Device security is a top priority at Mason. We closely follow the security standards and protocols developed for the Android operating system. We have taken the following actions to ensure our devices can safely exist within any network eco-system.
SELinux Properly Configured
SELinux is a security architecture for Linux that allows for fine controls over who can access the system. Access control polices are defined for all Mason apps and process that strictly define their access. This ensure a service or device process could never go rouge and access files or memory outside the policy.
Android Verified Boot Enabled
The verified boot process ensure the integrity of the device and that all code execution comes from a trusted source. Verified boot establishes a full chain of trust, starting from a hardware-protected root of trust to the bootloader, to the boot and system partitions.
Locked Bootloader & Signed OS Protection
The bootloader on all Mason devices has been locked preventing other distributions of Android from being installed over top of MasonOS. The MasonOS has a cryptographic signature that gets verified on every boot before the OS is allowed to start. This ensures that only system that is allowed to boot are ones that have been built and signed by Mason.
Mason devices take two different approaches to device storage encryption. The difference maker is the generation of the device.
Android 7 & Android 8
Uses FD (Full Disk) encryption. With FD encryption all partitions on the device are encrypted until unlock by the OS once fully booted. The encryption algorithm is 128 Advanced Encryption Standard (AES) with cipher-block chaining (CBC) and ESSIV:SHA256. The master key is encrypted with 128-bit AES via calls to the OpenSSL library
Uses FB (File Based) encryption. With FB encryption, individual files and directories can be encrypted but allows for unencrypted files and directories to exist alongside. This enabled application and system developers to decided what needs to be protected. The encryption algorithm is AES-256 in XTS mode for file content encryption and AES-256 in CBC-CTS mode for file name encryption.
Storage encryption can be verified to be active on the device in two ways:
Settings → Security → Encryption & Credentials
“Encrypt Phone” should say “Encrypted”
“Storage type” should say “Hardware backed”
adb shell getprop | grep crypto
No External Ports Open
MasonOS devices close all non-standard ports, and does not identify to port scans run on a network.
No Unnecessary Applications Installed
MasonOS is designed to be the slimmest install of Android possible. The system comes pre-installed with the bare minimum of system services and applications installed. There is no OEM bloatware or social apps baked into the OS.
Privilege Separation in Mason SDK
MasonOS gives application developers hooks into system controls not exposed in traditional Android devices through the Mason SDK. Each Mason SDK services has it’s own SELinux policy that isolates the feature to the most narrow scope of access it needs to complete.
Passes all Google Compatibility Test Suite(CTS) Security Tests
CTS is a collection of device and software tests developed by google to ensure a high standard of quality could be guaranteed for any device that wants to ship with Google product pre-installed. Even through MasonOS does not ship with support for Google, we still hold ourselves to the same standard. All of our devices pass CTS security checks. These tests include ensuring that the OS permission system works, and that cryptographic signature verification is fast and accurate.
Mason Server-side API Security Facets
Encryption in transit for all API requests/responses over HTTPS
Encryption at rest for persistence layers
Scope-based authorization model which limits actions that can be taken by caller based on scopes provisioned on the respective user-context/API-key