(Sorry if this is posted in the wrong section. Mods: You may move/delete this if you feel necessary.)
Received this email from Skype today. Guess I'll uninstall Skype until they fix this. And does anybody know how to identify if we are affected?
Dear XXXXXX
Thank you for downloading and using the Skype for Android software. Unfortunately, it has come to our attention that if you were to install a malicious third-party application onto your Android device, it could access the locally stored Skype for Android files. These files include cached profile information and your instant message chat history.
We take our users’ privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application. This update will be available shortly and as always we urge you to install updates to benefit from our continuous fixes and improvements.
Until the update is released, to protect your personal information, we advise that you as always take care when selecting which applications to download and install onto your device from the Android Marketplace.
For more information see our Security Blog at blogs.skype.com/security or our security section at skype.com/security.
Adrian Asher
Chief Information Security Officer
Skype Information Security
I recently got this mail to.
They will probably fix it sometimes ...
More info:
http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.html
http://androidjet.com/skype-for-android-data-security-issues/
Skype for Android is one of the more widely used applications on Android – on any platform for that matter. We, as consumers, generally tend to trust popular applications with our personal information and rarely seem to think twice about how that data is protected or encrypted.
Unfortunately, Skype has allowed a glaring oversight in security to take place. The application has been failing to set the appropriate level of read-permissions for certain files that it creates while you’re using the program. Android has built-in security measures to prevent one application from reading another’s data, to avoid malicious apps from accessing your secure data. The flaw, however, is that Skype has been failing to encrypt the data that is being stored and they have also not been setting the permissions appropriately, to prevent other applications from reading the aforementioned data.
Thankfully, Skype is aggressively working on a fix for this issue and should be issuing a patch or update very soon. So far, we haven’t heard any stories of malicious activity actually taking place but the threat is enough to get us worried.
Click to expand...
Click to collapse
Work-In-Progress
Domain is up
AppFeed.net
Coomon problem:
As many of you knows, there is no app or service for Android where users can request notifications of application updates, especially the price changes (mainly price drop), or updates for slow updating apps.
Solution:
My solution was to develop a website where users can add applications to a list, and get a unique RSS/Atom feed that notifies them whenever the apps gets updated (Price, Version, etc).
The feed can be added to any application that support it: Desktop Readers/notifiers (tested with Thunderbirds), Web-based readers (Tested with Google Reader).
I intended to add other forms of notifications, but later found that with the service if this then that I can create tasks that monitor my unique feed that do everything else: Email notifications, Twitter posts, or any other channel provided by the ifttt.com service.
Usage examples:
Some usage examples for such a service:
1) I like a paid app, but its cost is a bit high for me, so I add the app to my watch list to get notified if/when the app gets on sale, instead of having to check frequently or miss an opportunity to get the app during a great sale (happened to me few times already).
2) I like and played a game, and finished all levels, the developer promised extra levels, instead of leaving the game installed on my device and wait for updates, I can uninstall it and add it instead to my list and get notified when it's updated.
3) With Android Play Store auto update feature enabled, I miss most app updates, with notifications on selected apps I can see when those apps gets updated.
4) Other usages...
Status of the project
Currently this project is being developed and tested by just myself, and it seems to be working as expected. But to have a good service, I need some to extra help to test it better, to suggest features, etc.
What is mainly missing is some legal advice, such as a privacy policy and term of service, and on whether I can put up such a service (does Google allow this kind of service? knowing they do not provide API for the Google Play).
What is still missing the some text, I am not a native-English speaker so still trying to put things correctly.
Privacy
I take privacy issues very seriously.
To make this service work, I opted for using 3rd party sign-in (Google and Twitter), what is saved on the DB is a hash of the sso unique token, not even I can get the clear one. User name and email are required, and are saved encrypted in the DB (with AES), and get decrypted only during login to show your name on the top bar, nothing else.
Here is a screenshot of the main wishlist:
And here is what you get in the rss feed, through Google Reader:
Questions or Problems Should Not Be Posted in the Development Forum
Please Post in the Correct Forums & Read the Forum Rules
Moving to Q&A
lufc said:
Questions or Problems Should Not Be Posted in the Development Forum
Please Post in the Correct Forums & Read the Forum Rules
Click to expand...
Click to collapse
My topic is more development than questions, maybe not an Android App but and Android service
Updated post #1.
project is going well, anybody is interested, please let me know (by leaving a comment), if I get enough feedback, I'll get a domain and host it somewhere, currently it is running on a personal domain.
Update:
Got a domain for my new service, and now it is up and running.
check the first post for link and info
Hi,
while using google for authentication, I am actually notified that your website wants to "manage your contacts".
What is the reason behind that?
Thanks a lot
ale
alanzed said:
Hi,
while using google for authentication, I am actually notified that your website wants to "manage your contacts".
What is the reason behind that?
Thanks a lot
ale
Click to expand...
Click to collapse
For the authentication I use the HybridAuth library, and this is the minimum that I can ask for from Google for use the OAuth authentication, if there is anything less, I'll do it, but I can't find how.
Twitter authentication has just Read Only access (Minimum available).
Update:
Found the solution, now it doesn't ask for Manage Contacts...
Okay, so, I summed up some 5 articles on this subject - in the hope of starting a discussion about device security. I hope you will find this interesting and meaningful and perhaps you will find out about some of the risks of using Android.
2 months ago Juniper Networks, one of the two biggest network equipment manufactures, published a blog post (1) about an intensive research their mobile threat department had on the Android market place.
In essence they analyzed over 1.7 million apps in Google Play, revealing frightening results and prompting a hard reality check for all of us.
One of the worrying findings is that a significant number of applications contain capabilities that could expose sensitive information to 3rd parties. For example, neither Apple nor Google requires apps to ask permission to access some forms of the device ID, or to send it to outsiders. A Wall Street Journal examination (2) of 101 popular Android (and iPhone) apps found that showed that 56 — that's half — of the apps tested transmitted the phone's unique device ID to other companies without users' awareness or consent. 47 apps — again, almost a half — transmitted the phone's location to other companies.
That means that the apps installed in your phone are 50% likely to clandestinely collect and sell information about you without your knowledge nor your consent. For example when you give permission to an app to see your location, most apps don't disclose if they will pass the location to ad companies.
Moving on to more severe Android vulnerabilities. Many applications perform functions not needed for the apps to work — and they do it under the radar! The lack of transparency about who is collecting information and how it is used is a big problem for us.
Juniper warns, that some apps request permission to clandestinely initiate outgoing calls, send SMS messages and use a device camera. An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device. I am of course talking about the famous and infamous US Navy PlaceRaider (3).
Thankfully the Navy hasn't released this code but who knows if someone hadn't already jumped on the wagon and started making their own pocket sp?. CIO magazine (4) somewhat reassures us though, that the "highly curated nature of [smartphone] application stores makes it far less likely that such an app would "sneak through" and be available for download."
A summary by The Register (5) of the Juniper Networks audit reads that Juniper discovered that free applications are five times more likely to track user location and a whopping 314 percent more likely to access user address books than paid counterparts. 314%!!!
1 in 40 (2.64%) of free apps request permission to send text messages without notifying users, 5.53 per cent of free apps have permission to access the device camera and 6.4 per cent of free apps have permission to clandestinely initiate background calls. Who knows, someone might just be recording you right now, or submitting your photo to some covert database in Czech Republic — without you even knowing that your personal identity is being compromised.
Google, by the way, is the biggest data recipient — so says The Wall Street Journal. Its AdMob, AdSense, Analytics and DoubleClick units collected data from 40% of the apps they audited. Google's main mobile-ad network is AdMob, which lets advertisers target phone users by location, type of device and "demographic data," including gender or age group.
To quote the The Register on the subjec, the issue of mobile app privacy is not new. However Juniper's research is one of the most comprehensive looks at the state of privacy across the entire Google Android application ecosystem. Don't get me wrong. I love using Google's services and I appreciate the positive effect this company has had over how I live my life. However, with a shady reputation like Google's and with it's troubling attitude towards privacy (Google Maps/Earth, Picasa's nonexistent privacy and the list goes on) I sincerely hope that after reading this you will at least think twice before installing any app.
Links: (please excuse my links I'm a new user and cannot post links)
(1) forums.juniper net/t5/Security-Mobility-Now/Exposing-Your-Personal-Information-There-s-An-App-for-That/ba-p/166058
(2) online.wsj com/article/SB10001424052748704694004576020083703574602.html
(3) technologyreview com/view/509116/best-of-2012-placeraider-the-military-smartphone-malware-designed-to-steal-your-life/
(4) cio com/article/718580/PlaceRaider_Shows_Why_Android_Phones_Are_a_Major_Security_Risk?page=2&taxonomyId=3067
(5) theregister co.uk/2012/11/01/android_app_privacy_audit/
____________________________________________________________________________________________
Now I am proposing a discussion. Starting with - do we have the possibility to monitor device activity on the phone? By monitoring device activity, such as outgoing SMSs and phone calls in the background, the camera functions and so on we can tell if our phone is being abused under the radar and against our consent. What do you think?
.
I am finding it sad and troubling but even more so ironic that nobody here cares about this stuff.
Pdroid allows you to tailor your apps and what permissions your device actually allows on a per app basis. Requires some setup, and the GUI is nothing fancy.. but for those worried about permissions, it is quite ideal.
Edit : http://forum.xda-developers.com/showthread.php?t=1357056
Great project, be sure to thank the dev
Sent from my ADR6425LVW using Tapatalk 2
DontPushButtons said:
Pdroid allows you to tailor your apps and what permissions your device actually allows on a per app basis
Click to expand...
Click to collapse
Sounds good for a start, I'll look it up
pilau said:
Sounds good for a start, I'll look it up
Click to expand...
Click to collapse
Okay, so I looked it up, and Pdroid does look like a fantastic solution to control what apps have access to what information on your droid.
However, it doesn't cover monitoring hardware functions such as texts being sent, calls being placed etc. as described in the OP. Besides, it only works in Gingerbread as far as I could gather.
EDIT: looking at PDroid 2.0, it does exactly what I originally asked
pilau said:
Okay, so I looked it up, and Pdroid does look like a fantastic solution a control what apps have access to what information on you droid.
However, it doesn't cover monitoring hardware functions such as texts being sent, calls being placed etc. as described in the OP. Besides, it only works in Gingerbread as far as I could gather.
Click to expand...
Click to collapse
I actually first found out about it on an ics rom, so it's definitely not just gb. As for monitoring, no clue. Any sort of extra process logging would likely bog down resources or space eventually.
Sent from my ADR6425LVW using Tapatalk 2
DontPushButtons said:
Any sort of extra process logging would likely bog down resources or space eventually.
Click to expand...
Click to collapse
I definitely wouldn't know. This solution looks very complicated in first impression but on the Google play page it says 100% no performance effects.
Anyway, I looked up PDroid 2.0 here on XDA, which is the rightful successor of the original app. It does everything the original app does and also monitors many device activities! Here is the full list of features. I would add a working link but I'm still a n00b and I am restricted from doing so. Sigh....
forum.xda-developers com/showthread.php?t=1923576
PDroid 2.0 allows blocking access for any installed application to the following data separately:
Device ID (IMEI/MEID/ESN)
Subscriber ID (IMSI)
SIM serial (ICCID)
Phone and mailbox number
Incoming call number
Outgoing call number
GPS location
Network location
List of accounts (including your google e-mail address)
Account auth tokens
Contacts
Call logs
Calendar
SMS
MMS
Browser bookmarks and history
System logs
SIM info (operator, country)
Network info (operator, country)
IP Tables(until now only for Java process)
Android ID
Call Phone
Send SMS
Send MMS
Record Audio
Access Camera
Force online state (fake online state to permanent online)
Wifi Info
ICC Access (integrated circuit-card access, for reading/writing sms on ICC)
Switch network state (e.g. mobile network)
Switch Wifi State
Start on Boot (prevents that application gets the INTENT_BOOT_COMPLETE Broadcast)
I've always had the luxury of someone else integrating it into the Rom, then I just had to set it up through the app. It is time-consuming, but not very difficult at all. I say give it a shot and see if that's what you had in mind. Maybe the logging is less detrimental than I had previously thought.
I'm sure you could get your post count up by asking for some tips in that thread. Every forum on xda has at least one person that's EXCESSIVELY helpful, frequently more. So have a ball
Sent from my ADR6425LVW using Tapatalk 2
== THREAD PURPOSE ==
I'm opening this thread to share and learn ideas about privacy solutions, please respect the purpose and keep this thread clean. My main language isn't English so if you spot errors or omissions please PM to me so I can correct them. Thank you.
All trolling or demotivating posts, disbelieving about privacy concerns or defending Google honor will be reported for cleaning.
== PROBLEM, HYPOTHESIS, TESTS, CONCLUSION ==
For years I've been very annoyed about privacy abuse on Internet and since Snowden and Assange revelations my concerns raised. I'm sure my personal and professional life is common and boring but I want privacy with my things just like I don't want a guy next table in the coffee shop listening to my talking subjects.
My first decision was to deploy a personal server, in my home, with OwnCloud. All went fine for some months until I realized the pain it was maintaining the system working, from server attacks and system fails to energy bills nothing could justify such paranoia. The OwnCloud Android client was also very bad those days.
The second idea was hosting OwnCloud and mail services on a private host, but this didn't made any sense because data wasn't encrypted and every employee could easily see my thermonuclear projects and my banana pancakes secret recipes. It was also a paid solution for nothing.
Finally I thought "If you're using German services you should be fine, Germany privacy data laws are the toughest in the world (even better than Swiss in this matter)". I'm in Europe so using European services was a no brainier decision, preferably in Germany and owned by German companies. Yes, I know you can't trust anyone but even so I think it's a well balanced solution.
== SERVICES ==
These are my services right now, share yours and try to justify why they're equal or even better. This list will be changed as needed:
Mail - GMX (Germany)
- Generally I really don't like 1&1 services but GMX is really good and working only on European servers. I advise you to don't use their other service, mail.com, because this one use USA servers. Unfortunately all other free German providers have low storage space. If you're willing to pay for privacy try Dutch StartMail but it's beta at the moment.
Contacts & calendar - fruux (Germany)
- Amazing services, great philosophy. For privacy and decentralization purposes I've opt for don't have this services on my mail provider. Unfortunately their servers are on Amazon Ireland, but I believe fruux have implemented cryptographic code on their system.
Cloud - HiDrive (Germany)
- I NEVER upload sensitive information to the cloud, even encrypted (remember Heartbleed and AES backdoor theory?). I was using Wuala for years but gave up after have been acquired by LaCie (USA). Tresorit shouldn't be trusted either, they're using Microsoft Azure servers, each uploaded and shared link pass through USA. Mega is darkness, I don't like the smell of it.
Apps - F-Droid (UK/France)
- FOSS is the way you should go, F-Droid is the obvious choice. F-Droid client was forked from Aptoide's source code.
Aptoide (Portugal) it's good but not consensual. Recently they're processing Google with Antitrust Complaint in EU proving they're concerned. You can only trust Aptoide IF you choose to install apps from their main centralized store (the default one, be ware and don't trust any other user store). http://m.aptoide.com/about
If you can't find what you're looking for then you can use Blank Store or Opera Mobile Store. Never choose Amazon Appstore, apps installed from there have proprietary code inserted.
Search engines - DuckDuckGo (USA!)
- Technically DuckDuckGo is a meta-search engine. It's amazingly good and you have lots of options to choose (did you know you can directly search images from Google if you search !gi [image you're searching for]?).
Another great alternative is Startpage (Netherlands).
== ANDROID SYSTEM ==
My Android system:
- CyanogenMod + freecyngn + NOGAPPS + SuperSU
- TWRP recovery
- Hardening Android for Security and Privacy
== APPS ==
My essential apps are:
Apps client - F-Droid (FOSS)
- See services above.
Privacy and cleaning - AdAway and AFWall+ (both OSS)
- Obvious choices on each privacy concerned system. Block almost everything, trust no one.
Android browser - Boat (proprietary code)
- I just love the options, specs, interface and speed. I know this choice will be highly controversial for some because it's a Chinese made browser, but isn't a cloud browser (like the also Chinese Maxthon) and it's really easy to firewall it from calling home (something somehow difficult with Dolphin). The obvious FOSS choice for almost everyone would be Firefox but I really hate their Android app and I have some bad thoughts about their Google connections. The FOSS best shot would be Tint or Lightning, but they're rather limited and AOSP it's even worse. Chrome it's obviously excluded for privacy sake.
Boat devs also used to be active on Xda with many supporters. For security precautions block port range 192.241.158.0/24 and 211.151.0.0/24.
Email app - K-9 (FOSS)
- The oldest, most forked and trusted email client. Needs a deep design/interface Overhaulin' (hey, Chip Foose...)
Contacts and calendar sync - Fruux + Birthday Adapter (FOSS)
- See services above.
Password & confidential safe - KeePassDroid (FOSS)
- Believe me, I don't know a single password of my accounts and I have hundreds. The only really big and complex password I know is the one from KeePass.
Antivirus - NONE, JUST DON'T
- I will not discuss here about the needs or true benefits of these apps but I can assure your data is leaking each time you go online. All them claim about privacy but they're always collecting "unidentifiable data".
== I will post links for everything soon. Please include links in your posts when justified. Thanks. ==
== Android Alternative FOSS ==
This is a list of some well known apps and their open source alternatives. Incredibly some of them are even better than "official" or paid apps, some others are quite limited but evolving and much secure.
It's impossible to put everything here, only the best apps I've tried with success will be listed. Please keep posting your suggestions.
BitTorrent Sync > Syncthing
Chrome > Firefox
Dolphin > Tint Browser
Dropbox > OwnCloud, Seafile
Facebook > Tinfoil for Facebook
Gmail > k-9 Mail
Lux Auto Brightness > YAAB
Tasker > SwiP
Titanium Backup > oandbackup
Twitter > Twidere
Reserved, just in case.
Really great thread sancho_panzer. I never thought someone can be as paranoid as I am, but I found you.
I'd like to add a few services:
Posteo (Mail):
A german email provider that doesn't claim as much data aa most of them do. It just needs your mail, pw of course and you can add your mobile phone number if you like to (it will be saved hashed in their database). Posteo has great SSL connections and uses a the first (german) provider the new protocol DANE as well as DNSSEC. You can use their CalDav and CardDav server and choose to encrypt your address book and your calendar. The service costs 1€ per month (10 cents for additional aliases and 20ct for the next gig), that can be paid by post mail, PayPal or bank transfer. The last two way won't get linked to your account.
CalDav/CardDav
To manage my addressbook and calendar on multiple devices I use aCal from F-Droid.
For googling issues there is a browser add on for PCs that tunnels the Google searchs for you called disconnect.me
Greetz, and i appreciate your love to FOSS very much!
@traceless There are lots of people on Xda concerned about privacy on Android and the Internet. I really hope this thread could help them to take some measures about it and share alternatives.
Thank you for https://posteo.de/ suggestion. Could be a great service problem is I don't speak German. I really don't understand why the website don't have an English version. I'm also concerned with recent leaks news about *.de domains ( http://www.bbc.com/news/technology-25825784 ).
I've tried CalDav-sync and CardDav-sync and they're great little apps, but if you want a FOSS solution try DAVdroid and the very new Flock from F-Droid.
I really can't trust https://disconnect.me/ . ( http://www.darkreading.com/document.asp?doc_id=1251070& ) or Ghostery, both track you ( http://www.reddit.com/r/firefox/comments/1qkc2b/disconnect_vs_ghostery/ ). If you're using Firefox on PC or Android my advice is to install Adblock Edge (Adblock Plus is worse and heavy) + Self-Destructing Cookies (BetterPrivacy is also great) + NoScript. You should also consider CleanQuit.
@sancho_panzer
I knew, that Disconnect was founded by a former Google employee but didn't know he was linked to the NSA. Anyway my current FF configuration looks just as you recommended, but I additionally installed a plugin that's called FireGloves. This is especially useful if you want to make fingerprinting your browser harder. It disables or disguises trackable settings; if you'd like to every browsing session. How unique ones configuration is, can be seen here at Panopticlick.
I agree, that it's a pity some services aren't available in the most common languages. Posteo's webmailer can be changed to English, but the whole service is German. Btw you don't have to be worried about the de ccTLD, the 16m mail that were compromised earlier this year were most likely taken due a hack of a german online shop and as the most customers were germans, the majority of the mails end up with *.de. So it doesn't mean every german domain is compromised and mail provider are insecure.
As you don't speak german you could take a look at Secure-Mail, a mail service provided by the mainly german VPN Perfect Privacy. It hosts in NL and supposes to store no identifiable data and is also encrypted. I found no setting to change the language to english on Secure-mail, but I thought I've seen it once in english, maybe it canges only if your country is english-speaking.
Flock is really nice, but I stay with aCal, cause it comes with a calender other than the integrated one and I'm not dependent on the built-in one with the (also switchable) Googl sync.
Excellent thread, thank you for starting it.
Edit : I think HTTPS Everywhere by the EFF should be mentioned in a thread like this.
https://www.eff.org/https-everywhere
sancho_panzer said:
I'm sure my personal and professional life is common and boring but I want privacy with my things just like I don't want a guy next table in the coffee shop listening to my talking subjects.
Click to expand...
Click to collapse
It doesn't matter if you think you life is important enough to be watched or if it's just boring. The fact that you know you *could* be watched in every move you make, automatically changes your behaviour. It changes the way you think, it changes the way you speak and write. It influences the way you interact with others. Feeling watched makes you fear of what you do!
Opening a thread like this is a good thing to begin to overcome this fear. :good:
Good linux expert, my colleague, told me some finding, android wise.....
He has installed Android Firewall, and blocked every possible application and system modules, including kernel.
In apk log, found that all ip packets sent by android kernel are routed through some chinese ip address, regardless of theirs final destination.
After some research, turned out that this IP is used by NSA. Yes, all ip packets going out of our android phone are sniffed by NSA. Embedded in kernel.
My 2 cents here, and sorry if ot.
Cheers!
Sent from my GT-I9195 using Tapatalk
Nice thread, thanks! :good:
Some thoughts from my side:
I generally distrust every online service, especially if I don't pay for them. I think it is better to decentralise services and host them on self managed servers in families, groups of friends,... and thus basically only give data to trusted persons you know in real life.
Here are two good links that show alternatives to proprietary software/cloud services:
https://prism-break.org/en/
https://wiki.debian.org/FreedomBox/LeavingTheCloud
== SERVICES ==
Mail -
I think mails are generally difficult to self-host. So you need a good mail service. Posteo was mentioned here, another similar reliable german mail provider (with english translation) is mailbox.org. They even encrypt unencrypted incoming mails with your PGP-key before they store them.
Contacts & calendar -
Posteo and mail.org also include contact and calendar synchronisation via CalDav/CardDav. Even better: Host it by yourself.
Instant Messaging -
XMPP (Jabber) is an open decentralised protocol with lots of implementations for almost every platform. You can host it by yourself or use an existing server. There are also very good clients for Android like Conversations or Xabber
== ANDROID SYSTEM ==
Two additions:
Free Your Android! - campaign of the Free Software Foundation Europe
IMSI Catcher/Spy Detector
== APPS ==
sancho_panzer said:
Android browser - Boat (proprietary code)
Click to expand...
Click to collapse
Don't do this! Firefox for Android is also a good choice. And Orweb not to forget!
traceless said:
I use aCal from F-Droid
Click to expand...
Click to collapse
DAVdroid is also a very good FOSS CalDav/CardDav-provider that integrates with the contacts/calendar app of android. And it is under active development (in contrast to aCal)
I can only agree that using posteo.de is a must. Completely anonymous. I put cash in an envelop (didn't actually touch any of it myself ) and they opened my account no problem. Last time I checked their site alao had an English version. Feel free to pm me with translation issues. I speak both languages fluently. Also a thread like this without XPrivacy?
For those interested in tor along with afwall, I have posted instructions on getting them to work together in the afwall thread
I prefer the Android system to be: OMNI + NOGAPPS + SuperSU
Note that freecyngn & NOGAPPS author has switched to OMNI
Regarding OwnCloud: it's a great software, but you're right not to trust it when it runs on some server that is not under your control. That's why I run OwnCloud on a Raspberry Pi that is running at my home, behind my firewall. Syncing is made with CardDAV and CalDAV, and both apps use SSL. I think I can trust that one.
dvdram said:
Regarding OwnCloud: it's a great software, but you're right not to trust is when it runs on some server that is not under your control. That's why I run OwnCloud on a Raspberry Pi that is running at my home, behind my firewall. Syncing is made with CardDAV and CalDAV, and both apps use SSL. I think I can trust that one.
Click to expand...
Click to collapse
And what connection are you using? I thought about exactly the same solution, but it's nearly useless with ADSL.. (6 MBit/s down and just 60kbits upstream)
Thank you guys for your contribution on this thread.
Ultramanoid said:
I think HTTPS Everywhere by the EFF should be mentioned in a thread like this.
https://www.eff.org/https-everywhere
Click to expand...
Click to collapse
@Ultramanoid You're absolutely right I forgot to mention it, I use it with Firefox on my laptop and it's great.
dvdram said:
Opening a thread like this is a good thing to begin to overcome this fear. :good:
Click to expand...
Click to collapse
@dvdram I agree and don't understand why so much people just don't care to talk about it.
jukyO said:
Good linux expert, my colleague, told me some finding, android wise.....
He has installed Android Firewall, and blocked every possible application and system modules, including kernel.
In apk log, found that all ip packets sent by android kernel are routed through some chinese ip address, regardless of theirs final destination.
After some research, turned out that this IP is used by NSA. Yes, all ip packets going out of our android phone are sniffed by NSA. Embedded in kernel.
Click to expand...
Click to collapse
@jukyO Lookout, the real test here should be made on a clean system, just ROM and a Firewall. That's the only way you can say it's kernel coded. Some apps use kernel to send and receive packets, your alert could be related to one of these.
Another debatable subject should be SElinux. Many ROMs, like CyanogenMod, have it in enforcing mode by default. If you install another kernel, like Alucard, SElinux become permissive. Even if SElinux is considered OS we all should not forget that was developed and implemented by NSA (!).
bastei said:
Here are two good links that show alternatives to proprietary software/cloud services:
https://prism-break.org/en/
https://wiki.debian.org/FreedomBox/LeavingTheCloud
== SERVICES ==
Mail -
I think mails are generally difficult to self-host. So you need a good mail service. Posteo was mentioned here, another similar reliable german mail provider (with english translation) is mailbox.org. They even encrypt unencrypted incoming mails with your PGP-key before they store them.
Contacts & calendar -
Posteo and mail.org also include contact and calendar synchronisation via CalDav/CardDav. Even better: Host it by yourself.
Instant Messaging -
XMPP (Jabber) is an open decentralised protocol with lots of implementations for almost every platform. You can host it by yourself or use an existing server. There are also very good clients for Android like Conversations or Xabber
== ANDROID SYSTEM ==
Two additions:
Free Your Android! - campaign of the Free Software Foundation Europe
IMSI Catcher/Spy Detector
== APPS ==
Don't do this! Firefox for Android is also a good choice. And Orweb not to forget!
DAVdroid is also a very good FOSS CalDav/CardDav-provider that integrates with the contacts/calendar app of android. And it is under active development (in contrast to aCal)
Click to expand...
Click to collapse
@bastei Thanks for your useful input. I know Boat would be controversial talk but if you read my comments you'll see I'm aware about the dangers of such decision. Even so I'm convinced about the safety of it.
Firefox is my primary choice on my laptops since the earlier version 3. Even if I tried alternatives on some occasions I've always returned to Firefox security and true development power (I always use it to analyse code and test all websites I make), the only real alternative was Opera (the original one with Presto engine, not the crap they use these days).
Android Firefox is a completely different beast. It's heavy, buggy, need extras for simple tasks like automatic close and clean or user agent changing, but above all WHY THE HELL CAN'T WE MAKE FOLDERS and organise favorites at will? The only solution I found for favourites was to sync them with my PC, organise all there and sync them back. Did I mentioned the ridiculous times it FC? Maybe in the future, right now the only FOSS I could consider is Tint Browser.
an0n981 said:
Also a thread like this without XPrivacy?
For those interested in tor along with afwall, I have posted instructions on getting them to work together in the afwall thread
Click to expand...
Click to collapse
@an0n981 XPrivacy and Xposed could be all we need IF they were OSS. The other problem are the inevitable lags introduced by these layers.
I've tested several configurations on my phones and tablets over the time but ultimately my OP describes my options at this moment. This subject isn't closed and will never be, there aren't perfect security systems, and that's the purpose of this thread, I'm sure the OP will be changed on some occasions. Please keep suggesting alternatives and solutions, your contribution will be greatly appreciated.
aelmahmoudy said:
I prefer the Android system to be: OMNI + NOGAPPS + SuperSU
Note that freecyngn & NOGAPPS author has switched to OMNI
Click to expand...
Click to collapse
@aelmahmoudy OMNI is a valid CM alternative, developed and maintained by well know Xda developers. Unfortunately I don't really like the excessive cleanliness and limitations. The only way I could advise it would be complemented with Xposed+XPrivacy+GravityBox, besides NOGAPPS and SuperSU.
I can't talk for them but I believe @MaR-V-iN and many other ditched CM after the group became comercial oriented, the inclusion of analytical and proprietary code didn't helped either. CM it's still the base for lots of ROMs and I'm still convinced it's the best for me, provided that are VM snapshots and thoroughly cleaned and modded like mentioned on my OP.
sancho_panzer said:
...
@an0n981 XPrivacy and Xposed could be all we need IF they were OSS. The other problem are the inevitable lags introduced by these layers...
Click to expand...
Click to collapse
Both are 100% open source, just not distributed through F-Droid. You can compile them yourself, source is on GitHub. Security software will always add some lag.
an0n981 said:
Both are 100% open source, just not distributed through F-Droid. You can compile them yourself, source is on GitHub. Security software will always add some lag.
Click to expand...
Click to collapse
You're absolutely right, my mistake. Still when I used them my system felt somehow lagging.
:delete:
err on the side of kindness
traceless said:
And what connection are you using? I thought about exactly the same solution, but it's nearly useless with ADSL.. (6 MBit/s down and just 60kbits upstream)
Click to expand...
Click to collapse
I admit I have a bit more speed than you, but it depends on what you want to use OwnCloud for. I use it only for syncing calendars and contacts, and for that few bits of information even your speed is more than enough, although you should consider to do the first time syncing over WiFi. Later, when you add contacts and calendar entries, you won't notice much disadvantage.
Of course, if you want to sync pictures and movies, that speed will not be enough. But do you really need that? Is it not much more efficient to copy pictures and photos via USB cable, when you're at home? Do you really need to sync them while on the road?
That is what you need to ask yourself. Like I said: contacts and meetings are very small pieces of information, less than a text message. A 60k download (from your phone's point of view) is more than enough for that.
dvdram said:
I admit I have a bit more speed than you, but it depends on what you want to use OwnCloud for. I use it only for syncing calendars and contacts, and for that few bits of information even your speed is more than enough, although you should consider to do the first time syncing over WiFi. Later, when you add contacts and calendar entries, you won't notice much disadvantage.
Of course, if you want to sync pictures and movies, that speed will not be enough. But do you really need that? Is it not much more efficient to copy pictures and photos via USB cable, when you're at home? Do you really need to sync them while on the road?
That is what you need to ask yourself. Like I said: contacts and meetings are very small pieces of information, less than a text message. A 60k download (from your phone's point of view) is more than enough for that.
Click to expand...
Click to collapse
Thanks. Firstly I wanted to use it for an alternative to Dropbox but then I found out the Cal- and CardDAV support. And you're totally right with syncing after first initialisation. Maybe I get an RPi later and try this one and also the owncloud feed reader [emoji2]
Any idea how to use the FF sync of owncloud, since FF only supports upgrading old accs to the new mozilla ones but personally I'd prefer the old way.
Greetz