{"id":5174,"date":"2020-10-28T23:55:52","date_gmt":"2020-10-28T22:55:52","guid":{"rendered":"https:\/\/nethemba.com\/?p=5174"},"modified":"2020-10-29T17:34:33","modified_gmt":"2020-10-29T16:34:33","slug":"ako-si-maximalne-zabezpecit-smartfon","status":"publish","type":"post","link":"https:\/\/nethemba.com\/sk\/ako-si-maximalne-zabezpecit-smartfon\/","title":{"rendered":"Ako si maxim\u00e1lne zabezpe\u010di\u0165 smartf\u00f3n"},"content":{"rendered":"\n

Ako si vybra\u0165 <\/span>vysoko <\/span>bezpe\u010dn<\/span>\u00fd<\/span> Android telef\u00f3n a <\/span>najbezpe\u010dnej\u0161\u00ed Android <\/span>syst\u00e9m<\/span><\/span><\/span><\/h1>\n
\n
\u00a0<\/div>\n<\/div>\n

<\/a>\u00davod<\/span><\/h1>\n

Tento \u010dl\u00e1nok je prirodzen\u00fdm pokra\u010dovan\u00edm a ist\u00fdm sp\u00f4sobom vyvrcholen\u00ed mojich star\u0161\u00edch \u010dl\u00e1nkov Ako si maxim\u00e1lne zabezpe\u010di\u0165 laptop<\/a> (na Purism Librem<\/a> s Qubes OS<\/a>) a Chr\u00e1\u0148te svoje d\u00e1ta: Odstrihnite sa od Google<\/a>, ktor\u00e9 odpor\u00fa\u010dam pre\u010d\u00edta\u0165 predt\u00fdm, ako sa rozhodnete <\/span>zak\u00fapi\u0165 <\/span>bezpe\u010dn\u00fd <\/span>Android telef\u00f3n a nain\u0161talova\u0165 na\u0148 najbezpe\u010dnej\u0161iu variantu Androidu<\/span>.<\/span><\/p>\n

Cie\u013eom \u010dl\u00e1nku<\/span> je <\/span>teda<\/span> predstavi\u0165 pod\u013ea m\u00f4jho n\u00e1zoru <\/span>jeden z <\/span>najbezpe\u010dnej\u0161<\/span>\u00edch dostupn\u00fdch<\/span> Android telef\u00f3n<\/span>ov<\/span> (Google Pixel 2 a vy\u0161\u0161ie) a <\/span>pravdepodobne<\/span> najbezpe\u010dnej\u0161iu verziu modifikovan\u00e9ho Android syst\u00e9mu (GrapheneOS<\/a><\/span>), na ktorom bud\u00fa nain\u0161talovan\u00e9<\/span> 100% <\/span>open-source d\u00f4veryhodn\u00e9 aplik\u00e1cie<\/span> z F-<\/a><\/span>D<\/span>ro<\/span>id repozit\u00e1ra<\/span><\/a> s cie\u013eom zabezpe\u010di\u0165 maxim\u00e1lnu ochranu s\u00fakromia. <\/span>Aj napriek tomu, \u017ee z h\u013eadiska <\/span>ochrany s\u00fakromia, <\/span>ide zrejme o ekvivalentn\u00e9 rie\u0161enie ako Lineage OS,<\/a> najv\u00e4\u010d\u0161ia pridan\u00e1 hodnota ni\u017e\u0161ie <\/span>uveden\u00e9ho<\/span> rie\u0161enia <\/span>spo\u010d\u00edva vo vy\u0161\u0161ej<\/span> bezpe\u010dnosti a to v\u010faka pou\u017eitiu <\/span>bezpe\u010dn\u00e9ho hardv\u00e9ru telef\u00f3nu<\/span> a <\/span>\u0161peci\u00e1lne zabezpe\u010den\u00e9ho GrapheneOS<\/a>.<\/span><\/p>\n

<\/a>Pre\u010do Google telef\u00f3n, ale bez Google slu\u017eieb?<\/span><\/h1>\n

Google telef\u00f3ny s\u00fa vysoko bezpe\u010dn\u00e9<\/span><\/h3>\n

Google zamestn\u00e1va najlep\u0161\u00edch bezpe\u010dnostn\u00fdch expertov na svete, tak\u017ee Google telef\u00f3ny \u010di in\u00e9 Google produkty alebo slu\u017eby s\u00fa obvykle ve\u013emi bezpe\u010dn\u00e9.\u00a0 <\/span>Google Pixel telef\u00f3ny implementuj\u00fa TEE (Trusted Execution Environment), kedy hlavn\u00fd procesor a opera\u010dn\u00fd Android syst\u00e9m s\u00fa pokladan\u00e9 za ned\u00f4veryhodn\u00e9 a teda nem\u00f4\u017eu pristupova\u0165 k niektor\u00fdm \u010dastiam RAM („Protected Hardware Resources“), hardv\u00e9rov\u00fdm registrom a citliv\u00fdm d\u00e1tam (ako kryptografick\u00e9 k\u013e\u00fa\u010de). Naopak TEE procesor je oddelen\u00fd od zvy\u0161ku syst\u00e9mu vyu\u017eit\u00edm r\u00f4znych mechanizmov a m\u00e1 pr\u00edstup k v\u0161etk\u00fdm citliv\u00fdm d\u00e1tam a aplik\u00e1ci\u00e1m.<\/span><\/p>\n

\"\"<\/p>\n

V GrapheneOS sa nach\u00e1dza priamo \u0161peci\u00e1lny auditovac\u00ed n\u00e1stroj Auditor app<\/a>, ktor<\/span>\u00fd<\/span> umo\u017e\u0148uje vytvori\u0165 <\/span>tzv. atesta\u010dn\u00e9 <\/span>prepojenie medzi tzv. Aud<\/span>\u00ed<\/span>torom (zariadenie, ktor\u00e9 vykon\u00e1va audit) a Auditovan<\/span>\u00fdm<\/span> (zariadenie, ktor\u00e9 je predmetom auditu). <\/span>P<\/span>ou\u017eit\u00edm TEE <\/span>(Trusted Execution Environment)<\/span> alebo hard<\/span>v<\/span>\u00e9rov\u00e9ho bezpe\u010dnostn\u00e9ho modulu (HSM) <\/span>je potom mo\u017en\u00e9 na<\/span> 100% <\/span>overi\u0165 <\/span>integritu dan\u00e9ho opera\u010dn\u00e9ho syst\u00e9mu <\/span>a pr\u00edpadne <\/span>odhali\u0165 ak\u00e9ko\u013evek potenci\u00e1lne zadn\u00e9 vr\u00e1tka („backdoors“), ktor\u00e9 sa defacto <\/span>u\u017e <\/span>nedaj\u00fa skry\u0165 oproti origin\u00e1lnemu „stock“ Android <\/span>OS<\/span>. Niektor\u00e9 Android zariadenia (vy\u0161\u0161ie ako 9) maj\u00fa implement\u00e1ciu StrongBox Keymaster<\/a>, ktor\u00e1 umo\u017e\u0148uje auditorskej aplik\u00e1cie dr\u017ea\u0165 k\u013e\u00fa\u010de <\/span>pou\u017e\u00edvan\u00e9<\/span> dan\u00fdm atesta\u010dn\u00fdm protokolom v dedikovanom bezpe\u010dnom hardv\u00e9rovom module (HSM) (Pixel telef\u00f3ny <\/span>na to<\/span> pou\u017e\u00edvaj\u00fa Titan M<\/a>) namiesto pou\u017eitia TEE, \u010do v\u00fdrazne zni\u017euje potenci\u00e1lny dopad \u00fatokov. V\u010faka tomu nie je mo\u017en\u00e9 realizova\u0165 \u017eiadne hardv\u00e9rov\u00e9 \u00fatoky ako <\/span>napr\u00edklad<\/span> Rowhammer<\/a>, Spectre<\/a>, Meltdown<\/a> a in\u00e9.<\/span><\/p>\n

<\/a>Probl\u00e9m Google nie je „security“, ale „privacy“<\/span><\/h3>\n

Probl\u00e9m Google slu\u017eieb a produktov teda nie je ich bezpe\u010dnos\u0165 (ako som spom\u00ednal vy\u0161\u0161ie, Google zamestn\u00e1va <\/span>najlep\u0161\u00edch<\/span> \u013eud\u00ed na <\/span>IT bezpe\u010dnos\u0165<\/span>), ale „privacy“, teda to, \u017ee sa vzd\u00e1vate svojho s\u00fakromia v prospech slu\u017eieb, ktor\u00e9 V\u00e1m Google <\/span>poskytuje<\/span> „zadarmo“ . <\/span>Ak si u Google nekupujete jeho slu\u017eby ako reklamu, tak ste potom v\u017edy jeho <\/span>produkt, nie z\u00e1kazn\u00edk. <\/span>To sa t\u00fdka prakticky v\u0161etk\u00fdch jeho slu\u017eieb, ktor\u00e9 poskytuje zadarmo. <\/span>Gmail by ste nemali pou\u017e\u00edva\u0165 <\/span>nie <\/span>preto, \u017ee hroz\u00ed, \u017ee ho niekto vyhackuje (je zrejme chr\u00e1nen\u00fd lep\u0161ie ako v\u0161etky mailov\u00e9 servery na Slovensku – hackersk\u00e9 \u00fatoky na Gmail <\/span>prebiehaj\u00fa<\/span> nonstop). Ale preto, \u017ee k v\u0161etk\u00fdm va\u0161im emailom m\u00e1 pr\u00edstup nielen Google, ale v\u0161etky svetov\u00e9 \u0161t\u00e1tne in\u0161tit\u00facie, ktor\u00e9 ho o to s\u00fadnym pr\u00edkazom <\/span>m\u00f4\u017eu po\u017eiada\u0165 a bohu\u017eia\u013e to aj \u010dasto robia. <\/span>Google sa sna\u017e\u00ed by\u0165 ale v zverej\u0148ovan\u00ed toho, ko\u013ek\u00fdm in\u0161tit\u00faci\u00e1m tieto inform\u00e1cie poskytuje, transparentn\u00fd (viac Google Transparency Project<\/a>). Google <\/span>logicky preto <\/span>va\u0161e emaily, \u010di in\u00e9 vzorce v\u00e1\u0161ho spr\u00e1vania nikdy <\/span>nebude <\/span>\u0161ifrova\u0165 (aj ke\u010f technicky to nie je pre neho \u017eiadny probl\u00e9m), ke\u010f\u017ee <\/span>predstavuj\u00fa k\u013e\u00fa\u010dov\u00e9 inform\u00e1cie pre jeho biznis.<\/span><\/p>\n

<\/a>GrapheneOS<\/span><\/h1>\n

Chceme teda kvalitn\u00e9 bezpe\u010dn\u00e9 telef\u00f3ny od Google (na Alze<\/a> si dok\u00e1\u017eete svoj telef\u00f3n zak\u00fapi\u0165 \u00faplne anonymne, ak zvol\u00edte platbu kryptomenami) , ale bez ich \u0161pehovacej propriet\u00e1rnej funkcionality. Ide\u00e1lne v\u00fdhradne s 100% open-source opera\u010dn\u00fdm syst\u00e9mom, kni\u017enicami a aplik\u00e1ciami, ktor\u00e9 s\u00fa v\u0161etky auditovate\u013en\u00e9. <\/span><\/p>\n

A o tom je presne projekt GrapheneOS<\/span><\/p>\n

<\/a>Bezpe\u010dnostn\u00e9 prvky GrapheneOS<\/span><\/h3>\n

Jadro a kni\u017enice:<\/span><\/strong><\/p>\n