Conversation

Nov 7, 2018

Thanks to sample submissions from users, the next release of my Auditor app will add support for verifying the BlackBerry Key2 BBF100-6, Huawei P20 Pro CLT-L29 and Sony Xperia XZ1 G8341. Device support will be expanded further once more valid samples are submitted via the app.

Show this thread

Previously, every supported device had file-based encryption with the exception of all Samsung devices. The Aquaris X2 Pro and Mi A2 Lite are missing FBE though along with Android Verified Boot 2.0, ro.control_privapp_permissions=enforce, and other sec features just like Samsung.

Mi A2 Lite has trivial leaks of identifying information in system properties like some Samsung phones leaking ro.ap_serial and ro.em.did: ro.ril.miui.imei0, ro.ril.miui.imei1, ro.ril.oem.psno and ro.ril.oem.sno.

Mi A2 Lite is an Android One device but that doesn't appear to mean much beyond having a basic set of rules for updates and higher level changes. It's sad that a very basic device survey without any depth is all that's needed to find serious problems in devices from many vendors.

Support for the moto g(6) hasn't been added to my Auditor app yet despite having a sample from a device running the stock OS and locked bootloader because of a strange issue. It set expiry to the Unix epoch for the attestation certificate when no expiry was supposed to be set.

This Tweet was deleted by the Tweet author. Learn more

GitHub Gist: instantly share code, notes, and snippets.

Nov 10, 2018

It seems the moto g(6) has a broken keystore implementation. The same problem occurred again with the new sample. You can see here that the attestation certificate expires one second before the Unix epoch and claims to have been issued at the Unix epoch:

gist.github.com

moto g(6) attestation

Replying to