Auto-update Android apps with F-Droid & Yalp Store

I consider automatic updates of userland software an important and also convenient security feature, especially on mobile platforms. As far as I know this is already the default behaviour on Android systems with the Google Play Store preinstalled.

Some time ago I switched from the Play Store to the open-source F-Droid market, which offers many good free and open-source apps as an alternative. Since I couldn’t yet find good replacements for Scout, Soundhound etc., I also used the open-source app Yalp store to fetch these apps and their updates from Google without requiring Gapps or a Google account.

Usually third-party apps or installation files (apks) can be installed without “rooting” the phone (acquiring superuser permissions). But you have to explicitly grant permission for every single installation or update. If you want to automate these steps, you have to install Yalp store and F-Droid as system apps.

F-Droid Privileged Extension

Instead of installing the usual F-Droid apk, you can also flash F-Droid as a so-called “privileged extension”. It comes as a zip file which you can obtain here. Put this zip file on your phone’s storage and reboot into your phone’s recovery mode. In my setup I was using the recovery app TWRP, which has to be installed manually on a rooted phone. Unfortunately, rooting a phone and installing a recovery app is a difficult step which I cannot cover here. If you already have TWRP or something similar installed, I recommend doing a full system backup before flashing anything. In recovery, select and install the F-Droid privileged extension zip file.
After rebooting back into Android, you have to change the following settings inside F-Droid to enable auto-updates:

  • Enable expert mode
  • Enable privileged extension
  • Enable auto-update, e.g. in an interval of every day
  • Automatically install apps in background

Yalp store auto-update

Yalp store uses a different technique to obtain system permissions. It relies on a third-party app like Superuser, which you also have to install via recovery (which is done via this zip file). Once installed, you also have to enable the auto-update settings inside Yalp store:

  • Installation method: Use root permissions
  • Enable: Install apps as soon as download is finished
  • Search for updates: E.g. daily
  • Enable: Auto download available updates
  • Enable: Automatically install new updates (root)

I also activated the automatic whitelist feature so that auto-updates are only installed for apps managed by Yalp store.

After that everything should work flawlessly and you should be notified when an app has been updated in the background.

Changelog

  • 20.05.18: Changed Yalp Store SuperSU dependency to open source alternative Superuser app.

Sandbox and torify Signal messenger on Linux

Most of the popular Linux distributions don’t offer any sandboxing or anonymization capabilities, and it can be quite difficult to find a good solution. In this post I’m going to describe how I managed to sandbox the messenger app Signal and tunnel all its traffic through the anonymization network Tor.

All the tools you need are already in the Archlinux repositories:

pacaur -S firejail tor signal
Firejail is a kind of wrapper around the sandboxing capabilities of the Linux kernel. It ships with profiles for various applications, including a profile for Signal.

To launch Signal in a sandboxed environment, just prefix the command with firejail like this:
firejail signal-desktop
If you try to share files with someone, you’ll notice that your local files are no longer available to Signal. One of the few “shared” and real directories left is the Signal configuration directory in ~/.config/signal. All files in there will be preserved, even after you close the sandbox. As a lazy workaround I temporarily move files into this directory if I want to share them via Signal.

Isolating the sandbox from your local network and tunnelling all traffic through Tor is a bit more difficult. First of all, we have to create a virtual network bridge with its own subnet:

Somehow assigning the IP with the systemd network profile was not successful, so I used this service file to set the address manually:

Now start and enable the services to make these changes persistent:
systemctl start systemd-networkd bridge-set-addr
systemctl enable systemd-networkd bridge-set-addr

We also need to enable IP forwarding for the tornet network bridge:

In the Tor configuration, we have to enable a local port to which we can route our internet traffic:

It is then useful to start Tor automatically at boot time:
systemctl start tor
systemctl enable tor

Run the following iptables rules as root:
inet_interface=wlp3s0
iptables -P FORWARD DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tornet -o ${inet_interface} -p tcp -j ACCEPT
iptables -A FORWARD -i tornet -o ${inet_interface} -p udp --dport=53 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.100.100.0/24 -o ${inet_interface} -j MASQUERADE
iptables -t nat -A PREROUTING -i tornet -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
iptables -t nat -A PREROUTING -i tornet -p tcp -j DNAT --to-destination 127.0.0.1:9040
iptables -A INPUT -i tornet -p tcp --dport 9040 -j ACCEPT
iptables -A INPUT -i tornet -p udp --dport 5353 -j ACCEPT
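To see what the rule set above actually does to traffic coming out of the sandbox, here is a small tracer written for this page (it is not code from the original post, from firejail or from Tor). It replays constructed packets through the post's rules in the order the kernel applies them: nat PREROUTING first, then the routing decision, then filter INPUT or FORWARD. The bridge gateway address 10.100.100.1, the sandbox address 10.100.100.2 and the uplink name wlp3s0 are my assumptions, chosen to fit the post's subnet and interface variable. The outcome worth seeing is that every TCP connection lands on 127.0.0.1:9040 and every DNS query on 127.0.0.1:5353, while anything else from tornet (plain UDP, ICMP) hits the FORWARD DROP policy instead of leaving via the uplink.

```python
"""Trace where a packet leaving the sandbox ends up under the post's rules.

Added example, not from the original post, firejail or Tor. It models only the
matches the rule set uses (interface, protocol, dport, state) in kernel order:
nat PREROUTING, routing decision (local delivery or forwarding), then filter
INPUT or FORWARD. Addresses and the uplink name are assumptions (see lead-in).
"""
import shlex

# Constructed sample in iptables-save layout, containing the post's rules.
RULES = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tornet -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i tornet -p udp -m udp --dport 5353 -j ACCEPT
-A FORWARD -i tornet -o wlp3s0 -p tcp -j ACCEPT
-A FORWARD -i tornet -o wlp3s0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i tornet -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
-A PREROUTING -i tornet -p tcp -j DNAT --to-destination 127.0.0.1:9040
COMMIT
"""

HOST_ADDRESSES = {"127.0.0.1", "10.100.100.1"}  # assumed: loopback plus bridge gateway
UPLINK = "wlp3s0"                               # the post's inet_interface
OPTION_KEYS = {"-i": "iface_in", "-o": "iface_out", "-p": "proto"}


def parse_rules(text):
    """Parse iptables-save text into {table: {"policy": {...}, "chains": {...}}}.
    Assumes the canonical spelling where every option is followed by one argument."""
    tables, table = {}, None
    for line in text.strip().splitlines():
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "chains": {}}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
            tables[table]["chains"][chain] = []
        elif line.startswith("-A"):
            toks = shlex.split(line)
            rule = {"match": {}, "target": None, "to": None}
            for i in range(2, len(toks) - 1, 2):
                opt, arg = toks[i], toks[i + 1]
                if opt in OPTION_KEYS:
                    rule["match"][OPTION_KEYS[opt]] = arg
                elif opt == "--dport":
                    rule["match"]["dport"] = int(arg)
                elif opt == "--state":
                    rule["match"]["state"] = set(arg.split(","))
                elif opt == "-j":
                    rule["target"] = arg
                elif opt == "--to-destination":
                    rule["to"] = arg
                # "-m tcp/udp/state" only loads a match module; nothing to record
            tables[table]["chains"][toks[1]].append(rule)
    return tables


def rule_matches(rule, pkt):
    m = rule["match"]
    for key in ("iface_in", "iface_out", "proto", "dport"):
        if key in m and pkt.get(key) != m[key]:
            return False
    return "state" not in m or pkt["state"] in m["state"]


def verdict(tables, table, chain, pkt):
    """First matching rule, or a synthetic rule carrying the chain policy."""
    for rule in tables[table]["chains"][chain]:
        if rule_matches(rule, pkt):
            return rule
    return {"target": tables[table]["policy"][chain], "to": None}


def packet(proto, dport=None, dst="93.184.216.34"):
    """A new connection attempt from inside the sandbox towards a public address."""
    return {"iface_in": "tornet", "proto": proto, "dport": dport, "dst": dst,
            "src": "10.100.100.2", "state": "NEW"}


def trace(tables, pkt):
    """("local", ip, port) if Tor on the host gets it, ("dropped", chain) otherwise."""
    pkt = dict(pkt)
    pre = verdict(tables, "nat", "PREROUTING", pkt)
    if pre["target"] == "DNAT":
        host, port = pre["to"].rsplit(":", 1)
        pkt["dst"], pkt["dport"] = host, int(port)
    if pkt["dst"] in HOST_ADDRESSES:       # routing decision: deliver to the host itself
        v = verdict(tables, "filter", "INPUT", pkt)
        return ("local", pkt["dst"], pkt["dport"]) if v["target"] == "ACCEPT" else ("dropped", "INPUT")
    pkt["iface_out"] = UPLINK              # anything else would leave via the uplink
    v = verdict(tables, "filter", "FORWARD", pkt)
    return ("forwarded", pkt["dst"], pkt["dport"]) if v["target"] == "ACCEPT" else ("dropped", "FORWARD")


TABLES = parse_rules(RULES)

if __name__ == "__main__":
    for proto, port in (("tcp", 443), ("udp", 53), ("udp", 123), ("icmp", None)):
        print(proto, port, "->", trace(TABLES, packet(proto, port)))
```

To check a live machine instead of the constructed sample, feed the output of iptables-save to parse_rules(); it has to use the same canonical spelling the tracer assumes (one argument per option, so --dport 53 rather than --dport=53), which is what iptables-save emits anyway.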

And save the current rule set to the main iptables configuration file:
iptables-save > /etc/iptables/iptables.rules
systemctl start iptables
systemctl enable iptables

I also had to use the program ifplugd, because firejail removes the bridge’s IP address after the sandbox is closed:
pacaur -S ifplugd
So ifplugd will always reassign an IP to the network bridge when you start the sandbox again:

Enable and start ifplugd:
systemctl start ifplugd@tornet
systemctl enable ifplugd@tornet

You can now run Signal sandboxed and in an isolated network where all traffic is going through Tor:
firejail --net=tornet signal-desktop
Signal won’t have any connection if the Tor daemon isn’t running or if Tor is blocked in your network. You can also use the program arm to check that all traffic is going through Tor.

I’m not entirely sure whether DNS queries are also anonymized in this setup, but according to the original how-to by kargig this should also be the case.

It is important to note that this setup just adds an extra layer of security and anonymity when using Signal. If you strongly rely on anonymity you should consider using Tails or SubgraphOS, as pointed out by the security researcher x0rz. His blog post also explains how to register Signal with a fake mobile number to use it pseudonymously.

Download an installation medium directly to your flash drive


For a long time I was looking for a more direct and faster way to set up my Linux installation medium on a USB flash drive. Usually one would download an ISO image and wait for it to finish before copying it to the drive. Both tasks can take some time, depending on your internet connection and USB speed.
If you do both at the same time, downloading and writing the image, you can save half the time. It took me a while to figure out that one of my favorite command-line download tools, Aria2, can do exactly this job. It downloads your file, supporting different protocols (sftp, https, bittorrent), and writes it directly to any block device.
Of course not every installation image can be written directly without modification and still be bootable, but my favorite Linux distributions support this (e.g. ArchLinux, Ubuntu).
In this example, we’re going to download the most recent Archlinux iso using a Bittorrent magnet link (get the newest magnet link from here). We select only the iso file in the torrent and write it to our flash drive at /dev/sdc:
aria2c "magnet:?xt=urn:btih:2d3b3d65b369ba519292dd8ce420afe95120df1e&dn=archlinux-2018.01.01-x86_64.iso&tr=udp://tracker.archlinux.org:6969&tr=http://tracker.archlinux.org:6969/announce" --select-file=1 --index-out=1=sdc --dir /dev --allow-overwrite=true --file-allocation=none --save-session=/tmp/tmp.aria2
Caution: Running this command as root is dangerous when you’re unsure about the device path of your flash drive. You could easily overwrite, for example, your system partition, brick your system or lose important data!
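As a safeguard for the caution above, here is a small wrapper written for this page (my own example, not part of the original post or of aria2) that refuses to start aria2c unless the target looks like a whole, removable, unmounted disk. It reads the removable flag and the size from sysfs and the mount table from /proc/self/mounts; the 64 GiB ceiling and the function names are my assumptions, while the aria2c options are the ones from the post's command.

```python
"""Pre-flight check before letting aria2c write straight to a block device.

Added example, not part of the original post or of aria2. The target must be a
whole disk that sysfs flags as removable, no bigger than a flash drive, and not
mounted anywhere. The 64 GiB limit and the helper names are assumptions.
"""
import os
import re
import subprocess
import sys

SECTOR = 512  # sysfs reports block device sizes in 512-byte sectors


def read_device_info(dev, sysfs_root="/sys"):
    """Return {"removable": bool, "size_bytes": int} for a whole disk, or None
    when /sys/block/<dev> does not exist (partitions such as sdc1 live elsewhere)."""
    base = os.path.join(sysfs_root, "block", dev)
    if not os.path.isdir(base):
        return None
    with open(os.path.join(base, "removable")) as fh:
        removable = fh.read().strip() == "1"
    with open(os.path.join(base, "size")) as fh:
        size_bytes = int(fh.read().strip()) * SECTOR
    return {"removable": removable, "size_bytes": size_bytes}


def read_mounted_sources(mounts_path="/proc/self/mounts"):
    """Device nodes currently mounted, e.g. ['/dev/sda1', '/dev/sdc1']."""
    with open(mounts_path) as fh:
        return [line.split()[0] for line in fh if line.strip()]


def check_block_target(dev, info, mounted_sources, max_bytes=64 * 1024**3):
    """Decide whether /dev/<dev> is a safe image target. Returns (ok, reason)."""
    if info is None:
        return False, "%s is not a whole disk known to sysfs" % dev
    if not info["removable"]:
        return False, "%s is not flagged removable; refusing an internal disk" % dev
    gib = info["size_bytes"] // 1024**3
    if info["size_bytes"] > max_bytes:
        return False, "%s is %d GiB, larger than the %d GiB limit" % (dev, gib, max_bytes // 1024**3)
    # Matches the disk itself and any of its partitions (sdc, sdc1, nvme0n1p2, ...).
    pattern = re.compile(r"^/dev/%s(p?\d+)?$" % re.escape(dev))
    for source in mounted_sources:
        if pattern.match(source):
            return False, "%s is mounted; unmount it first" % source
    return True, "/dev/%s is an unmounted removable %d GiB disk" % (dev, gib)


def build_aria2_argv(uri, dev):
    """The post's aria2c invocation, with the target device as a parameter."""
    return ["aria2c", uri, "--select-file=1", "--index-out=1=%s" % dev, "--dir", "/dev",
            "--allow-overwrite=true", "--file-allocation=none",
            "--save-session=/tmp/tmp.aria2"]


if __name__ == "__main__":
    uri, dev = sys.argv[1], sys.argv[2]   # e.g. "magnet:?xt=urn:btih:..." sdc
    ok, reason = check_block_target(dev, read_device_info(dev), read_mounted_sources())
    print(reason)
    if not ok:
        sys.exit(1)
    sys.exit(subprocess.call(build_aria2_argv(uri, dev)))
```

Run it as root with the magnet link and the bare device name (sdc, not /dev/sdc); it prints why a target was refused, and only hands over to aria2c when all checks pass.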

Aria2 will start downloading the installation medium and write it directly to your flash drive :) The cool thing is, as long as you keep Aria2 open and your flash drive inserted, the iso will still be seeded from your device.

Stopwatch module for py3status

Whenever you use a tiling window manager like Dwm, Awesome or i3 on your Linux desktop, you might also want to replace or modify the default behaviour of the status bar. Usually you’ll display some common information like the date, the battery level or details about your network connection.

Instead of the quasi-standard program i3status, you can also use py3status as the external program that generates the status bar text. It has even more modules you can use to display additional statistics or functions. One thing I was missing was the ability to easily track time, so I modified the included timer module and turned it into a stopwatch.

You can run or pause the stopwatch with a left click and reset it with a right click. That’s all … very easy but also very useful ;) You can check out the source code here or just wait until the module is merged upstream.
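The click behaviour described above, as an added example written for this page (it is not the module linked from the post). It follows the py3status module conventions: a Py3status class whose public method returns a dict with full_text and cached_until, post_config_hook for setup, and on_click receiving the event dict, with self.py3 being the helper object py3status injects at runtime. The timing logic sits in a separate Stopwatch class with an injectable clock so it can be exercised without waiting; the method name stopwatch and the format parameter are my choices.

```python
"""A py3status stopwatch: left click starts or pauses, right click resets.

Added example, not the module linked from the post. Uses the py3status module
conventions (Py3status class, post_config_hook, on_click, self.py3.time_in and
self.py3.CACHE_FOREVER); the timing logic is kept separate and testable.
"""
import time


class Stopwatch:
    """Accumulates run time across start/pause cycles; clock returns seconds."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self.reset()

    def reset(self):
        self.running = False
        self._banked = 0.0      # seconds collected from completed runs
        self._started_at = None

    def toggle(self):
        """Pause if running, otherwise (re)start on top of the banked total."""
        now = self._clock()
        if self.running:
            self._banked += now - self._started_at
            self._started_at = None
        else:
            self._started_at = now
        self.running = not self.running

    def elapsed(self):
        total = self._banked
        if self.running:
            total += self._clock() - self._started_at
        return total


def format_hms(seconds):
    """3725.9 -> '1:02:05'; fractions are truncated, not rounded."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return "%d:%02d:%02d" % (hours, minutes, secs)


class Py3status:
    # Configuration parameter, overridable from the module block in i3status.conf.
    format = "{time}"

    def post_config_hook(self):
        self._watch = Stopwatch()

    def stopwatch(self):
        """Bar output. While running, ask py3status to re-render every second;
        while paused, cache until the next click (py3status refreshes after on_click)."""
        if self._watch.running:
            cached_until = self.py3.time_in(1)
        else:
            cached_until = self.py3.CACHE_FOREVER
        return {"full_text": self.format.format(time=format_hms(self._watch.elapsed())),
                "cached_until": cached_until}

    def on_click(self, event):
        button = event["button"]   # 1 = left, 3 = right (X11 button numbering)
        if button == 1:
            self._watch.toggle()
        elif button == 3:
            self._watch.reset()


if __name__ == "__main__":
    # Stand-alone demo with a fake clock: run 5 s, pause 10 s, run 2.5 s.
    now = [0.0]
    w = Stopwatch(clock=lambda: now[0])
    w.toggle(); now[0] += 5
    w.toggle(); now[0] += 10
    w.toggle(); now[0] += 2.5
    print(format_hms(w.elapsed()))   # 0:00:07
```

Dropped into the py3status modules directory and referenced in i3status.conf, the module shows the elapsed time in the bar; keeping the stopwatch state out of the bar class is what makes the click handling verifiable without a running bar.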

Open source powered GNU Casino slot machine

For our private party some weeks ago we prepared a fun slot machine in the spirit of GNU open source software (I’m aware that this might sound contradictory). We already had an old internet cafe terminal but had to replace the internal hardware with more recent components. Then we were ready to install a minimal ArchLinux system and configure it to launch X and our PyGame application at startup.

A real slot machine needs some fancy coloured buzzers for an authentic gambling feeling, so we designed some in Blender and 3D-printed them. They are wired to a tiny USB Arduino and, when pressed, trigger generic key-press events on the system.

Since we weren’t able to get the “coin entry” mechanism working, we checked the credit with a barcode scanner, which was in turn connected to our party payment system :)

Here’s a demo video:

And here you can get our unenhanced, hacky source code. Note that we removed all original sounds and graphics to avoid copyright infringement.

Update (December 2017): We are proud to note that our project got featured on the front page of Heise Online, one of the leading technology news sites in Germany. In addition to the online publication, an even longer article was printed in the C’t Make magazine of 6/2017 (page 104-105).