Security for FMD Android
This page describes the security considerations that went into designing FMD Android, and what you may want to think about when using it.
Use case
FMD is designed to remotely locate and control your device in situations where you have lost it and an honest person finds it.
FMD Android is NOT designed to protect you against the device being taken against your will (theft, seizure by the authorities, etc.). FMD might help you to lock and/or wipe the device -- if you are fast enough to send the commands. But a malicious thief can shut down your phone or put it in a Faraday cage, thus preventing all remote communication.
With great power comes great responsibility
In order to control your device, FMD requires a high level of access. The broad range of commands comes with a broad range of permissions. FMD is only an app, but in some sense it "extends the operating system" by adding the functionality of controlling your device.
This power comes with responsibility.
FMD effectively becomes an additional gateway into your device (by design!). By granting the FMD Android app certain permissions, you are granting these permissions to anyone who can cause (or trick) the FMD Android app into doing something.
This is why access control and authentication are critically important in FMD. Most access control happens on a per-transport-channel basis, so see their sections below.
It is also important that you trust FMD to only do what it claims to do and not to abuse its access. FMD's code is open source under a free license; you are encouraged to take a look and verify what it does. You can even modify it to your needs, for example to completely remove code for features you don't need, thereby reducing the attack surface.
Commands
For each command, FMD Android shows you which permissions are required or optional. Only grant the permissions for the commands you intend to use! Android's permission system limits what the operating system allows the FMD Android app to do, which is a strong line of defence.
Due to Android limitations, some permissions are coupled. Device lock and factory-reset are grouped under Device Admin. Therefore, the delete command needs to be explicitly enabled in FMD's settings, too.
The delete command also requires the PIN, even when sent over a non-PIN transport channel. Currently the same PIN is used as for normal authentication; it is not yet possible to set a separate "delete PIN". Please follow this issue.
For historical reasons, it is called a "PIN", but it can be any alphanumeric passphrase. However, it should not contain spaces, as this may confuse the parser.
Transport channels
When choosing a transport channel, ask yourself whether it is sufficiently secure for your personal threat model. Who can send commands to your device? Who can read the responses? This section gives an overview of what you might consider.
SMS
In FMD Android, you can use SMS either via allowlisting certain phone numbers, or by including a PIN in the message. When a PIN is included, the sending number is temporarily allowlisted (for 10 minutes).
Phone number spoofing may be possible, depending on what area you are in and what carrier and phone you are using. 5G is more secure than 2G or 3G.
The PIN may be brute-forced. You need to choose a PIN that is strong enough not to be guessed, but memorable enough that you still remember it in the high-stress situation of losing your device.
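To make the access-control rules from the Commands and SMS sections concrete, here is an added example (not FMD's own code): a constructed model of the decision a transport channel has to make for each incoming command. It assumes hypothetical names (`CommandGate`, `authorize`) and a 10-minute temporary allowlist as described above; the PIN is compared in constant time so timing does not reveal partial matches.

```python
import hmac
from typing import Dict, Optional, Set, Tuple

# Constructed model, not FMD's code: a PIN-authenticated sender stays
# allowlisted for 10 minutes, mirroring the SMS behaviour described above.
PIN_WINDOW_SECONDS = 10 * 60


class CommandGate:
    """Decides whether one incoming command may be executed (hypothetical)."""

    def __init__(self, pin: str, allowlist: Set[str], delete_enabled: bool):
        if " " in pin:
            # the docs warn that spaces in the PIN may confuse the parser
            raise ValueError("PIN must not contain spaces")
        self.pin = pin
        self.allowlist = set(allowlist)             # permanently trusted senders
        self.delete_enabled = delete_enabled        # separate opt-in for 'delete'
        self.temp_allow: Dict[str, float] = {}      # sender -> expiry timestamp

    def _pin_ok(self, candidate: Optional[str]) -> bool:
        # constant-time comparison: no early exit on the first wrong character
        return candidate is not None and hmac.compare_digest(
            candidate.encode(), self.pin.encode()
        )

    def authorize(self, sender: str, command: str,
                  pin: Optional[str], now: float) -> Tuple[bool, str]:
        """Return (allowed, reason); the reason is what a transparency log would record."""
        if self._pin_ok(pin):
            # valid PIN: trust this sender for the next 10 minutes
            self.temp_allow[sender] = now + PIN_WINDOW_SECONDS
            trusted = True
        else:
            trusted = sender in self.allowlist or self.temp_allow.get(sender, 0.0) > now
        if not trusted:
            return False, "sender not allowlisted and no valid PIN"
        if command == "delete":
            # 'delete' must be enabled explicitly and always needs the PIN,
            # even from a permanently allowlisted sender
            if not self.delete_enabled:
                return False, "delete disabled in settings"
            if not self._pin_ok(pin):
                return False, "delete always requires the PIN"
        return True, "ok"
```

Note that an allowlisted number alone can locate or ring the device but never wipe it; whoever controls that number still needs the PIN for `delete`.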
Notification reply
Notification Reply only has PIN-based access. Thus the same considerations as with PIN over SMS apply.
Additionally, FMD Android currently has no way to limit notification reply to specific applications (e.g., allow Signal but not email). That is, commands may reach FMD Android through any app on your device that posts a notification to the system notification tray.
FMD Server
See the dedicated FMD Server security docs.
Transparency
FMD Android gives the user information about what the app is doing:
- Notifications: FMD Android shows notifications of the form "Command 'fmd locate' was executed by +49 152 28817386".
- Logging: FMD Android has logging that shows when, which, and why commands are executed. The logs can be viewed in the app and can be exported for analysis.