This is a continuation of this thread: http://forum.xda-developers.com/showthread.php?t=567870, which covered cracking the original "basic" copy protection of Marketplace.
---
I have now cracked the "advanced" copy protection used by Marketplace. As you may know, this is a "better" protection than the original "CAB copy protection" Marketplace offered. This "advanced" protection uses license keys that are verified when you run the application, and given out and controlled by Microsoft.
Several developers are annoyed that Microsoft does not allow us to use our own licensing schemes, and are forced to use "no protection" (the original CAB copy protection) or use Microsoft's scheme which is essentially a single point of failure for all Marketplace protected apps.
This new "advanced" protection was released today by Microsoft, and as far as I know no app available already uses it at the time of this writing.
So I got the code snippets you are supposed to put in your app and it was simply jawdroppingly WTF. While it was not exactly easy to beat, it took me less than two hours to devise a "generic" hack, without modifying any files on the device. (Well hey, at least it's better than the 5 minutes it took for the "basic" protection, right?)
A "generic" hack? Yes, by this I mean that this single hack (actually, running an EXE in the background) will completely bypass the entire code snippet provided by Microsoft that is supposed to check and validate your license code, for all Marketplace apps that use this "advanced" protection.
I will not publish the code that performs this hack, so don't ask. My goal is not to crack Marketplace apps, my goal is to get MS off their ass and allow us to use our own licensing systems, like the good little resellers they're supposed to be. I will tell you that it has to do with runtime patching the crypto API, but that's it. All in all, I don't think it will take long for the warez people to duplicate this hack.
---
Some further reasoning about anti-piracy, solutions, etc can be found in post 13 on page 2.
if there are no apps that use it yet, how do u know your hack works?
Because the Marketplace portal provides code ("code snippet") you have to compile in your EXE, and that takes care of the whole licensing thing.
So you look at that source, spot the weak points, devise a hack. Then compile a program using said "code snippet" and try the hack on it.
If developers simply copy/paste the snippet they are given by the Marketplace portal, this hack will work.
Chainfire said:
This is a continuation of this thread: http://forum.xda-developers.com/showthread.php?t=567870, which covered cracking the original "basic" copy protection of Marketplace.
---
I have now cracked the "advanced" copy protection used by Marketplace. As you may know, this is a "better" protection than the original "CAB copy protection" Marketplace offered. This "advanced" protection uses license keys that are verified when you run the application, and given out and controlled by Microsoft.
Several developers are annoyed that Microsoft does not allow us to use our own licensing schemes, and are forced to use "no protection" (the original CAB copy protection) or use Microsoft's scheme which is essentially a single point of failure for all Marketplace protected apps.
This new "advanced" protection was released today by Microsoft, and as far as I know no app available already uses it at the time of this writing.
So I got the code snippets you are supposed to put in your app and it was simply jawdroppingly WTF. While it was not exactly easy to beat, it took me less than two hours to devise a "generic" hack, without modifying any files on the device. (Well hey, at least it's better than the 5 minutes it took for the "basic" protection, right?)
A "generic" hack? Yes, by this I mean that this single hack (actually, running an EXE in the background) will completely bypass the entire code snippet provided by Microsoft that is supposed to check and validate your license code, for all Marketplace apps that use this "advanced" protection.
I will not publish the code that performs this hack, so don't ask. My goal is not to crack Marketplace apps, my goal is to get MS off their ass and allow us to use our own licensing systems, like the good little resellers they're supposed to be. I will tell you that it has to do with runtime patching the crypto API, but that's it. All in all, I don't think it will take long for the warez people to duplicate this hack.
Click to expand...
Click to collapse
amen
hallelujah
hit me now
YEAH
have given the issue some press : http://www.1800pocketpc.com/2009/11/13/marketplace-advanced-copy-protection-cracked-in-less-than-2-hours.html
anti-piracy protection is intended to stop ordinary users from transferring cabs between devices and it is successful at that. there is no protection that will stop apps from being pirated, certainly not for handheld devices. the new advanced protection is adequate and any further techniques are redundant and a waste of time, because no matter how 'strong' they are, they WILL be cracked.
Slightly if not totally off-topic: A mainstream consumer's view
mnet said:
anti-piracy protection is intended to stop ordinary users from transferring cabs between devices and it is successful at that. there is no protection that will stop apps from being pirated, certainly not for handheld devices. the new advanced protection is adequate and any further techniques are redundant and a waste of time, because no matter how 'strong' they are, they WILL be cracked.
Click to expand...
Click to collapse
I agree with you and your premise. Now a quick story.
I consider myself a mainstream consumer... but I have been a member of XDA for, what, i think 4 years, using 2 WM phones, first the T-Mobile MDA, then the Wing (HTC Herald), and I am about to switch to Android with the HTC Hero. I am reasonably savvy about tech, just not a coder. But I've done all the hard SPL, flashing ROMS, using beta software, and supporting developers here with pretty significant donations. I am also a User Experience / Usability designer for web as a profession. THAT'S MY BACKGROUND.
To date, my experience buying WM apps has been universally AWFUL. Whether it was, just recently, Resco Picture Viewer from PocketGear, or WM Defrag from Wizcode, or PocketPlayer from Conduits. I am more than happy to buy excellent software that works, and has a decent UI. But in each case, the process of buying the app and getting it onto my phone has been absurd, and frustrating beyond belief. Each provider makes all sorts of assumptions -- often wrong -- including "you must be downloading this from a PC, so we will download for you an executable that runs on a desktop PC then installs via active sync onto your device."
Whatever the percentage is, doesn't matter: A lot of people, like me, download all my cab files, and purchase apps, on my Mac... and either email myself the .cab file or .zip files, or place my microSD card from my phone into a USB reader. Thus, what a frikkin headache to end up getting PocketPlayer on my phone... but because i didn't download it from a Windows PC, I was screwed.
This stuff is archaic. This past week it has taken 5 days to get Resco Picture Viewer on my phone after purchasing from PocketGear.com . They have a completely retarded transactional process, a terrible UI, broken software in terms of user recognition and resetting username and password, and a completely phone-UNFRIENDLY site, with most sub-level menus not even accessible from browsers like Opera Mobile, Netfront, Iris ... They are dumbass pull downs using god knows what -- flash or javascript, whatever. But fact is: a simple navigation process to access the products on the phone itself can't even be achieved by these clowns -- yet everyone is in overdrive now trying to get their version of "THE" WindowsMobile app store online, while Microsoft stumbles.
The fact is: I would LIKE to see a uniform transaction process which is designed professionally, and supports great usability design, and once I buy the app, quit making me go through absurd backflips just to get access to the cab file. Stop requiring me to use a Windows PC. And stop all the "special OUR way" authentication processes. Because if they were so good, there wouldn't be the kind of problems I have described. I'll even grant anyone who wants to -- to say "well you're just a dumb**** user who doesn't understand their particular process"... I'll grant you that, and my answer would be:
If you plan to sell a lot of apps -- ie, make money via VOLUME transactions vs pricey apps -- a la iphone -- then it makes a hell of a lot of sense to make a uniform system of delivery if you're buying it through an app store, and for god's sake, cut the crap and figure it out. It's not so hard to send an authentication code via email or text message. But it's exactly WRONG to be having 1000 developers using 1000 special "our way" authentication processes, because the odds of 1000 app developers having a great, simple, effective UI and safe authentication system that prevents priacy of their app is pretty low, based on the experiences I have had to date with MAINSTREAM products for WM.
That's my view. But I see a whole lot of clumsiness from the Windows Mobile side of the fence pertaining to this whole new way of monetizing apps. There's a reason apple succeeds in that department -- even with their bloated catalog and draconian approval processes. They understand how to deliver products to consumers -- vs repelling them from a dumbass process, no matter how good that process may be in theory.
quicksite said:
I agree with you and your premise. Now a quick story.
I consider myself a mainstream consumer... but I have been a member of XDA for, what, i think 4 years, using 2 WM phones, first the T-Mobile MDA, then the Wing (HTC Herald), and I am about to switch to Android with the HTC Hero. I am reasonably savvy about tech, just not a coder. But I've done all the hard SPL, flashing ROMS, using beta software, and supporting developers here with pretty significant donations. I am also a User Experience / Usability designer for web as a profession. THAT'S MY BACKGROUND.
To date, my experience buying WM apps has been universally AWFUL. Whether it was, just recently, Resco Picture Viewer from PocketGear, or WM Defrag from Wizcode, or PocketPlayer from Conduits. I am more than happy to buy excellent software that works, and has a decent UI. But in each case, the process of buying the app and getting it onto my phone has been absurd, and frustrating beyond belief. Each provider makes all sorts of assumptions -- often wrong -- including "you must be downloading this from a PC, so we will download for you an executable that runs on a desktop PC then installs via active sync onto your device."
Whatever the percentage is, doesn't matter: A lot of people, like me, download all my cab files, and purchase apps, on my Mac... and either email myself the .cab file or .zip files, or place my microSD card from my phone into a USB reader. Thus, what a frikkin headache to end up getting PocketPlayer on my phone... but because i didn't download it from a Windows PC, I was screwed.
This stuff is archaic. This past week it has taken 5 days to get Resco Picture Viewer on my phone after purchasing from PocketGear.com . They have a completely retarded transactional process, a terrible UI, broken software in terms of user recognition and resetting username and password, and a completely phone-UNFRIENDLY site, with most sub-level menus not even accessible from browsers like Opera Mobile, Netfront, Iris ... They are dumbass pull downs using god knows what -- flash or javascript, whatever. But fact is: a simple navigation process to access the products on the phone itself can't even be achieved by these clowns -- yet everyone is in overdrive now trying to get their version of "THE" WindowsMobile app store online, while Microsoft stumbles.
The fact is: I would LIKE to see a uniform transaction process which is designed professionally, and supports great usability design, and once I buy the app, quit making me go through absurd backflips just to get access to the cab file. Stop requiring me to use a Windows PC. And stop all the "special OUR way" authentication processes. Because if they were so good, there wouldn't be the kind of problems I have described. I'll even grant anyone who wants to -- to say "well you're just a dumb**** user who doesn't understand their particular process"... I'll grant you that, and my answer would be:
If you plan to sell a lot of apps -- ie, make money via VOLUME transactions vs pricey apps -- a la iphone -- then it makes a hell of a lot of sense to make a uniform system of delivery if you're buying it through an app store, and for god's sake, cut the crap and figure it out. It's not so hard to send an authentication code via email or text message. But it's exactly WRONG to be having 1000 developers using 1000 special "our way" authentication processes, because the odds of 1000 app developers having a great, simple, effective UI and safe authentication system that prevents priacy of their app is pretty low, based on the experiences I have had to date with MAINSTREAM products for WM.
That's my view. But I see a whole lot of clumsiness from the Windows Mobile side of the fence pertaining to this whole new way of monetizing apps. There's a reason apple succeeds in that department -- even with their bloated catalog and draconian approval processes. They understand how to deliver products to consumers -- vs repelling them from a dumbass process, no matter how good that process may be in theory.
Click to expand...
Click to collapse
Couldn't agree more!
I'll add one more reason I wrap my head in ductape every time I download/install an app.
Think it's bad with every developer having their own authentication method? How about when each developer has a DIFFERENT authentication scheme for every app they make?
I like a rant - thanks for doing it for me as I agree with you 100%.
The top of my annoyance list (which you did include) are sites selling mobile software which are NOT mobile browser friendly, WTF is that all about?
Big Up, I still don't think anyone else would have done it in two hours.
Hey you warned them didn't you.
Haha Chainfire is there anything you cant do?
More in the Dutch press:
http://tweakers.net/nieuws/63713/nederlander-kraakt-nieuwe-beveiliging-windows-marketplace.html
While I do appreciate the "rant", I think you're missing my point - or perhaps I just don't agree. (Edit: that is in response to this post http://forum.xda-developers.com/showpost.php?p=4936479&postcount=7)
When I say "use our own licensing schemes", I do not mean codes sent back and forth through websites, screen you have to type stuff in etc. This is exactly not needed because Marketplace is also the delivery mechanism. In other words, the license code can be installed by Marketplace directly without the user ever seeing or hearing about it.
This is partly how the new system works, actually. However, if Microsoft supported license codes you give them things would be more secure (though granted, for a large part by obscurity).
Some authors will not care and simply not use it all, for example with the cheap apps it may not be worth their while. Others may wish to track license key usage, so that if suddenly 10.000 users start using the same key instead of the 1 who bought it, that key can be disabled, etc. Some may want the app to call home, some will not. Imagine that developers that do employ such anti-piracy measures will write their own verification / communication code, this beats the single point of failure we currently have. The crackers are back to having to crack each app independently and even then have a much lower chance of success.
Marketplace is the perfect opportunity to implement such a system that does provide some piracy security for the authors while for once it does not unnecessarily annoy the user.
To make the obligatory bad car analogy that fails in many ways, take you car keys. Everyone thinks it's normal to have a car key, so people can't just take your car. Of course, in line with some of the arguments against anti-piracy measures, car keys aren't really that useful, as there's always a brick - the universal key, and a car thief that really wants your car will get it. (You also lock the doors on your house, right?)
Now, the current situation is pretty much that everyone has the same car key. How useful is a car key in that situation? They way I see it (and I'm sure I'm not alone in that), is more like the actual car key situation. Some car keys are laser etched, or have something RFID-like in them and a receive in the car, or simply use different shapes, etc. That's a lot more useful than everyone having the same car key.
Sure, no matter what you do, eventually things will get cracked and it is a cat and mouse game. One of the reasons this is easily doable is because of the open nature and the very few restrictions of Windows Mobile. This is a good thing. No developer in their right mind would want to get to a restrictive system like is the case on the iPhone or other mobile OS's. That is not the point. That doesn't mean anti-piracy measures are useless though, far from it. The longer you can keep a release from being warez'd, the less you lose.
There are two arguments I hear coming back in various places by various people:
(1) If the normal users can't just copy it, then that is enough (even MS says this)
(2) Piracy works as advertising, you get more eventual sales, etc. etc
Both of these, are from my own experience, completely untrue. The thing is if one person cracks it, it usually spreads on those warez sites pretty quickly.
The big thing here is, the average user is apparently tech-savvy enough to search the warez sites first before buying, and that is just how it is:
We have played the game with that one warez site, monitoring sales when (apparent) cracks were listed and when they weren't (they do remove releases on request). This made a 30-50% difference in sales (with the number being highest during the weekends, and lowest during weekdays). For me that is enough data to know that both (1) and (2) are complete nonsense in the case of mobile apps. No matter all the pretty reasons and perhaps seemingly logical reasons you may come up with for (1) and (2), the numbers don't lie.
So, how would you like to get a 30-50% paycut? It's not like us developers are getting rich here, you know. Can we be blamed for trying to prevent this?
Now, here we have the chance to implement a system that is completely transparent for the user and can be made reasonably safe (and updatable), an obvious win-win situation for everyone involved except the warez people. Why exactly shouldn't we be aiming for this?
What is also painfully apparent here, as Microsoft themselves claim reason (1), that they have no idea what they are talking about.
i am no programmer so excuse my ignorance but doesnt everything eventually get cracked. Is there any mobile platform which hasnt a non cracked market place or sites where you can download paid apps for free?
Well done Chainfire
Hello Chainfire,
I am the webmaster of the Tamoggemon Content network, and just covered you:
http://tamsppc.tamoggemon.com/2009/11/13/advanced-marketplace-drm-broken/
http://tamswms.tamoggemon.com/2009/11/13/advanced-marketplace-drm-broken/
Furthermore, an email went out to MSFT asking for a statement. but this is not the reason why I registered here (!!!) - I am instead here to vent a bit being a Symbian dev myself.
While I fully understand your frustration, I think that allowing every developer to run his own DRM is not gonna do the store good. The reason is that the store was made to make purchasing apps simple - and by allowing everyone to run his own DRM I dont see much of a venue to do this anymore.
Whenever some kind of backend gets involved, there is a single point of failure - the only trhing I can think off now would be a very complet system based on servers.
Or, of course, platform security like on S60. But trust me - we wont want that!
Thanks! However, if you read my other post carefully you'd see it wouldn't make any difference to the ease of using the store (it wouldn't make any difference for the user at all), just to a part of the backend. And of course, each DRM system has a single point of failure, but the difference is in my case there is a point of failure per app, while in the current case it's a single point of failure for everything. There is no perfect solution, but there are better solutions than the current one.
I've been contacted by a handful of big WM devs by now who are of somewhat the same opinion.
microsoft.... when it comes to security, they are clueless as usual.
only apple is worse.
I find they windows-7 VPN and "encryption" funny , is there anybody that would trust it ? - even if it was not for the backdoors ?
Just wondering, is anyone else having problems accessing the windows marketplace from the phone? I was able to download a couple of apps yesterday after I installed a custom ROM (TPC Pro Series V3.2), but today I get a message saying there is an update, it installs the update but then I get the following message:
"Windows Marketplace for Mobile cannot connect right now. Try again later."
Is this because of the custom ROM and the latest update to the marketplace, or is this something other people are experiencing?
Remember the days when purchased mp3s were DRM protected and some companies like Sony even put rootkits on music CDs? Did that stop piracy?
Hopefully Microsoft will not repeat these mistakes... There is no need for any further 'protection' for marketplace apps. If a developer isn't satisfied with this mechanism then he/she doesn't have to publish their apps on the marketplace. There's no point in having a centralized app store if every developer uses his/her own licensing scheme.
This is a long shot, but I since the demise of Google Reader (which this app supported) the developer has decided to no longer continue the development of this app. A tragedy; I think we as a community should try and sway him to continue it instead, adding new back ends, both Feedly and TOR (TheOldReader) support would be great. I would love to continue using this app, as it is probably the best RSS reader I have encountered on Android. It is my hope that we can either convince him to continue the project or allow someone else to (any volunteers ?).
Flow Reader gives you an easy way to be on par with your RSS/Google Reader feeds on the go. It was built to provide a minimalist and seamless experience for offline browsing, while delivering additional features not found in similar apps.
Some of the main features include:
- A sleek and fast user interface;
- Offline item content and state caching;
- Multiple simultaneous downloads for fast content synchronization;
- Content filters that automatically mark as read the items you're not interested in;
- Sort items by state (latest/unread/starred) or author;
- Smart algorithms that remove ads and other undesirable content from items;
- No ads.
Click to expand...
Click to collapse
The Developer posted this statement in the most recent app update:
As you sure know by now, Google has discontinued the Reader service, so this app is no longer functional.
Although I am very happy with the (unexpected) success of this app, I've decided to no longer update Flow Reader. This is due to several reasons: a) I built this app "for fun" and to my very specific RSS reading needs. Although I very happy to see that a lot of other people enjoyed it, I was in no way ready for attention it received (due to multiple technical and logistic reasons); b)This app was essentially just a prototype turned into a final product. The Code is very messy right now and it's becoming harder and harder to make any further changes, let alone any major ones (like background updates). c) The app is *very* tied to Google Reader backend, which means that giving proper support to another service would require a very significant amount of effort.
I am very thankful to all my users (especially the ones who donated and gave feedback!), but I hope you can understand the reasons behind this decision - continuing to work on this app would require a major rewrite and too much time trying to (once again) and make the pieces all fit with "spit and glue".
If you are interested in any future app I might develop, you can be notified about it by sending me an e-mail using the button below. You will know beforehand of any project I might be working on (and maybe even receive an alpha/beta version of it?).
Thank you again - and hopefully this won't be the end
The Developer
Click to expand...
Click to collapse
Those who have used the app please voice your support to continue the project as I have emailed the developer the link to this thread.
(Flow Reader dev here)
Right, here's what's going on:
Personally, I'm not very happy with any of the current readers on the Play Store, so the idea of building the next iteration of Flow Reader is one that I really enjoy. Unfortunately, I simply don't have the time that I would need to keep developing it any further. I now have a full time job and not much patience to keep working on the app on my spare time.
The thing is, I have several unique ideas that I believe would greatly improve the experience of Flow Reader. Actually, some of these already graduated from just ideas, as some prototyping is already done and working. I also think there is a decent amount of money that could be made from them, so I'm not very willing to just leave them out in the open.
The fact is, though, it is very unlikely that I'll ever finish this new version of the app that I'm building. I can see two options right now:
OPTION 1 - The cooperation route:
- I will pair with another developer (or a small group of developers). Bear in mind that the code is reasonably complex, so i'd rather work with someone that feels confortable around code.
- The code of Flow Reader will remain closed, but shared with the people that want to be part of this project;
- I will take care of the things that I believe to be my greatest strength: UIX and prototyping. But I will always be open to suggestions on these areas.
- The profit of the app will be split 25% (for me) and 75% (for the other developer(s)).
OPTION 2 - The free route:
- I open up the code of Flow Reader under the condition that it will forever remain open-source and free (under an attribution, no derivatives and no commercial use licence).
- I will no longer will have any direct input or cooperation on the app.
Also, I honestly think it would be better to start the app from scratch. The code is a complete mess right now so trying to build more features upon it would just be less efficient. Still, some techniques and code used in Flow Reader could be reused to save some time.
Choices
I have been a user of Flow Reader for some time and was really sad when it stopped working and that the dev stated that there was no longer going to be updates to continue after the demise of Google Reader.
That said, I totally agree that it should be continued into the post-Google Reader era of RSS news. I originally created a post on Reddit in which I stated that for the continuality of Flow one idea would be to open source the code on a git site to allow others to progress his work further.
Understandably this poses the risk of Flow Reader loosing it's (work)Flow. All that time and effort the dev put in to creating a stunning, and above all easily functional, UIX could well be lost. On the other hand the simplicity of this RSS reader coupled with its parallel article downloading feature would live on and enrich many an Android RSS fans.
So here I am on XDA, stating my opinions for the two options presented.
For the Closed Sourced Approach:
The idea of sharing the workload will mean that whoever is chosen to work on Flow Reader will most likely have a great deal of knowledge to input in to this project. It also means that the UIX will not change without considerable thought first. This I applaud.
The fact that the developer says that the proceeds of the app will be divvied up indicates to a paid app, further indicating to (hopefully) a group of developers with the incentive to push great work "out the door".
For the Open Sourced Approach:
The hands of many a developer could make this app into something even better than it already is....
...or it could ruin it with out the guidance of the one who had the vision in the beginning.
Usually in the open source community when there is a bug and/or a missing feature, if someone with the appropriate know how can fix it, it shall be done.
A question, then, to WildMoves. Would those who have donated need to pay again once it arrives back on the play store? That is if you are going to make it a paid for only app?
Either way, with the way that Flow Reader handles feeds I honestly have never, and believe never shall, discover one better. To which I would like to say that no matter which direction the dev goes, I will support and give as much feedback as I can.
Again, great work mate and keep on coding,
Skinna a.k.a Skinnx86
Skinna said:
I originally created a post on Reddit in which I stated that for the continuality of Flow one idea would be to open source the code on a git site to allow others to progress his work further.
Click to expand...
Click to collapse
Yes, when I posted my answer I was still trying to develop the next iteration of Flow Reader. I built a prototype to test several ideas before I came to the realization that I couldn't build the full app the way I wanted to in a feasible amount of time and still... well... live. :\ So I am now receptive to offset most of the workload to a developer or group of developers (hence the 25/75 profit split).
Skinna said:
A question, then, to WildMoves. Would those who have donated need to pay again once it arrives back on the play store? That is if you are going to make it a paid for only app?
Click to expand...
Click to collapse
I have the email addresses of everyone who donated, so I could probably create a mailing list to deliver full versions of the (paid) app outside the Play Store. Assuming that I would have the approval from the other developers, it would be a good sign of gratitude to those who donated, IMO.
Reasonable Thoughts
Well a man has to live. To spend your free time developing and building something you would expect some payback of some sort. But thank you for remembering us early adaptors. I know I for one will be thankful, I can but imagine others will be too.
As much as I was appreciative of the beta's being sent to us, but in case you did not hear, Facebook updated some peoples app out side of the play store. Now Google have banned out-of-market beta testing. I believe that sending an apk to install initially will work and should update through the play store correctly.
Ive been through the entire security forum. Must say till a little raw but it will mature hopefully. Still a lot of noobs talking and no serious dev talk. Im not a developer but I have done some research esp on encryption systems and keep myself updated with the loopholes in various apps. Until such time when they do join in I think it would be a good idea (esp if the higher-level know-its) would share their list of apps they use for their everyday functioning and especially how you currently protect yourself best against unwarranted attacks to the types other forums are talking about.
My list is:
K-9 mail : for email. I use APG with that though im still not convinced its worth it cause the keys would be a easy to 'reverse engineer' as you can easily detect the device you use to send the mail and thus an estimate of the computing power essentially showing them the narrow range of prime numbers in which the key could have been generated. But you would need to be a dedicated target for that. Plus its open-source and very popular.
Xprivacy: its good for apps with too many unnecessary permissions but it wont protect you against intruder attacks.
network connections: just switched over to this from wire shark. Still undergoing testing. But it tell you the current internet connections and seem promising. You can block the suspicious IPs using xposed framework called peerblock (look into the xposed mod index). Needless to say but I think blacklisting google would be perhaps make you life considerably old-fashioned esp if your plugging the google 'backdoor' access they provide to 'he-who-shall-not-be-named' organizations.
Browser: im using the native AOSP browser. Firefox would be a better alternative in my opinion to chrome or others. I wish we had chromium for android.
Quickpic: using it instead of the native gallery after i found that it was connecting to the internet.
Calander: using the native AOSP calander but deleted the calander sync cause i try to avoid relying on google too much. selectively Denied internet permission.
ES file manager: a very complete tool. root explorer with checksum built-in. denied internet permissions.
TextSecure : Using this for standard texting because it seems to offer more encryption that any other texting app at the moment. Plus its going to be the default messaging app in Cyanogen ROMs in the future. Offers One-Time-Pad system encryption which is encryption theoretically secure (what that means for the common man is that this encryption is the only one that has stood the test of time to be unbreakable of used properly. All other encryption systems rely on the fact that the decrypting systems used to 'crack' the encryption lag behind the algorithms. Lets hope the devs did implement it properly)
Remove Google from CM10+ ROMs : http://www.xda-developers.com/android/remove-the-google-from-cyanogenmod-with-freecygn/
"Not every user particularly cares for Google’s proprietary bits and its tendency to put them everywhere. As such, XDA Senior Member MaR-V-iN has created a script to clear out Google proprietary binaries from all CM10+ ROMs. Freecyngn disassembles the CyanogenMod settings app and replaces Google Analytics library with the free NoAnalytics. The whole process doesn’t break the Settings app, and turns your device into one that is Google-free"
Click to expand...
Click to collapse
Thanks to @SecUpwN for the site: www.prism-break.org As you will see by visiting this site its not secure but just a list of more open-source projects.
I dont use a lot of google products like gmail or chrome or maps but i would like to minus the uneasiness that i have using it. And i dont use public wifi at all. The great things in life are hardly ever free!
Needless to say but i use CM 10.1 since its well developed and open-source. Looking forward to omniROM by chainfire and other great devs. I do believe we need some serious stenographic programs for android because encryption alone is not the way to go. Maybe they will take this more seriously. This remains a work in progress. As always hit thanks if it helps.
CM is now for profit. It's CyanogenMOD Inc. Anyway, this is a pretty naive approach, IMHO. You want to keep something secret you can't tell technology about it. Check out "Schneier on Security."
where did you download "network connections" from?
@aejazhaq: See www.prism-break.org!
runwithme said:
where did you download "network connections" from?
Click to expand...
Click to collapse
I downloaded it when the dev was giving the pro version free for a limited time to XDA members. How ever its available on the play store...https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en
SecUpwN said:
@aejazhaq: See www.prism-break.org!
Click to expand...
Click to collapse
Yes i cam across that just a week ago. It seems to me as my knowledge progress' that the apps available are just to keep the selective data eg your mails private if you use APG with that. @pan.droid I think anything on your device is still as vulnerable as can be honestly and don't think, at least as of now that you can protect your data on you device with any satisfactory means, at least not yet. I'm interested in stenographic means more now than ever because I think encryption alone wont cut it esp keys generated on the phone; the prime numbers needed for a foreseeable future (3+ yrs) protection are elusive on the phone, perhaps the PC can do a better job, but again with its fallacies esp with emails being stored in the cloud permanently means that there's an expiration date on such material you choose to share. And given it lacks forward secrecy and anyone using PGP in emails is definitely shouting encrypted msgs being transmitted perhaps arousing more suspension and the subsequent package.
Thus I do agree the list is currently very naive but perhaps the best we can do at the moment. Thats why I'll leave people to share their opinions on this because this is perhaps an ongoing discussion.
I'm really interested in a contacts replacement. I hate the new style google version but I don't trust ANYTHING free from the app store. They all download your contacts!
You didn't mention AFWall+, the iptables firewall I consider instrumental in blocking most phone home attempts.
SecUpwN said:
@aejazhaq: See www.prism-break.org!
Click to expand...
Click to collapse
Actually, pretty great site!
pan.droid said:
Actually, pretty great site!
Click to expand...
Click to collapse
You're welcome. If you're interested in security projects, have a look!
I'd totally jump on board with that, but all I have is a WI-FI tablet, ATM. Great activist project for anyone serious about security.
pan.droid said:
I'd totally jump on board with that, but all I have is a WI-FI tablet, ATM. Great activist project for anyone serious about security.
Click to expand...
Click to collapse
Sadly, our project is missing real security enthusiasts and DEVELOPERS. Do you know anyone I should get in touch with?
I use "Keepass2Android Offline" to manage my passwords. This "offline" version removes Internet access permissions which I consider essential for security of my database.
Okay, first, I do not know where I should put this thread, it is for the HD2 specifically, but might one day be useful for other devices.
So, I have an idea, I would like to create an app store for Windows Mobile, specifically Windows Mobile 6.5, NOT Windows Phone, NOT Windows Phone 8/10, NOT Android, NOT Ubuntu or Meego or Firefox OS.
This app store would be updated, it would contain apps that are compatible with WM6.5, also, you would be able to select your device resolution, and get apps that work with your resolution, it could have a tweaks section, so any tweaks could be installed with just a few clicks.
Also, developers would be able to submit their own apps, and people should be able to submit older apps that work on WM 6.5.
So, what do you guys think, would you support such a project.
P.S. What would you think about me trying to get a HTML5 render engine running on WM6.5, so it could use some new mobile-web apps?
P.P.S. Recently, someone with an Android phone, was able to de-solder the NAND chip(with some equipment), and upgrade the internal flash storage, does anyone think this would be possible with the HD2?, maybe we could get 4GB of internal flash instead of 1GB?
Not bad idea.
My company done more basic idea with a repository of apps with description for our WM6.5 users.
Was some quality software for WM, when compare to junk apps you get on android it really night & day, shame Microsoft didn't see potential & develop it more back in late 2000's as it was far better code than android & was the birth of the smart phone & many parts of it copied by iphone & android .
Mister B said:
Not bad idea.
My company done more basic idea with a repository of apps with description for our WM6.5 users.
Was some quality software for WM, when compare to junk apps you get on android it really night & day, shame Microsoft didn't see potential & develop it more back in late 2000's as it was far better code than android & was the birth of the smart phone & many parts of it copied by iphone & android .
Click to expand...
Click to collapse
So, do you think that it would be feasible to make an app store, like this? And what do you think would be a good name for an app store?
I could easily set up a website, however, I do not know how hard it would be to make an installable cab for it.
I could have a basic website, set-up in just a few minutes(without SQL server, which would be needed for an app store).
The main problem though, is getting permission from app developers to put their old apps on the app store, some of the companies don't even exist anymore. And we would need to get NEW developers to make apps and put them in the app store.
You not likely get much support for new apps as just such minority of WM6.x.x devices in use .
Problem 2 is like you say most old apps dropped by developers, many recent apps I got hold of are technically warez but that only way get them & activate them as devs dropped them & purchase option from websites. IM+ was example of this, I wanted purchase a licence but they dropped WM & wouldn't help me out so I had do work around making it a non expiring trial using mortscript to launch app .
If you do any sort of app store and want worthwhile apps then it not going be possible do it 100% legal unfortunately.
Our work web repository is not exactly legal but it keeps WM6 alive & we got about 30 WM6 users who happy
Personally I would do just a good designed web repository with app sections & details & downloads linked to account logins.
If you can build a software app to act as store it would be good, building cab is the easy part .
Mister B said:
You not likely get much support for new apps as just such minority of WM6.x.x devices in use .
Problem 2 is like you say most old apps dropped by developers, many recent apps I got hold of are technically warez but that only way get them & activate them as devs dropped them & purchase option from websites. IM+ was example of this, I wanted purchase a licence but they dropped WM & wouldn't help me out so I had do work around making it a non expiring trial using mortscript to launch app .
If you do any sort of app store and want worthwhile apps then it not going be possible do it 100% legal unfortunately.
Our work web repository is not exactly legal but it keeps WM6 alive & we got about 30 WM6 users who happy
Personally I would do just a good designed web repository with app sections & details & downloads linked to account logins.
If you can build a software app to act as store it would be good, building cab is the easy part .
Click to expand...
Click to collapse
So, it looks like, my website host will not work then, I just made a new account with them too(it is free tho ), my web host says ABSOLUTELY NO warez , however there is this site called "umnet", they have a lot of stuff for lots of devices, including Windows Mobile CAB's. It is not very easy to browse umnet, and there is a lot of garbage, and it is not very easy to sort out what you DO want from what you DONT want. Back on-topic, if I am to make a app-store, I will need to find another host, or something like that.
P.S Is your work app repository, publicly available, or no?
No it on our own server & requires account.
Mister B said:
No it on our own server & requires account.
Click to expand...
Click to collapse
Okay, too bad.
Now, about the app store, I have identified all of the main challenges:
1. Getting a server and/or host.
2. Getting all of the apps.
3. Getting permission from developers to put their paid/non-distributable apps on the server.
4. Setting up a search/description system(will probably be SQL based).
5. Getting the .CAB set up.
6. Getting people to use it.
I have an idea for, convincing developers to make new software for WM6.5, a development fund/bounty. Right now, many people who were once WM6.5 die-hards have stopped developing programs for WM6.5, maybe we can get some new developers, AND get some old developers back, by giving them an incentive to develop for WM6.5. This could be a bitcoin fund/bounty, when a developer wants to make an app, he/she can ask for some bitcoins from the bounty and that could help fund development if his/her app.
Also, ROM's, many ROM's are inactive, my next idea is to, create new ROM's with WEH builds, they will have ALL of the same features and apps and drivers, and versions(6.5.5, the best), but be based on WEH, because WEH has some new under-the-hood stuff like newer security standards, WiFi encryption standards, etc...
Possibly, we could even create new/improved drivers, via reverse engineering or something like that, AND possibly, dig up enough information to implement some of the features of Photon(what WM7 was supposed to be as of 2008), like an unofficial WM7(NOT WP7).