
Security for FMD Android

This page describes the security considerations that went into designing FMD Android, and what you may want to think about when using it.

Use case

FMD is designed to remotely locate and control your device in situations where you have lost it and an honest person finds it.

FMD Android is NOT designed to protect you against the device being taken against your will (theft, seizure by the authorities, etc.). FMD might help you to lock and/or wipe the device -- if you are fast enough to send the commands. But a malicious thief can shut down your phone or put it in a Faraday cage, thus preventing all remote communication.

With great power comes great responsibility

In order to control your device, FMD requires a great level of access. The broad range of commands comes with a broad range of permissions. FMD is only an app, but in some sense it "extends the operating system" by adding the functionality of controlling your device.

This power comes with responsibility.

FMD effectively becomes an additional gateway into your device (by design!). By granting the FMD Android app certain permissions, you are granting these permissions to anyone who can cause (or trick) the FMD Android app into doing something.

It is important that you trust FMD to only do what it claims to do and not to abuse its access. FMD's code is open source under a free license; you are encouraged to take a look and verify what it does. You can even modify it to your needs, for example to completely remove code for features you don't need, thereby reducing the attack surface.

Access control

Because FMD becomes a gateway into your device, access control and authentication are critically important. Most access control happens on a per-transport-channel basis. The following table lists an overview. For detailed descriptions, see the transport channel explanations further below.

Transport channel    | Access control
---------------------|-------------------------------------------------
SMS                  | Allow-listed phone numbers; any phone number via the FMD PIN
Notification Reply   | Any app on the same device via the FMD PIN
FMD Server           | Username and password

Permissions

Warning: Currently, anyone who is allowed to access FMD can execute any command!

(Depending on how you configure FMD, so read on.)

Let's assume that you allow-listed Alice's phone number, granting her access to your device via SMS. Currently, there are two ways by which you can restrict what Alice can do:

  1. Restrict which permissions you grant the FMD Android app. If the FMD Android app does not have an Android permission, the Android OS will deny the access. Therefore, carefully choose which permissions you grant FMD!
  2. The delete command (to factory reset the device) needs to be explicitly enabled in the FMD Android settings and requires the FMD PIN.

Of course, it would be great if within FMD there were fine-grained permissions. For example, so that you can grant Alice access to the locate command only and nothing else, while granting Bob access to locate and ring. This is an open feature request and tracked in this issue.

Until then, we highly recommend that you are careful about 1) to whom you grant access to FMD and 2) which Android permissions you grant to FMD.

Commands

For each command, FMD Android shows you which permissions are required or optional. Only grant the permissions for the commands you intend to use! Android's permission system limits what the operating system allows the FMD Android app to do, which is a strong line of defence.

Due to Android limitations, some permissions are coupled. Device lock and factory-reset are grouped under Device Admin. Therefore, the delete command needs to be explicitly enabled in FMD's settings, too.

The delete command also requires the PIN, even when sent over a non-PIN transport channel. Currently the same PIN is used as for normal authentication; it is not yet possible to set a separate "delete PIN". Please follow this issue.

Info: For historical reasons, it is called a "PIN", but it can be any alphanumeric passphrase. However, it should not contain spaces, as this may confuse the parser.

Transport channels

When choosing a transport channel, ask yourself whether it is sufficiently secure for your personal threat model. Who can send commands to your device? Who can read the responses? This section gives an overview of what you might consider.

SMS

In FMD Android, you can use SMS either via allowlisting certain phone numbers, or by including a PIN in the message. When a PIN is included, the sending number is temporarily allowlisted (for 10 minutes).
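To make the SMS access-control rules from this page and the Permissions section concrete, here is a small Python model (added here, not FMD's own code): permanently allow-listed numbers, a correct PIN that temporarily allow-lists the sending number for 10 minutes, and a delete command that must be enabled in settings and must carry the PIN even from a trusted sender. Message parsing, Android permissions and rate limiting are deliberately outside the model; the phone numbers and PIN are constructed sample values.

```python
from dataclasses import dataclass, field
import hmac

# The page states PIN-authenticated senders stay allow-listed for 10 minutes.
TEMP_ALLOWLIST_SECONDS = 10 * 60


@dataclass
class FmdSmsPolicy:
    """Model of the SMS access-control rules described on this page (illustrative only)."""
    pin: str
    allowlist: set = field(default_factory=set)          # permanently allow-listed numbers
    delete_enabled: bool = False                          # 'delete' must be enabled in settings
    temp_allowlist: dict = field(default_factory=dict)    # sender -> expiry timestamp (seconds)

    def pin_ok(self, candidate):
        # Constant-time comparison so response timing does not leak partial PIN matches.
        return candidate is not None and hmac.compare_digest(
            self.pin.encode(), candidate.encode())

    def authorize_sms(self, sender, command, now, pin=None):
        """Return (allowed, reason) for one incoming SMS command at time `now`."""
        # Step 1: establish trust in the sender: permanent allowlist, an unexpired
        # temporary allowlist entry, or a correct PIN presented in this message.
        if sender in self.allowlist or self.temp_allowlist.get(sender, 0) > now:
            pass
        elif self.pin_ok(pin):
            self.temp_allowlist[sender] = now + TEMP_ALLOWLIST_SECONDS
        else:
            return False, "sender not allow-listed and no valid PIN"
        # Step 2: any trusted sender may run any command, except 'delete', which
        # needs the setting AND the PIN in this very message.
        if command == "delete":
            if not self.delete_enabled:
                return False, "delete not enabled in settings"
            if not self.pin_ok(pin):
                return False, "delete requires the PIN"
        return True, "ok"
```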

Phone number spoofing may be possible, depending on what area you are in and what carrier and phone you are using.

5G is more secure than 2G or 3G. Note that even though your phone may show "5G", it may actually be using 5G NR NSA (that is, using 5G for the data plane and 4G for the control plane). One way to check for this is Privacy Cell.

The PIN may be brute-forced. You need to choose a PIN that is strong enough to not be guessed, but that is memorable enough so that you remember it in the high-stress situation of losing your device.

There is currently no rate limiting or other brute force protection in FMD Android. Please follow this issue.

Notification reply

Notification Reply only has PIN-based access. Thus the same considerations as with PIN over SMS apply.

Additionally, FMD Android currently has no way to limit notification reply to specific applications (e.g., allow Signal but not E-Mail). That is, commands may reach FMD Android over any app on your device that posts a notification to the system notification tray.

FMD Server

See the dedicated FMD Server security docs.

Transparency

FMD Android gives the user information about what the app is doing:

  • Notifications: FMD Android shows notifications of the form "Command 'fmd locate' was executed by +49 152 28817386".
  • Logging: FMD Android has logging that shows when, which, and why commands are executed. The logs can be viewed in the app and can be exported for analysis.