[Q] Do Android apps like twitter, dropbox encrypt passwords? - Android Apps and Games

On a browser, you can initiate an SSL connection to log into your facebook or twitter account by using https...what about these apps on Android? Do I need to worry about people intercepting my passwords??

That's entirely dependent on the application. Dropbox can use a secure channel of communication or it could communicate in the open. Based on its methods, I'm inclined to believe it's secure but I've not tested it.
Twitter had a large push towards its OAuth login mechanism. However, there are documented methods that don't require applications to use it. So, again, it entirely depends on the application. Really, regardless of how this is done, your password shouldn't be passed in the clear.

Related

Dashwire - Is it secure?

I have an account with Dashwire. I like the service, but worry that it does not seem to be a secure site. Does this mean that it is possible that someone could see all the associated data (like contacts and texts) on my phone if they are able to hack the Dashwire website?
From their website:
Dashwire said:
In the event that you place an order through the Service, your credit card information will be encrypted using SSL technology before being transmitted over the internet. Because any other personally identifiable information you submit to Dashwire is purely voluntary and should not be of a particularly sensitive nature, we employ our standard security measures with respect to this information and do not use special encryption methods at this time. Dashwire user accounts are secured by user-created passwords and HTTPs when signing in. Please note that Dashwire cannot guarantee the security of user account information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.
While I can understand a disclaimer or two, to me, that's a pretty bold statement that security isn't a number one priority.
Especially when I log into http://my.dashwire.com/ it is not a secure site, which tells me that neither is the information it pulls from my phone.

[Q] Is there a way around Exchange email -no root- rule

My employer just opened up Android native email capability (to receive work email, calendar, apps) for my Note i717. Problem is, they won't allow Rooted devices.
I know there's several (6 I think) security certificates that get installed, but I was wondering if there's a way around this no-root rule.
1. If I unroot, get all certificates installed and then re-root will it nullify the certs?
2. Does anyone know enough about certs to answer if they're something that can be backed up and restored if I move to a different ROM in the future?
I've scoured the forum and have found info on bypassing the credential logins, but not pertaining to these questions above. Answers would be greatly appreciated.
It isn't really a rule...depending on your environment
b3furuya said:
My employer just opened up Android native email capability (to receive work email, calendar, apps) for my Note i717. Problem is, they won't allow Rooted devices.
I know there's several (6 I think) security certificates that get installed, but I was wondering if there's a way around this no-root rule.
1. If I unroot, get all certificates installed and then re-root will it nullify the certs?
2. Does anyone know enough about certs to answer if they're something that can be backed up and restored if I move to a different ROM in the future?
I've scoured the forum and have found info on bypassing the credential logins, but not pertaining to these questions above. Answers would be greatly appreciated.
Unless your company is using a type of MDM platform (Codeproof, Good, MobileIron, AppSense), they will not be able to detect that you have root access to your phone. Some companies instruct users to install a separate MDM application in order to access their email. Most Exchange servers can be connected to without installing the MDM software. If they don't force an MDM client, they won't know you are rooted.
Depending on the version of Exchange, you can use a 3rd party email app like K-9 to access the email which would also bypass the additional security policies that will be installed if you were using the built-in Exchange support. I use Touchdown, therefore the app is protected by a PIN but not my phone, so I can still unlock the phone without having to type a 6 digit number every, single, time.
The way I see it, the company's data is still protected, and I am not overly inconvenienced, it is a win-win.
Apologies, I did forget to mention they instruct to install Mobile-Iron.
Their process is such:
1. Install Mobile-Iron
2. Encrypt Device & set 6 digit pin
3. Install Certificates
4. Email configuration
5. Sync email, calendar, clients to phone
They do note "If your device is rooted, this process will not complete successfully."
Reviewing the steps, it looks like the whole process is done within Mobile-Iron.
No dice so far
Still can't find anything on the net for this. If anyone can help answer this I'd greatly appreciate it.
I'd love to be able to check on emails without having to open and boot my laptop. Also, it would be great to have my calendar sync so I don't miss meetings.

Fitbit/Jawbone/... hack

Hi,
With our smartphones and apps we already send quite a lot of data to third parties.
I am interested by a wearable device such as a Fitbit or Jawbone (to mention only popular ones) to track my daily activities but I don't want to send more data to more third parties. In addition, if one of these companies decides to stop some products or shut down their servers, these devices would probably stop working.
As they all provide an Android app to sync the smartphone and the device to fetch the data and display it, I am wondering why it would be required to send data to their servers. Does anyone know if these apps work properly without an active connection to these servers? Is there any way to block these connections without a rooted phone? If rooted, do you think updating the hosts file would be enough to block connections?
Aside from that, I am wondering if it would be possible to redirect this traffic to a personal server to fill a personal database? Is the traffic secured, via SSL for example, between the app and the server? We can imagine creating an open source project to be installed on our personal RaspberryPi (for example) to display data in a more friendly way on desktop without giving access to private data to big companies.

Encrypting All Outgoing Traffic

Hey there XDA
So I was reading this article the other day that pertains to security and encryption on the Android Operating System
http://www.bibliotecapleyades.net/sociopolitica/sociopol_cia38.htm
Basically what it says is that even if you use encryption in apps there's nothing preventing people from accessing your device's mic or camera
But I was thinking what if you encrypt ALL outgoing traffic? Now I'm not the most well versed guy when it comes to technology but I've heard about for example SSH tunnels
So I found this guide on how to set one up on Android: https://www.howtogeek.com/121698/how-to-route-all-your-android-traffic-through-a-secure-tunnel/
Would this effectively encrypt all outgoing data?
Eklondh said:
Hey there XDA
So I was reading this article the other day that pertains to security and encryption on the Android Operating System
http://www.bibliotecapleyades.net/sociopolitica/sociopol_cia38.htm
Basically what it says is that even if you use encryption in apps there's nothing preventing people from accessing your device's mic or camera
But I was thinking what if you encrypt ALL outgoing traffic? Now I'm not the most well versed guy when it comes to technology but I've heard about for example SSH tunnels
So I found this guide on how to set one up on Android: https://www.howtogeek.com/121698/how-to-route-all-your-android-traffic-through-a-secure-tunnel/
Would this effectively encrypt all outgoing data?
Not really, setting up an SSH tunnel will only encrypt your traffic between your device and your server, at some point most traffic will have to enter the internet in just as secure manner as it does now so that you can view a website for example, it will add another layer of security, but really only useful for privacy from those on your local network or (if your server is outside your ISP network) from your ISP also (but you'd have to change your DNS servers also or they can get info from there about sites you visit)
Also none of that will stop the issue you mention above about gaining access to your camera, mic, files etc that to beat encryption they just have to gain access to your phone, that could be as simple as sending you a malware link to your email, WhatsApp or whatever, which you visit. Which seems to be what my mum did 2 days ago, there was a well crafted email that appeared to be from Genes Reunited making specific reference to her personal private data & contacts in her account so she clicked the link, now she has no internet access & other issues on tablet, but of course I can't log in to fix from here & she can't follow my instructions over the phone properly! The email password she gave me doesn't work (I wanted to examine the file she clicked on), though there was no confirmation via txt of password changed. So right now I'm not sure as could be related to the TalkTalk hacks.... Or just my mum! Rant over!
So in short no, ssl is not a simple solution
this might help. https://www.torproject.org/
"err on the side of kindness"
IronRoo said:
Not really, setting up an SSH tunnel will only encrypt your traffic between your device and your server, at some point most traffic will have to enter the internet in just as secure manner as it does now so that you can view a website for example, it will add another layer of security, but really only useful for privacy from those on your local network or (if your server is outside your ISP network) from your ISP also (but you'd have to change your DNS servers also or they can get info from there about sites you visit)
Also none of that will stop the issue you mention above about gaining access to your camera, mic, files etc that to beat encryption they just have to gain access to your phone, that could be as simple as sending you a malware link to your email, WhatsApp or whatever, which you visit. Which seems to be what my mum did 2 days ago, there was a well crafted email that appeared to be from Genes Reunited making specific reference to her personal private data & contacts in her account so she clicked the link, now she has no internet access & other issues on tablet, but of course I can't log in to fix from here & she can't follow my instructions over the phone properly! The email password she gave me doesn't work (I wanted to examine the file she clicked on), though there was no confirmation via txt of password changed. So right now I'm not sure as could be related to the TalkTalk hacks.... Or just my mum! Rant over!
So in short no, ssl is not a simple solution
Heh, **** man.. Hope she sorts it out
Now I think I've decided to use an SSH tunnel paired with RSA authentication for the time being, it seems good enough for me
mrrocketdog said:
this might help. https://www.torproject.org/
"err on the side of kindness"
Tor seems awesome
The proper way to achieve this is using a VPN, which permits flexibility on the networking side. I use an OpenVPN server on my home computer and I connect my phones to it. It is set to redirect all traffic through the encrypted tunnel, which is forwarded to the internet through my home computer.
Now as noted before the information still goes out to the net at some point and comes back. Encrypting traffic does not help if you click on something malicious out there.
It does help to prevent the directly connected network from snooping on your actual traffic though. Handy when you connect to free wifi etc. Also you can filter traffic by application on the phone or by destination on the other side on the server.
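An added example, not part of the thread and not any poster's actual configuration: a minimal OpenVPN server file for the setup described in the post above (all phone traffic redirected through a home server), with DNS also pushed into the tunnel to cover the DNS point raised earlier in the thread. The file paths, the 10.8.0.0/24 subnet, the resolver at 10.8.0.1, the Linux host and the interface name eth0 are all assumptions.

```conf
# server.conf -- constructed example for a home OpenVPN server (2.4 or later)
port 1194
proto udp
dev tun

# PKI material; placeholder paths, generate your own CA and keys
ca        /etc/openvpn/pki/ca.crt
cert      /etc/openvpn/pki/server.crt
key       /etc/openvpn/pki/server.key
dh        /etc/openvpn/pki/dh.pem
tls-crypt /etc/openvpn/pki/tc.key     # authenticates and encrypts the control channel
tls-version-min 1.2
remote-cert-tls client                # only accept certificates issued for client use

# Tunnel addressing: the server takes 10.8.0.1, phones get the rest
topology subnet
server 10.8.0.0 255.255.255.0

# Send ALL client traffic through the tunnel, not just traffic to the home LAN
push "redirect-gateway def1"

# Send DNS through the tunnel as well; otherwise the local network or ISP
# resolver still sees every hostname the phone looks up.
# Assumes a resolver is listening on the server's tunnel address.
push "dhcp-option DNS 10.8.0.1"

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# The home computer must also forward and NAT the tunnel traffic
# (Linux, run as root; eth0 is the assumed internet-facing interface):
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

With this in place the network the phone is attached to sees only encrypted packets to the home server; traffic leaving the home connection is protected only by whatever each app or site uses itself.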

How can I isolate my Android from my desktop PC and continue to use Chrome on each?

I have saved usernames and passwords for various websites on the desktop (Windows) PC, for my convenience via Google Chrome. I have several android devices (phones) which are able to access these saved passwords since they are linked together. I want to save these passwords to my PC only. And restrict some from my androids, i.e. banks, brokerage houses, Amazon and pay-pal. Now, if I have mobile apps associated with these sites, I can block the passwords and usernames. But, a search via google for the website login page (by-passing the app) will display my username and password. Although the password is not visible, it's still there and allows access to my account. I'm not sure if anyone would know what to look for if my cell was lost or stolen, but it's still unnerving to think it could possibly happen. So, I am searching for a way to segregate my PC from my androids, and still be able to use Chrome on all. A Google search gets me answers to all imaginable questions, except for the one I ask. Maybe, I just don't know how to form the question to where Google can understand it.
You should be able to sign out on the other devices.
DudeBoy1 said:
I have saved usernames and passwords for various websites on the desktop (Windows) PC, for my convenience via Google Chrome. I have several android devices (phones) which are able to access these saved passwords since they are linked together. I want to save these passwords to my PC only. And restrict some from my androids, i.e. banks, brokerage houses, Amazon and pay-pal. Now, if I have mobile apps associated with these sites, I can block the passwords and usernames. But, a search via google for the website login page (by-passing the app) will display my username and password. Although the password is not visible, it's still there and allows access to my account. I'm not sure if anyone would know what to look for if my cell was lost or stolen, but it's still unnerving to think it could possibly happen. So, I am searching for a way to segregate my PC from my androids, and still be able to use Chrome on all. A Google search gets me answers to all imaginable questions, except for the one I ask. Maybe, I just don't know how to form the question to where Google can understand it.
Create an alternate Gmail address to use on the androids and don't use that Gmail on PC.
Or
Have you tried signing out of chrome browser on the androids and set it to not remember your username and password?
