Read full article here
What is your opinion?
Dont like it. I want my phone to be MY phone. My phone should work for me not google and not some mysterious random company. My private life should not be reduced to some advertising opportunity for a business. Why people accept this I do not know. It dosent matter if an XDA developer will find a way to stop it. It shouldn't be happening in the first place.
OK, so I'm a WM developer, not Android, but if the program turns on the GPS receiver, surely the GPS LED would givaway the fact that it has been triggered. On a Kaiser the right LED flashes orange every other GSM connection flash.
Alternatively, it could just grab the CellID from the GSM connection. Not as accurate, but it can still be used as a crude location pointer. In cities it is probably accurate to a couple of hundred metres.
As the article mentions, Google have a pretty strict policy on what apps can do with users data, but whether they are adhered to is another matter.
It would be quite difficult to stop it, if the Android equivalent of WM's 'GPSAPI.DLL' exists in ROM, as you can't modify it to overide any calls to the functions within it.
On android, it is not possible for a user application to ENABLE GPS (if it was turned off in settings). The only apps that can do so are those in /system, which requires root to write to, or the app to be installed on the ROM itself.
I personally leave GPS off all the time, and do actually read all permissions used before installing an app. In the past, I have actually decompiled applications and removed their GPS/location permissions and "spy code", but now I just use another app that doesn't need excessive permissions.
In Android, permissions do block access to both network location and GPS location, using separate permissions, so it's possible for an app to use network location, but not get access to gps. But I see no need for it, when IP address gives a country/very rough location (enough for a dev to know his/her user base's nationality demographics)
Really don't like that.
I pay for the phone, the bandwidth and the calls.
I do not to be harassed by people trying to sell me stuff on my own telephone, and I especially not want to give an anonymous company my own private data!
stephj said:
OK, so I'm a WM developer, not Android, but if the program turns on the GPS receiver, surely the GPS LED would givaway the fact that it has been triggered. On a Kaiser the right LED flashes orange every other GSM connection flash.
Alternatively, it could just grab the CellID from the GSM connection. Not as accurate, but it can still be used as a crude location pointer. In cities it is probably accurate to a couple of hundred metres.
As the article mentions, Google have a pretty strict policy on what apps can do with users data, but whether they are adhered to is another matter.
It would be quite difficult to stop it, if the Android equivalent of WM's 'GPSAPI.DLL' exists in ROM, as you can't modify it to overide any calls to the functions within it.
Click to expand...
Click to collapse
Unfortunately, on most Android devices you don't get the amber LED to indicate GPS usage. But as pulser_g2 has said, if you have GPS turnt off then only /system apps or root apps will be able to use it.
Pulser, what app do you use to check them out for malicious code?
incredulous said:
Unfortunately, on most Android devices you don't get the amber LED to indicate GPS usage. But as pulser_g2 has said, if you have GPS turnt off then only /system apps or root apps will be able to use it.
Pulser, what app do you use to check them out for malicious code?
Click to expand...
Click to collapse
I use apktool to disassemble the APK, then check the permissions inside AndroidManifest.xml.
Notepad2 used to view the smali code, and AstroGrep (windows) or just a recursive grep on linux, and I look for "http" and "location", since you'd be amazed what you find when recursively grepping the code for "http"
Let's just say I have found pages containing lists of authorised IMEIs for applications, I've found callback code to give a remote server information etc...
I tend to notify the developer if there is anything at issue like IMEIs... But often they do nothing
Get familiar with apktool, and learn to read smali, which is like intermediate java code, slightly more like machine code, but mainly like java...
As for what you do once identifying such an app, I suggest just not using it. It is possible to remove such callback code, but it's complex and much easier to use an alternative.
As the-equinoxe said, I own the phone, and therefore anything going on it has to obey MY rules. So regardless of what an app's license agreement says, my device has its own licence agreement, saying that "pushing an APK to this device via the market/gtalk service hereby provides consent for it to be disassembled and decompiled, and scrutinsed by geeks before installation..."
HTH
If you don't like it, then don't install the fart app that needs access to your GPS.
Any app that needs access to your location but doesn't have an obvious reason to do so is using it for advertising purposes.
Don't like it, don't use the apps. It really is pretty simple and it doesn't require you to decompile the app!
If your personal information is so private, don't give it away to someone who EXPLICITLY asks for it.
Any app that needs access to your location but doesn't have an obvious reason
Click to expand...
Click to collapse
Main problems are other types of apps. Apps that need access and then exploit it. For example a weather app needs internet to download weather and at the same time it can send bunch of personal data to it's developer, without user knowing it.
AFAIK there is no effective way to get rid of that problem, other than manually analyzing each application at the market.
Maybe solution would be a policy in Market that will require application to ask user before sending any personal data or else application gets banned from the market. But again it will require someone to check application manually if it's sending data.
I can see a solution that would work.
Android would need to use a UAC style prompt, saying "allow once or always", and same for deny. Like SuperUser apk does.
If an app couldn't use the permission without express approval, controlled by the individual intent or method/subroutine in use, you could easily see when an app was actually using a permission, and allow it one individual GPS reading.
The only problem with this? It would be really annoying for 99.9% of users, and ultimately there would be ways to cheat the system.
The above suggestion where apps request permission would work in an ideal world where every developer can be trusted implicitly.
But this is no ideal world, and even if it were on the scale of xda (few hundred apps), there would be no way to check it happened. And then it would be unenforced, and in my view, and unenforced rule is worse than no rule, since users would be led to believe it was enforced, and thus protecting them.
Bottom line? Trust nobody, write your own apps, and apktool everything. Until then, just be careful what apps you install and give GPS access to... don't use that third party weather app if you don't trust it...
Related
I am new to Android. Just got my Vibrant. I want to protect this phone so that in case it is lost or stolen I can recover it. Could you tell me what are some of the best apps for this?
Here is a list of names I know about for now:
Where's My Droid - This is currently installed, but required me to send a text to my phone to activate the GPS and even then it won't keep the GPS active long enough to get a precise location. Furthermore, it can alert the would be robber.
Glympse - well, this is not for stolen phones
Wavesecure - couldn't find any good threads on this. Seems to have an annual subscription fee of $19. I don't want that. Just want a standalone tracker.
Remote security - Not clear that this is a good app.
TheftAlarm - Again, developed in foreign language and I don't know how good it is
MobileDefense - Maybe this is the best app, but it is still in beta and no more users are accepted. I already filled out a request.
Find My Android - Was suggested in this thread, but it doesn't seem to be different from Where's My Droid, except the notification when SIM is replaced.
Lookout Mobile Security - Doesn't seem bad, but it doesn't lock your phone remotely. Can easily uninstall the program. I also found out that I better use a different email address than the one my phone gets otherwise the phone gets an email with "location" of the phone when you look it up online. This is better than Where's My Droid since you can do it more discreetly online, without sending texts (but have to make sure the email you use is not managed by the phone).
Am I missing something? I really want to protect this phone and it is frustrating that among so many apps, we seem to be missing good anti-theft solutions. Preferably I want something that can lock the phone remotely and allow me to do things without interruptions from the thief or at least discreetly. What would you recommend?
Also, I have a rooted (stock) Vibrant.
Thanks.
Where's My Droid isn't exactly very subtle about sending out replies, the author basically said there's nothing he can do.
Most of the other options include AntiVirus and other nonsense, and are expensive or questionable.
Tasker can automatically upload GPS, respond to an email or SMS to do so.. If you send it the right command it could take pictures periodically, make an outgoing call, whatever... It's extremely flexible in what it can do.
khaytsus said:
Where's My Droid isn't exactly very subtle about sending out replies, the author basically said there's nothing he can do.
Most of the other options include AntiVirus and other nonsense, and are expensive or questionable.
Tasker can automatically upload GPS, respond to an email or SMS to do so.. If you send it the right command it could take pictures periodically, make an outgoing call, whatever... It's extremely flexible in what it can do.
Click to expand...
Click to collapse
WOW! Ok, but the question is - 1.can it lock the phone remotely? 2.What happens if the thief uninstalls Tracker or changes the SIM (can you password protect it)? Finally, 3.can it take picture AND email them remotely? Otherwise, I don't see much use to this feature if the phone is gone.
Lookout seems rather good, but I have not tested it personally. I'd add a link, but I'm a new user. Should be easy to find with a Google/Market search, though.
Well that (un installing tasker)may be the case with any tech anti theft, if the thief is smart and careful they will wipe/reset/format whatever they took, rendering a soft lo jack useless
I would just get tasker and lookup findmyandroid on lifehacker, its the best current option
Captiv
Yeah, I found out about LookOut on Android forums. I have installed it. It doesn't allow you to lock the phone remotely and can easily be uninstalled.
As for Find My Android, I don't see how is it different from Where's My Droid., maybe except the part where you're notified if the SIM card is replaced.
I updated the original post.
Find my android isn't the name of the app, its what the lifehacker post is tagged as (#findmyandroid)
The program is tasker, and its more customizable and it can turn on gps
Captiv
Sure, Lookout can be uninstalled, as can any other app. But really, you should have some sort of password on your device. With pattern unlock, there's really no reason not to do so.
According to one of the devs on their forums, remote locking as well as "other features" will be coming to Lookout "very soon".
https://lookout.zendesk.com/entries/24881-remote-lock
In the meanwhile, I use WaveSecure for locking my phone and Lookout for tracking, as its mechanism seems much better.
If you want to prevent Lookout from being uninstalled, just move the apk to /system/app (assuming your phone is rooted).
I have had Wave Secure since the Beta (it is free to beta testers) and love it. I can understand not wanting to pay, but it really is a great app. They have a zip file that you can flash in recovery if you are rooted. That will prevent the app from being erased if the phone is factory reset. I have also been using an app lately called "Tasker". It can track your phone, although I have not used it for this. Here is a link to the Wiki.
http://tasker.wikidot.com/locatephone
GPS Tracker by Instamapper is the one I use most. With a text message, it will return its location via Google maps. It will continually do so for as long as you have it set up for. Every 10 Seconds, Every 2 minutes, Every half hour, etc. I used it to track my stolen phone with the laptop in the car. This app saved me from buying a new phone.
stickerbob said:
I have had Wave Secure since the Beta (it is free to beta testers) and love it. I can understand not wanting to pay, but it really is a great app. They have a zip file that you can flash in recovery if you are rooted. That will prevent the app from being erased if the phone is factory reset. I have also been using an app lately called "Tasker". It can track your phone, although I have not used it for this. Here is a link to the Wiki.
http://tasker.wikidot.com/locatephone
Click to expand...
Click to collapse
Same here. Glad I got it while it was still a beta!
Worrying article on how apps are using personal information.
www.theregister.co.uk/2010/09/30/suspicious_android_apps/
I'm sick that they had to go too such lengths to find out. We need a better net architecture to enable a proper firewall to work.
Sent from my HTC Desire using XDA App
Also, app naming FAIL!
Well, since they only tested 30 apps and won't release the names of the ones they tested, only saying that they are "the most popular", personally I don't buy it.
And the information these apps are sending out is primarily geolocation. Well, no ****. If an app wants your location and you don't think it should have it, it's either using it for ads or you should decline to install the app and just send an email to the dev asking him why he needs that information.
tjhart85 said:
Well, since they only tested 30 apps and won't release the names of the ones they tested, only saying that they are "the most popular", personally I don't buy it.
And the information these apps are sending out is primarily geolocation. Well, no ****. If an app wants your location and you don't think it should have it, it's either using it for ads or you should decline to install the app and just send an email to the dev asking him why he needs that information.
Click to expand...
Click to collapse
Agreed... geolocation is pretty obviously straight forward. I don't know about the 'transmissing every 30 seconds' thing though.
Any thoughts ont he transmitting sim card and IMEI info?
http://www.youtube.com/watch?v=qnLujX1Dw4Y
Also discussed here:
http://forum.xda-developers.com/showthread.php?t=795702
With explanation where to get it from http://www.appanalysis.org/
A very well-written reply by "Steven Knox" on The Register, demonstrating how this 'research' is simply a pile of intentionally-misleading statistical rubbish:
By selecting only from applications that access both personal data and the internet, they're overstating the significance of their study by about 3x. Furthermore, their summaries blur this distinction unnecessarily.
Specifically, their FAQ says "We studied just over 8% of the top 50 popular free applications in each category that had access to privacy sensitive information in order to get a sense of the behaviors of these applications." Since there were 22 categories at the time they did the study, that would imply (22*50=1,100 * 8% =) 88 applications. However, they actually only tested 30, because of the 1,100 top 50 applications only (from the PDF) "roughly a third of the applications (358 of the 1,100 applications) require Internet permissions along with permissions to access
either location, camera, or audio data." -- meaning that the other 742 apps don't have the necessary permissions to play badly. The clause "..that had access to privacy sensitive information in order to get a sense of the behaviors of these applications." from the FAQ is grammatically ambiguous in this case (it may refer to "applications" or "category"), and not specific enough to indicate that over 2/3 of the applications are (relatively) safe by dint of not having the necessary permissions.
They also didn't include in their study apps from 10 of the 22 categories, but they don't explain whether that was due to a) there not being any or enough applications in those categories that required internet and personal data permissions, b) a conscious choice to focus on the other 12 categories, or c) the results of random selection (with an explanation of why they did not use a stratified sample).
Once you factor back in the applications they ignored, the numbers don't look quite so bad. Assuming their sample was representative, 2/3 of the 358, or about 239 applications of the top 1,100 of the time use personal data suspiciously. That's about 21.7% or just over 1 in 5 -- still significant, but a far cry from 2 out of 3. In fact, the worst case maximum is actually 358 of 1,100 or just under 1 in 3 (32.45%) because they are as mentioned above the only ones that actually acquire the permissions necessary to do anything "suspicious".
I understand why both the researchers and the reporter used the 2/3 figure -- you all believe you have to sell the point as hard as possible*. But the real story is that it's likely that at least 1 in 5 Android Apps use private data "suspiciously" -- and that number is still high enough to cause concern and to justify the further use of tools like TaintDroid. It's a pity you didn't trust the facts enough to avoid the unnecessary sensationalism.
*I am assuming, here, that Mr. Goodin did actually read and digest the paper as I did, rather than simply picking out the figures from the study, the FAQ, or a press release.
Click to expand...
Click to collapse
good spot. But one in ten woolf be too many. The point is we should have more fine grained control and transparency off what apps do over the net, and we can't, by design.
Sent from my HTC Desire using XDA App
We need to develop a shim that reports modified IMEI/SIM data for different apps. IMO, very few apps need that information. We may not be able to keep all those apps from sending our private information, but we can make that information useless if it appears that we all are using the same IMEI/SIM...
patp said:
...The point is we should have more fine grained control and transparency off what apps do over the net...
Click to expand...
Click to collapse
agreed....
if you are rooted. With Root Explorer go to /data/system/ and open accounts.db you might be surprised what you find in it... Some people it will be fine for but mine it shows my exchange email and password in plain text and a few others show up as plain text has well...Its not geo they are worried about (for the most part) and...this file has been known about for awhile
Don't worry though unless your downloaded android specific virus holding apps you wont have any problem. And if your getting all your apps legally through the market then its no big deal =) and if your pirating them...well I don't feel bad for you...
echoside said:
if you are rooted. With Root Explorer go to /data/system/ and open accounts.db you might be surprised what you find in it... Some people it will be fine for but mine it shows my exchange email and password in plain text and a few others show up as plain text has well...
Click to expand...
Click to collapse
Opened it, my accounts are there, but no passwords....
rori~ said:
Opened it, my accounts are there, but no passwords....
Click to expand...
Click to collapse
my gmail is somesort of encrypted but doesnt look that great.
Exchange shows up
facebook doesnt show anything at all aha
Thats why I said some might not have anything. Awhile back when I first heard about it one of my friends had two or three right there in plain English I didn't have a phone at the time to check...
Its been reported before but kind of just brushed over no biggy. To go real conspiracy theorist....I think apple is submitting all these articles...
ButtonBoy said:
We need to develop a shim that reports modified IMEI/SIM data for different apps.
Click to expand...
Click to collapse
Great idea
The source code/instructions for TaintDroid are now out:
http://appanalysis.org/download.html
Anybody found a (recent) kernel with built-in TaintDroid-support?
Ok, I'm a Noob on here. I just got a Android phone & I am interested in various apps from the Android Market but when I read the permissions that most of the apps have listed as to what they can do to the phone and to your privacy I am quite concerned. Is this really an issue as people seem to download apps without worrying about what the app is or could do without your knowledge. I have searched on here & elsewhere & no one seems to be address the issue. Am I just being paranoid?
I have seen that a lot of these apps will prevent the phone or tablet from going into sleep mode, is this true?
Thanks hope I haven't stepped on any toes by asking this, but I can't seem to find anything on the subject. So far I have decided not to download much a select few apps.
Rebel60 said:
Ok, I'm a Noob on here. I just got a Android phone & I am interested in various apps from the Android Market but when I read the permissions that most of the apps have listed as to what they can do to the phone and to your privacy I am quite concerned. Is this really an issue as people seem to download apps without worrying about what the app is or could do without your knowledge. I have searched on here & elsewhere & no one seems to be address the issue. Am I just being paranoid?
I have seen that a lot of these apps will prevent the phone or tablet from going into sleep mode, is this true?
Thanks hope I haven't stepped on any toes by asking this, but I can't seem to find anything on the subject. So far I have decided not to download much a select few apps.
Click to expand...
Click to collapse
No worries, no toes are being stepped on.
I agree that the permissions required by apps can sometimes look worrying.
But the description is often misleading. Some times it just looks very intrusive but that permission is needed for something alot more simple. It's a broad topic.
Also alot of users are just not concerned by this or just go with the crowd.
Write the developer and ask him what the permissions are needed for, if his apps description is unclear on that or the permissions seem unrelated to the apps purpose.
When it says, prevents your device from sleeping, it is most likely used to prevent the screen from turning off or dimming while something is progressing on screen. It is also needed to ensure that the cpu finishes the current operation if you press the devices sleep button, so it doesn't stop at some random point which might lead to problems for the app.
If there is a specific app and its permissions you are worried you could just SEARCH and then make a thread and ask about it.
If rooted, search for "PDroid" on XDA to control permissions, or search for "Betterbatterystats" to find programs producing wakelocks and preventing deep sleep.
Sent from CDMA V6 SC GNexus w/Liquid & Franco.kernel
Aerocaptain said:
If rooted, search for "PDroid" on XDA to control permissions, or search for "Betterbatterystats" to find programs producing wakelocks and preventing deep sleep.
Sent from CDMA V6 SC GNexus w/Liquid & Franco.kernel
Click to expand...
Click to collapse
But then don't complain if the apps malfunction as a result of interferring with permissions or wakelocks.
Also this is kinda missing the question of the thread.
Dark3n said:
But then don't complain if the apps malfunction as a result of interferring with permissions or wakelocks.
Also this is kinda missing the question of the thread.
Click to expand...
Click to collapse
Trying to figure out how either of the options I listed does not address the concerns in the OP......
I think you should re-read the OP. Perhaps slower.
Betterbatterystats- used to indicate apps that are using wakelocks that prevent or interrupt deep sleep. Does nothing else. Does not stop them or even hinder them in any way. Its simply a tool to identify problem apps. How does that interfere with the apps themselves?
Pdroid-gives the ability to block (or regulate) unwanted actions from the apps specified by the user. Basically solves the permissions concern in the OP. And does not require root access to operate. The whole point of this software is to interfere with the users apps. If a program is looking into my contacts, I'd like to be able to stop it. If a downloaded app stops functioning because it wants access to my contacts for no discernable reason, delete the app. This app is only needed because of the plethora of greedy sometimes malicious developers releasing software that invades user privacy.
Rebel60, feel free to peruse these threads and see if either is the right fit for you.
http://forum.xda-developers.com/showthread.php?t=1357056
http://forum.xda-developers.com/showthread.php?t=1179809
Sent from CDMA V6 SC GNexus w/Liquid & Franco.kernel
Aerocaptain said:
Trying to figure out how either of the options I listed does not address the concerns in the OP......
I think you should re-read the OP. Perhaps slower.
Betterbatterystats- used to indicate apps that are using wakelocks that prevent or interrupt deep sleep. Does nothing else. Does not stop them or even hinder them in any way. Its simply a tool to identify problem apps. How does that interfere with the apps themselves?
Pdroid-gives the ability to block (or regulate) unwanted actions from the apps specified by the user. Basically solves the permissions concern in the OP. And does not require root access to operate. The whole point of this software is to interfere with the users apps. If a program is looking into my contacts, I'd like to be able to stop it. If a downloaded app stops functioning because it wants access to my contacts for no discernable reason, delete the app. This app is only needed because of the plethora of greedy sometimes malicious developers releasing software that invades user privacy.
Sent from CDMA V6 SC GNexus w/Liquid & Franco.kernel
Click to expand...
Click to collapse
How is viewing aquired wakelocks helping the OP understand what aquiring a wakelock does, and why the app did it? It's not about who, but what and why. Any type of wakelock an app aquires prevents deep sleep and a wakelock can not be used to interrupt a device that is in deep sleep.
Again the question was not about blocking permissions, but why some apps want all those permissions and why no one seems concerned with the obvious privacy issue.
While PDroid does not require root to operate, it does require it to be installed, so in the end it still needs a rooted device.
Why did you install an app that needs a worrying permission for no discernable reason anyways?
Thanks for the general developer insult. Developers really are the greediest folks *sarcasm* of them all.
Where did you take that from? How many developers of greedy apps did you ask about the permissions they request?
You can't really make that assumption as just a requested permission doesn't do anything at all by itself and what the app is actually doing with it, is unknown without sourcecode.
...and now i jumped aboard the off topic train, damn
In most cases, it does not matter why an app uses wakelocks. The fact that it does alone is important. It allows the user to identify the trouble app and either tinker with its settings to reduce the wakelock or delete it altogether if the app is not important to the user. Generally speaking, if I would like to maximize my battery endurance, the need to minimize wakelocks is a necessity. After several months of use, a user may not remember every setting he/she setup in their apps. Utilizing betterbatterystats, one could identify the apps that use short sync intervals such as email syncing every 15 minutes or weather syncing every 30 minutes and change them to longer sync periods which would dramatically decrease those pesky wakelocks and save some battery life. Both of those simple examples illustrate in general terms, how important knowledge of wakelocks could be to the battery hungry user. This of course is only one of many applications this program can be used for.
My Pdroid example, once again was a generic sample of the many ways app privacy is a concern. There are a ton of apps on the market that uses the internet even though the internet isn't needed to run the program. Yes more than not, the app is either varifying license files or uploading "anonymous user stats," however that is not all cases and users should be able to control that app and the information it transmits.
Finally, yes I looked up your information and noticed the developer notation and knew you would be offended by my developer comment. But I did not mean to insinuate that you were in that minority. I am unfamiliar with your work. Android is an open source platform and users should have full control over their devices. That is why I through those options out there. Anyone that disagrees with my full control statement should move to the iPhone and enjoy its closed platform.
Rebel60, I hope you find a way to fully utilize your device without fear of privacy infringement or apps that excessively deplete your battery. There are many people on XDA with a passion for these devices. And many different opinions. Take the time to evaluate your options and pick the right solution for you.
Sent from CDMA V6 SC GNexus w/Liquid & Franco.kernel
Aerocaptain said:
In most cases, it does not matter why an app uses wakelocks. The fact that it does alone is the issue. Generally speaking, if I would like to maximize my battery endurance, the need to minimize wakelocks is a necessity. After several months of use, a user may not remember every setting he/she setup in their apps. Utilizing betterbatterystats, one could identify the apps that use short sync intervals such as email syncing every 15 minutes or weather syncing every 30 minutes. Both of those simple examples illustrate in general terms, how important knowledge of wakelocks could be to the battery hungry user. With that knowledge one could change their sync intervals and save precious battery life.
Click to expand...
Click to collapse
True, it would definitely help a user identifying battery drainers and in those cases it does not matter why the wakelock was aquired if it is what causes the drain. But the question was not about batteries, but about what/why wakelocks are and the description of the wakelock permission itself.
While BetterBatteryStats being a great tool, it does not answer that question. (Hence my offtopic remark)
Aerocaptain said:
My Pdroid example, once again was a generic sample of the many ways app privacy is a concern. There are a ton of apps on the market that uses the internet even though the internet isn't needed to run the program. Yes more than not, the app is either varifying license files or uploading "anonymous user stats," however that is not all cases and users should be able to control that app and the information it transmits.
Click to expand...
Click to collapse
While bug reports or anonymous statistics are one part of it, i think most of the internet permission needs come from ads that are displayed. I don't use ads, so i'm a bit unfamiliar on that topic.
If solely googles licensing service is used, the internet permission is not needed, just the 'CHECK_LICENSE' permission (which is an extra permission just for that purpose).
It is also often used to update the welcome dialogs with news, if a dev does not want to release a new version everytime he wants to tell his users something.
Aerocaptain said:
Finally, yes I looked up your information and noticed the developer notation and knew you would be offended by my developer comment. But I did not mean to insinuate that you were in that minority. I am unfamiliar with your work. Android is an open source platform and users should have full control over their devices. That is why I through those options out there. Anyone that disagrees with my full control statement should move to the iPhone and enjoy its closed platform.
Click to expand...
Click to collapse
I'm not denying that there are greedy and or malicous devs out there. It was the 'plethora of greedy sometimes malicious developers' that threw me a bit off. I see you meant it differently, as you wrote 'in that minority'. As english is not my main language, i might have understood it a bit too harsh too .
Most of my work falls into the 'Tools' category, if you have question about them (or the permissions ), write me a PM.
I fully agree that everyone should have full control over their devices and i also think that users should have the possibility of choice (i.e. apple selecting apps that are published vs androids more or less freedom of apps, though one might have to sort through a 'plethora' of useless apps, i wouldn't trade it for apples store).
[I needed all those big quotes to reflect what i'm responding to as you seem to edit your posts alot after you made the. Makes it a bit difficult to answer ]
Thanks
Dark3n said:
No worries, no toes are being stepped on.
I agree that the permissions required by apps can sometimes look worrying.
But the description is often misleading. Some times it just looks very intrusive but that permission is needed for something alot more simple. It's a broad topic.
Also alot of users are just not concerned by this or just go with the crowd.
Write the developer and ask him what the permissions are needed for, if his apps description is unclear on that or the permissions seem unrelated to the apps purpose.
When it says, prevents your device from sleeping, it is most likely used to prevent the screen from turning off or dimming while something is progressing on screen. It is also needed to ensure that the cpu finishes the current operation if you press the devices sleep button, so it doesn't stop at some random point which might lead to problems for the app.
If there is a specific app and its permissions you are worried you could just SEARCH and then make a thread and ask about it.
Click to expand...
Click to collapse
Thanks for the answer. I think this best answers what I was concerned about. A lot of apps say that they can dial numbers in your contacts, alter settings, and a lot of other things that make me hesitant to download the app.
My phone is not rooted, although I would like for it to be, but am afraid I will brick it if I don't do something right. I don't know anything about wavelocks etc.
Rebel60 said:
Thanks for the answer. I think this best answers what I was concerned about. A lot of apps say that they can dial numbers in your contacts, alter settings, and a lot of other things that make me hesitant to download the app.
My phone is not rooted, although I would like for it to be, but am afraid I will brick it if I don't do something right. I don't know anything about wavelocks etc.
Click to expand...
Click to collapse
Whether your new to android or a veteran, XDA has all of the information you'll need to educate yourself. Rooting is not for everyone and should only be attempted by someone comfortable with the process. It does however open huge doors to more control and customization with your device. My advice to you is first get to know the Android platform for a few months. In the meantime do some research and see for yourself the pros and cons of rooting. There are dozens of threads with people that are in the same situation as you. Learn from them and talk with them. If you have a direct question about android, feel free to PM me. I'd be more than happy to help in any way I can. Good luck & enjoy your device.
Sent from CDMA V6 SC GNexus w/Liquid & Franco.kernel
Rooting is pretty simple if you invest some reading time. Just make sure to search alot before asking .
Also be aware that giving an app root access is equivalent to granting every possible permission there is and more.
I'm sure most users are not fully aware of that.
So allowing an app root access is a huge trust investment in the dev, don't do it for fishy looking apps .
Read the description
Try reading through the apps full description. A lot of developers will explain why their app needs those scary sounding permissions.
If they don't explain, you could always contact the developer (seems almost like google requires app listings to include a 'contact the developer' link somewhere).
Hi,
I've discovered the description of "Signal Private Messenger" app, but I don't know what thinking about it.
Its description seem's to indicate that you can communicate voice and text securely end to end with your smartphone, and that it's open source.
What is really securely ? I don't know and "I want to know"
Thanks in advance for your answers.
Hi, The short answer is Yes. Signal is by Open Whisper Systems & runs on iOS and Android. You can use it as a regular SMS/MMS app; as well as encrypted SMS/MMS/phone calls. To activate the encryption you need to exchange keys with the person you want to message.
Hope this helps!
equi_design said:
Hi, The short answer is Yes. Signal is by Open Whisper Systems & runs on iOS and Android. You can use it as a regular SMS/MMS app; as well as encrypted SMS/MMS/phone calls. To activate the encryption you need to exchange keys with the person you want to message.
Hope this helps!
Click to expand...
Click to collapse
Hi,
Thanks for your answer.
Your answer is a good summary of the app's features.
But what are you thinking about the word "securely" ?
Is it a dream or a reality ?
The app's editor highlights testimonies from known people who use it. Is it sufficient to trust this app ?
Has someone in this forum examined the code of this app ?
Nothing is completely secure.
In my opinion, & from my use, Signal is more secure than a normal messengering app - but less secure than a talk in real life.
If you are interested in security, please check out this XDA subforum; http://forum.xda-developers.com/general/security
And read up here: www.eff.org
Hm, nice to see a discussion going on. Have just heard Snowden recommend the app so I thought I'd check it out. BUT, there is a but ... I intentionally blocked the app from any internet usage whatsoever with AFWall+ donate. I've set up my AFW to show a toast whenever it blocks an app trying to use the internet so that I know which apps try to use the net in the background without my permission or intention. To my surprise my AFW blocks Signal all the time when I use Signal. And I mean ALL the time. How does this make sense? Why would a privacy app try to connect to the internet constantly? I've not got WiFi calling and I've not even enabled it in Signal's settings. Am I missing something here or is there sth wrong with the app? It's making me feel that it is constantly trying to leak data and that's why it attempts to use the internet. Good thing I have a robust thing on board such as AFWall... best firewall out there.
jonathansmith said:
Hm, nice to see a discussion going on. Have just heard Snowden recommend the app so I thought I'd check it out. BUT, there is a but ... I intentionally blocked the app from any internet usage whatsoever with AFWall+ donate. I've set up my AFW to show a toast whenever it blocks an app trying to use the internet so that I know which apps try to use the net in the background without my permission or intention. To my surprise my AFW blocks Signal all the time when I use Signal. And I mean ALL the time. How does this make sense? Why would a privacy app try to connect to the internet constantly? I've not got WiFi calling and I've not even enabled it in Signal's settings. Am I missing something here or is there sth wrong with the app? It's making me feel that it is constantly trying to leak data and that's why it attempts to use the internet. Good thing I have a robust thing on board such as AFWall... best firewall out there.
Click to expand...
Click to collapse
It's encrypted, end to end. It's not leaking anything. The code is opensource, you can go and review the code and build it yourself.
If you're blocking it from accessing the internet, then it's going to try again, probably because it can see that there is a network connection live.
@jonathansmith
Thanks for your detailed feedback.
It will be nice if someone in this forum could analyze the code of this open source app.
As for me, I am unfortunately not competent.
Were you able to identify with AFW the site the app was trying to connect ?
dtective said:
It's encrypted, end to end. It's not leaking anything. The code is opensource, you can go and review the code and build it yourself. If you're blocking it from accessing the internet, then it's going to try again, probably because it can see that there is a network connection live.
Click to expand...
Click to collapse
Thank you, that's exactly what I don't get. Why would it attempt to establish a connection. Ofc I'm blocking it. I'm blocking tons of others apps as well, but unlike Signal (and a few other suspicious apps) the other apps do not try to establish a connection.
As I said, when you block an app from accessing the net with AFWall you can tell AFWall to give you a toast showing you when every signle time when AFWall blocks a certain app trying to access the net. So, with 99% of my AFWall-blocked apps I don't get this toast, meaning that those apps don't even attempt to access the net (but better stay safe and have em blocked.) With some tricky apps though, AFwall shows that toast msg indicating that it successfully blocks a certain app from accessing the net. That's what I don't get - why would Signal be set up in a way that it would attempt to access the net. Prolly WiFi calling or sth but I'd rather use it for now only as a default SMS client.
Yes, you are right. Signal can see that there is a network connection live and that's why it constantly tries to connect to it. Just wish Signal would get it once and for all that it is blocked for good and stop trying to access the net.
If anyone knows which Services, Broadcast Receivers, or Activities from Signal should be disabled (using MyAndroidTools for example) please do share which ones they are so I can disable them and thus prevent Signal from constantly trying to establish a connection. The toast msg from AFW does become annoying when it is every second second
---------- Post added at 11:39 AM ---------- Previous post was at 11:33 AM ----------
iwanttoknow said:
Were you able to identify with AFW the site the app was trying to connect ?
Click to expand...
Click to collapse
Maybe gotta look into the log of AFW. The toast msg only shows the ip address which Signal ties to connect but AFwall prevents it form doing. But that's not the prob for me. Doesn't matter too much what it tries to access cos I know AFWall is good enough at preventing that. Just want to stop Signal from trying to access whatever it is trying to access! Will let you know if I figure it out!
---------- Post added at 12:00 PM ---------- Previous post was at 11:39 AM ----------
equi_design said:
Nothing is completely secure.
And read up here: www.eff.org
Click to expand...
Click to collapse
I second that. Nothing is, indeed! And thanks for reminding me about eff ... here's a good one - https://www.eff.org/https-everywhere @iwanttoknow check it out!
And here's a bit of a follow-up. Managed to catch the toast. Not sure if it is always the same ip that AFW blocks, but will try to pay attention. A reverse search reveals that the geo location of the ip is some place in Washington, US.
https://imgur.com/a/5fhIf
As I understood it
(And I could be wrong I left signal years ago when it was text secure)
Signal does NOT use sms to send messages
That functionality of the app was dropped a while back
It uses internet only to transmit encrypted messages
And it uses its own message server to host your messages.
It seems like decent software
I abandoned it because it uses your personal phone number as your identifier..
And it will not work with out a phone number..
Which for me is just crazy as every government in the world and most phone companies are selling /tracking your "meta" data based on your smart phone and it's phone number.
Think of it as any other encrypted internet message system
But it uses your phone number as an identifier...
Everyone gets my pubic email address now for communication.
Cops, government, hospital, work, stores,etc
It's the 21st century. Why use a phone number for anything anymore?
nutpants said:
As I understood it
(And I could be wrong I left signal years ago when it was text secure)
Signal does NOT use sms to send messages
That functionality of the app was dropped a while back
It uses internet only to transmit encrypted messages
And it uses its own message server to host your messages.
It seems like decent software
I abandoned it because it uses your personal phone number as your identifier..
And it will not work with out a phone number..
Which for me is just crazy as every government in the world and most phone companies are selling /tracking your "meta" data based on your smart phone and it's phone number.
Think of it as any other encrypted internet message system
But it uses your phone number as an identifier...
Everyone gets my pubic email address now for communication.
Cops, government, hospital, work, stores,etc
It's the 21st century. Why use a phone number for anything anymore?
Click to expand...
Click to collapse
You have to go back in time when the app was called Textsecure and it provided end to end encryption for SMS. The app was available on F-Droid until someone discovered that plain text sms were saved unencrypted on device. After that, the dev temporarily closed the source and also demanded that the app be removed from F-Droid, because in his view distribution on F-droid was "insecure." Well, that hole was fixed and the following versions worked pretty well. About the same, time, the dev started to be bothered by TSA every time he travelled by air. Then, within a few subsequent releases, google binaries and internet permission were included. Then, the app started to crash if internet service was restricted. In addition, you could only get the app from Googleplay, which means, you must have Gapps and Google Services Framework, which has total control over the phone and regularly "phones" home (obviously not your home). GSF can get your outgoing text before encryption and incoming text after.. Despite all of the above, one could still compile the app and use it without GSF. Then suddenly, the dev announced that he would no longer support encrypted SMS. About that time, he started receiving literally millions of $ from a US government's backed foundation. In addition, he was offered a lucrative contract to do encryption for What's UP, which later became Facebook. Quite a change after being harassed in airports So, encrypted sms were dropped and the app turned into an internet messenger. You must register with your phone number; your data goes through Google servers and Whisper System's servers. And by the way, neither the Signal servers nor Redphone servers are open source. You can't use the app unless you have Gapps and GSF and if you use the app, you are known to Whisper Systems, Google and all 3-letter agencies...
This is not the first time I am posting on Textsecure/Signal, just do a search on XDA and F-Droid forums and you will find more info with links. I would stay away from anything coming out of Whisper Systems. Use Silence, which is a fork of Textsecure with encrypted SMS. For over-the-internet services, use Conversations.
And by the way, never use an app where everything: encryption, encryption method, registration, servers are in the hands of one entity, which won't allow you to use other servers...
nutpants said:
As I understood it ...
Click to expand...
Click to collapse
You might be right but for normal unencrypted messages Signal uses simple SMS. Have tried it and without any WiFi or data it simply sends a msg as an SMS. So far so good but u might have a point. I'm yet to test with someone who also has the app installed and see how encrypted msgs are transferred. I'd imagine it NOT to be over the internet, but then again you might have a point? Why? Because as I said I've blocked Signal with AFWall and I get a toast showing that Signal CONSTANTLY tries to connect to the internet when there is currently a live connection to the internet, be it Data or Wifi. So yeah, you might be right, but I need to test it out. In the meantime someone who has already done this would do us a favour by telling us how it works.
Using my personal phone number as identifier does not sound cool indeed. If you are right about this: 'It uses internet only to transmit encrypted messages. And it uses its own message server to host your message' then I guess I'm ok with using the net for transmitting encr. msg since they are encrypted with E2EE. As to where the msgs are hosted. I guess I'm better off having them stored at Signal's server than at Verizon's cos from Verizon they end up DIRECTLY to the government. I guess with nuff persuasion and money though they'd also end up there from Signal. It's the way of the world, isn't it? Also, as I mentioned in my last post, the IP which Signal constantly tries to connect to is in Washington. That's already fishy enough .... very fishy!
optimumpro said:
Use Silence, which is a fork of Textsecure with encrypted SMS. For over-the-internet services, use Conversations.
Click to expand...
Click to collapse
How about apps like 'Wire' and 'Wickr - Top Secret Messenger'? Are they any good? Will give Silence and Conversations a try! 10x for bringing them up.
unknown404 said:
How about apps like 'Wire' and 'Wickr - Top Secret Messenger'? Are they any good? Will give Silence and Conversations a try! 10x for bringing them up.
Click to expand...
Click to collapse
Wickr is not open source. So, for me it is out of the question. Wire sounds good, although they say they can terminate your account at any time. Also, they say the company is based in Switzerland, but the location for dispute resolution is San Francisco. They also say they can require you to download/upgrade the app, which means that if you want to stay on older version, they won't let you...
Again, I am against models where everything is concentrated in the same hands...
optimumpro said:
Wickr is not open source. So, for me it is out of the question. Wire sounds good, although they say they can terminate your account at any time. Also, they say the company is based in Switzerland, but the location for dispute resolution is San Francisco. They also say they can require you to download/upgrade the app, which means that if you want to stay on older version, they won't let you...
Again, I am against models where everything is concentrated in the same hands...
Click to expand...
Click to collapse
I guess I'm ok with Wickr's being closed source (but then again what do I know ... the discussion about open vs closed source goes both ways so more opinions are welcome). Just don't get why I made an account there and now trying to log back in I'm told the credential are wrong. Weird!
Hi,
In my first post, I was asking your opinions about "Signal Private Messenger" app.
Thanks all for your answers.
In your answers, I have discovered the names of Silence and Conversations apps.
Which level of confidence for them and why ?
iwanttoknow said:
Hi,
In my first post, I was asking your opinions about "Signal Private Messenger" app.
Thanks all for your answers.
In your answers, I have discovered the names of Silence and Conversations apps.
Which level of confidence for them and why ?
Click to expand...
Click to collapse
I'll be happy to hear more opinions as well but as optimumpro said, Silence really seems solid and offers E2EE, which is what I need. Have tested it with other users and seems good so far. Can't say anything about Conversations cos I've not used it yet. I read good stuff about Wickr as well, but yeah ... closed source deters many.
unknown404 said:
I'll be happy to hear more opinions as well but as optimumpro said, Silence really seems solid and offers E2EE, which is what I need. Have tested it with other users and seems good so far. Can't say anything about Conversations cos I've not used it yet. I read good stuff about Wickr as well, but yeah ... closed source deters many.
Click to expand...
Click to collapse
Both Conversations and Silence are open source, unlike Signal, which contains prebuilt binaries and jar files. Also, neither Conversations nor Silence forces you to register or use their servers, which Signal does.
optimumpro said:
Both Conversations and Silence are open source, unlike Signal, which contains prebuilt binaries and jar files. Also, neither Conversations nor Silence forces you to register or use their servers, which Signal does.
Click to expand...
Click to collapse
That I do second and that I do like!
Hi,
After reading some articles, I discovered that it was "easy" to assure End-to-end encryption (E2EE) for our communications. I share my understanding here, knowing that it's well known by experts in the domain. So thank you for being kind to me.
In fact, there is a difficulty for communicating parties who wanted to communicate without anyone spying their voice or written messages. They have to use cryptographic protocols relying on a shared secret. But how to share a secret on unsecure communication channels ?
It's "easy", due to the Diffie-Hellman cryptographic protocol which permits to do that. There are a lot of explanations about it on the Net. But it could be defeated by the man-in-the-middle attack (MITM). To counter this attack, you have "simply" to sign the shared secret with asymetric keys (with your secret key to sign the shared secret, and with your public key permitting to the other part verify it). If you are interested, see more explanations on the Net about asymetric cryptographic protocols.
I sincerely hope that I didn't say too much nonsense.
Silence app is based on Diffie-Hellman protocol, like other apps in the domain.
In summary, after reading your answers to my initial post :
- Silence app permits to exchange SMS/MMS, using E2EE.
- Conversations app is an instant messaging (IM) client for Android, using E2EE.
Signal Private Menssenger is an E2EE IM and voice calling app.
I have noted what has been written about Signal Private Menssenger in this thread, so is there a "less intrusive" E2EE voice calling app, in the same way as Silence ?
Thanks for your participation.
I want to beef up my security on my tablet. I want a program that can lock and encrypt selected applications. But I don't just want a basic app locker. I don't want a program that just prevents apps from running unless I have a password. A lot of programs can do that. I want encryption. I want the app's data secure, so even if someone boots it into recovery and goes in with ADB or something, they can't get any data. I don't necessarily need to encrypt the apk or the odex or anything like that, but the data for sure.
Basically, I want something like this: https://www.amazon.com/Hackerso35-Crypto-App-Locker/dp/B074FJPFPN . That description really seems to be what I'm looking for. "Protects your apps data with SHA3 / AES 256-bit encryption." BUT that program was released back in 2017 with no apparent updates since, it only has one review, and searching for it on Google only gives two pages of results. So I don't know if I want to trust that particular program. I want something like it.
I want something that can do what that program purports to do, regarding encrypting app data. I want something with a strong reputation. I want something a lot of people use and trust. Any recommendations? Thanks.
Recommendation only. I will not be here to reply.
Smart AppLock: Privacy Protect - Apps on Google Play
Lock apps with password!
play.google.com
As for not having it unable to be uninstalled, do some research on how to set it as a device admin app.
Also, you mentioned"connecting through adb"
just disable USB debugging, etc
All the best.
ps, contact the developer of the app you mentioned ,and im sure he could point out why he hasnt updated, maybe "they" are already on other projects...
Not quite what I was asking for. The Crypto App Locker program above says that it "encrypts the app's data as well." The one you recommended doesn't say anything about that.
Like I say, I'm only hesitant about that particular app because it has so few reviews and hasn't been updated in so long. As for the developer, this very forum reports: "Last seen Nov 26, 2017"
Well that all depends(regarding your first post) Have you heard of Trust Wallet?
Also if you're rooted, you can compress the app..etc. With a vital key. Then, unfreeze it.
The reason I suggested contacting the Dev, was he/she could point you in the right direction.
But if its an app you open every day, that could be a pain. Perhaps telegram group could give you some insight. Maybe As the guys at airdrop...