Just read this article via gizmodo and this is definitely a must have for some of us who are paranoid which is just about everyone.
Overview
A joint study by Intel Labs, Penn State, and Duke University has identified that publicly available cell-phone applications from application markets are releasing consumers' private information to online advertisers. Researchers at the participating institutions have developed a realtime monitoring service called TaintDroid that precisely analyses how private information is obtained and released by applications "downloaded" to consumer phones. In a study of 30 popular applications, TaintDroid revealed that 15 send users' geographic location to remote advertisement servers. The study also found that seven of the 30 applications send a unique phone (hardware) identifier, and, in some cases, the phone number and SIM card serial number to developers.
Source: http://www.appanalysis.org/
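A simplified illustration of the idea behind the monitoring the overview describes, added here as an example; it is not part of the original post and not TaintDroid's code. Sensitive values are labelled at their source, the labels follow the data through string operations, and a network sink raises an alert when labelled data leaves. All class, function and host names and all sample values are constructed for the illustration.

```python
# Toy dynamic taint tracking. Every name and value here is hypothetical.

class Tainted(str):
    """A str that remembers which sensitive sources it was derived from."""

    def __new__(cls, value, tags=()):
        obj = super().__new__(cls, value)
        obj.tags = frozenset(tags)
        return obj

    def _derive(self, value, *others):
        # The result carries the union of the tags of everything it was built from.
        tags = set(self.tags)
        for other in others:
            tags |= getattr(other, "tags", frozenset())
        return Tainted(value, tags)

    def __add__(self, other):
        return self._derive(str.__add__(self, other), other)

    def __radd__(self, other):  # plain str + Tainted
        return self._derive(str.__add__(other, self), other)

    def __getitem__(self, key):  # indexing and slicing keep the tags
        return self._derive(str.__getitem__(self, key))

    def upper(self):
        return self._derive(str.upper(self))


def get_location():  # source (constructed sample value)
    return Tainted("12.3456,-65.4321", {"LOCATION"})

def get_device_id():  # source (constructed sample value)
    return Tainted("abcdef0123456789", {"DEVICE_ID"})

ALERTS = []

def network_send(host, payload):
    """Sink: record an alert if the outgoing data carries any taint tag."""
    tags = sorted(getattr(payload, "tags", ()))
    if tags:
        ALERTS.append((host, tags))
    return tags

def run_sample_app():
    """Constructed app behaviour: an ad request built from sensitive values."""
    ALERTS.clear()
    query = "http://ads.example.invalid/get?ll=" + get_location()
    query = query + "&id=" + get_device_id()[:8].upper()
    network_send("ads.example.invalid", query)           # carries both tags
    network_send("cdn.example.invalid", "GET /logo.png")  # untainted, no alert
    return list(ALERTS)
```

Only the operations overridden above propagate tags; anything else (formatting, joins, control-flow dependencies) loses them in this toy, which is one reason tracking of this kind has to live inside the platform rather than in an app.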
It's not released yet. Are there any other similar monitoring apps out there? This was something I've been thinking / worrying about since getting my sgs 3 weeks ago...
Near enough every app you install requires / wants at least full internet access. Not sure what private data is accessible, but this is a great source for profiling and could of course be used maliciously.
markwil said:
It's not released yet. Are there any other similar monitoring apps out there? This was something I've been thinking / worrying about since getting my sgs 3 weeks ago...
Near enough every app you install requires / wants at least full internet access. Not sure what private data is accessible, but this is a great source for profiling and could of course be used maliciously.
It looks like it will be soon.
Where can I get TaintDroid?
We will be making TaintDroid open source. Information to obtain the TaintDroid source code will be posted to this page.
Won't be an APK though, they have updated to say it needs to be built in to the ROM. Source should be released and nothing stopping the modders from adding to their ROMs.
Update for those interested in installing TaintDroid: Tracking how apps use sensitive information required integrating our software into the Android platform at a low level. As a result, it was not possible to implement TaintDroid as a stand-alone app. Instead, to use TaintDroid you must flash a custom-built firmware to your device, similar to a number of popular community-supported Android ROMs. In the coming days we will open-source our code through a publicly-accessible repository. Please send an email to [email protected] if you are interested in receiving a notification when the source code is available. Thank you for your interest in TaintDroid!
That works for most of us here who are rooted.
Sent from my Nexus One using XDA App
Sounds interesting, but I have to laugh at the use of the word 'taint'. Was DurfDroid taken?
The source code and instructions for compiling into kernel (Nexus One) are now given at the site:
http://appanalysis.org/download.html
This cannot be installed as an app (.apk), it's a compile into your own kernal effort at this stage.
Any chefs want to cook this into a DI18 kernal?
Forgive the ignorance, but what is this exactly?
NM....searched around and found it
Sent from my SPH-D700 using XDA App
What is this "kernal" you're speaking of?
KERNEL KERNEL KERNEL
Mutiny32 said:
KERNEL KERNEL KERNEL
Haha thank you
Here's a great demo of what it does. http://appanalysis.org/demo/index.html
Basically TaintDroid is a privacy monitor app baked into the kernel that alerts you when an application is sharing info with or without your consent.
It stops the malicious activity, dumps you back to the home screen, and then throws an alert in the notification bar about the specifics of the activity.
A joint study by Intel Labs, Penn State, and Duke University has identified that publicly available cell-phone applications from application markets are releasing consumers' private information to online advertisers. Researchers at the participating institutions have developed a realtime monitoring service called TaintDroid that precisely analyses how private information is obtained and released by applications "downloaded" to consumer phones. In a study of 30 popular applications, TaintDroid revealed that 15 send users' geographic location to remote advertisement servers. The study also found that seven of the 30 applications send a unique phone (hardware) identifier, and, in some cases, the phone number and SIM card serial number to developers.
They provide instructions for getting it into a custom kernel at their site but it's way over my head. I thought some chefs could work it into one for us. Like Voodoo color, etc.
Hi All,
Has anyone gotten any details of Android bug 8219321 being discussed in the media? That's the Android master key talk coming up at Black Hat. AOSP bugs reporter is not showing any information (http://code.google.com/p/android/issues/list).
I'm wondering if the platform builders are using the default keys. Marko Gargenta discusses the four default keys briefly in http://www.youtube.com/watch?v=NS46492qyJ8. (Excellent video, btw).
Are there any controls we can place to mitigate the possible threats (assuming they are threats)?
Jeff
noloader said:
Hi All,
Has anyone gotten any details of Android bug 8219321 being discussed in the media? That's the Android master key talk coming up at Black Hat. AOSP bugs reporter is not showing any information (http://code.google.com/p/android/issues/list).
I'm wondering if the platform builders are using the default keys. Marko Gargenta discusses the four default keys briefly in http://www.youtube.com/watch?v=NS46492qyJ8. (Excellent video, btw).
Are there any controls we can place to mitigate the possible threats (assuming they are threats)?
Jeff
From everything I have read, this 'bug' won't really affect anyone unless somebody manages to get malicious code onto your Android device. Therefore, the best way to limit the risk is to only install reputable apps from the Play Store - don't use other dubious sites or .apk copies, don't install brand new, unproven apps etc.
SimonTS said:
From everything I have read, this 'bug' won't really affect anyone unless somebody manages to get malicious code onto your Android device. Therefore, the best way to limit the risk is to only install reputable apps from the Play Store - don't use other dubious sites or .apk copies, don't install brand new, unproven apps etc.
Thanks, I've been reading that stuff too. From http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/:
Device owners should be extra cautious in identifying the publisher of the app they want to download.
Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.
This advice is useless. For example, "device owners should be extra cautious in identifying the publishers [sic]." The code signing model using self signed certificates does not lend itself to identifying anyone. The relationship that exists is between Google and the publisher; and does not extend to the user. The only thing self-signed certificates ensure is that an app can only be updated by the same author. Even Apple or Microsoft's PKI and code signing model do not make those guarantees (read their CPS'es some time).
Below is from Nikolay Elenkov in an off-list reply. Nikolay does excellent work with Android security (http://nelenkov.blogspot.com/), and can be often found hanging out on Android Security Discussions (https://groups.google.com/forum/#!forum/android-security-discuss).
They are using the 'master key' phrase to hype this up, but this has nothing to do with keys. This is related to the way Android verifies APK (JAR) signatures. A specially crafted APK can be repackaged without invalidating the original signature....
Jeff
Hi everyone,
I am a privacy guy and I just started a new project called Articul8 with the aim of building a new lightweight Android ROM that is both secure and has privacy built in to the core. I recently wrote about the project on LinkedIn (but I am not allowed to post links yet on this forum) and there has been quite a lot of interest from the privacy arena.
The plan is to develop apps which host all their data off the device on private remote servers - but more than that, the project will seek to develop popular apps which are hosted serverside, to prevent tracking and profiling.
I have already written a serverside Twitter app which does exactly this (I just need to write the client interface for Android) some time ago as explained in the linked article and I have also recently written a contacts app for Android using Ionic Framework. The purpose of this post is to try and gather some feedback and support in developing the project further. I expect this project to be a long term project which grows significantly over time and I am already planning server hosted apps for LinkedIn, Facebook, G+ as well as looking into SIPjs to create a VOIP client as well. What I haven't managed to plan out yet is how to build the ROM with most of the native apps stripped out and replaced with these new remote services.
I would like to make the entire project open source and publicly available - none of the apps will include any advertising or third party APIs - the whole point of the project is to firewall the device from all third parties as well as firewalling all the data from the device (in the event the device is compromised). All services should require passwords to open to prevent data being compromised should a device be stolen or taken from the owner. In essence the hardware will become dumb.
All feedback appreciated and if you are interested in contributing, please get in touch.
First I want to make this clear right from the start that I am the developer/author of the app I am wanting to reverse engineer. There is nothing illegal or questionable about my intentions.
If I have posted this in the wrong section I do apologize and would ask that it be moved to the appropriate section.
Before I go into any specifics of what the app does or what it is used for; the reason why I am wanting to reverse engineer the apk back into source code has a somewhat unique origin that very few people will ever encounter. About 4 years ago I began development on my app that is now known as Ls Droid. I did not know any Java code and I had an idea at the time that led me to find a development tool created by MIT that was known as App Inventor 2. If you've never heard of this before, App Inventor is a GUI based programming language based on Google's Blockly that allows the user to combine various types of blocks that each represent different code functions and create working Android apps. I'm not going to discuss how App Inventor works but you can read the overview of it at appinventor.mit.edu/ . Over time my app outgrew what MIT's version of App Inventor was capable of and I moved my app to another platform (Thunkable) that was still based on App Inventor but greatly expanded on its functionality and was capable of dealing with larger projects than what the MIT servers would allow. I used Thunkable for several years and ran my app through its entire Alpha development life cycle and into an open Beta. Unfortunately Thunkable had been creating their own (improved) version of App Inventor from the ground up and not only was it incompatible with apps created on the App Inventor platform but they did not include many of the things my app required to work and I was forced to look for another platform to move my app to in order to continue development. Unfortunately by this point all of the spin off versions of the original MIT App Inventor had created advertising components and the majority of people using these GUI based programming platforms were now focused on creating earning apps.
As a result the people running spin off versions of App Inventor are now focused on providing tools based around ad-based apps and less interested in fixing basic functionality for core components as they are rarely used in earning apps.
So this brings me to my current situation. The compiler used by the current GUI programming platform I have been using for the last 8 months or so has become unreliable and buggy. Core functionality of how specific blocks function has also been altered several times in the last 6 months and each time a change like this is made requires dozens of hours to restructure my app's logic to work with the new changes. I have tried to leave these GUI based programming platforms several times and move my app into Android Studio but have never been successful. Attempting to recreate my app from scratch in Android Studio would be a massive undertaking even for someone fluent in Java and I only have a basic understanding of Java at best. I can however work from existing code and alter or restructure it without a lot of trouble and that's basically all I need to do in my app at this point.
I have worked with a number of people in the past who have tried to help me turn an APK back into source code that worked in Android Studio and about a year and a half ago I was working with someone who was able to decompile the app and successfully import it into Android Studio where it did mostly work with the emulator. Unfortunately this person was killed in a car accident, I do have a copy of what they had done that was close to a working version but I was never able to get a copy of the source they had working in Android Studio. I have had a couple of other people look at this code since then but no one else was able to do anything with it. At this point the version that was being worked on that did open in Android Studio is old enough that it bears very little resemblance to the current version of the app and attempting to even work from this code now would be a massive step backwards.
In the past I have always looked for help from automotive reverse engineering forums since my app has a very unique purpose, it is used to read and write the binary code from an engine's computer on a number of General Motors vehicles that are popular/common in the hot rod community using a Bluetooth tool connected to the vehicle's OBD II data port. I created this app to remove the cost barrier that had previously been required when you wanted to make changes to an engine's program on fuel injected vehicles....my app is free and uses a relatively cheap OBD II tool. There are thousands of people that have used my app over the last couple of years and successfully re-tuned their vehicle with many of these people being able to do this with no cost out of pocket as they already had the tool my app was designed to work with.
My app is now at the point where even making basic changes or bug fixes is becoming an issue due to constant changes in the GUI based programming language. I have exhausted the help of various automotive communities, mixing smart phones and cars was a long shot in the first place and here I am 4 years later with a very successful app but it's well beyond what my network of car hacking colleagues are able to help me with. It's no secret that XDA has some of the best Android developers (and hackers) anywhere on the web so I figured this would be the best place to turn to for help.
Maybe this would be fun for someone here? I doubt people get a chance to decompile and reconstruct an app legally....and if they do it's extremely unlikely it was done on an app built with a program like App Inventor. I have no issues making my app's source code public so I have no issues discussing anything to do with this publicly, but if someone would prefer to discuss this by PM or Email I'm fine with that as well.
My app can be found at ls-droid . com near the top of the page, there are a couple of versions posted currently with 2.2B being the last public release but it's not exactly current. I do not want to post the APK for the most recent version of the app I have been working on at the moment on the off chance someone wanting to use the app were to find it since it has some pretty nasty bugs right now due to compiler changes. You can search Youtube or Facebook and should have no trouble finding information on my app if you're wondering how it works.
Hi everyone,
Here is a little history first. In 2014 I helped develop a traffic counting app for an engineering buddy. I designed the UIs, the flow charts and wrote the 275-page illustrated developer's manual. The developer had it working in less than 6 weeks, thanks to, as he said, "to the awesome documentation provided". The app has been in use since then and has worked flawlessly on the original 24 tablets I originally purchased for him.
Recently, we have been asked to bring the app to a wider audience so, my question is, "Is there a way to prepare an image of the Android OS containing only the setup we need, and then clone it to the new tablets?" The app is designed as an engineering tool and is not listed through Google Play and as such, it does not require most of the bloatware found on the new tablets. The app does require the use of photos, some file management along with network connectivity to send and receive the various data files required and produced by the app.
I have limited experience in rooting, but I have been successful when I have done it on my Samsung phones.
As a certified Graphics Designer/Windows and Mac tech/COVID-19 survivor (nearly killed me, literally...LOL), I am aware of the amount of work that goes into aiding people with their "little" projects. Any help or direction in this matter would be deeply appreciated.