As far as I am aware, GrapheneOS is missing an application for finding a device. Google's Find My Device service does not work on GrapheneOS, and basically I would like something that enables me (and only me) to track down my device in case it is lost or stolen. This means the data should be encrypted and ideally it should be possible to host it on my own server. And of course, the app should be open source.
I am absolutely aware that tracking applications are problematic, however having an option to track down your mobile phone (if lost or stolen), ring it, factory reset it, etc., is a very useful one, especially if you have complete control of your data.
So I found the app Find My Device (FMD), which enables all of that. There are some problems that I am not sure are bugs or just things I am unable to solve, but I prepared a short explanation of how to put everything together.
First, we will set up our own FMD server, then we will install the app on the phone and finally we will connect the app with our server.
Setting up the FMD server
Let's create a folder and hand it to the user with UID 1000 (the documentation states that the server process inside the container runs as UID 1000, so the bind-mounted data directory must be owned by that UID on the host; here matej has UID 1000):
sudo mkdir /opt/fmd
cd /opt/fmd/
sudo chown -R matej:matej .
Let's create a Docker compose configuration file (nano fmd-docker-compose.yml):
version: '3'
services:
  fmd:
    build: https://gitlab.com/Nulide/findmydeviceserver.git#v0.5.0
    container_name: fmd
    ports:
      - 127.0.0.1:8090:8090
    volumes:
      - './data:/fmd/objectbox/'
      - './data/config.yml:/fmd/config.yml'
    restart: unless-stopped
The web server in Docker will listen on TCP port 8090. The port mapping binds it to 127.0.0.1 only, so the plain-HTTP port is reachable just from the host itself; TLS is terminated by the Nginx reverse proxy set up later in this post (the PortSecure port from the config below is therefore never exposed).
Let's create a subfolder and save the FMD server settings in it:
mkdir data
nano data/config.yml
Configuration:
# Config file for FMD Server
# The ports FMD Server should listen on
PortSecure: 8493
PortInsecure: 8090
# The length for the user IDs that are generated
UserIdLength: 5
# How many location points or pictures FMD Server should save per account
MaxSavedLoc: 1000
MaxSavedPic: 10
# If RegistrationToken is non-empty, FMD Server will require the FMD app to provide this token during registration.
# Set this to a long random string if you want your instance to be private and not open to registrations by anyone.
# You can e.g. generate a 32 character string with your password manager.
RegistrationToken: "xXxXxXxXxXxX"
If we want the FMD server to be private (so that it cannot be used by anyone), we create a registration token and save it in the configuration file (above). The token sits inside a double-quoted YAML string, so it should not contain `"` or `\`; the simplest way is to restrict it to letters and digits (32 alphanumeric characters still give roughly 190 bits of entropy). It can be created with the command (in the example below it is 32 characters long):
tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32; echo
We start the server with Docker compose:
sudo docker-compose -f fmd-docker-compose.yml up -d
Let's check if the Docker container is running (sudo docker ps):
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8270887c82e9 fmd_fmd "/fmd/server" 41 seconds ago Up 40 seconds 8080/tcp, 127.0.0.1:8090->8090/tcp fmd
If we want, we can also look at the log records with the sudo docker logs fmd command:
Init: FMD-Data directory: /fmd/
Init: Loading Config...
Init: Loading database
Note: the loaded ObjectBox C library should be updated.
Found ObjectBox version 0.21.0, but the minimum recommended version is 0.18.1.
DB: Migrating datatabase ...
DB: DB version: 2
DB: Migration finished
FMD Server v0.5.0
Starting Server
Port: 8090 (insecure) 8493 (secure)
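As an added example (not part of the original post or of the FMD project), the server-side preparation above as a small script: it generates a YAML-safe registration token, writes data/config.yml with the same values as in this post, restricts the file to its owner, and checks the result before docker-compose is started. The target directory argument, the script name prepare-fmd.sh and the check functions are my own additions; the compose file stays as shown above.

```shell
#!/bin/sh
# Added example, not from the original post or the FMD project.
# Prepares <dir>/data/config.yml with a random registration token and
# checks it before the container is started.
# Usage: sh prepare-fmd.sh /opt/fmd
set -eu

# 32 random letters/digits from /dev/urandom (~190 bits of entropy).
# Alphanumerics only, so the token is safe inside the double-quoted YAML
# string: nothing in it needs escaping (no '"' or '\').
gen_token() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Reject tokens that are short or contain characters outside [A-Za-z0-9].
check_token() {
  token="$1"
  [ "${#token}" -ge 32 ] || return 1
  case "$token" in
    *[!A-Za-z0-9]*) return 1 ;;
  esac
}

# Render data/config.yml under $1 with the values used in the post.
write_config() {
  dir="$1"
  token="$2"
  mkdir -p "$dir/data"
  cat >"$dir/data/config.yml" <<EOF
# Config file for FMD Server
# The ports FMD Server should listen on
PortSecure: 8493
PortInsecure: 8090
# The length for the user IDs that are generated
UserIdLength: 5
# How many location points or pictures FMD Server should save per account
MaxSavedLoc: 1000
MaxSavedPic: 10
# Registration is only possible for clients that know this token.
RegistrationToken: "$token"
EOF
  # The token is a secret: readable by the owner only.
  chmod 600 "$dir/data/config.yml"
}

# Sanity checks before 'docker-compose up': the token made it into the file
# unchanged, and the insecure port matches the compose port mapping (8090).
check_config() {
  file="$1"
  token="$2"
  grep -q "^RegistrationToken: \"$token\"\$" "$file" || return 1
  grep -q '^PortInsecure: 8090$' "$file" || return 1
}

main() {
  dir="${1:-/opt/fmd}"
  token=$(gen_token)
  check_token "$token"
  write_config "$dir" "$token"
  check_config "$dir/data/config.yml" "$token"
  echo "Wrote $dir/data/config.yml; registration token: $token"
}

# Run main only when executed as the script itself, not when sourced.
case "$0" in
  *prepare-fmd.sh) main "$@" ;;
esac
```

The token printed at the end is what the FMD app asks for during registration, so keep it somewhere safe; it is not needed again once the device is registered.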
Putting the FMD server online
If we are using Nginx, prepare the Nginx configuration file (sudo nano /etc/nginx/sites-enabled/default):
## FMD.MYSERVER.SI
#######################
# HTTPS server
# Certbot (Nginx plugin, run below) adds the "listen 443 ssl" and
# ssl_certificate directives to this block.
server {
    server_name fmd.myserver.si;
    client_max_body_size 20M;
    error_log /var/log/nginx/fmd-server.error;
    location / {
        proxy_pass http://127.0.0.1:8090;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# HTTP server: redirect everything to HTTPS
server {
    if ($host = fmd.myserver.si) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name fmd.myserver.si;
    return 404;
}
Check that the configuration is error-free:
sudo nginx -t
Then restart the Nginx web server:
sudo service nginx restart
Now we enter the domain in DNS and then run Certbot to obtain the HTTPS certificate (choose the Nginx plugin when asked; it adds the listen 443 ssl and certificate directives to the server block above):
sudo certbot -d fmd.myserver.si -m matej@myserver.si
Finally, we restart Nginx once more, and the server should now be working:
sudo service nginx restart
FMD server is now online.
Installing the application on the phone
The Find My Device (FMD) application is installed on the phone via F-Droid.
After installation, the FMD application must first be given its permissions. There are quite a few of them; some are mandatory and some are not, but without the optional ones the application will work in a reduced way.
However, there is one permission that has to be granted from a computer. FMD can automatically turn location services on when you trigger a fmd locate command, and turn them off again afterwards. This requires the special WRITE_SECURE_SETTINGS permission, which an app cannot request for itself; it is granted over ADB.
So you need adb installed on your computer and USB debugging enabled on the phone (Developer options); then run adb devices. You will see:
List of devices attached
xxxxxxxxxxxxxx device
If the state shown is unauthorized instead of device, accept the USB debugging prompt on the phone first. Then run:
adb shell pm grant de.nulide.findmydevice android.permission.WRITE_SECURE_SETTINGS
and that is it.
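The same step as a script, added here as an example (not from the original post or the FMD project): it grants the permission only when exactly one authorized device is attached, and afterwards checks that the package really reports the permission as granted. The package and permission names are the ones from the post; the script name grant-fmd.sh and the dumpsys line format ("<permission>: granted=true") are my assumptions about adb's output.

```shell
#!/bin/sh
# Added example, not from the original post or the FMD project.
# Grants WRITE_SECURE_SETTINGS to FMD on exactly one attached phone and
# verifies the grant. Usage: sh grant-fmd.sh
set -eu

PKG=de.nulide.findmydevice
PERM=android.permission.WRITE_SECURE_SETTINGS

# Read 'adb devices' output on stdin and print the serials in state
# "device". A phone whose USB-debugging prompt was not accepted shows up
# as "unauthorized" and is skipped, as are "offline" entries.
ready_devices() {
  awk 'NR > 1 && NF == 2 && $2 == "device" { print $1 }'
}

# Number of non-empty lines on stdin (prints 0 when there are none).
count_lines() {
  grep -c . || true
}

# Grant the permission on one device (adb -s avoids the "more than one
# device" error) and check that the package now reports it as granted.
grant_and_verify() {
  serial="$1"
  adb -s "$serial" shell pm grant "$PKG" "$PERM"
  # Assumption: dumpsys lists permissions as "<name>: granted=true".
  adb -s "$serial" shell dumpsys package "$PKG" \
    | grep -q "$PERM: granted=true"
}

main() {
  serials=$(adb devices | ready_devices)
  n=$(printf '%s\n' "$serials" | count_lines)
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one authorized device, found $n" >&2
    echo "(enable USB debugging and accept the prompt on the phone)" >&2
    exit 1
  fi
  grant_and_verify "$serials"
  echo "$PERM granted to $PKG on $serials"
}

# Run main only when executed as the script itself, not when sourced.
case "$0" in
  *grant-fmd.sh) main "$@" ;;
esac
```

If the final grep fails, the pm grant did not take effect (typically a mistyped package name, which pm reports on stderr), so rerun it rather than assuming FMD will be able to toggle location services.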
Installing push notification software
FMD uses UnifiedPush to receive push notifications. No sensitive data is sent in push notifications; they are only used to wake up FMD. The recommended distributor is ntfy, however I installed UP-FCM Distributor from the Google Play Store (I know, I am guilty. But in my defence, it is just temporary, for testing).
After installing a push distributor app, remove FMD from the "Recent Apps" switcher by swiping it away, and then reopen it. This forces FMD to retry registering itself with the distributor.
Connecting the app and server
Now open the FMD app again, go to Settings and enter the server's URL (I think it should be without a trailing slash; there was a bug around this, and I am not sure whether it is fixed or not). It will ask for the Registration Token (from the FMD server's config) and then you will have to set your password. This is the password that will be used to unlock your data on your FMD server. You will also see the device's ID (for instance 6Wagh), and that is it.
Then you go to your server (https://fmd.myserver.si), enter your ID and your password, and you can see your location data, take a picture with the camera, etc.
You can also set up trusted contacts that will be able to send your device SMS commands (fmd locate, fmd ring, fmd camera, etc.) and receive the answers back via SMS. Useful if the device has lost its data connection (but still has at least access to a 2G network).
The problems (of course)
The app looks really nice, however I would really like to see a security review of it. Anyway, I found one big problem. When my telephone is not active (it is powered on, but I leave it on the table and the screen is locked), FMD is not sending data to my server, and the server also cannot send queries (for location, camera, etc.) to the phone.
However, when I unlock the screen, those queries (finally) come through and I get an update of the location (and a picture from the camera), etc.
On the other hand, if I send an SMS, I get a response, but only back via SMS. The server cannot communicate with the phone (meaning I cannot take a picture with the camera and send it to the server until the screen is unlocked).
I tried enabling Exploit protection compatibility mode, but it is still not working. I also did this for the gCompat UP-Distributor, and it is still the same.
I guess I will need to try some more debugging, but I hope someone else finds this post useful, and maybe proposes a possible solution.