Hi,
Sometimes an app (.apk) is either simply not available through Google's store, or it might say "not compatible with your device", etc. There can be various reasons why a person might download a .apk from somewhere other than a "trusted" source.
If this was a file for my PC I could test it in a "sandbox", and I could scan it with both Microsoft Security Essentials and Malware Bytes Antimalware.
On my Android phone(s) I'm not aware of something like the "sandbox" option, and I don't really want to run an "antivirus" program on my phone. Is there an easy way to scan .apk files on the PC to see if they are rogue apps, might send SMS, "phone home", or otherwise mess with other applications or the system software installed on my phone?
Let's give another example: say I thought 15 minutes was not long enough to evaluate a relatively expensive Android game (it certainly isn't!) and I want to test it out first. Let's assume my only option in that case might be an illegally downloaded copy from unknown sources. Of course, we shouldn't do that. But if we did, how could we know if the file is safe and not risk installing some Chinese spyware?
About Android AV programs: anybody know how effective they are? Do some defend against "trojans" - I would think these days trojans are 99% of problems and viruses mostly a relic of the past?
My biggest concern is actually just unwanted crap that runs in the background which eats up battery, makes my phone warm (which I hate), or perhaps even sends SMS messages [this would be even worse because I don't have a text message plan].
EDIT: I see web pages with titles like "new study finds Android antivirus apps not effective" and articles like this one: http://www.zdnet.com/blog/hardware/...bouncer-does-it-offer-enough-protection/17981
Do we have an easy way to boot Galaxy S3 off of "external" SDCARD instead of internal memory?
Search the Play Store for Avast antivirus: completely free, updates daily and works really well (firewall, anti-theft, and many more features).
sony xperia ray ics 4.0.4
stock rom unrooted
I found this website, maybe it can help someone.
http://scan.netqin.com/en/
Maybe someone can post another one...
an easy way to check for safe apk
The easiest way to check for safe apk is to have one Gmail account and another "whatever" email account. Then just send the apk from the Gmail one to the second account; Gmail always finds viruses in any apk and stops the process to join the file (virus alert). The bad point is you are limited by the size of the file you want to send.
Nowadays, even PC antiviruses can detect viruses in apks. I would rather not burden my phone with any Android antivirus, since they are literally battery hogs.
sent using my HTC One S
Go here and upload the APK
http://anubis.iseclab.org/
Anubis is a service for analyzing malware.
Submit your Windows executable or Android APK and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL.
Andrubis executes Android apps in a sandbox and provides a detailed report on their behavior, including file access, network access, crypto operations, dynamic code loading and information leaks. In addition to the dynamic analysis in the sandbox, Andrubis also performs static analysis, yielding information on e.g. the app's activities, services, required external libraries and actually required permissions.
Found a good one too
apkscan.nviso.be - give it a try. Drag and drop - wait for the upload - then click SCAN. Wait for a few minutes. That's all. Unlike ANUBIS it has a resolution at the end of the analysis. Usually helpful.
You can also email the file to [email protected] and it will email the report back in about ten minutes. Virustotal can display some interesting info, for example it said that Lucky Patcher is a "Potentially Infected Hosts File (v)", as reported by VIPRE and AVware.
Virustotal also has an official android app.
The Netqin scanner is also an android mobile app.
Late answer, sure, but I think ClamAV is what you want. You also want its bytecode signature file, and to speed things up, you only want that single file (speeds up things quite a bit).
It is the only offline apk scanner I know of, and as for its efficiency I cannot say, but it seems like it is what you are asking for.
An alternative would be to install something like BlueStacks and remap your "Windows shared folder" (through registry) to the folder you have your apk files in, and then run BitDefender on it. BD is by far the most pernickety AV app out there for Android.
I'll have to check out bitdefender (it's also included on virustotal.com)
apkscan.nviso.be seems to be pretty good at analyzing files for suspicious activity, and it also uploads the file to virustotal for you. Then you can copy the sha256 hash into virustotal's search, to get all the gory details.
anubis.iseclab.org limits files to 8 megabytes.
Another way to avoid malware is:
when installing an update to an already-installed version of an application, it will 99% of the time prompt you to update an existing app. There have been rare instances where some apps do use a new digital signature (for example when spotify had a big security hole, and for a while there were two apps by spotify in the app store).
One other way to tell, as a final check when launching the apk for installation on the phone: the icon will not have the right icon. I've installed apps before that I thought came from a trusted source, but the icon was not right. In fact, I was considering not posting this publicly, so the "bad dudes" would not update their methods.
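As an added example (not written by any poster in this thread): a small offline triage script for the PC that computes the SHA-256 to paste into VirusTotal's search, as suggested above, and heuristically lists the `android.permission.*` strings found in the APK's binary manifest, flagging the SMS-related ones the original question worries about. The function names, the flagged set and the constructed sample APK are assumptions of this example; the output is a first look, not a malware verdict.

```python
import hashlib
import io
import re
import sys
import zipfile

# Permissions tied to the worries raised in this thread (unexpected SMS,
# background activity, "phoning home"). This selection is an assumption of
# the example, not an official risk list.
FLAGGED = {
    "android.permission.SEND_SMS": "can send SMS messages",
    "android.permission.READ_SMS": "can read stored SMS messages",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.CALL_PHONE": "can place phone calls",
    "android.permission.INTERNET": "can open network connections",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start itself at boot",
}

MAX_MANIFEST = 16 * 1024 * 1024  # refuse absurdly large entries (zip bombs)
_PREFIX = "android.permission."
_NAME = rb"[A-Z0-9_]"
# Compiled manifests keep their strings as UTF-16LE (most common) or UTF-8.
_UTF16_RE = re.compile(
    re.escape(_PREFIX.encode("utf-16-le")) + rb"(?:" + _NAME + rb"\x00)+")
_UTF8_RE = re.compile(re.escape(_PREFIX.encode("ascii")) + _NAME + rb"+")


def manifest_permissions(manifest: bytes) -> list:
    """Heuristic: pull permission names out of the manifest's string data.

    This does not parse the binary XML, so it cannot tell a requested
    permission from one that is merely mentioned in the manifest.
    """
    found = {m.group().decode("utf-16-le") for m in _UTF16_RE.finditer(manifest)}
    found |= {m.group().decode("ascii") for m in _UTF8_RE.finditer(manifest)}
    return sorted(found)


def triage_apk(data: bytes) -> dict:
    """Return the file hash plus all and flagged permissions for an APK."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as apk:
            if "AndroidManifest.xml" not in apk.namelist():
                raise ValueError("no AndroidManifest.xml: not an APK")
            if apk.getinfo("AndroidManifest.xml").file_size > MAX_MANIFEST:
                raise ValueError("manifest is implausibly large")
            manifest = apk.read("AndroidManifest.xml")
    except zipfile.BadZipFile as exc:
        raise ValueError("not a ZIP container, so not an APK") from exc
    perms = manifest_permissions(manifest)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # search this on VirusTotal
        "permissions": perms,
        "flagged": {p: FLAGGED[p] for p in perms if p in FLAGGED},
    }


def build_sample_apk() -> bytes:
    """Constructed sample: a ZIP whose manifest holds UTF-16LE strings laid
    out like a string pool (length prefix, text, terminator). Not a real app."""
    strings = [
        "android.permission.SEND_SMS",
        "android.permission.INTERNET",
        "android.permission.VIBRATE",
    ]
    blob = b"\x03\x00\x08\x00" + b"".join(
        len(s).to_bytes(2, "little") + s.encode("utf-16-le") + b"\x00\x00"
        for s in strings)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", blob)
        apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # With a path argument, triage that file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
    else:
        raw = build_sample_apk()
    report = triage_apk(raw)
    print("sha256:", report["sha256"])
    for perm in report["permissions"]:
        note = report["flagged"].get(perm)
        print(("  [!] " if note else "      ") + perm + (f"  ({note})" if note else ""))
```

A clean result here only means nothing was flagged by this heuristic; the online sandboxes mentioned in the thread also observe what the app does at run time.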
Another tool I found:
http://andrototal.org/
Although it might be a duplicate of virustotal.
nintendo1889 said:
> Another tool I found:
> http://andrototal.org/
> Although it might be a duplicate of virustotal.
I just tried out this site. To me, it appears to be the most thorough virus testing site that I have seen. It takes some time for it to complete the scans, mainly because it scans the file with about 7 or 8 different scanning engines. You just have to keep refreshing the page every few minutes to see if the results have updated.
I will be using this one as my go-to site for apk scanning.
Just install it on the default emulator in the Android SDK
You can also install your apps on other emulators like BlueStacks (best for games), Jar of Beans (best for rooted apps) and Windroy (the lightest)
Hit thanks if this helps
nintendo1889 said:
> I'll have to check out bitdefender ...
Your signature photo ... awesome ... Bad Dudes
By using GDATA security, when you want to install an app, GDATA will scan it before installing.
Sent from my LG-D855 using Tapatalk
Use Google's scanning service VirusTotal to scan any app; secondly, always use a secure source. There are many well-reputed apk sites, but I personally use apklink.com; on this site the required apk file is just a click away and it's quite easy as well...
be safe & secure
This thread's out of date, but it has me thinking I want to use something as mentioned in several replies to OP.
Are there any sites, or apps that can warn me if an .apk (for example) has malware etc.?
Thanks in advance for any help, including a link to another discussion that may have my answer
denise1952 said:
> This thread's out of date, but it has me thinking I want to use something as mentioned in several replies to OP.
> Are there any sites, or apps that can warn me if an .apk (for example) has malware etc.?
> Thanks in advance for any help, including a link to another discussion that may have my answer
Malwarebytes can detect malware.
Sent from my LGL84VL using Tapatalk
I tried this site and I like it because it goes into a lot of detail after analyzing and sends me a report in email. It was mentioned, and it is still available to use: https://apkscan.nviso.be/
Thank you for the heads up on MB, I use that on my PC and works great
You can use virustotal.
Authenticator Plus generates 2-step verification codes which will protect your accounts with both your password and your phone / tablet.
With Authenticator Plus you can seamlessly sync and manage all your 2-step enabled accounts in phones / tablet / kindle.
Notable features:
* Seamlessly sync accounts across your phone, tablet and kindle
* Restore from backup to avoid being locked out if you upgrade or lose your device
* Strong 256-bit AES encryption, so even in rooted devices your accounts are safe
* Personalize as per your needs (Themes, Logos, group your most used account and more)
* battle.net accounts can be added
* Hardware based encryption key support, even rooted apps cannot access the encryption keys - http://help.authenticatorplus.com/hardware-backed-keys/
* Easily import from Google Authenticator
* Import / Export to WinAuth (Authenticator Plus -> Settings -> Backup & Restore -> Import from text file)
Detailed comparison with Google Authenticator - http://compare.authenticatorplus.com/
Technical Details - http://design.authenticatorplus.com
Authenticator Plus in Press
I was super excited to find this application. It solves my biggest grievances with Google Authenticator, and does it in a way that is largely invisible to the user (until it matters!). -techThreads
Recommended by Wordpress Authenticator plugin - http://s.www.authenticatorplus.com/wp
NOTE: As a commitment to XDA users, where I have uploaded my first release, I can provide a free trial version of the application on request to [email protected]
It's mind-blowing that Google's own Authenticator on its own Android platform lacks the feature to re-order the account entries, while the iOS version does support this.
And also mind-blowing that it lacks PIN control, any option to sync/ backup, and several of the other highly desirable (even necessary!) features which Mufri has built-in to the Authenticator Plus app.
I've also been pleased by Mufri's responsiveness and willingness to work to make the app have only the needed permissions. We've exchanged several detailed technical and philosophical messages; it's very nice to see yet another developer devoted to our community.
I can't make any claims about the security of the app as I'm not a developer (well, haven't been since twenty years ago) and I lack the tools, but I hope that others with more skills than I have will analyze the app and can confirm the app's health so the app can be established as a much better reference than Google's own minimally featured Authenticator, and that we can get Mufri lots of users!
Thanks Mufri,
-Jay
Requesting security analysis
libove said:
> It's mind-blowing that Google's own Authenticator on its own Android platform lacks the feature to re-order the account entries, while the iOS version does support this.
> And also mind-blowing that it lacks PIN control, any option to sync/ backup, and several of the other highly desirable (even necessary!) features which Mufri has built-in to the Authenticator Plus app.
> I've also been pleased by Mufri's responsiveness and willingness to work to make the app have only the needed permissions. We've exchanged several detailed technical and philosophical messages; it's very nice to see yet another developer devoted to our community.
Thanks Jay for the review.
libove said:
> I can't make any claims about the security of the app as I'm not a developer (well, haven't been since twenty years ago) and I lack the tools, but I hope that others with more skills than I have will analyze the app and can confirm the app's health so the app can be established as a much better reference than Google's own minimally featured Authenticator, and that we can get Mufri lots of users!
> Thanks Mufri,
> -Jay
I am open to security-related queries about Authenticator Plus; I use it daily myself and I would be happy to improve its security.
If anyone has questions, kindly post your queries here or @ [email protected]
This APK is version 1.3
(Latest is 2.9.x, a lot of development has been done in this year as it seems!)
I downloaded the APK to try it out.
It first works when it is installed and I was able to import my accounts from the original Google Authenticator.
Then I closed the app.
I can open it again but the keyboard pops up saying "sign in" (where usually the "enter" button is).
Even when I enter the correct passphrase it shows only an empty app without the codes.
I can also install and add the import plugin but then I don't see the codes anymore.
Used on: CM 10.2 and CM11.
Very strange...
I just installed the app and I have some issues. First of all, I would like the option to not choose a passphrase to open the app, but well, that's not a big problem. After I choose a passphrase and set the app up and want to start it again, it just shows me the header with the logo of the app but everything else is blank; there is no password field to type in the selected password, and even if I type it in, without anything showing, it doesn't open the app. I can just use it once and that's it.
Also, import from Google Authenticator doesn't work. It tells me no root or script not in xbin. Well, it's all there. The problem is probably root, because the dialogue to grant root never shows up. I'm trying to get it granted manually now, but still that doesn't help if I can start the app only once :/
I am on a Galaxy Note 3. Hope someone can help me...
Yes, attached APK was outdated, I have removed it now.
I seem to get a blank web site when I visit http://authenticatorplus.com/ ?
devtools reports 404 error
GET https://www.authenticatorplus.com/js/jquery.cycle2.js.map 404 (Not Found)
That's weird, might be adblock or some other issues ...
You can try Google cache here; it's a simple site, and Google cache displays well
http://j.mp/1tBGjhH
connectandroid said:
> I seem to get a blank web site when I visit http://authenticatorplus.com/ ?
> devtools reports 404 error
Just FYI, I also get a blank page in Firefox with AdBlockPlus, but the page displays properly in an IE (InPrivate) session.
Thanks for the info, I couldn't reproduce this myself in various browsers. Is the https version working fine?
https://www.authenticatorplus.com/
I will check for cross platform browser tests.
oyam said:
> Thanks for the info, I couldn't reproduce this myself in various browsers. Is the https version working fine?
> https://www.authenticatorplus.com/
> I will check for cross platform browser tests.
Ah, oops, my bad - had nothing to do with AdBlockPlus; I use NoScript, and hadn't enabled script on the authenticatorplus.com page. Works fine in both http:// and https://
Sorry.
Cool, thanks for the info, I will add NoScript info to the site.
Compatibility with Pebble Smartwatches
Hi!
Has anyone tried to use Authenticator Plus with a Pebble smartwatch, through Android Wear integration?
I'll get a Pebble Time in May and hope it will work with it, that's why I'm asking for a clue
Interesting, I never heard of anyone trying it, let me know how it goes.
Store site order in cloud sync?
I use Authenticator Plus with cloud sync via Google Drive.
It seems that the order in which I have the accounts in Authenticator Plus does NOT get sync'd to the cloud (or, if it does get sync'd up, then when the sites are imported back down from the cloud, the order is not maintained).
Can the author comment please?
thanks,
Jay
From the last release (3.3.5), the app shows more details about sync status in Settings -> Cloud -> last sync status; let me know what the last status is.
Also please contact [email protected] for faster response.
oyam said:
> Interesting, I never heard of anyone trying it, let me know how it goes.
Pebble doesn't get it working through Android Wear, I think a layer is missing, maybe like an "emulator" (not the way Google implemented it) that can send other things but notifications to Pebble (it's the only thing supported for now).
Anyway, IMO for Authenticator Plus it will require a Pebble OS app and a modification to make it work as a companion.
Hi,
I would like to add a Battle.net account but the app fails to connect to the battle.net server. Is this something you can fix?
Edit: and do you think you can add Steam support in a future release?
Same problem with the battle.net server. No matter if I try it at home or at work or via LTE.
Since the Blizzard battle.net Authenticator works and I can access the battle.net site without any problem I suspect a problem with the Authenticator+ App. Syncing time with battle.net is also not working btw (in the settings)
Is the app working in 6.0? If yes, could you send me a trial?
Is it possible to use the Internet while keeping anonymous?
Well as soon as you go on the internet you are going to leave a fingerprint behind. You can minimize this a bit but you can't visit websites and not visit them at the same time. You can only make it less obvious that you visited them.
Some things that can make it harder for you to be tracked:
- Use a custom ROM (AOSP probably best) without Google Apps.
- Use a VPN (Virtual Private Network) while browsing the web. This way websites only know that a certain "server" visited them, but they do not know who is behind this server. This way it becomes a lot harder to trace the visit back to you.
- Use Firefox Browser, it helps especially compared to Chrome.
- Send DoNotTrack requests (with tools such as Ghostery). Most web browsers now have an option built in.
- Use an Adblocker on untrusted websites (preferably not on XDA). Adaway is one of the apps you can use on Android to achieve this.
If you do this kind of thing on your Android device you will become a lot more anonymous. Of course this is all pretty basic; if you start throwing out your passwords and name in the stuff you post online, of course you will no longer be anonymous. The largest danger is in giving your information to random websites/people on the internet. Tools such as e-mail maskers are always useful. Also try to refrain from installing apps without checking their permissions and stuff. If you install "Cute Free Wallpaper App" you might be infesting your device with malware; no matter how much protection you use, it still all boils down to common sense.
H-Cim said:
> Well as soon as you go on the internet you are going to leave a fingerprint behind. You can minimize this a bit but you can't visit websites and not visit them at the same time. You can only make it less obvious that you visited them.
> Some things that can make it harder for you to be tracked:
> - Use a custom ROM (AOSP probably best) without Google Apps.
> - Use a VPN (Virtual Private Network) while browsing the web. This way websites only know that a certain "server" visited them, but they do not know who is behind this server. This way it becomes a lot harder to trace the visit back to you.
> - Use Firefox Browser, it helps especially compared to Chrome.
> - Send DoNotTrack requests (with tools such as Ghostery).
> - Use an Adblocker on untrusted websites (preferably not on XDA)
> If you do this kind of thing on your Android device you will become a lot more anonymous. Of course this is all pretty basic; if you start throwing out your passwords and name in the stuff you post online, of course you will no longer be anonymous. The largest danger is in giving your information to random websites/people on the internet. Tools such as e-mail maskers are always useful. Also try to refrain from installing apps without checking their permissions and stuff. If you install "Cute Free Wallpaper App" you might be infesting your device with malware; no matter how much protection you use, it still all boils down to common sense.
Thanks a lot bro.. for your good suggestions
You can install Orbot and Orweb to browse through the Tor network. This is much slower than using a VPN, but you don't have to trust a VPN provider to keep you anonymous.
Thank you too!
Tor isn't for beginners or totally secure, but people seem unable to understand that.
If your traffic isn't encrypted, this means you send plain text, passwords etc.; it goes unencrypted to the nodes, and if these nodes are compromised it's 'easy' to identify what you sent via deep packet inspection. Silk Road was busted by this, a compromised www site with an SQL hack and ... Tor is useless, it's as easy as that. Again, it's not designed for beginners and never will be, if we are talking about 'total security'.
Heavyly hetting detected in the Web!
I was an IT technician (EDV-Techniker), and would really like to know more about being nearly anonymous. Have a few tips without VPN, WARP, Tor Browser... If your phone is rooted you can do more, so what's best: Magisk, root, apps or other things I can use?
Thanks for Helping
How far are you ready to go in order to achieve anonymity?
It's kind of possible, but it's a bit cumbersome.
First, you need different browsers for different activities so that you have different fingerprints.
For example, one browser only for personal stuff where your real name appears like emails, tickets, banks etc., one browser only for emails and accounts where your real name doesn't appear, and one browser only for web surfing on websites where you aren't registered and don't need to be.
On all browsers try to avoid as much as you can having JavaScript enabled; for banks and tickets you mostly can't, but you can for emails (at least some of them, so depending on which email you use you may want to change to one that doesn't require JavaScript to be enabled) and you can for many websites as long as you don't watch videos.
Atlas is a good browser; it isn't open source but it's clean and it enables you to switch between JavaScript and non-JavaScript easily.
Naked browser is a good clean choice too.
Avoid Chrome like the plague, and even Mozilla, which isn't what it used to be anymore (unless you build your own version and you remove the nasty stuff).
Then you need different identities depending on which browser you use.
That is, every time you switch browser you turn the WiFi off, you fire a script that changes your MAC address, your Android ID and all the other IDs your phone may have, including phone model, phone manufacturer etc., and then you turn the WiFi back on and switch IP on your VPN if you use one (I personally don't, I don't see the point since I'm not a bad guy and since anyway a government agency could most likely oblige your VPN provider to give you away).
Now as said above you'll need a clean AOSPish ROM, without any Google apps (which is where most people's desire on privacy hiccups, because they can't live without the Google apps' suite).
You'll have to be rooted.
You'll need a firewall like AF+.
You'll need a network log app to check which app connects where, specially for newly installed apps that require internet access.
You'll have to be careful with the apps you install and go as much as possible with open source apps.
If you are into social networking, don't install their apps (unless you know how to patch closed source apps, see below), it's far safer, and battery friendly, to access their sites from a browser.
You'll have to learn how to compile your ROM, your kernel and your apps from source, and clean whatever needs to be cleaned before compilation because even pure AOSP has some unpleasant code like analytics and connections to Google every time you turn the internet on (even if you don't have any Google apps installed, and even if you haven't opened any browser or internet allowed app yet) and because even open source apps sometimes use stuff you don't want.
If needed, you'll have to learn how to patch closed source apps to remove the analytics, the gms and the Facebook spywares if present, and whatever else you may find (Firebase, crashlytics etc.), and to remove the unwanted permissions, services, receivers and providers.
You'll have to learn how to use and read logs because patched apps often crash.
Last but not least, you'll need some common sense and change the way you interact with the internet...
If you do all of the above, you'll have a good level of anonymity.
So it's definitely possible, but one has to work a bit...
Are you willing to work?
I have just tried permissions ruler, 3 web browsers, and Network Connector to see what apps and scripts work in the background of Android. Most is Google Framework, nearly every second sending or looking up something...! As I like some Google services, I will now set up the next ROM without Google services.... Would you have some ideas, apps, ROMs, markets like 1Market, Blackmart, Network Connector, anti-spyware?
Thanks a lot
F-Droid is good for open source apps. A good firewall. Find a privacy-oriented browser, i.e. Yandex, Startpage, DuckDuckGo, Tor. FairEmail for your email client. Very privacy oriented.
https://forum.xda-developers.com/showthread.php?t=3824168
Situation:
I have somewhat of a "love-REALLY HATE" relationship with Google apps and ecosystem.
On one hand, they are great at what they do.
On the other, it's like having a spy satellite overhead, given how much telemetry it does.
Question:
I'd like to cut all of the Google apps' internet, location, sensor and background activity access for good when not in use. Or at least spoof whatever personal data is being sent (Device info, location, activities, etc). Any way to do that?
What I've done so far:
My current way-to-go method involves installing RethinkDNS+firewall, then blocking every single one of google apps including Gboard. It sort-of works, but very inconvenient, as I have to manually enable internet access for a particular app and/or service when needed. I also tried edXposed's XluaPrivacy module to cut off access to certain permissions. Again, cumbersome.
After going through F-Droid, I found an app called "Insular", that claims being able to put all of the "big brother" apps (such as Gapps) behind an isolated sandbox, a digital gulag of sorts.
Thanks for the pointer to Insular whose advertising on F-Droid says:
> Insular is a FLOSS fork of Island.
> With Insular, you can:
> Isolate your Big Brother apps
> Clone and run multiple accounts simultaneously
> Freeze or archive apps and prevent any background behaviors
> Unfreeze apps on-demand with home screen shortcuts
> Re-freeze marked apps with one tap
> Hide apps
> Selectively enable (or disable) VPN for different group of apps
> Prohibit USB access to mitigate attacks with physical access
Based on that, I suspect this XDA thread about "Island" may be useful.
> [APP][5.0+][BETA] Island - app freezing, privacy protection, parallel accounts
> "Island" is a sandbox environment to clone selected apps and isolate them from accessing your personal data outside the sandbox (including call logs, contacts, photos and etc) even if related permissions are granted. Device-bound data is still accessible (SMS, IMEI and etc).
> Isolated app can be frozen on demand, with launcher icon vanish and its background behaviors completely blocked.
Totesnochill said:
> Question:
> I'd like to cut all of the Google apps' internet, location, sensor and background activity access for good when not in use. Or at least spoof whatever personal data is being sent (Device info, location, activities, etc). Any way to do that?
Like you, my relationship with Google is strained where I don't set up any Google Account on Android and it works just fine.
I don't have a contacts.db sqlite database for that reason too, so my favorite communication apps are all designed to store their own contacts db internally to the app itself.
I replace Google apps with FOSS equivalents such as NewPipe (or, more recently, Vanced YouTube) for example.
And I spoof my GPS location by default (using Lexa Fake GPS, for example).
Of course, given I don't have a Google Account on my phone, I use the Aurora Store instead of the Google Play Store. Of course, I strive for apps that don't require Google Framework Services (GSF) which Aurora neatly filters out for us.
Since I'm not rooted, I can't delete Google Play Store, but I can disable it, which is almost as good.
And, I use privacy-aware apps for my messenger, calendar, contacts, and dialer apps (many of which come from Simple Mobile Tools' suite which are available on F-Droid).
To keep my WiFi SSID/BSSID/GPS/Strength/etc. out of the hands of Google (& Mozilla and Kismet and Wigle, etc.), I add "_nomap" to the SSID and I turn off the SOHO router SSID broadcast (which "hinders" most cellphones from uploading my BSSID information to Google public servers); but then I have to also turn off "AutoReconnect" on Android 12 and also I have the Developer Options set in Android 12 to randomize the MAC address on EACH connection; however that means I need to set any "static" connections on my LAN from the phone and not with address reservation on the router (which typically utilizes the MAC address).
And it's not just Google we need to keep our data out of their hands, as I even use WhatsApp privacy aware tools such as the WhatsApp dialer and WhatsApp Click to Chat mechanisms (to keep my contacts out of Facebook's hands too).
For offline maps, I use a quick web browser lookup on a privacy browser (such as Tor or Epic or Opera), since the Google address lookup is still the best in the world... (which is the love/hate relationship, right?)... and then I paste the GPS coordinates that the privacy browser found on the maps.google.com web site into a local routing application (such as a shortcut to a browser to google maps on the phone or better yet, to a dedicated offline map program such as OSM And~), and even traffic can be gotten without Google (e.g., Sigalert & 511 apps).
I used to reset the Advertising ID with a homescreen shortcut that could be activated from Windows via a batch file over Wi-Fi, but now with Android 12 we can wipe out the Advertising ID altogether (i.e., reset it to all zeroes). However, I still periodically change my GSF ID and other supposedly unique identifiers.
I'm still trying to figure out the implication of "trackers", so if anyone has more information about them, please advise.
Off hand there must be scores more things I do for privacy, where we probably should have a main thread on this site of all the myriad things people can do to increase their privacy on Android (some of which I've screenshotted for you below).
GalaxyA325G said:
> Like you, my relationship with Google is strained where I don't set up any Google Account on Android and it works just fine.
Thanks heaps for the very in-depth response. Really opens up on a lot of things I wasn't aware of, and I realized that unlike desktop, when it comes to mobile privacy I'm still a bit behind.
Are there any guides where I can do some reading on the concepts and techniques you've described? Especially regarding contacts.db sqlite database, GPS spoofing and privacy-aware options for accessing WhatsApp.
Also, what are your thoughts on MicroG?
Totesnochill said:
> Thanks heaps for the very in-depth response.
I try to put effort into the response so that others can benefit (but nobody ever presses the like button so maybe it's not worth the effort).
For example, when I mentioned I spoof my GPS, I looked up the app I used and linked to it so that you wouldn't have to test a score of apps like I did to find the best one.
Totesnochill said:
> Really opens up on a lot of things I wasn't aware of, and I realized that unlike desktop, when it comes to mobile privacy I'm still a bit behind.
That was just off the top of my head where there has to be at least a hundred different privacy things I do on Android to distance me from Google that most people don't bother to do.
I admit, sometimes it feels like we're putting a dozen locks on the front door, but in the end, we LEARN a lot about Android in the process.
A lot of the protection is to protect ourselves from others who don't know how to configure their phone, so they are uploading our private information (like our contacts and home locations) to Google databases.
For example, the typical Android phone when it drives by your front door uploads to Google your exact location, your signal strength, your unique BSSID and your SSID... where you'll note in my response above I had to do a half dozen things on my phone and router to prevent that from happening (i.e., just adding "_nomap" doesn't work but most people don't realize that because they don't think about it).
Totesnochill said:
Are there any guides where I can do some reading on the concepts and techniques you've described?
I'm sure there are plenty.
But I have been in MANY situations where there are none.
Take, for example, changing the GSFID... almost nowhere on the net is that described how to do it. Almost nobody does it, but it can be done if you know how.
I really should write a set of privacy tutorials so that everyone can do it but I have to find the time, and this web site doesn't like text tutorials I found out recently. So they make it a PITA in the end to help people. Sigh.
Totesnochill said:
Especially regarding contacts.db sqlite database, GPS spoofing and privacy-aware options for accessing WhatsApp.
If you look at the links I gave you in my response for contacts, GPS spoofing and privacy-aware WhatsApp, you'll get a good start.
A quickie is to not have a contacts.sqlite database, which means you need your own contacts.csv or more likely contacts.vcf file, which you can maintain on the PC if you like (works with Excel for example).
Now that you don't have a contacts.db sqlite database, you need to find the contacts and dialer and mms/sms apps that can suck in their own contacts.vcf file, which I pointed you to in the Simple Mobile Tools suite.
For GPS spoofing, I didn't mention you need to turn "Mock Location" on in the Android Developer Options, but that's what most people already do so I assumed you knew that. Once you turn that on, you can just select the mock location app of your choice (where I suggested one above which isn't perfect but none of them are).
That particular app moves your location every few feet and it gets the altitude and it can easily be stopped and started, etc., but I'd like it if it didn't move just "west by 10 feet every minute" but instead if it would follow a pre-determined route that I could give it. So they need a lot more work to be as good as we'd like them to be.
For WhatsApp privacy, look at the two apps I linked to in the prior post as they don't need the contacts.sqlite database to work.
Your WhatsApp should only have an icon in your folders for the people you contact and nothing else, IMHO. That's the best privacy you can get, although WhatsApp does decent hashing on the contacts file when it uploads it to their servers - but still - why give them your entire contacts when you only contact 10 people (or whatever) on WhatsApp. Right?
Totesnochill said:
Also, what are your thoughts on MicroG?
Funny you mentioned microG since I installed it for the first time yesterday when I was setting up Vanced Youtube based on this thread.
I generally choose apps that don't use GSF but sometimes you have to use a GSF app (e.g., Zoom meetings), and then it's nice to use MicroG instead of Google Services Framework.
I only installed it yesterday so I really don't know how well it will work for me as I didn't even need to install it to install VancedYoutube. You just need it to log into YouTube but I never do that anyway.
In summary, there's probably a hundred things we do to our phones to set up privacy but I'd have to write each one up in detail to help everyone and that's a lot of work.
Especially if almost nobody reads these threads.
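The contacts.csv to contacts.vcf step mentioned in the post above, as an added example that is not part of the original post: a small converter that turns a CSV kept on the PC into vCard 3.0 records a contacts app can import. The column names (name, phone, email) and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample; the column names (name, phone, email) are assumptions.
SAMPLE_CSV = '''name,phone,email
"Doe, Jane",+1 555 0100,jane@example.org
Bob; Plumber,555-0101,
,555-0102,nobody@example.org
'''

def vcard_escape(value):
    """Escape a text value per vCard 3.0 (RFC 2426)."""
    return (value.replace("\\", "\\\\").replace(";", "\\;")
                 .replace(",", "\\,").replace("\n", "\\n"))

def fold(line, width=75):
    """Fold a long content line; continuation lines begin with one space.
    Counts characters, not octets, which is a simplification."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\r\n".join(parts)

def csv_to_vcf(csv_text):
    """Return (vcf_text, skipped_line_numbers); rows without a name are skipped."""
    cards, skipped = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        name = (row.get("name") or "").strip()
        if not name:
            skipped.append(lineno)
            continue
        # N is mandatory in 3.0; the whole name goes into the family-name slot.
        lines = ["BEGIN:VCARD", "VERSION:3.0",
                 "N:" + vcard_escape(name) + ";;;;",
                 "FN:" + vcard_escape(name)]
        phone = (row.get("phone") or "").strip()
        email = (row.get("email") or "").strip()
        if phone:
            lines.append("TEL;TYPE=CELL:" + vcard_escape(phone))
        if email:
            lines.append("EMAIL;TYPE=INTERNET:" + vcard_escape(email))
        lines.append("END:VCARD")
        cards.append("\r\n".join(fold(l) for l in lines))
    return "\r\n".join(cards) + "\r\n", skipped

if __name__ == "__main__":
    vcf, skipped = csv_to_vcf(SAMPLE_CSV)
    print(vcf)
    print("skipped CSV lines:", skipped)
```

Commas and semicolons in names must be escaped because they are field separators in vCard; an unescaped "Doe, Jane" can otherwise be split into two values by the importing app.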
GalaxyA325G said:
I try to put effort into the response so that others can benefit (but nobody ever presses the like button so maybe it's not worth the effort).
In summary, there's probably a hundred things we do to our phones to set up privacy but I'd have to write each one up in detail to help everyone and that's a lot of work.
Thank you for doing God's work out there. Ethics like these are what creates the content that keeps the internet from becoming a dumpster fire otherwise. Tutorials and explanations that come from the fellow users are THE best and usually directly on-point.
When I was just starting setting up a Linux environment, I wrote "how-to notes" on every successful step. At first it was more like the "sticky notes" to help me remember, but eventually (as the list grew) I started writing these tips in a way as if they were to be read by someone with little background in the subject. What used to be the "Linux notes" file became a 10563-line monstrosity now... So every time I need to answer someone's question I just copy-paste from this file.
GalaxyA325G said:
That was just off the top of my head where there has to be at least a hundred different privacy things I do on Android to distance me from Google that most people don't bother to do.
I admit, sometimes it feels like we're putting a dozen locks on the front door, but in the end, we LEARN a lot about Android in the process.
Absolutely. I've spent about 2 weeks tweaking my new phone (Nokia X6), trying out different roms/recoveries and app setups. Pissed off a bunch of people in the process - most wouldn't understand that I'm setting up a system to last another 7 years, just like my previous phone (Galaxy Gprime). Not to mention that with the amount of sensitive info on the phone, security and privacy are a legit concern, and worth learning about just how one learns to install and use the lock on the front doors.
Phones became disposable both in software and hardware, and so has the general attitude towards the devices.
My final setup became AOSP PixelPlusUI Rom (comes with about openGapps nano worth of Google stuff) with most other stock apps (contacts, dialer, keyboards, msg etc) removed via ADB and replaced with F-Droid alternatives.
I've also used Rethink DNS with whitelist set up/AppInspector to put Google in the Goolag - no internet access for anything Google-related at all times. So far my phone has 253 apps blocked (including almost all of the system apps). Surprisingly, all of the necessary apps off Google Play Store (WhatsApp, FB messenger) still function well. Whenever I need a particular Gservice (like a translator), I just enable access for that (and only that) until I don't need it anymore.
GalaxyA325G said:
If you look at the links I gave you in my response for contacts, gps spoofing and privacy-aware WhatsApp, you'll get a good start.
A quickie is to not have a contacts.sqlite database, which means you need your own contacts.csv or more likely contacts.vcf file, which you can maintain on the PC if you like (works with Excel for example).
Thanks! I'm not sure why the links didn't show up at first. I'll give this a look. I've been using "simple mobile tools" for quite a while, and I must say I like how they are completely autonomous and transparent about what perms they need and why.
GalaxyA325G said:
For GPS spoofing, I didn't mention you need to turn "Mock Location" on in the Android Developer Options, but that's what most people already do so I assumed you knew that.
I definitely saw the option in the dev settings, but didn't experiment with it. Well, now I know, thanks!
Funny you mentioned microG since I installed it for the first time yesterday when I was setting up Vanced Youtube based on this thread.
I generally choose apps that don't use GSF but sometimes you have to use a GSF app (e.g., Zoom meetings), and then it's nice to use MicroG instead of Google Services Framework.
I only installed it yesterday so I really don't know how well it will work for me as I didn't even need to install it to install VancedYoutube. You just need it to log into YouTube but I never do that anyway.
In summary, there's probably a hundred things we do to our phones to set up privacy but I'd have to write each one up in detail to help everyone and that's a lot of work.
I will give microG a try (in a form of LineageOS for MicroG). In fact I did install this rom before but I was a bit confused about what it did and assumed that it is a regular LinOS repack with Gplay store and apps built-in. Time to test again.
Especially if almost nobody reads these threads.
Threads like these are how I passed my uni exams. Not even exaggerating XD. Thanks again for a very detailed insightful read!
Hello my friends, very happy to meet good hearted people who think alike about Gugle.
As my name suggests I'm noob still and didn't understand much of discussion but very happy to meet you friends. My love & warm regards to all here. Here is what I did up till now before I saw this thread:
1> Load GSI/ROM.
2> Load TWRP
3> Load Magisk
4> Load microG
5> Install Service Disabler
5.1> Disable bunch of internal services like telemetry, analytics, location (FusedLocation not possible to disable) for every app (3-rd party & system app), contacts sync etc.
6> Install SD-Maid Pro
6.1> Freeze apps like Gugle Calendar Sync Adapter & Gugle Contacts Sync Adapter
7> Install CIAFirewall Fake VPN & configure it.
8> I use Opera browser for Banking, Youtube, Cab booking, Surfing, Gmail, Food Order etc.
9> Install Aurora Store for general app management & installation
10> For contacts I save all contacts in notepad app, and let all calls purposely bounce then I call back after checking whose call it was & state false apologies.
#FYI :- Gugle, Mycrowsowft, eFbee are not really to be blamed, they are having to comply with FBI, Phentagon, Central Intelligence Agencies, Interpol, etc. or they have to shut bizness.
GalaxyA325G said:
Like you, my relationship with Google is strained where I don't set up any Google Account on Android and it works just fine.
Hi, I’m glad to have found this thread as I’m not happy with how my normal Android phone is spied upon by google. But I’m not technically knowledgeable and I don’t want to risk bricking my phone by trying amateur attempts at rooting, or installing Insular, etc…
So far I have not signed in, I allow only minimum permissions, use Netguard, Aurora and FDroid, and have disabled bloatware. I also force-stop apps as much as possible when not in use, and enable Location and Bluetooth only when needed.
I know this is just an amateur, token attempt to reduce spying - so I may have to eventually buy a degoogled phone.
I’ve also done some of the privacy suggestions in the attachments you posted.
Could you help me with a couple of newbie questions…
1): I might have minimised some personal data harvested by most of the apps I use, but I guess my privacy precautions will have no significant effect on the amount of telemetry collected by google?
2): If my precautions really have no significant effect, I’m wondering if it would make any real difference if I was signed in as I don’t use any of the google backup services anyway?
Thanks.
I recently found a really interesting and useful website called hybrid analysis that is a sandbox scanner for files and programs of all kinds. And recently I've taken it upon myself to upload a few random small game apks that I don't have any permissions given and that I have gotten from the playstore. And all of them come back with disturbing results that they have access to files, contacts, emails and to send and receive them, to record audio from multiple inputs, and track my internet usage. How is this possible? Is there any way I could get this kind of software scanner on Android to check all my apps? Also the website is limited to apps that are smaller than 100mbs so even if I wanted to just upload every APK I have on my device that wouldn't be possible. I also checked these apks on virustotal and they didn't find anything wrong with them, like really no red flags at all on them on virustotal. Or at the end of this am I just being too paranoid?
Don't think it's necessary to additionally run apps downloaded / installed from Google Play Store through a malware scanner: Google does that by themselves.
spart0n said:
access to files, contacts, emails and to send and receive them, to record audio from multiple inputs, and track my internet usage. How is this possible?
Two words: Android, Google
Can you name a few apps with "disturbing results"?
Not sure but I get the impression that
https://www.hybrid-analysis.com/
is just another FUD to sell their "services" and it's growing nicely... but don't get me wrong such scanners are not useless per se. And the more, the merrier
https://f-droid.org/packages/org.adaway/
results in 35/100 threat score and is labeled as gray. Looking forward to feed their machine with some real bad apples...
Looking up the company leads to a German GmbH (aka Ltd) and further to CrowdStrike in the US.
https://en.wikipedia.org/wiki/CrowdStrike
xXx yYy said:
malware scanner: Google does that by itself
And here is how much I trust Google:
<>
Yes, it's an empty list