  • Find my device - a possible solution

As far as I am aware, GrapheneOS is missing an application for finding a device. Google's Find My Phone is not working on GrapheneOS, and basically I would like something that enables me (and only me) to track down my device in case it is lost or stolen. This means the data should be encrypted and ideally - have a possibility to be hosted on my own server. And of course - the app should be open source.

I am absolutely aware that tracking applications are problematic, however having an option to track down your mobile phone (if lost or stolen), ring it, factory reset it, etc., is a very useful one, especially if you have complete control of your data.

So I found an app, Find My Device, which enables all of that. There are some problems that I am not sure if they are bugs or I am just unable to solve them, but I prepared a short explanation of how to put everything together.

First, we will set up our own FMD server, then we will install the app on the phone and finally, we will connect the app with our server.

Setting up the FMD server

Let's create a folder and set the rights for the user with UID 1000 (the documentation states that Docker should be running as the user with UID 1000):

sudo mkdir /opt/fmd
cd /opt/fmd/
sudo chown -R matej:matej .

Let's create a Docker compose configuration file (`nano fmd-docker-compose.yml`):

version: '3'
services:
    fmd:
        build: https://gitlab.com/Nulide/findmydeviceserver.git#v0.5.0
        container_name: fmd
        ports:
            - 127.0.0.1:8090:8090
        volumes:
            - './data:/fmd/objectbox/'
            - './data/config.yml:/fmd/config.yml'
        restart: unless-stopped

The web server in docker will run on TCP port 8090.

Let's create a subfolder and save the FMD server settings in it:

mkdir data
nano data/config.yml

Configuration:

# Config file for FMD Server
# The ports FMD Server should listen on
PortSecure: 8493
PortInsecure: 8090
# The length for the user IDs that are generated
UserIdLength: 5
# How many location points or pictures FMD Server should save per account
MaxSavedLoc: 1000
MaxSavedPic: 10
# If RegistrationToken is non-empty, FMD Server will require the FMD app to provide this token during registration.
# Set this to a long random string if you want your instance to be private and not open to registrations by anyone.
# You can e.g. generate a 32 character string with your password manager.
RegistrationToken: "xXxXxXxXxXxX"

If we want the FMD server to be private (so that it cannot be used by anyone), we create and save a registration token in the configuration file (above). It can be created with the command (in the example below it is 32 characters long):

tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' </dev/urandom | head -c 32; echo

We start the server with Docker compose:

sudo docker-compose -f fmd-docker-compose.yml up -d

Let's check if the docker container is running (sudo docker ps):

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8270887c82e9 fmd_fmd "/fmd/server" 41 seconds ago Up 40 seconds 8080/tcp, 127.0.0.1:8090->8090/tcp fmd

If we want, we can also look at the log records with the sudo docker logs fmd command:

Init: FMD-Data directory:  /fmd/
Init: Loading Config...
Init: Loading database
Note: the loaded ObjectBox C library should be updated.
      Found ObjectBox version 0.21.0, but the minimum recommended version is 0.18.1.
DB: Migrating datatabase ...
DB: DB version:  2
DB: Migration finished
FMD Server  v0.5.0
Starting Server
Port: 8090 (insecure) 8493 (secure)

Putting the FMD server online

If we are using Nginx, prepare the Nginx configuration file (sudo nano /etc/nginx/sites-enabled/default):

## FMD.MYSERVER.SI
#######################

# HTTPS server

server {
   server_name fmd.myserver.si;
   client_max_body_size 20M;
   error_log /var/log/nginx/fmd-server.error;

   location / {
     proxy_pass http://127.0.0.1:8090;
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }

}

server {
     if ($host = fmd.myserver.si) {
         return 301 https://$host$request_uri;
     }

     listen 80;
     listen [::]:80;
     server_name fmd.myserver.si;
     return 404;
}

I check that the configuration is error-free:

sudo nginx -t

Then restart the Nginx web server:

sudo service nginx restart

Now we enter the domain in DNS and then run Certbot to get the HTTPS digital certificate:

sudo certbot -d fmd.myserver.si -m matej@myserver.si

Finally, we restart Nginx once more, and the server should now be working:

sudo service nginx restart

FMD server is now online.

Installing the application on the phone

The application Find My Device (FMD) is installed on the phone via F-Droid.

After installation, the Find My Device (FMD) application must first be given the permissions. There are quite a few of them, some are mandatory and some are not, but in the latter case the application will work in a reduced way.

However, there is one permission that should be granted using a computer. FMD can automatically turn Location Services on when you trigger an fmd locate command, and turn it off again afterwards. This requires the special WRITE_SECURE_SETTINGS permission.

So you need to have installed adb on your computer, and then you can issue the command adb devices. You will see:

List of devices attached
xxxxxxxxxxxxxx	device

Then write: adb shell pm grant de.nulide.findmydevice android.permission.WRITE_SECURE_SETTINGS, and that is it.

Installing push notification software

FMD uses UnifiedPush to receive push notifications. No sensitive data is sent in push notifications, they are only used to wake up FMD. The recommended one is ntfy, however I installed UP-FCM Distributor from Google Play Store (I know, I am guilty. But to defend myself, it is just temporary, for testing.).

After installing a push distributor app, remove FMD from the "Recent Apps" switcher by swiping it away, and then reopen it. This forces FMD to retry registering itself with the distributor.

Connecting the app and server

Now open the FMD app again, go to settings and enter the server's URL (I think it should be without a trailing slash; there was a bug around this, and I am not sure if it is fixed or not). It will require the Registration Token (from the FMD server's config) and then you will have to set up your password. This is the password that will be used to unlock your data on your FMD server. You will also see a device ID (for instance 6Wagh), and that is it.

Then you go to your server (https://fmd.myserver.si), enter your ID and your password - and you can see your location data, take a picture with your camera, etc.

You can also set up trusted contacts, who will be able to send your device SMS commands (fmd locate, fmd ring, fmd camera, etc.), and receive answers back by SMS. Useful if the device has lost its data connection (but has at least access to a 2G network).

The problems (of course)

The app looks really nice, however I would really like to see a security review of it. Anyway, I found one big problem. When my telephone is not active (it is powered on, but I leave it on the table and the screen is locked), FMD is not sending data to my server. And the server also cannot send queries (for location or camera, etc.) to the phone.

However, when I unlock the screen, those queries (finally) come through and I get update of location (and picture from camera), etc.

On the other hand, if I send SMS, I get a response. But only back to SMS. Server can not communicate with the phone (meaning, I can not take a picture from camera and send it to server, until screen is unlocked).

I tried to enable Exploit protection compatibility mode, but it is still not working. I also did this for gCompat UP-Distributor, and it is still the same.

I guess I will need to try some more debugging, but I hope someone else finds this post useful, and maybe proposes some possible solution.
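An added example, not part of the original post or of the FMD project: the `tr` command in the post can emit `"` and `\`, which are special inside the double-quoted `RegistrationToken` value in config.yml. The script below generates an alphanumeric token instead and audits a config file before the server is started; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: generate and audit the FMD server RegistrationToken.
# Function names are hypothetical; the config key is the one from config.yml above.

# 32 characters from [A-Za-z0-9], safe inside a double-quoted YAML scalar.
# 48 random bytes give 64 base64 characters; '+', '/', '=' are dropped.
gen_token() {
    head -c 48 /dev/urandom | base64 | tr -d '+/=\n' | cut -c1-32
}

# Print the RegistrationToken value of config file $1 with outer quotes removed.
read_token() {
    sed -n 's/^RegistrationToken:[[:space:]]*//p' "$1" | sed 's/^"\(.*\)"$/\1/'
}

# Return 0 and print "ok" if the token in $1 is usable; otherwise say why, return 1.
check_token() {
    fmd_tok=$(read_token "$1")
    if [ -z "$fmd_tok" ]; then
        echo "empty or missing token: anyone can register on this server"
        return 1
    fi
    if [ "$fmd_tok" = "xXxXxXxXxXxX" ]; then
        echo "placeholder token from the example config is still in place"
        return 1
    fi
    if [ "${#fmd_tok}" -lt 32 ]; then
        echo "token is shorter than 32 characters"
        return 1
    fi
    case $fmd_tok in
        *\"*|*\\*)
            printf '%s\n' 'token contains " or \ (special in a double-quoted YAML value)'
            return 1 ;;
    esac
    echo "ok"
}
```

Source the file, run `gen_token` to get a value for `RegistrationToken`, then run `check_token data/config.yml` before `docker-compose up`.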

    • [deleted]

    Matthai how will you track your device when it's turned off or sim card has been removed?

      Matthai When my telephone is not active (it is powered on, but I leave it on the table and the screen is locked), FMD is not sending data to my server. And the server also cannot send queries (for location or camera, etc.) to the phone.

      What battery-usage options are set for the app?

      OK, I found the problem. UP-FCM Distributor is not working well. However, installing ntfy solved this problem, so do not repeat my mistake. :)

      But also do not forget to set battery usage for ntfy without restrictions.

      Final thoughts

      The app looks really nice, and it is not eating too much battery (about 1%).

      The option to get data through SMS is quite cool too, because if the phone does not have a data connection, you can still track it via the old 2G network. But of course, this option could be quite dangerous, because an attacker could fake the SMS caller ID field and then intercept the response. But then, you can change the fmd command to something else...

      Anyway, nice app, but I would really like to see something like that in GrapheneOS natively. :)

      [deleted]

      Well, I really do not understand whether this is a serious question or not.

      Of course you can not track the device if it is turned off or has the SIM card removed! In that case some kind of "airtag" would help, but then the question is - what if the airtag is removed? :)

      This software definitely does not cover all the scenarios. But it covers some. For instance, when you lose your phone or forget it somewhere. And in some cases it could also help if your phone is stolen. But not in all cases, of course.

      So if some solution does not cover all possible use cases, it is bad?

        • [deleted]

        Matthai it makes sense in case it is lost, not when stolen. When it is lost or misplaced, there are other simpler ways of locating it, for instance by activating the ringer or if location services are active, by periodically or on demand sharing location to the cloud or another device.

          [deleted]
          Yes, but can you activate the ringer with "clean" installation of GOS? If phone is in silent mode?

          This app can do this.

            • [deleted]

            Matthai I apologize for my comment, if I can come up with anything helpful regarding locating your device when it is in AFU, I will chime in.

            3 months later

            Could you add some color around how to configure the ntfy app to work with FMD? Not finding any docs on that bit.