Running LaTeX, Python and more in an Android Phone

Because you want to travel without your laptop

If you are an open source enthusiast, you have a problem when you travel without a laptop. This is one situation where you are at a serious disadvantage compared to somebody who uses Microsoft Office (Word, Excel and PowerPoint) or Google’s G Suite (Google Docs, Sheets and Slides). Even while travelling, MS Office users can use a mobile App to correct a spelling mistake in Word or PowerPoint or change some parameters in an Excel spreadsheet. If they need more serious work, they would often be able to borrow a laptop from whoever they are visiting and be almost sure that MS Office is already installed on that machine.

However, you have no such luck with correcting your LaTeX/Beamer presentation or editing your Python code. There are no mobile Apps for LaTeX. There are Apps for Python (QPython, for example), but using them without access to your other development tools can be very tortuous. Your friends might be happy to lend their laptops, but they would probably not have LaTeX and Python installed. The only solution appears to be to carry your laptop with you all the time.

But there is a better solution if you have a decent Android smartphone (say 4GB of spare storage space, reasonably powerful processor and say 2GB or more of RAM). You can turn your phone into a miniature version of your laptop by installing a desktop Linux distribution inside your Android phone and then installing all your favourite open source software inside that. It is true that every Android phone is already running Linux, but that is just the Linux kernel on top of which runs the Android operating system. What we want to do is to take the same Linux kernel and run a standard desktop Linux operating system on top of that. In other words, we want all the Linux system administration tools and our preferred application software running on Android’s Linux kernel: we want the GNU tools, LaTeX, Python and lots of other things.

Thankfully, there is an Android App called GNURoot Debian which makes all this possible: it installs a fully functional Debian (Jessie) Linux system right inside your phone. Most importantly, it does not need a rooted phone to work.

Identifying and installing the desired software

The first step is to install the Android Apps that you need. In addition to GNURoot Debian itself, you also need the Hacker Keyboard: you are going to be using the command line terminal a lot and to do that effectively you need arrow keys, control keys and function keys. The Hacker Keyboard gives you all that you want, and to my knowledge there is no other keyboard that provides all this. Just in case you are wondering, both GNURoot Debian and Hacker Keyboard are open source projects.

My work requires LaTeX and the full SciPy Stack (a collection of open source software for scientific computing in Python that includes Numpy, Scipy, Matplotlib, and Pandas). Most of my computations happen in Python and I use Pweave to include Python output into my LaTeX files automatically. In addition, as explained later, I find it useful to run a Jupyter notebook (or its older version, the ipython notebook) on the phone.

After installing GNURoot Debian, I opened the App, switched to the Hacker Keyboard, and ran the following commands in the Debian command terminal to install the Linux software that I needed. You may be interested in a different set of software, but you will observe that the standard installation methods work, and you could install your favourite software the same way.

    apt-get update
    apt-get upgrade
    dpkg-reconfigure tzdata
    apt-get install man-db nano  build-essential
    apt-get install python3  python3-scipy python3-matplotlib python3-pandas python3-jedi
    apt-get install python3-pip ipython3 ipython3-notebook 
    apt-get install texlive
    apt-get install fonts-noto emacs  pandoc pdftk aspell aspell-en

    # pip install of Pweave fails in Python 3 (http://mpastell.com/pweave/#install-and-quickstart) 
    # so we install from source
    apt-get install curl
    url=https://pypi.python.org/packages/f6/2f
    url+=/e9735b04747ae5ef29d64e0b215fb0e11f1c89826097ac17342efebbbb84
    url+=/Pweave-0.25.tar.gz#md5=d406395ee4a578c30ad498426402b8e6
    curl $url > Pweave-0.25.tar.gz
    tar -xvf Pweave-0.25.tar.gz
    cd Pweave-0.25
    python3 setup.py install
    cd ..
    # clean up 
    rm -r Pweave-0.25
    rm Pweave-0.25.tar.gz

Transferring files in and out

The Debian Linux is like an island inside the phone: the file system (/home or /usr) is all contained in the private data storage space of GNURoot Debian and is not accessible to other Apps. Nor are these folders visible to your PC when you connect your phone to it using a USB connection. So we need to build bridges from this island to other Android Apps, to our PCs and to the cloud so that we can conveniently transfer stuff into and out of it. Since folders in the internal storage of the phone are accessible to all Apps and also to the PC over a USB connection, I created a folder mydebian in internal storage using the File Manager in the phone. GNURoot Debian mounts the internal storage as /sdcard and so this new folder will appear inside Debian Linux as /sdcard/mydebian. I also created a convenient symlink /j to this folder:

    # create a short symlink to a folder accessible to other applications
    ln -s /sdcard/mydebian /j

Now I can use my preferred Android text editor App to edit LaTeX or Python source files in the mydebian folder and access them inside Debian Linux in the /j folder. Running pdflatex on a .tex file in /j will produce a PDF file in the same folder and I can use standard Android Apps to view the PDF files. The same is true of image files produced by running Python code. This setup also makes it easy to transfer files to and from the cloud or a computer. For example, I can now copy all my tex style files to mydebian/texmf using a USB connection or through the cloud. Then, in the Debian terminal, I can either copy /j/texmf to /home/texmf or make LaTeX find my style files directly from /j/texmf with the following command:

    # this did not work: tlmgr conf texmf TEXMFHOME  "/j/texmf"
    # so we do it using .bashrc (appending, so existing settings are kept)
    echo "export TEXMFHOME=/j/texmf" >> ~/.bashrc

I usually copy LaTeX and Python source files from my PC to the mydebian folder on the phone through a USB connection or through the cloud. In the latter case, the files are encrypted using GPG and are decrypted on the phone using the OpenKeychain Android App. The decrypted files are also placed in the mydebian folder in internal storage. Therefore, most of the time when I am running Debian Linux, I am in the /j folder; it plays the role that is normally played by my home folder in standard Linux. There is however one thing you cannot do in this folder: if you create a shell script or a Python file inside /j and try to make it executable in order to run it directly, you will find that it does not work. If you issue a chmod +x command, it would not produce any error message, but the file would not actually become executable. The reason is that Android mounts the storage card with the noexec option, which denies execute permission to any file here. If you want to create an executable file, you will first have to copy it to a folder somewhere else (for example, inside /home or /usr) and then use chmod to make it executable.

Graphic Interface: notebook servers and web servers

GNURoot Debian can also run a graphical environment (X windows) using a VNC server. But I do not use this because it is slow and is more suited for tablets than for phones. Instead, I use native Android Apps when I need a graphical environment.

For editing and running Python code, I find the ipython notebook server most useful. In the Linux terminal, I cd to a suitable folder and run the command ipython3 notebook to start the notebook server. Then I can go to the browser in the phone and point it to localhost:8888 to connect to this server. I can write Python code in this notebook and run it. Plots produced by matplotlib also display in the browser if I add the line %matplotlib inline at the beginning of the code.

Many times, even when I am travelling, I can get access to a Windows PC. Much of the software on the Windows PC is totally useless for me, but the web browser is quite valuable. The Chrome web browser has the same look and feel on Linux, Windows and Android. When I use Chrome on a Windows PC, I can forget that it is a Windows PC. What is interesting is that the browser can connect not only to the world wide web but also to the Debian Linux running on my phone provided I run a server there. Most commonly, I connect to the ipython3 notebook mentioned above. For example, I can walk into a classroom or conference hall anywhere, connect my mobile to the instructor’s or presenter’s laptop, run the browser in that laptop and connect to ipython3 notebook server in my mobile. The Python code and its output now appear on the projection screen for all to see. I do not even need to touch the mobile as everything is controlled from the laptop.

There are many ways to connect the mobile to the laptop. I can use a USB cable and use USB tethering to make the mobile accessible from the browser. Alternatively, I can create a WiFi hotspot in my phone and connect the laptop to this hotspot. In both cases, the server has to be made visible to the local network. This requires adding the switch --ip=* while starting the server: ipython3 notebook --ip=*. Also, we then need to know the IP address of the phone; the command hostname -I in the Debian terminal gives the IP address of the phone (say 192.168.1.100). Then the Chrome browser in the laptop has to be pointed to 192.168.1.100:8888. A third (more risky) way of creating the network connection can be used if the laptop is connected to a WiFi network. I can connect the phone to the same network instead of setting up a hotspot on the phone and connecting the laptop to it. Either way, the laptop and the phone need to be on the same network for the connection to be possible. Needless to say, exposing the notebook server to a large WiFi network can be a serious security risk (the whole point of the IPython notebook is arbitrary code execution), and I would recommend this only under exceptional circumstances.
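One way to narrow the exposure described above is to bind the notebook server to the single tethering or hotspot address instead of --ip=*. The sketch below is an added example, not part of the original post; the function names, the sample hostname -I output and the 192.168.1.0/24 subnet are assumptions chosen to match the address used in the text.

```python
import ipaddress
import shlex

# Constructed sample of `hostname -I` output on the phone: a mobile-data
# address, the hotspot/tether address and an IPv6 address.
SAMPLE_HOSTNAME_I = "10.87.14.3 192.168.1.100 2001:db8::1"


def choose_bind_address(hostname_i_output, tether_net):
    """Return the single local address that lies inside tether_net.

    Raises ValueError when no address or more than one address matches,
    so the server is never started on an interface nobody chose.
    """
    net = ipaddress.ip_network(tether_net, strict=True)
    matches = []
    for token in hostname_i_output.split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # ignore anything that is not an IP address
        if addr.version == net.version and addr in net and not addr.is_loopback:
            matches.append(addr)
    if len(matches) != 1:
        raise ValueError("expected exactly one address in %s, found %d"
                         % (net, len(matches)))
    return str(matches[0])


def notebook_command(bind_addr, port=8888):
    """Build the launch command with an explicit address instead of --ip=*."""
    ip = ipaddress.ip_address(bind_addr)
    if ip.is_unspecified:
        raise ValueError("refusing wildcard address %s" % bind_addr)
    argv = ["ipython3", "notebook", "--ip=%s" % ip, "--port=%d" % port,
            "--no-browser"]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    addr = choose_bind_address(SAMPLE_HOSTNAME_I, "192.168.1.0/24")
    print(notebook_command(addr))
```

Binding to one address only limits which interface listens; it does not authenticate clients, so a notebook password (c.NotebookApp.password, with the hash generated by IPython.lib.passwd()) is still needed on any shared network.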

In some situations, it can be useful to run a web server on the phone and connect to that instead of to the notebook server. I find the lightweight web server lighttpd attractive for this. I install and run it as follows:

    # install lighttpd
    apt-get install lighttpd
    # configure it suitably (this would probably require a separate tutorial)
    nano /etc/lighttpd/lighttpd.conf
    # run the web server only when required
    /etc/init.d/lighttpd stop
    update-rc.d -f lighttpd remove
    lighttpd -D -f /etc/lighttpd/lighttpd.conf

At some point, I might run an ssh server or an ftp server on the phone as well, though I have not felt the need for that yet.

Conclusion

A phone with spare storage space, reasonably powerful processor and decent RAM is a more powerful computer than the mainframe computers of my student days. If I install the right software, it is perfectly capable of running most of the programs that I might need while travelling, and I can avoid carrying my laptop all the time.

With all the programs that I have installed GNURoot Debian takes up about 4GB of space in the internal storage. Since (a) GNURoot Debian runs directly on the Android kernel and (b) I do not use any graphic environment in Linux, the RAM usage is quite low (it typically uses less RAM than the GMail or Dropbox Apps and only a tiny fraction of what the Chrome browser uses). Compared to my Intel i7 powered laptop with 8GB of RAM, the phone is quite slow in running computationally intensive tasks. But I have found the setup quite usable on budget phones like the Moto G4 Plus and the Moto G5 Plus.

Note for Geeks

This note is for those who are wondering how all this works without rooting the phone though normally only root can install software. Yes, it is a lot easier to install a Linux distribution in a rooted phone, but GNURoot Debian is able to pull this off on a non-rooted phone. It uses a tool called PRoot that allows non-root users to run almost any Linux command in a jailed shell environment. Inside this jail, you appear to have all the capabilities of root. For example, you seem to be able to install new programs and create files in any folder. PRoot makes you think that you are writing to /usr/bin, but you are actually writing to something like /home/me/jailed_root/usr/bin. Technically, PRoot is a user space implementation of chroot; it uses the ptrace system call that allows one program (for example, a debugger) to run another program under its control, intercepting all its system calls. When you try to write to /usr/bin, PRoot (via ptrace) intercepts that call and converts it into a write to a folder inside the jailed environment, say /home/me/jailed_root/usr/bin.

Why Aadhaar transaction authentication is like signing a blank paper

Using Aadhaar (India’s biometric authentication system) to verify a person’s identity is relatively secure, but using it to authenticate a transaction is extremely problematic. Every other form of authentication is bound to a specific transaction: I sign a document, I put my thumb impression to a document, I digitally sign a document (or message as the cryptographers prefer to call it). In Aadhaar, I put my thumb (or other finger) on a finger print reading device, and not on the document that I am authenticating. How can anybody establish what I intended to authenticate, and what the service provider intended me to authenticate? Aadhaar authentication ignores the fundamental tenet of authentication that a transaction authentication must be inseparably bound to the document or transaction that it is authenticating. Therefore using Aadhaar to authenticate a transaction is like signing a blank sheet of paper on which the other party can write whatever it wants.

All this was brought home to me when I bought a new SIM card recently and was asked to authenticate myself with a finger print. The employee of the telecom company told me that there was a problem and I needed to try again. Being a little suspicious, I stretched forward and twisted my neck to peep at the computer screen in front of the employee (this screen would otherwise not have been visible to me). My suspicion was allayed on seeing an error message on the screen and I tried again only to get the same error message. After three attempts, the employee suggested that I come again the next day. Back home, I saw three emails from UIDAI (Unique Identification Authority of India) stating “Your Aadhaar number ___ was used successfully to carry out e-KYC Authentication using ‘Fingerprint’ on ___ at ___ Hrs at a device deployed by ___.” Note the word successfully.

That is when I realized that the error message that I saw on the employee’s screen was not coming from the Aadhaar system, but from the telecom company’s software. That is a huge problem. This conclusion was corroborated the next day when after one more error message, I found that the employee had left one field in the form partially filled and the error message disappeared when that was corrected.

Let us think about why this is a HUGE problem. Very few people would bother to go through the bodily contortion required to read a screen whose back is turned towards them. An unscrupulous employee could simply get me to authenticate the finger print once again though there was no error and use the second authentication to allot a second SIM card in my name. He could then give me the first SIM card and hand over the second SIM to a terrorist. When that terrorist is finally caught, the SIM that he was using would be traced back to me and my life would be utterly and completely ruined.

Actually, even my precaution of trying to read the employee’s screen is completely pointless. The screen is not an inseparable part of the finger print reader. On the contrary, the fingerprint reader is attached by a flimsy cable to a computer (which is out of view) and the screen is purportedly attached to the same computer. It is very easy to attach the fingerprint reader to one computer (from which a malicious transaction is carried out) and attach the screen on the counter to another computer which displays the information that I expect to see.

Another way of looking at the same thing is that a rogue employee of the telecom company could effortlessly execute what is known in computer security as an MitM (Man in the Middle) attack on the communication between me and the Aadhaar system. In fact, I see some analogies between the problem that I am discussing and the MitM attack described by Nethanel Gelernter, Senia Kalma, Bar Magnezi, and Hen Porcilan in their recent paper (h/t Bruce Schneier). Neither I nor the Aadhaar system has any way of detecting or foiling this MitM attack.

I think the whole model is fundamentally broken, and Aadhaar should be used only to verify identities, and not to authenticate transactions. Transaction authentication must happen with a thumb impression, a physical signature, a digital signature or something similar that is inseparably bound to a document.
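The difference between proving presence and approving a specific transaction can be shown with a small model. This is an added example, not part of the original post and not a description of the Aadhaar protocol: an HMAC under a key shared by the user's device and the verifier stands in for the thumb impression or digital signature, and the key, function names and transaction texts are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed demo key shared by the user's signing device and the verifier.
USER_KEY = b"constructed-demo-key-not-a-real-secret"


def unbound_proof(key, nonce):
    """Proves only that the key holder was present; covers no transaction."""
    return hmac.new(key, b"present|" + nonce, hashlib.sha256).digest()


def verify_unbound(key, nonce, proof, transaction):
    # The transaction argument cannot be checked: the proof never covered it.
    return hmac.compare_digest(unbound_proof(key, nonce), proof)


def bound_proof(key, nonce, transaction):
    """Covers the digest of the exact transaction text the user approved."""
    digest = hashlib.sha256(transaction).digest()
    return hmac.new(key, b"approve|" + nonce + digest, hashlib.sha256).digest()


def verify_bound(key, nonce, proof, transaction):
    return hmac.compare_digest(bound_proof(key, nonce, transaction), proof)


def demo():
    """Verifier's view when the intermediary submits text the user never saw."""
    nonce = os.urandom(16)  # fixed length, so nonce + digest is unambiguous
    shown = b"issue 1 SIM to customer A"       # what the user was told
    submitted = b"issue 2 SIMs to customer A"  # what the intermediary sends
    return {
        # Presence-only proof: accepted whatever transaction is attached.
        "unbound_swapped": verify_unbound(
            USER_KEY, nonce, unbound_proof(USER_KEY, nonce), submitted),
        # Bound proof: the swapped transaction no longer verifies.
        "bound_swapped": verify_bound(
            USER_KEY, nonce, bound_proof(USER_KEY, nonce, shown), submitted),
        # Bound proof over the text actually shown verifies as expected.
        "bound_honest": verify_bound(
            USER_KEY, nonce, bound_proof(USER_KEY, nonce, shown), shown),
    }


if __name__ == "__main__":
    print(demo())
```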