Security
This page provides a list of security-related tweaks and tips.
Information on how to use a VPN and increasing your privacy by configuring your network can be found on the networking page.
Using SSH with a key instead of password
When you have SSH enabled on your phone, it is a good idea to use key-based authentication instead of password-based authentication. This is especially true in the case of numerical passwords only!
On your Mobian phone, install openssh-server:
sudo apt install openssh-server
If you don't already have a private/public key pair on the device you want to access the phone from (say your desktop or laptop), first generate one. Assuming you're using Linux or something similarly Unix-compatible:
ssh-keygen -t ed25519
You should probably secure your key with a password. Now copy your public key to the phone. Again assuming Linux or similar, and that the phone is accessible using the name mobian on your local network:
ssh-copy-id mobian@mobian
Check the man pages for the commands if you want to know more about the options. If you are using PuTTY then the process will be somewhat different.
You should now be able to log in via SSH using the key rather than the password for the user on the phone. If you specified a password for the key you will be asked for that password.
Once you know login works with the key, you can change the sshd configuration on the phone to disable access using the phone user's password, and optionally change the port it listens on. Search for PasswordAuthentication in /etc/ssh/sshd_config and change it to PasswordAuthentication no.
Or run this command:
sudo sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
Also it's good to use an uncommon port for SSH to reduce noise and battery usage caused by SSH scanners on the Internet.
sudo sed -i "s/#Port 22/Port 45673/" /etc/ssh/sshd_config
Change 45673 to any port that isn't already being used. Note that you will have to specify this port when connecting to the phone via ssh in future, usually with the -p option.
Finally, restart sshd on the phone so that it uses the settings you just changed:
sudo systemctl restart sshd
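The two sed commands above only match the commented-out default lines, so they change nothing if the file was already edited. As an added example (not part of the original page), the script below applies the same substitutions to constructed sample files and reports the value sshd would use; the function names and sample contents are assumptions, and Include'd drop-in files are not followed.

```shell
#!/bin/sh
# sshd keeps the first value it reads for a keyword, so print the first
# uncommented setting found before any "Match" block, or DEFAULT if unset.
sshd_option() {   # usage: sshd_option FILE KEYWORD DEFAULT
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        NF == 0 || $1 ~ /^#/   { next }             # blank lines, comments
        tolower($1) == "match" { exit }             # global section ends
        tolower($1) == want    { val = $2; exit }   # first occurrence wins
        END { print (val != "" ? val : def) }
    ' "$1"
}

# Apply the two sed substitutions from this page to FILE (use a copy).
apply_page_edits() {
    sed -e 's/#PasswordAuthentication yes/PasswordAuthentication no/' \
        -e 's/#Port 22/Port 45673/' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Succeed only if password logins are disabled in FILE.
check_hardened() {
    if [ "$(sshd_option "$1" PasswordAuthentication yes)" = "no" ]; then
        echo "$1: password login off, port $(sshd_option "$1" Port 22)"
    else
        echo "$1: password login still enabled" >&2
        return 1
    fi
}

# Constructed sample files (hypothetical, not real configurations):
# "stock" has the commented defaults, "edited" was changed by hand earlier.
tmp=$(mktemp -d)
printf '%s\n' '#Port 22' '#PasswordAuthentication yes' > "$tmp/stock"
printf '%s\n' 'Port 22' 'PasswordAuthentication yes' > "$tmp/edited"

for f in "$tmp/stock" "$tmp/edited"; do
    apply_page_edits "$f"
    check_hardened "$f" || true
done
```

On the phone itself, sudo sshd -T prints the effective configuration and is the authoritative check.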
Extra note:
If you have secured your SSH key with a password and don't want to retype the password every time you reconnect with SSH, you can run:
eval $(ssh-agent)
ssh-add
Now you should not be prompted to enter your password (as long as you are running ssh from the same environment/terminal).
Disk encryption
Disk encryption is currently available through the Mobian Installer. This image can be found in the installer directory of the download page for your device.
For the PinePhone for example, this is https://images.mobian-project.org/pinephone/installer/.
Encrypted /home partition
The following method uses a keyfile which will be stored on disk, so it is strongly recommended to only use it in conjunction with an encrypted rootfs.
1. Copy the contents of your home directory with: sudo mkdir /tmp/mobian && sudo rsync -avz /home/mobian/ /tmp/mobian/
2. Ensure your sdcard has a single ext4 (or f2fs) partition
3. Encrypt your sdcard (WILL ERASE ALL DATA): sudo cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/mmcblk0p1
4. Unlock the new encrypted partition: sudo cryptsetup luksOpen /dev/mmcblk0p1 home_crypt
5. Format the unlocked partition with ext4 (or f2fs): sudo mkfs.ext4 -m 0 /dev/mapper/home_crypt
6. Generate the keyfile which will automatically unlock the partition: sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4 && sudo chmod 0400 /root/keyfile
7. Add the keyfile to the LUKS partition: sudo cryptsetup luksAddKey /dev/mmcblk0p1 /root/keyfile
8. A UUID is more specific than the block device name, so run sudo blkid /dev/mmcblk0p1 and copy the UUID
9. In /etc/crypttab add the following line: home_crypt /dev/disk/by-uuid/{PASTE UUID HERE} /root/keyfile luks,timeout=30
10. Add the line to /etc/fstab: /dev/mapper/home_crypt /home ext4 defaults 0 2 (if you formatted it as f2fs, replace ext4 with f2fs)
11. Mount the partition: sudo mount -t ext4 /dev/mapper/home_crypt /home
12. Copy the contents of /tmp/mobian (original home dir data): sudo rsync -avz /tmp/mobian /home/ (trailing slashes must be exactly as written)
13. Reboot (Upon verified success, delete /tmp/mobian)
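Before the reboot in step 13 it is worth checking that the crypttab entry, the keyfile and the fstab entry agree, because a mistake there can stop /home from being unlocked or mounted at boot. The check below is an added example, not part of the original page; the function name, the sample files and the UUID in them are constructed, and it assumes keyfile-based entries like the one in step 9.

```shell
#!/bin/sh
# usage: check_home_crypt CRYPTTAB FSTAB
# Prints one line per finding and returns 1 if there is any.
check_home_crypt() {
    bad=0
    # crypttab columns: mapping name, source device, keyfile, options
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        case $dev in
            UUID=*|/dev/disk/by-uuid/*) ;;
            *) echo "$name: source $dev is not referenced by UUID"; bad=1 ;;
        esac
        if [ ! -f "$key" ]; then
            echo "$name: keyfile $key is missing"; bad=1
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "$name: keyfile $key is accessible to group or others"; bad=1
        fi
        # fstab must mount the unlocked mapper device, not the raw partition
        grep -Eq "^/dev/mapper/$name[[:space:]]" "$2" ||
            { echo "$name: no /dev/mapper/$name entry in fstab"; bad=1; }
    done < "$1"
    return $bad
}

# Constructed sample files; the UUID and all paths are made up for the demo.
tmp=$(mktemp -d)
uuid=00000000-0000-4000-8000-000000000000
: > "$tmp/keyfile";  chmod 0400 "$tmp/keyfile"
: > "$tmp/loosekey"; chmod 0644 "$tmp/loosekey"
echo "home_crypt /dev/disk/by-uuid/$uuid $tmp/keyfile luks,timeout=30" \
    > "$tmp/crypttab.good"
echo "/dev/mapper/home_crypt /home ext4 defaults 0 2" > "$tmp/fstab.good"
echo "home_crypt /dev/mmcblk0p1 $tmp/loosekey luks,timeout=30" \
    > "$tmp/crypttab.bad"
echo "/dev/mmcblk0p1 /home ext4 defaults 0 2" > "$tmp/fstab.bad"

check_home_crypt "$tmp/crypttab.good" "$tmp/fstab.good" && echo "good: consistent"
check_home_crypt "$tmp/crypttab.bad" "$tmp/fstab.bad" || echo "bad: fix before rebooting"
```

On the phone, run it as root against /etc/crypttab and /etc/fstab, since /root/keyfile is not readable by other users.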
Secure boot
TODO
Daemon sandboxing
Implemented on some system daemons using unit files
Use `sudo systemd-analyze security` to check the current status
Application sandboxing
Application sandboxing can be implemented using either Bubblewrap or Firejail.
Bubblewrap is configured by wrapping the application you want to sandbox in a script which builds the sandbox. Using this method, it is possible to reproduce the isolation provided by Flatpak packages, using only first party Debian packages.
For example, to sandbox Firefox while using the mobile config and providing access to the Downloads folder, the following script could be used:
bwrap \
  --symlink usr/bin /bin \
  --ro-bind /usr/bin/ /usr/bin/ \
  --symlink usr/lib /lib \
  --ro-bind /usr/lib /usr/lib \
  --ro-bind /usr/share/applications /usr/share/applications \
  --ro-bind /usr/share/ca-certificates /usr/share/ca-certificates \
  --ro-bind /usr/share/fonts /usr/share/fonts \
  --ro-bind /usr/share/glib-2.0 /usr/share/glib-2.0 \
  --ro-bind /usr/share/glvnd /usr/share/glvnd \
  --ro-bind /usr/share/icons /usr/share/icons \
  --ro-bind /usr/share/libdrm /usr/share/libdrm \
  --ro-bind /usr/share/mime /usr/share/mime \
  --ro-bind /usr/share/X11/xkb /usr/share/X11/xkb \
  --ro-bind /usr/share/icons /usr/share/icons \
  --ro-bind /usr/share/mime /usr/share/mime \
  --ro-bind /etc/firefox /etc/firefox \
  --ro-bind /etc/firefox-esr /etc/firefox-esr \
  --ro-bind /etc/fonts /etc/fonts \
  --ro-bind /etc/mobile-config-firefox /etc/mobile-config-firefox \
  --ro-bind /etc/resolv.conf /etc/resolv.conf \
  --dir /run/user/"$(id -u)" \
  --ro-bind /run/user/"$(id -u)"/pulse /run/user/"$(id -u)"/pulse \
  --ro-bind /run/user/"$(id -u)"/wayland-0 /run/user/"$(id -u)"/wayland-0 \
  --dev /dev \
  --dev-bind /dev/dri /dev/dri \
  --ro-bind /sys/dev/char /sys/dev/char \
  --proc /proc \
  --tmpfs /tmp \
  --bind /home/mobian/.mozilla /home/mobian/.mozilla \
  --bind /home/mobian/Downloads /home/mobian/Downloads \
  --unshare-all \
  --share-net \
  --hostname RESTRICTED \
  --setenv HOME /home/mobian \
  --setenv GTK_THEME Adwaita:dark \
  --setenv MOZ_ENABLE_WAYLAND 1 \
  --setenv PATH /usr/bin \
  --die-with-parent \
  --new-session \
  /usr/bin/firefox
Firejail
Like Bubblewrap, Firejail sandboxes applications and has a fairly straightforward syntax.
To install: sudo apt install firejail
To wrap an application run:
firejail CommandHere
To check on currently sandboxed applications run:
firejail --list
To set up all applications for sandboxing:
sudo firecfg
To whitelist locations an app is permitted to access, edit the application's Firejail profile in the /etc/firejail directory. Add this line to specify the location for access (such as the Downloads directory):
whitelist /directory/fileStructure
Blacklisting access can be done by adding:
blacklist /directory/fileStructure
To sandbox an application with Firejail when it is launched from its desktop button/icon, edit the application's .desktop file in the /usr/share/applications directory and change the Exec= line to add firejail in front of the full path to the application:
Exec=firejail applicationCommand
Further profile configuration can be accomplished through the Firejail Configuration Tool.
Usbguard
Protects from unauthorized USB devices being connected. Provided optionally by the usbguard package. Not enabled by default.
To install: sudo apt install usbguard
/etc/usbguard/usbguard-daemon.conf is used to configure runtime parameters of the daemon.
/etc/usbguard/rules.conf is used to define policy rules for USB devices.
This example applies policies to any connected USB device and only allows devices that are allowed in /etc/usbguard/rules.conf to operate.
/etc/usbguard/usbguard-daemon.conf:
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
PresentControllerPolicy=keep
InsertedDevicePolicy=apply-policy
AuthorizedDefault=none
RestoreControllerDeviceState=false
DeviceManagerBackend=uevent
IPCAllowedUsers=root
IPCAllowedGroups=root plugdev
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
DeviceRulesWithPort=false
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log
HidePII=false
After installation, rules will be auto-generated for all currently connected USB devices. If you occasionally use other devices like a USB hub, keyboard or mouse, you'll need to plug in all required devices and re-generate policy rules using:
sudo sh -c 'usbguard generate-policy >> /etc/usbguard/rules.conf'
and edit the file to remove duplicates and choose which rules to keep or remove.
Edit /etc/usbguard/rules.conf and simplify the rules for the phone modem.
The auto-generated rule doesn't always match the modem, and it might not be allowed to connect after returning from deep sleep.
Leave only allow, id, serial, name, hash and parent-hash values.
For example:
allow id 2c7c:0125 serial "" name "EG25-G" hash "…" parent-hash "…"
This is important: if you don't do this, the modem might get blocked after waking from sleep, and you lose phone capability. The calls app will say something along the lines of "no voice capable modem found" and you will get a notification about an unknown USB device.
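The simplification described above, as an added example that is not part of the original page: port_bound_ids lists rules that still carry a via-port attribute, and simplify_rule cuts the rule for a given ID back to the attributes named above. The function names, sample rules and placeholder hashes are constructed, and the script assumes the attributes appear in the order shown in the sample.

```shell
#!/bin/sh
# List the vendor:product IDs of allow rules (read from stdin) that are
# still tied to a USB port through a via-port attribute.
port_bound_ids() {
    awk '$1 == "allow" && / via-port / { print $3 }'
}

# For rules matching ID, keep "allow id ... serial ... name ... hash ...
# parent-hash ..." and drop every attribute that follows. Other rules
# pass through unchanged. Reads rules on stdin, writes them to stdout.
simplify_rule() {   # usage: simplify_rule VENDOR:PRODUCT < rules.conf
    keep='allow id [^ ]+ serial "[^"]*" name "[^"]*"'
    keep="$keep hash \"[^\"]*\" parent-hash \"[^\"]*\""
    sed -E "/^allow id $1 /s/^($keep).*/\1/"
}

# Constructed sample rules; the hashes are placeholders, not real values.
sample_rules() {
    cat <<'EOF'
allow id 1d6b:0002 serial "constructed" name "Host Controller" hash "AAAA=" parent-hash "BBBB=" with-interface 09:00:00 with-connect-type ""
allow id 2c7c:0125 serial "" name "EG25-G" hash "CCCC=" parent-hash "DDDD=" via-port "3-1" with-interface { ff:ff:ff ff:00:00 } with-connect-type "unknown"
EOF
}

sample_rules | port_bound_ids                # rules that need attention
sample_rules | simplify_rule 2c7c:0125       # modem rule without the port
```

Write the output to a temporary file and review it before replacing /etc/usbguard/rules.conf.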
Modem-firmware warning: as of 2022-06-17, updating to the (mostly free) modem firmware (https://github.com/Biktorgj/pinephone_modem_sdk) appears to be incompatible with usbguard-1.1.1+ds-4. For example, the rule allow id 18d1:d00d is insufficient to allow access by adb. Hints for recovering modem functionality: completely uninstall usbguard: sudo apt remove usbguard and reboot your main pinephone system.
Troubleshooting:
- Check active rules:
usbguard list-rules
- Examine /var/log/usbguard/usbguard-audit.log
Firewall
By default, Mobian should not be exposing dangerous ports. However, when you install additional packages (umtp-responder, ssh, …) you might want to enable a firewall in order to limit access to the PinePhone. See here how to.
Shuffled Keypad on Login
The keypad on the login screen has a fixed layout by default. If you want to make it harder for an observer to guess your password (by watching your fingers), you can do this by shuffling the keypad.
The setting can be adjusted by running the following command in a shell (gnome-shell, …):
gsettings set sm.puri.phosh.lockscreen shuffle-keypad true
This feature is available in phosh-0.17.0 (or higher).
Trust
Trusting that the programs you download and execute are actually the ones the authors have written is a crucial issue, and there are several steps in the chain from the author's editor to the binary on your device.
To make sure the binary package you download does not contain any backdoors or malware and has not been modified in any other form, the Debian project pushes Reproducible builds, so that a user recompiling a source package ends up with a byte-identical binary package. This is less trivial than it might sound, but it has progressed a lot. See their page for more information on that.
Trusting that no one has modified the package in transport from the Mobian or Debian repository on its way to your device (e.g. a mirror operator, a mobile phone operator, your ISP, a Wi-Fi hotspot operator, or your favorite 3-letter agency) is done by signing all binary packages with a GPG key from either the Debian or the Mobian project. The package manager accepts the binary download and installs it only if the signature matches. This way you can retrieve your updates via insecure means, e.g. over HTTP in a public hotspot, and still be sure you get an unmodified package file.
AppArmor
See https://wiki.debian.org/AppArmor/HowToUse for install and configuration instructions.
DUO Mobile 2FA
Although DUO claims you have to use their Android App to function with it, some smart folks have reverse engineered the protocol here and kop316 has an up to date working version here.
Once you have used this to get credentials, you can export them with `duo-export.py` into your favorite 2FA app.
Packages with privacy issues
Some packages in Debian (and thus mobian) have known privacy issues. Check their list for details.