Motivation and design principle underlying the configurable
Hardware Pseudo-Random Number Generator (HW PRNG)
An Hardware Pseudo-Random Number Generator (HW PRNG) commonly employed for cryptographic and other security-related applications is potentially much safer than a Software Pseudo-Random Number Generator (SW PRNG), as the entropy is gathered from a physical process embedded in hardware, therefore it is usually very desirable to have such a feature, as provided by the chipset manufacturer.
However, many people are concerned with the fact that an Hardware PRNG (as well as Hardware Cryptographic Algorithms) can be defective by design (e.g. it might contain weaknesses deliberately introduced to aid SIGINT operations carried out by foreign intelligence agencies or by corporates) or by mistake: consider that if there is a fault in hardware it cannot be fixed, at the most it can only be weakly "mitigated" in software and that rarely happens.
On the other hand, with an open-source Software PRNG, deliberate or unintentional weaknesses can usually be spotted in a timely manner and fixed at anytime by anyone (including the end-user, if he/she is skilled enough), although the PRNG itself might provide less entropy than its hardware counterpart.
Always consider that the distribution unfortunately contains some closed-source software libraries by the chipset manufacturer, because they have not been released as open-source and therefore cannot be updated, inspected and rebuilt independently, so that is probably a much weaker point, although the custom SELinux policy (not enforced in the original firmware by the phone manufacturer) might be able to contain most risky attack vectors arising from weaknesses in those libraries.
Hardware cryptographic algorithms have been completely disabled (with the only exception of the short-range physical layer 3GPP cryptography to the local radio Base Transceiver Station (BTS), which cannot be disabled). They only consisted of hardware implementations of algorithms invented or patented by others.
The Android 4.4.4 "KitKat" OS hardened binary distribution for the Sony Xperia E3 (D2203, D2206, D2243, D2202) devices is available here: Android 4.4.4 KitKat hardened binary distribution
Android is Copyright (C) 2007-2024 by the Android Open Source Project
and is a trademark of Google Inc.
Xperia is a trademark of Sony Mobile Communications Inc.
Copyright © 2007-2024 Guido Trentalancia. All rights reserved.