Marketplace "advanced" "copy protection" cracked - General Topics

This is a continuation of this thread: http://forum.xda-developers.com/showthread.php?t=567870, which covered cracking the original "basic" copy protection of Marketplace.
---
I have now cracked the "advanced" copy protection used by Marketplace. As you may know, this is a "better" protection than the original "CAB copy protection" Marketplace offered. This "advanced" protection uses license keys that are verified when you run the application, and given out and controlled by Microsoft.
Several developers are annoyed that Microsoft does not allow us to use our own licensing schemes, and are forced to use "no protection" (the original CAB copy protection) or use Microsoft's scheme which is essentially a single point of failure for all Marketplace protected apps.
This new "advanced" protection was released today by Microsoft, and as far as I know no app available already uses it at the time of this writing.
So I got the code snippets you are supposed to put in your app and it was simply jawdroppingly WTF. While it was not exactly easy to beat, it took me less than two hours to devise a "generic" hack, without modifying any files on the device. (Well hey, at least it's better than the 5 minutes it took for the "basic" protection, right?)
A "generic" hack? Yes, by this I mean that this single hack (actually, running an EXE in the background) will completely bypass the entire code snippet provided by Microsoft that is supposed to check and validate your license code, for all Marketplace apps that use this "advanced" protection.
I will not publish the code that performs this hack, so don't ask. My goal is not to crack Marketplace apps, my goal is to get MS off their ass and allow us to use our own licensing systems, like the good little resellers they're supposed to be. I will tell you that it has to do with runtime patching the crypto API, but that's it. All in all, I don't think it will take long for the warez people to duplicate this hack.
---
Some further reasoning about anti-piracy, solutions, etc can be found in post 13 on page 2.

if there are no apps that use it yet, how do u know your hack works?

Because the Marketplace portal provides code ("code snippet") you have to compile in your EXE, and that takes care of the whole licensing thing.
So you look at that source, spot the weak points, devise a hack. Then compile a program using said "code snippet" and try the hack on it.
If developers simply copy/paste the snippet they are given by the Marketplace portal, this hack will work.

Chainfire said:
This is a continuation of this thread: http://forum.xda-developers.com/showthread.php?t=567870, which covered cracking the original "basic" copy protection of Marketplace.
---
I have now cracked the "advanced" copy protection used by Marketplace. As you may know, this is a "better" protection than the original "CAB copy protection" Marketplace offered. This "advanced" protection uses license keys that are verified when you run the application, and given out and controlled by Microsoft.
Several developers are annoyed that Microsoft does not allow us to use our own licensing schemes, and are forced to use "no protection" (the original CAB copy protection) or use Microsoft's scheme which is essentially a single point of failure for all Marketplace protected apps.
This new "advanced" protection was released today by Microsoft, and as far as I know no app available already uses it at the time of this writing.
So I got the code snippets you are supposed to put in your app and it was simply jawdroppingly WTF. While it was not exactly easy to beat, it took me less than two hours to devise a "generic" hack, without modifying any files on the device. (Well hey, at least it's better than the 5 minutes it took for the "basic" protection, right?)
A "generic" hack? Yes, by this I mean that this single hack (actually, running an EXE in the background) will completely bypass the entire code snippet provided by Microsoft that is supposed to check and validate your license code, for all Marketplace apps that use this "advanced" protection.
I will not publish the code that performs this hack, so don't ask. My goal is not to crack Marketplace apps, my goal is to get MS off their ass and allow us to use our own licensing systems, like the good little resellers they're supposed to be. I will tell you that it has to do with runtime patching the crypto API, but that's it. All in all, I don't think it will take long for the warez people to duplicate this hack.
Click to expand...
Click to collapse
amen
hallelujah
hit me now
YEAH

have given the issue some press : http://www.1800pocketpc.com/2009/11/13/marketplace-advanced-copy-protection-cracked-in-less-than-2-hours.html

anti-piracy protection is intended to stop ordinary users from transferring cabs between devices and it is successful at that. there is no protection that will stop apps from being pirated, certainly not for handheld devices. the new advanced protection is adequate and any further techniques are redundant and a waste of time, because no matter how 'strong' they are, they WILL be cracked.

Slightly if not totally off-topic: A mainstream consumer's view
mnet said:
anti-piracy protection is intended to stop ordinary users from transferring cabs between devices and it is successful at that. there is no protection that will stop apps from being pirated, certainly not for handheld devices. the new advanced protection is adequate and any further techniques are redundant and a waste of time, because no matter how 'strong' they are, they WILL be cracked.
Click to expand...
Click to collapse
I agree with you and your premise. Now a quick story.
I consider myself a mainstream consumer... but I have been a member of XDA for, what, i think 4 years, using 2 WM phones, first the T-Mobile MDA, then the Wing (HTC Herald), and I am about to switch to Android with the HTC Hero. I am reasonably savvy about tech, just not a coder. But I've done all the hard SPL, flashing ROMS, using beta software, and supporting developers here with pretty significant donations. I am also a User Experience / Usability designer for web as a profession. THAT'S MY BACKGROUND.
To date, my experience buying WM apps has been universally AWFUL. Whether it was, just recently, Resco Picture Viewer from PocketGear, or WM Defrag from Wizcode, or PocketPlayer from Conduits. I am more than happy to buy excellent software that works, and has a decent UI. But in each case, the process of buying the app and getting it onto my phone has been absurd, and frustrating beyond belief. Each provider makes all sorts of assumptions -- often wrong -- including "you must be downloading this from a PC, so we will download for you an executable that runs on a desktop PC then installs via active sync onto your device."
Whatever the percentage is, doesn't matter: A lot of people, like me, download all my cab files, and purchase apps, on my Mac... and either email myself the .cab file or .zip files, or place my microSD card from my phone into a USB reader. Thus, what a frikkin headache to end up getting PocketPlayer on my phone... but because i didn't download it from a Windows PC, I was screwed.
This stuff is archaic. This past week it has taken 5 days to get Resco Picture Viewer on my phone after purchasing from PocketGear.com . They have a completely retarded transactional process, a terrible UI, broken software in terms of user recognition and resetting username and password, and a completely phone-UNFRIENDLY site, with most sub-level menus not even accessible from browsers like Opera Mobile, Netfront, Iris ... They are dumbass pull downs using god knows what -- flash or javascript, whatever. But fact is: a simple navigation process to access the products on the phone itself can't even be achieved by these clowns -- yet everyone is in overdrive now trying to get their version of "THE" WindowsMobile app store online, while Microsoft stumbles.
The fact is: I would LIKE to see a uniform transaction process which is designed professionally, and supports great usability design, and once I buy the app, quit making me go through absurd backflips just to get access to the cab file. Stop requiring me to use a Windows PC. And stop all the "special OUR way" authentication processes. Because if they were so good, there wouldn't be the kind of problems I have described. I'll even grant anyone who wants to -- to say "well you're just a dumb**** user who doesn't understand their particular process"... I'll grant you that, and my answer would be:
If you plan to sell a lot of apps -- ie, make money via VOLUME transactions vs pricey apps -- a la iphone -- then it makes a hell of a lot of sense to make a uniform system of delivery if you're buying it through an app store, and for god's sake, cut the crap and figure it out. It's not so hard to send an authentication code via email or text message. But it's exactly WRONG to be having 1000 developers using 1000 special "our way" authentication processes, because the odds of 1000 app developers having a great, simple, effective UI and safe authentication system that prevents priacy of their app is pretty low, based on the experiences I have had to date with MAINSTREAM products for WM.
That's my view. But I see a whole lot of clumsiness from the Windows Mobile side of the fence pertaining to this whole new way of monetizing apps. There's a reason apple succeeds in that department -- even with their bloated catalog and draconian approval processes. They understand how to deliver products to consumers -- vs repelling them from a dumbass process, no matter how good that process may be in theory.

quicksite said:
I agree with you and your premise. Now a quick story.
I consider myself a mainstream consumer... but I have been a member of XDA for, what, i think 4 years, using 2 WM phones, first the T-Mobile MDA, then the Wing (HTC Herald), and I am about to switch to Android with the HTC Hero. I am reasonably savvy about tech, just not a coder. But I've done all the hard SPL, flashing ROMS, using beta software, and supporting developers here with pretty significant donations. I am also a User Experience / Usability designer for web as a profession. THAT'S MY BACKGROUND.
To date, my experience buying WM apps has been universally AWFUL. Whether it was, just recently, Resco Picture Viewer from PocketGear, or WM Defrag from Wizcode, or PocketPlayer from Conduits. I am more than happy to buy excellent software that works, and has a decent UI. But in each case, the process of buying the app and getting it onto my phone has been absurd, and frustrating beyond belief. Each provider makes all sorts of assumptions -- often wrong -- including "you must be downloading this from a PC, so we will download for you an executable that runs on a desktop PC then installs via active sync onto your device."
Whatever the percentage is, doesn't matter: A lot of people, like me, download all my cab files, and purchase apps, on my Mac... and either email myself the .cab file or .zip files, or place my microSD card from my phone into a USB reader. Thus, what a frikkin headache to end up getting PocketPlayer on my phone... but because i didn't download it from a Windows PC, I was screwed.
This stuff is archaic. This past week it has taken 5 days to get Resco Picture Viewer on my phone after purchasing from PocketGear.com . They have a completely retarded transactional process, a terrible UI, broken software in terms of user recognition and resetting username and password, and a completely phone-UNFRIENDLY site, with most sub-level menus not even accessible from browsers like Opera Mobile, Netfront, Iris ... They are dumbass pull downs using god knows what -- flash or javascript, whatever. But fact is: a simple navigation process to access the products on the phone itself can't even be achieved by these clowns -- yet everyone is in overdrive now trying to get their version of "THE" WindowsMobile app store online, while Microsoft stumbles.
The fact is: I would LIKE to see a uniform transaction process which is designed professionally, and supports great usability design, and once I buy the app, quit making me go through absurd backflips just to get access to the cab file. Stop requiring me to use a Windows PC. And stop all the "special OUR way" authentication processes. Because if they were so good, there wouldn't be the kind of problems I have described. I'll even grant anyone who wants to -- to say "well you're just a dumb**** user who doesn't understand their particular process"... I'll grant you that, and my answer would be:
If you plan to sell a lot of apps -- ie, make money via VOLUME transactions vs pricey apps -- a la iphone -- then it makes a hell of a lot of sense to make a uniform system of delivery if you're buying it through an app store, and for god's sake, cut the crap and figure it out. It's not so hard to send an authentication code via email or text message. But it's exactly WRONG to be having 1000 developers using 1000 special "our way" authentication processes, because the odds of 1000 app developers having a great, simple, effective UI and safe authentication system that prevents priacy of their app is pretty low, based on the experiences I have had to date with MAINSTREAM products for WM.
That's my view. But I see a whole lot of clumsiness from the Windows Mobile side of the fence pertaining to this whole new way of monetizing apps. There's a reason apple succeeds in that department -- even with their bloated catalog and draconian approval processes. They understand how to deliver products to consumers -- vs repelling them from a dumbass process, no matter how good that process may be in theory.
Click to expand...
Click to collapse
Couldn't agree more!
I'll add one more reason I wrap my head in ductape every time I download/install an app.
Think it's bad with every developer having their own authentication method? How about when each developer has a DIFFERENT authentication scheme for every app they make?

I like a rant - thanks for doing it for me as I agree with you 100%.
The top of my annoyance list (which you did include) are sites selling mobile software which are NOT mobile browser friendly, WTF is that all about?

Big Up, I still don't think anyone else would have done it in two hours.
Hey you warned them didn't you.

Haha Chainfire is there anything you cant do?

More in the Dutch press:
http://tweakers.net/nieuws/63713/nederlander-kraakt-nieuwe-beveiliging-windows-marketplace.html

While I do appreciate the "rant", I think you're missing my point - or perhaps I just don't agree. (Edit: that is in response to this post http://forum.xda-developers.com/showpost.php?p=4936479&postcount=7)
When I say "use our own licensing schemes", I do not mean codes sent back and forth through websites, screen you have to type stuff in etc. This is exactly not needed because Marketplace is also the delivery mechanism. In other words, the license code can be installed by Marketplace directly without the user ever seeing or hearing about it.
This is partly how the new system works, actually. However, if Microsoft supported license codes you give them things would be more secure (though granted, for a large part by obscurity).
Some authors will not care and simply not use it all, for example with the cheap apps it may not be worth their while. Others may wish to track license key usage, so that if suddenly 10.000 users start using the same key instead of the 1 who bought it, that key can be disabled, etc. Some may want the app to call home, some will not. Imagine that developers that do employ such anti-piracy measures will write their own verification / communication code, this beats the single point of failure we currently have. The crackers are back to having to crack each app independently and even then have a much lower chance of success.
Marketplace is the perfect opportunity to implement such a system that does provide some piracy security for the authors while for once it does not unnecessarily annoy the user.
To make the obligatory bad car analogy that fails in many ways, take you car keys. Everyone thinks it's normal to have a car key, so people can't just take your car. Of course, in line with some of the arguments against anti-piracy measures, car keys aren't really that useful, as there's always a brick - the universal key, and a car thief that really wants your car will get it. (You also lock the doors on your house, right?)
Now, the current situation is pretty much that everyone has the same car key. How useful is a car key in that situation? They way I see it (and I'm sure I'm not alone in that), is more like the actual car key situation. Some car keys are laser etched, or have something RFID-like in them and a receive in the car, or simply use different shapes, etc. That's a lot more useful than everyone having the same car key.
Sure, no matter what you do, eventually things will get cracked and it is a cat and mouse game. One of the reasons this is easily doable is because of the open nature and the very few restrictions of Windows Mobile. This is a good thing. No developer in their right mind would want to get to a restrictive system like is the case on the iPhone or other mobile OS's. That is not the point. That doesn't mean anti-piracy measures are useless though, far from it. The longer you can keep a release from being warez'd, the less you lose.
There are two arguments I hear coming back in various places by various people:
(1) If the normal users can't just copy it, then that is enough (even MS says this)
(2) Piracy works as advertising, you get more eventual sales, etc. etc
Both of these, are from my own experience, completely untrue. The thing is if one person cracks it, it usually spreads on those warez sites pretty quickly.
The big thing here is, the average user is apparently tech-savvy enough to search the warez sites first before buying, and that is just how it is:
We have played the game with that one warez site, monitoring sales when (apparent) cracks were listed and when they weren't (they do remove releases on request). This made a 30-50% difference in sales (with the number being highest during the weekends, and lowest during weekdays). For me that is enough data to know that both (1) and (2) are complete nonsense in the case of mobile apps. No matter all the pretty reasons and perhaps seemingly logical reasons you may come up with for (1) and (2), the numbers don't lie.
So, how would you like to get a 30-50% paycut? It's not like us developers are getting rich here, you know. Can we be blamed for trying to prevent this?
Now, here we have the chance to implement a system that is completely transparent for the user and can be made reasonably safe (and updatable), an obvious win-win situation for everyone involved except the warez people. Why exactly shouldn't we be aiming for this?
What is also painfully apparent here, as Microsoft themselves claim reason (1), that they have no idea what they are talking about.

i am no programmer so excuse my ignorance but doesnt everything eventually get cracked. Is there any mobile platform which hasnt a non cracked market place or sites where you can download paid apps for free?

Well done Chainfire

Hello Chainfire,
I am the webmaster of the Tamoggemon Content network, and just covered you:
http://tamsppc.tamoggemon.com/2009/11/13/advanced-marketplace-drm-broken/
http://tamswms.tamoggemon.com/2009/11/13/advanced-marketplace-drm-broken/
Furthermore, an email went out to MSFT asking for a statement. but this is not the reason why I registered here (!!!) - I am instead here to vent a bit being a Symbian dev myself.
While I fully understand your frustration, I think that allowing every developer to run his own DRM is not gonna do the store good. The reason is that the store was made to make purchasing apps simple - and by allowing everyone to run his own DRM I dont see much of a venue to do this anymore.
Whenever some kind of backend gets involved, there is a single point of failure - the only trhing I can think off now would be a very complet system based on servers.
Or, of course, platform security like on S60. But trust me - we wont want that!

Thanks! However, if you read my other post carefully you'd see it wouldn't make any difference to the ease of using the store (it wouldn't make any difference for the user at all), just to a part of the backend. And of course, each DRM system has a single point of failure, but the difference is in my case there is a point of failure per app, while in the current case it's a single point of failure for everything. There is no perfect solution, but there are better solutions than the current one.
I've been contacted by a handful of big WM devs by now who are of somewhat the same opinion.

microsoft.... when it comes to security, they are clueless as usual.
only apple is worse.
I find they windows-7 VPN and "encryption" funny , is there anybody that would trust it ? - even if it was not for the backdoors ?

Just wondering, is anyone else having problems accessing the windows marketplace from the phone? I was able to download a couple of apps yesterday after I installed a custom ROM (TPC Pro Series V3.2), but today I get a message saying there is an update, it installs the update but then I get the following message:
"Windows Marketplace for Mobile cannot connect right now. Try again later."
Is this because of the custom ROM and the latest update to the marketplace, or is this something other people are experiencing?

Remember the days when purchased mp3s were DRM protected and some companies like Sony even put rootkits on music CDs? Did that stop piracy?
Hopefully Microsoft will not repeat these mistakes... There is no need for any further 'protection' for marketplace apps. If a developer isn't satisfied with this mechanism then he/she doesn't have to publish their apps on the marketplace. There's no point in having a centralized app store if every developer uses his/her own licensing scheme.

Related

Android OS exploit discovered

I came across this article while surfing the internet. I wanted to share this with you guys, and see what your feelings were on this.
"Mobile Device Security and Android File Disclosure
Back in November, Thomas Cannon brought to light an issue within the Android operating system. Specifically, he found that it was possible to obtain the contents of files on an Android device by simply persuading its owner to visit a web site under attacker control. The issue only garners a 3.5 CVSS score, but yet it’s still fairly serious.
Thomas reported this issue responsibly to Google and they took it seriously. However, since then they have come back with a ridiculous remediation plan. Granted, its probably not entirely Google’s fault, but the overall situation looks very bleak for Android.
The problem is that Google stated that a fix will be available as part of an update to the upcoming Android 2.3. While that, in itself, may not be totally ridiculous, the reality of the situation is that Google is only one party involved in Android. There are two other groups, namely OEMs and Carriers, that must also do their part in getting the fix to users. Although Android devices are becoming increasingly functional, the security posture remains abysmal.
The security posture for desktop applications has improved vastly with all of the sand-boxing, automatic updates, and various other exploit mitigation technologies. Meanwhile, Android includes almost none of existing security protections. In fact, mobile users are being left out in the cold, unable to get a patch for a trivially exploitable cross-zone issue. For that matter, they can’t even control whether their device’s browser automatically downloads files or not.
This situation is not news, rather it is a sad fact. It is totally unfair for end users to be left out to fend for themselves. After all, they are paying a small fortune for these devices and the service to be able to use them. Hopefully the vendors involved will wake up before a network worm outbreak occurs.
Originally, Thomas disclosed the details of his bug on his blog. Later, he removed some details to help protect users. I believe that responsible disclosure is a two-way street that requires responsibility on both sides. Since Google, OEMs, and carriers all continue to act irresponsibly, it is necessary bring more attention to this issue and the situation as a whole.
I spent a little time and managed to recreate the issue with nothing more than HTML and JavaScript. As of today, I have released a Metasploit module to take advantage of the flaw. It is available in the latest copy of our Framework product, or you can view the source via the link to our Redmine project tracker above.
Before I go deeper into the consequence of this bug, I want to point out that Thomas outlined several workarounds for this vulnerability in his blog.
Now, take a deep breath give some thanks to the fact that, under Android, most every process runs under a separate, confined, unix-style user account. This design feature partially mitigates this issue, lowering confidentiality impact to “Partial” and bringing the CVSS score from 5 to 3.5. That said, an attacker can still gain access to some pretty interesting stuff.
For starters, an attacker can steal any world-readable file. In my tests it was possible to get potentially sensitive information from the within the “proc” file system. This type of information could include kernel versions, addresses, or configuration that can be used enhance further attacks.
Also, you can snarf any files that are used by the browser itself. This includes bookmarks, history, and likely more. This kind of information could potentially be embarrassing or possibly even give an attacker access to any saved passwords or session cookies you might have stored.
Perhaps the easiest win though, is that you can grab anything off of the SD card. You might ask, “Anything?! What about the user separation?” Well, because the SD card has been formatted with the “vfat” (aka “fat32”) file system, there is no concept of ownership. All files are owned by the same user id since the file system itself cannot encapsulate who created which file. As Thomas said, files in the SD card that have predictable names are ripe for the picking. This includes pictures and movies. These may in fact be some of the most private data on your device.
In conclusion, I hope that the Android security debacle will get resolved as soon as possible. If Google, OEMs, and carriers can’t work it out, perhaps another party will step in to maintain the operating system. I believe this could be very similar to the way various Linux distributions operate today. If the situation is not resolved, I fear the Android device pool could become a seething cesspool of malicious code..."
Here is the address
http://blog.metasploit.com/2011/01/mobile-device-security-and-android-file.html
Sent from my PC36100 using XDA App
Shocking. Thanks for the info.
Nice find. You are right that oems and manufactures need to stay on top to mantain security. Hopefully meaningful post like this will make users aware of the possible dangers of the internet, data, and phone usage
Sent from my ADR6300 using Tapatalk
Ouch. Wish Android updates were like iOS..
Android is open, one of the main assumptions is that there is no single company, which controls it. I could create my own phone with Android, sell it to people and give them no support at all - Google can't do anything about it.
There is only one solution to this problem: people have to choose their phones wisely. People look at phone specs, at CPU, RAM, camera, but they ignore future support and openess. Recently Motorola has stated they will lock bootloaders in their future phones. People will go for these phones anyway and then they will complain they can't do anything with some horrible bugs, they will complain about Android and Google, but they should complain about Motorola and themselves. While Nexus S owners will have same bugs fixed by both Google and community.
Choose your phones wisely.
SD with vfat...good catch. Horrible bug while many users trying to move their apps to SD. And maybe 80-90% of the apps in the market require modify SD card perm? Horrible. Verizon SGS is screwed since that phone have little internal and lots of external SD.
I'm so glad you guys came across this thread, and it didn't get lost in all the other threads. I hope some of the devs see it. Can a fix be implemented at the Rom or kernal level?
Sent from my PC36100 using XDA App

Security does matter![Updated 25th. Jan]

Introduction
I have not seen much talk about security in XDA, and not at all on Neo Section.
SO here's just one informative link talking about using and developing apps and security risks involved
http://www.technologyreview.com/computing/25921/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, get your credit card info(should you do such things on phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app only to have risks. Most people use Windows so they should know that it is OP systems bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM. That's just idiotic security system, for it is the only thing beside encrypting shut off phone on 3.0 and 4.0. So that means Android on it's own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and it's Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Exporer has root access, that means it has root access to whole Android. To remove unnecessary risks, this app's root access should be limited to only most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is Apparmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is obvious vulnerability, but it is at least known one. Let's look at possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On market it does not list permission to "Unique Device ID"(IMEI for GSM and MEID; ESN for CDMA) for free nor for paid version.
That means the author of BB has left the code from free version in paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the add and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's a latent code, with no benefit to user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on net and also where you are physically. GPS is just one way to find you, police for example have scanners to locate your devices physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risks of your home being marked as the next dungeon to be looted by some raiders, I mean criminals(or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by trojan/hacker is random. Yet the threat would not exist without apps having so flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos ". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in aquarium or hamsters in cage( "Look at that dork!", "You're one ugly m...f...er","ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?" "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by hacker on background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Devide ID
4. Cell Tower Name.
That's a lot of needless permissions for flashlight, these are there just to track you the app user and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux have such security holes then why do you want your Android have them?! You don't want, that's the point and these apps would not be so popular if people would really know and care about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
The most important thing is to read the permissions before installing.
If you had read the article I linked. Those permissions don't matter anything really if stuff developers use doesn't reveal what it does, or developer itself doesn't disclose what the app does.
We can safely say that those permissions asked are just to make ordinary users of Android think that all is under their control.
I use Privacy Blocker app and it keeps finding app permissions that are not listed. Even that app doesn't find those permissions which Cyanogenmod permission manager shows. And I've sanitized all my apps, still I find my phone connecting to some odd servers while using certain paid and seemingly legit apps. I even found shapshots from front camera made by some app... and I am checking all permissions I can, even for those not listed.
What seems harmless but could reveal your IP address and potentially other data about you is... advertisements used by apps.
Ads can be far more than just a little annoyance that slows your device. Any file, picture loaded from some location in internet can be used to locate you.
I had a problem of getting phone call bills for calls lasting 10 to 20 secs that I never made after using a slew of market apps, flashlights, fun stuff, etc.
I paid two months for such calls trying to find out which app did it and still don't know which one it was. Skype(phone app has fake IP of Holland but actual connection goes to Moscow... oh come one what is this? Why such hiding? Like anyone would trust their phone's Skype connection stream through Moscow... no thank you! Then wonder still if the phone gets so slow and Skype call quality is so bad even over wifi while Windows Skype does just fine?), Brighest flashlight, some photo editors, and slew of other garbage I've already forgotten about cause I don't use any of it anymore.
First post updated
How about the new 4.3 update..in includes some security and privacy control..will this thing prevent you had mentioned?
Is there any way to reactivate this post? maybe start working on a security enhanced android ROM? I'm agree, Security does matter!

Security does matter!

I wrote this On Xperia Neo General forum but it belongs to here much more.
Original thread at: http://forum.xda-developers.com/showthread.php?t=1447095
Click to expand...
Click to collapse
Introduction
I have not seen much talk about security in XDA.
First, here's just one informative link talking about using and developing apps and security risks involved.
http://www.technologyreview.com/comp...1/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, get your credit card info(should you do such things on phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app only to have risks. Most people use Windows so they should know that it is OP systems bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM. That's just idiotic security system, for it is the only thing beside encrypting shut off phone on 3.0 and 4.0. So that means Android on it's own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and it's Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Exporer has root access, that means it has root access to whole Android. To remove unnecessary risks, this app's root access should be limited to only most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is Apparmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is obvious vulnerability, but it is at least known one. Let's look at possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On market it does not list permission to "Unique Device ID"(IMEI for GSM and MEID; ESN for CDMA) for free nor for paid version.
That means the author of BB has left the code from free version in paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the add and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's a latent code, with no benefit to user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on net and also where you are physically. GPS is just one way to find you, police for example have scanners to locate your devices physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risks of your home being marked as the next dungeon to be looted by some raiders, I mean criminals(or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by trojan/hacker is random. Yet the threat would not exist without apps having so flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos ". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in aquarium or hamsters in cage( "Look at that dork!", "You're one ugly m...f...er","ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?" "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by hacker on background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Devide ID
4. Cell Tower Name.
That's a lot of needless permissions for flashlight, these are there just to track you the app user and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux have such security holes then why do you want your Android have them?! You don't want, that's the point and these apps would not be so popular if people would really know and care about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
In my honest opinion. If someone keeps files like ccinfo they have to worry about being jacked then they deserve it. Should it happen. U shouldn't keep things on your phoney don't want the rest if the world to have
Sent from my Cyanocrack using Xparent Blue Tapatalk
You don't need to keep credit card info on phone, your using the credit card via Market or logging in to bank on phones browser is enough to intercept your credit card info. Your browser may show you xxxxxxxxxxxx+"last four digits only" but that doesn't mean the data to and from your device doesn't contain exact credit card number. It's encrypted, but that is merely a minor inconvenience for a hacker.
That is why being rooted is not advised to everyone. Mainly if they don't know what they are doing. Also customs roms are not for everyone. People flash them cause they think its cool and don't understand what they are doing. That is their problem. People should pay attention to the permissions that am app asks for. Common sense is the best protection. Main reason I don't do anything that deals with a bank on my phone.
Raoa said:
I have not seen much talk about security in XDA.
Click to expand...
Click to collapse
There's talk. It's just not on important yet, because the android device is not being marketed like an OS is with a personal computer.
However, the more we do on our phones, the more we'll realize it needs protection like firewalls. We catch a few like CIQ or the Wimax exploit, but it's going to get worse as we advance in our integration. We do need to start now before exploits get worse and stay ahead of the curve.
Until that time, 4G exploits and root kit programs will run freely on our devices that houses a lot of our personal information.
Plus, for some stupid reason, there are a lot of people who think Linux is immuned to viruses and security holes due to it's code transparency. Android is being mainstreamed. It will soon be a continuous target like other existing popular software programs and operating systems.
And that's why iOS is far superior even without widgets or live wallpapers.
Something to think about.thanks for posting.
Sent from my HTC Glacier using XDA App
alex2792 said:
And that's why iOS is far superior even without widgets or live wallpapers.
Click to expand...
Click to collapse
IOS and Mac are just as vulnerable, maybe even more so because of there popularity and the misconception that IOS is secure and does not need AntiVirus protection. Just last week i removed a nasty virus on a brand new Macbook Pro so that is not the way to think. You need to act as if there are security issues and just be really careful at what link you click and what email you open.
mattfox27 said:
IOS and Mac are just as vulnerable, maybe even more so because of there popularity and the misconception that IOS is secure and does not need AntiVirus protection. Just last week i removed a nasty virus on a brand new Macbook Pro so that is not the way to think. You need to act as if there are security issues and just be really careful at what link you click and what email you open.
Click to expand...
Click to collapse
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
I am not an expert on iOS nor do I have any wish to even know or use it, because Apple buys from suppliers that emply child labor and sweatshops.
When Linux started spreading around people also thought it has no viruses.
Same story repeats with every software.
For each different OS it takes merely time before people start to notice that their OS has viruses/trojans/spyware too. That doesn't mean their OS is not targeted. You should expect all sorts of thieves to use any and all opportunities.
Secondly OS does not matter so much as the matter that your device is connected to wifi, data, bluetooth, et or not. IP addresses, MAC, IMEI, etc they all stay the same on every platform. No matter which OS, they all connect to wireless networks, cell network, data, bluetooth, etc which all have set standards.
So someone wanting to track, spy, get your private info simply has to intercept the data your device sends to any network. If you don't use strong encryption to send info via network then it is easy to "wiretap" you.
Why is there so much spam, viruses, spyware in internet today? It's because the software managing internet is not made to be so secure. If it were secure then it would also be more private and safer for people to chat over net.
So not only OS's need to be more secure, but the very internet itself needs to be reformed.
This relates to SOPA and PIPA. Had those two bills been passed the next step would have been logically to make changes to all networks so you'd be more easily trackable, hackable, "wiretappable". It's simply logical, cause SOPA, PIPA were so defunctly worded as if asking/preparing for a third bill to regulate the networks.
So we must make sure that internet will be reformed for the private users and not for greedy corporations. We would not need to buy anti-spyware, anti-virus software if the internet were truly engineered for the welfare of humanity.
You could use any OS, bugged or not and not be afraid of loosing your property or privacy if the internet would stop such acts before they could harm you, the individual who is supposed to truly and freely benefit from the services; either for free or for honest price, but now you are robbed and think it is good to pay the thieves.
Raoa said:
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM.
Click to expand...
Click to collapse
Please elaborate. The sandbox does prevent one app from reading the data of another, such as the CC info from the Market.
Also, are you sure Market sends the entire CC number? There's no reason for it to send it, the transaction is performed on Google's servers.
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Click to expand...
Click to collapse
Are you talking about viruses or malware? Please don't conflate the two.
Malware is easy to take care of - check the apps you're downloading for what permissions they want. It's as simple as that.
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
Just before xmas an iphone developer admitted to deliberately uploading malware in his ios app to show malware can easily affect iphone.
http://m.intomobile.com/2011/11/08/security-expert-sneaks-malware-into-iphone-app-store/
That was for normal iphones. For jailbroken ones there are more malware apps.
Dave
Sent from my LG P920 using Tapatalk
Raoa, your absolutely right.
I've had the exact same thought recently
Its like the overall view of the Android landscape is ridden from real security apps, for the simple purpose of have the platform as open as possible. And while this is good for developers and users of this and other serious forums, its also open for the "dark" communities as well.
I often ask myself, if the ROM devs onboard have these thoughts themselves, as in, what is my source of this modded apk, is is straight from the Market or from another dubious, (do I dare say chinese forum, just an example)
And how clean is my code really?
And is all mods just legit just cuz they are from here?
I love that we have so many ppl having a desire to mess around with the OS, but I miss, as you say, the talk about having a go on security as well.
I dont know, but I do think that awareness, as you initial post direct us to, should be raised, as a natural step for any serious dev and users in general on XDA, to be more aware, of the code.
Im on my first year as an Android user, and ofcourse did have to gain root on my splendid Sensation. Why?, cuz I needed the security tools requiring root.
Ask again, why? Cuz I came from Winblows 7, and know what a jungle software is, and that is is indeed exploitable, like hell, you might say.
And Im gladd I did gain s-off and root, cuz its really really needed fo youre just a little concerned about your privacy in, mails, sms, location, usage pattern, netbanking, dropobox deposits of your ****, some might even be work related and therefore hold more than just your own privacy.
And then there is what you mentioned, our devices unique ID's, the intent "app install referrer" to "plug" you into admob/google analyzer and so on.
I love one guy here, Treve, who made the HTC tool for scanning for ****, Logging Test Tool, and in version 10, he made it aware of admob/mobclix/analytics, and my god it find a lot...
So Treve, please, if you read this, just go on, as every version you make is getting finer and finer.
We could learn from this guy, and others here that got more code-insight.
What we CAN do as a community at the very least, is to share our knowledge and tips for securing our phones.
HOST filtering, code scanning of apks and so on. using AV's and firewalls and so on.
Right from the start I noticed that Android is not a clean OS, nor is its app market, and I noticed this cuz I have another splendid little Linux system at hand, Smoothwall Express with url filtering and proxy enabled
and My god is Android and its aps LEAKING!
Have a look in your urlfilters on a standalone firewall the step after your wireless android phone, and watch how much **** is going on.
Well, I can tell you for a start that I have added atleast 100 new domains to my custom urlfilter, besides the casual downloadable HOST filters around the net, like the ones found in AdblockPlus and so on. But after android, heh, you need more than just advertising filtering, that much I can say.
Just as an example, like those you mentioned, I have one too, that I was made aware of by Avast on my phone tonight, that ChompSMS was being flagged as malware/trojan.
I thought, **** man, why this crap, Im quite fund of Chomp, really.
So I thought, no, imma let more that Avast on my phone have a go.
So I File Expert dump the full apk, and uploaded it for a scan on virustotal, just for the sake of it. And whatta'ya know, ClamAV, GData, Kaspersky, NOD32, and Sophos flagged it as that same Plankton.G variant as my on-phone Avast.
Great, I thought (sarkasm intended)
I thought a bit further and picked up APK Multi-Tool, had a decompile and a content-scan for just "http" in is readable code.
12 different domains is mentioned so far, and I didnt even poke in all of its xml's, just the smali's
I know android is by a far stretch advertising born, and ofcuz the app devs have a right to earn their money, no doubt about that, and I gladly pay for the good ****, like most ppl here believeably do, but.. 12 different .com's mentioned in its code is a no go for me.
I have earlier used Privacy Blocker, and Privacy Inspector from XEUDOXUS in the market, to make permission scanning, beside using LBE/HOST/Avast, and I like those two aps, the Inspector one is free but only can scan.
The paid Blocker can "repair" as a feature, but its not maintained enuff, so it often fails to make installable apks, so not really worth it for me anymore, but as a free too, it can tell you more about those permissions you mentioned.
But enuff said from me for now, lets just collect and share our tips and tricks, ALSO for security, not just developing ROM and mod's and hacks, as thou they are fine, if not to say, so cool and great, but, we need to be secure too.
Please do not polute the discussion with IOS vs Android and what not, cuz thats not the purpose of it, even thou it definitly concerns (g)A(r)pple products too.
Sincerely, Omnius
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
Iphones can get viruses they come through SMS's and other sources not as bad as android apple keeps there market much more under control, but everything is vulnerable i work in a security team for a big corp and believe me nothing is safe.
Check these articles out i just found them on google.
I remember a while ago maybe a year or so there was a huge security hole in IOS5 and Mac waited a long time to tell the public and release a patch. The one major problem with Apple is when there are security threats they really try to keep it hush...Iphone's OS is tight but not totally secure. Its not viruses either its moslty just malware that charges you tons of money in texting i saw once an iphone that turned into a bot and at midnight it would dial a 900 number and just sit there all night at like $20 bucks a minunte then disconnect when it felt the phone move.
http://www.mactrast.com/2010/07/iphone-virus-discovered-be-vigilant-and-seek-advice/
http://techfragments.com/news/982/Software/Apple_iPhone_Virus_Spreads_By_SMS_Messages.html
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
weedy2887 said:
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
Click to expand...
Click to collapse
I wouldn't be so fast to praise MIUI.
weedy2887 said:
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
Click to expand...
Click to collapse
The problem is the "Average Joe" doesn't even look at those or doesn't know what they mean. I see so many viruses/malware/open security holes just because of user error its insane. Almost 90% of security breaches or problems originate from the end users not paying attention or just not knowing or caring. Also another thing i see so much when new clients call me with there servers melting down and all there banking info being stolen is they haven't installed any updates on there servers since they were set up 2-5 years ago. I worked for a large industrial supply company and all there servers running MS Server 2008 no updates had been installed and they were using AVG free on there main SQL server...INSANE LOL
Then theirs the users, "my computer was fine until my friend on facebook wanted my SS# and mothers maiden name and insisted i open his email attachment, now its acting weird what do you think is wrong?"
Brutal
what is the 4g exploit that you are talking about? And is it only with wimax or is lte part of it as well?
Oneiricl said:
Malware is easy to take care of - check the apps you're downloading for what permissions they want. It's as simple as that.
Click to expand...
Click to collapse
It's absolutely amazing that people are willing to put up with something so ridiculous.
Sent from my SGH-I897

Webkit vulnerability (mirror)

I threw a thread in Android general to bring awareness of an article about a webkit vulnerability that will be/is being demo'd on the Android platform.
Thread:
http://forum.xda-developers.com/showthread.php?p=24154035#post24154035
Article:
http://news.cnet.com/8301-27080_3-57386319-245/researcher-to-demo-smartphone-attack-at-rsa/
Discuss?
Long as people practice the same rules as receiving fake facebook,banking ,etc emails than you should be ok. One advantage to desktops is you easily can hoover over the embedded link to see if its legit,report it as spam if not,& forward it to the actual company if they have department that handles phishing emails/fraud. Also from the article it doesnt say how the message was being faked as a carrier message. I normally save the short codes I use in my address book so I know whats what but I know from working customer service alotta people skip over the users manual that list the short codes & info for online saftey etc.
Yep, absolutely some common sense and safe browsing practices are important in something that is probably linked to your identity, and likely financial information.
What got me was the control over the real-time tracking ability of the device and recordings of audio (and video would not be a stretch I bet)
I haven't had a lot of time to look into it further yet, and it is a highly focused attack that is probably not of concern to the average user just yet - but given the scope of what this attack allows it's definitely something to be aware of.
Anything that lets joe-blow become a junior On-Star type peeping tom with my Android is something to worry about.
I never use the front-facing camera for anything, so it has a little piece of electrical tape cut to fit over it. No matter of software engineering can overcome that physical obstruction, but what of the microphone, gps and so on?
I'm eagerly awaiting the chance to look into this more after work tonight, meantime just wanted to throw it out there and try to get some awareness out and see what other people had to say.
I'm glad to see the first post in response here was a reminder about user-level security and explicitly cautioning people about clicking random links!
Also:
pimppoet said:
... Also from the article it doesnt say how the message was being faked as a carrier message...
Click to expand...
Click to collapse
This is the part where you get to be creative about it - you could make it anything, that was just the method they chose to get to the needed trigger, the user clicking the link.
I'm curious how they faked the carrier message too, but that doesn't mean that's the only method of injecting the desire to click into the users head.
Good points so far!
Edit:
To be honest, if it's not a click that's needed but just a visit to the website, an injection method could be to compromise an ad-serving machine that serves ads in apps and get an 'ad' that would take the user to the website inserted to what's already served to their device.
Heck, if that's viable, then you might even get them to accidentally go there with a stray touch and bam, you win.
Identification explicitly of the problem is step 1 on the path to a solution.
i am kind of in the habit that, whether an sms message is truly from the carrier or not, it's a scam either way **DELETE**
definitely worrisome, but i guess not surprising that stuff like this exists. good tho to bring it to light so that the race for patches can begin.
i'd be more worried if there was something that can attack your device without you clinking on a link or opening a message.... wait a minute, i guess a carrier could do that! tho it seems that their main interest is gathering data as research for how to sell more stuff, or to sell the data to others wanting to sell more stuff.
Blue6IX said:
Yep, absolutely some common sense and safe browsing practices are important in something that is probably linked to your identity, and likely financial information.
What got me was the control over the real-time tracking ability of the device and recordings of audio (and video would not be a stretch I bet)
I haven't had a lot of time to look into it further yet, and it is a highly focused attack that is probably not of concern to the average user just yet - but given the scope of what this attack allows it's definitely something to be aware of.
Anything that lets joe-blow become a junior On-Star type peeping tom with my Android is something to worry about.
I never use the front-facing camera for anything, so it has a little piece of electrical tape cut to fit over it. No matter of software engineering can overcome that physical obstruction, but what of the microphone, gps and so on?
I'm eagerly awaiting the chance to look into this more after work tonight, meantime just wanted to throw it out there and try to get some awareness out and see what other people had to say.
I'm glad to see the first post in response here was a reminder about user-level security and explicitly cautioning people about clicking random links!
Also:
This is the part where you get to be creative about it - you could make it anything, that was just the method they chose to get to the needed trigger, the user clicking the link.
I'm curious how they faked the carrier message too, but that doesn't mean that's the only method of injecting the desire to click into the users head.
Good points so far!
Edit:
To be honest, if it's not a click that's needed but just a visit to the website, an injection method could be to compromise an ad-serving machine that serves ads in apps and get an 'ad' that would take the user to the website inserted to what's already served to their device.
Heck, if that's viable, then you might even get them to accidentally go there with a stray touch and bam, you win.
Identification explicitly of the problem is step 1 on the path to a solution.
Click to expand...
Click to collapse
That too. I think tools like lbe,droidwall,adaway etc should come standard but I doubt it will ever since it would cut into google profits aswell.
One ad blocker I would love to see on smartphones is ad muncher since you can see the scripts,urls,etc being loaded,set your user agent for your browser to whatever you like etc.

[Q] Worst scenario: Are homebrew app dangerous?

Guys,
I always wondered how harmful could be - in theory - a homebrew app installed on an Interop-unlocked wp7.5 device.
What is considered as a virus, spam or scam app?
The worst it could do is copy my contact list and upload it on its own server? (privacy issue).
Could an app take the whole OS down?
How much do we trust casual developer?
I always install homebrew apps found on the xda with no second thought. But a few days ago I installed an app to browse some *dirty* websites and dunno why, I started thinking about this issue?
Thanks to you all!
K.
Usually, you can trust the guys here on XDA.
However, even a normal app could steal your contacts. And a homebrew app on a b fully unlocked rom can do even more (of course! that's the point ).
But as said, XDA is usually quite OK, and if a big name like cotulla, ultrashot, Heathcliff74 (and all other amazing devs here on xda) is behind it, you're definately safe.
Oh, and what's a virus? That's nood easily defined. Just think of a file manager. It allows you to delete files. Deleting a file is nothing special. So what? Well, what if the app is going to delete random files? You got a virus... (That's why it's so hard to make behaviour analysis....)
LOL, there is no way WP can get a virus with it's locked down UI and isolated storage. WP isn not Windows OS. So don't worry.
Unlocked phones and risks
sinister1 said:
LOL, there is no way WP can get a virus with it's locked down UI and isolated storage. WP isn not Windows OS. So don't worry.
Click to expand...
Click to collapse
Please note that the OP is talking about an Interop-unlocked phone which is quite open compared to a WP7 phone in its normal state (which really does give little reason for worry).
If you ask me, the age of pranks and viruses that delete your files just because they can is over already quite some time. Today people most often try things with malware if there is money to be made.
So you may ask yourself: How could there be monetary profit from the very small base of users with fully-unlocked WP7 phones? Especially factoring in the fact that many of those users being anything than noobs which will get suspicious easily.
If I was a malware author I really would look out for greener pastures
if you don't trust the developer you can easily check the code by decompiling it. ok... this requires some knowledge in c# development and doesn't work for native code.
Well, decompiling native code is entirely possible. It's just more difficult to read the resulting source.
There risk is absolutely there. The way malware would work on WP7 is different from how it would work on a PC, but it's certainly possible (and actually, on a full-unlock ROM you could write malware very similar to how you'd write it for PC). Consider the various kinds of Android malware; WP7 malware (with sufficient permissions) could do things like send SMS to "premium" numbers, track you using the GPS, and other unpleasantries.
This is the reason that, for example, Heathcliff74 made Root Tools require that the user manually mark an app as Trusted before the app receives full permissions. Of course, that requires that you trust Root Tools itself (and it's quite heavily obfuscated, so decompiling it won't do you much good) but as @chabun said, he's one of the "big names" in WP7 homebrew and is considered trustworthy.
For myself, this question is one of the reasons I release the source code to my apps. If you've got the source, you can check it for any malicious or even undesirable behavior, and if you want to you can modify it to suit yourself better.
kevyn82 said:
Guys,
I always wondered how harmful could be - in theory - a homebrew app installed on an Interop-unlocked wp7.5 device.
Click to expand...
Click to collapse
Well, there are quite a few harmful things a malicious homebrew app could do:
spy on you all the time using the built-in cam and mic;
record all your phone and video calls;
copy all your text messages;
track and report all your movements (GPS);
upload all your personal pictures to a third party;
call international or "premium" phone numbers without your knowledge, generating large phone bills;
send "premium" text messages or registering you to premium subscriptions;
sent text messages in your name to influence a TV show vote;
reroute all your phone calls through a "premium carrier", again generating large costs;
transform your phone into an email relay or VoIP for spamming;
record all your usernames, passwords, account numbers or credit cards for financial profit;
make your phone become a BitTorrent relay, eating through your mobile data allowance in a few days;
I am sure that we can find a few more by brainstorming a little bit, or by googling "iOS malware" or "Android malware"...
So the key questions is not what is possible in theory, but how much do you trust the developer of an app, homebrew or not.
Cheers,
Stephen
GoodDayToDie said:
This is the reason that, for example, Heathcliff74 made Root Tools require that the user manually mark an app as Trusted before the app receives full permissions. Of course, that requires that you trust Root Tools itself (and it's quite heavily obfuscated, so decompiling it won't do you much good) but as @chabun said, he's one of the "big names" in WP7 homebrew and is considered trustworthy.
Click to expand...
Click to collapse
Thanks for your answer!
Yes I think some premium dev like yourself, Heathcliff74 etc are deeply trusted on here.
But still I am pretty sure the average user doesn't care about names or source. He or she won't be able to read though the source code or understanding what does require an app access to.
Also, if the app would require "elevated privileges" trough Heathcliff's Root Tool, he wouldn't think twice about granting to it.
Then if something bad would happen, then it would blame the OS, not him- or herself.
Things like requiring user confirmation to call or send a text within an app, from my prospective, never should be avoided.
On iOS for instance a lot of user complained to the carrier (here in Italy), some international sms sent billed in their accounts. It was iMessage first set up to send a txt to the UK (which costs on avg 0.30 Eur, compared to 0.10-0.15 a single sms).
But I am wondering now why jail-broken iPhone aren't subject to malewares like the open Android platform. I'm sure unlocked iOS would be a pretty green garden for them.
rbrunner7 said:
Please note that the OP is talking about an
If you ask me, the age of pranks and viruses that delete your files just because they can is over already quite some time. Today people most often try things with malware if there is money to be made.
Click to expand...
Click to collapse
You're right, just wanted to show that it's not really easy to say what's bad and what's good...
There's been malware for jailbroken iPhones. There was even a worm that spread by infecting people who had enabled an SSH server on their phone but left the default password.
The reason it's less of an issue there than on Android is that malware is typically a business - that is, it's done to make money - and so you target the largest number of people you can. There are fewer iPhones than Android phones, and far fewer jailbroken iPhones than Android phones that can access the market or even install apps from outside the official market (pretty much all of them).

Categories

Resources