The company I work for recently rolled out Duo Security for two-factor authentication. Two-factor auth is a great idea: it limits account access to individuals who possess a token, usually in the form of a physical device (specifically, a phone). Unfortunately, Duo isn’t compatible with other TOTP/HOTP software clients (I’d prefer to just use the Google Authenticator app for all accounts), so I need a second authenticator app installed on my phone in order to log in at work, even though I will only use Duo’s TOTP functionality (ideally, as much of my computing as possible should work without a functional network connection).
The latest Duo Mobile changelog includes the following line (version 3.9.0):
Duo Mobile now ensures your device is up to date using Android Security Provider and Google Play Services APIs.
What does that mean? Is the app performing background rootkit operations to accomplish this? I’m particularly paranoid about Android security because (1) the OS is notoriously hard to patch in anything resembling a timely fashion; (2) Verizon’s software bundling includes rootkits, pointless apps and other nefarious goodies; and (3) Verizon broke the upgrade from KitKat to Lollipop: because the phone’s disk is encrypted, the upgrade fails and the phone reboots in a disturbing loop, which is 100% not acceptable. In other words:
- my phone can’t install security patches; and
- there aren’t really any meaningful security patches to install even if I could.
I consider my smartphone to be the weakest point in my cybersecurity experience, so I purposefully limit what goes on it.
Regardless, I have no choice but to install the Duo update. I can, however, install a firewall to at least monitor what it does on the network. For this I chose AFWall+ (note: requires root), which is essentially an iptables front end for Android.
Great! Now I can monitor and block outbound traffic.
Question: Why is the kernel trying to connect to AWS’s West Coast infrastructure every few seconds?
It’s now denied. I have no idea what it was sending to Amazon, but it’s not happening anymore. And it was the kernel. Weird. I hate closed-source OSes; it’s probably some Android tracking service. The BluetoothTest and VZWAVSService applications were displaying similar behavior, which is now blocked, with no apparent ill effect. The good news? They’d been operating over port 443. The bad news? Why.
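To make the "monitor outbound traffic" step and the "it was the kernel" observation concrete, here is an added example (my own code, not AFWall+’s and not from the original post). AFWall+ logs blocked and matched packets through the netfilter LOG target, which prints one `KEY=VALUE` line per packet to the kernel log. Locally generated packets that belong to a socket carry `UID=`/`GID=` fields identifying the owning Android app; packets the kernel itself generates have no owning socket and therefore no UID, which is why a firewall front end ends up attributing them to "kernel". The script parses such lines, counts new outbound connections (SYNs) per owner, destination and port, and flags anything that reconnects repeatedly. The log lines, the `[AFWall]` prefix, the addresses and the UIDs are all constructed for the example.

```python
"""Attribute outbound connections in netfilter LOG output to Android app UIDs.

Added example, not code from the original post or from AFWall+. The sample
dmesg lines below are constructed to match the kernel LOG target's format;
the "[AFWall]" prefix, addresses and UIDs are assumptions.
"""
import re
from collections import Counter

# Constructed sample. The first three lines have no UID=/GID= fields: the
# packets were generated by the kernel itself, not by an app socket, so a
# front end like AFWall+ can only label them "kernel". The others belong to
# app UIDs (Android assigns apps UIDs starting at 10000).
SAMPLE_DMESG = """\
[  120.10] [AFWall] IN= OUT=wlan0 SRC=192.168.1.23 DST=54.215.8.44 LEN=60 PROTO=TCP SPT=40112 DPT=443 SYN URGP=0
[  125.11] [AFWall] IN= OUT=wlan0 SRC=192.168.1.23 DST=54.215.8.44 LEN=60 PROTO=TCP SPT=40113 DPT=443 SYN URGP=0
[  130.12] [AFWall] IN= OUT=wlan0 SRC=192.168.1.23 DST=54.215.8.44 LEN=60 PROTO=TCP SPT=40114 DPT=443 SYN URGP=0
[  131.50] [AFWall] IN= OUT=wlan0 SRC=192.168.1.23 DST=173.194.66.95 LEN=60 PROTO=TCP SPT=40115 DPT=443 SYN URGP=0 UID=10087 GID=10087
[  140.00] [AFWall] IN= OUT=wlan0 SRC=192.168.1.23 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=40116 DPT=80 SYN URGP=0 UID=10042 GID=10042
[  141.00] [AFWall] IN= OUT=wlan0 SRC=192.168.1.23 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=40117 DPT=80 SYN URGP=0 UID=10042 GID=10042
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line, or None if it isn't one."""
    if "OUT=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    # TCP flags are printed as bare tokens (SYN, ACK, ...), not as KEY=VALUE.
    fields["syn"] = " SYN " in line
    return fields


def owner_of(fields):
    """Owning app UID as a string, or 'kernel' when the packet had no socket owner."""
    return fields.get("UID", "kernel")


def summarize(dmesg_text):
    """Count new outbound connections (SYNs leaving an interface) per (owner, dst, dport)."""
    counts = Counter()
    for line in dmesg_text.splitlines():
        f = parse_line(line)
        if f and f.get("OUT") and f["syn"]:
            counts[(owner_of(f), f["DST"], f.get("DPT", "?"))] += 1
    return counts


def beacons(dmesg_text, min_connects=3):
    """(owner, dst, dport) tuples that reconnect at least min_connects times: candidate phone-home traffic."""
    return sorted(k for k, n in summarize(dmesg_text).items() if n >= min_connects)


def block_rule(uid):
    """iptables rule (the owner match AFWall+ relies on) rejecting one app's outbound traffic.

    Kernel-originated packets have no owner and cannot be selected this way;
    they need a negated owner match or a destination-based rule instead.
    """
    return f"iptables -A OUTPUT -m owner --uid-owner {int(uid)} -j REJECT"


if __name__ == "__main__":
    for (owner, dst, dport), n in sorted(summarize(SAMPLE_DMESG).items()):
        print(f"{owner:>8}  {dst:>16}:{dport:<5} {n} connections")
    print("repeat offenders:", beacons(SAMPLE_DMESG))
```

On a rooted phone the real input is `dmesg` (or `logcat -b kernel` on newer builds) with AFWall+ logging enabled; app UIDs map back to package names through `/data/system/packages.list`. Anything that shows up as `kernel` is traffic without a socket owner, which is exactly the class of connection the post describes and the one an owner-based per-app rule cannot pin on a package.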
This is why I want a fully FOSS Linux phone, where I can see exactly whatever nonsense the phone manufacturer is trying to pull.