physical damage, but half the screen is "gone"–it looks like the display pictured here in this iFixit thread but with multicolored dots instead of lines.

I wasn’t too worried about this (hopefully it’s just a loose cable), but then I noticed I was only swiping up to get past the lockscreen. Now here’s the thing: I’ve always used this phone with a 4-digit lockscreen PIN. I can confirm–that as recently as yesterday–my partner and I mentioned the PIN because my phone had died (battery ran too low), and they had to enter the PIN after restarting it; so this isn’t my imagination going wild.

As far as I can tell, nothing else has been affected. All the data still seems to be there, and nothing seems to have been "hacked" (I even briefly texted my partner with the broken screen to let them know that the screen is broken).

I went and checked in the settings, and the lockscreen PIN isn’t active there either as far as I can tell (so it doesn’t seem to be some kind of a glitch). I restarted the phone, and it asked for the PIN as it does normally to authorize the SIM. So it appears the lockscreen PIN has been disabled entirely, but it wasn’t me who disabled it.

How is this even possible? Can the phone being dropped at a weird angle disable the lockscreen PIN? (It sounds ridiculous just even typing that.) How can I check for signs of intrusion on the device (with the broken screen)?

Some "events"/facts that may be of relevance(?):

  • The one other question I have on this SE is about legitimate Google 2FA codes arriving from random numbers. This hadn’t happened in a while, but it happened again on 29.06.2020 (this Monday).
  • I always put my phone next to the bed during the night, and I did so last night. The phone was in another room this morning, however. Neither my partner nor I remember moving it. It is plausible that I moved the phone (I have a mild tendency to sleep walk), but I doubt I would have been able to disable the PIN in my sleep.
  • The phone’s storage is not encrypted.

Can one trust OS and apps from Onyx: app store, modified Android, Onyx Cloud

Onyx Boox is a brand of e-book reader produced by Onyx International Inc, based in China. They have e-book readers based on Android OS. They have features that can violate user privacy or other accounts security:

  1. App store with optimized-for-e-book apps from other app stores: Kindle, Office, Evernote, etc.
  2. Account manager: Dropbox, Evernote, etc.
  3. Option to enable Google Play and other Google services (like Calendar)
  4. Onyx Cloud (sync personal notes, etc.)

So the question is: are there any signs of backdoors or vulnerabilities known about their modified apps or OS itself or other stuff that can lead to user data leaks (like privacy leaks or leaks of sensitive information: like passwords or other data)?