Exchange/Password
Now with Android 2.1 it now makes me use a password. Is there a way to bypass this as it is annoying, or maybe use a pattern instead?
With 1.5 I didn't have to use a password, but with 2.1 now I do.
This works
Just thought I would update with my latest info. So here is the scoop. You can disable the Exchange password lock and have it survive reboots and mail checks. To do this follow these steps:
[APP] LockPicker - disable Exchange lock screen [30-03-2010]
Hi all,
"j0bro"
Just whipped an app together that disables the Exchange lock screen as soon as the server has enforced its policy by using a background service and an observer on the system setting. This requires no polling, scripting, etc. and survives reboots/enforcements.
If you want to use the pattern lock, follow the next steps; if not, just skip the next steps. First set the lock pattern before you set up your Exchange server. Then, after you set your pattern lock, set up your Exchange and it will ask you to set your password. Once complete, download LockPicker in the Market and install & run. It will bypass the password lock and the pattern will now work.
Or
klaus27
Originally Posted by klaus27
Ok, my app is ready. I have sent it to tamburylar for testing.
Version 1.0 is ready for testing. Working with HTC Sense. Waiting for reply for Milestone support. HERE
__________________
HTC Sense or Motorola Droid with Exchange and password policy? Get rid of it: http://forum.xda-developers.com/showthread.php?p=6044673
networx2002 said:
Exchange/Password
Now with Android 2.1 it now makes me use a password. Is there a way to bypass this as it is annoying, or maybe use a pattern instead?
Not sure what you're trying to say here...
I'm using Exchange through my work, and the process is exactly the same as it has been on 1.5. Can you clarify your issue? Thanks!
networx2002 said:
Exchange/Password
Now with Android 2.1 it now makes me use a password. Is there a way to bypass this as it is annoying, or maybe use a pattern instead?
This has to do with the exchange active sync policies your IT dept has implemented. I believe you can remove that option from EAS on the exchange server.
As a workaround, you can use TouchDown for your Exchange needs as it doesn't lock down your phone but just your Exchange email.
swornenemy said:
This has to do with the exchange active sync policies your IT dept has implemented. I believe you can remove that option from EAS on the exchange server.
As a workaround, you can use TouchDown for your Exchange needs as it doesn't lock down your phone but just your Exchange email.
Thanks,
With 1.5 I didn't have to use a password, but with 2.1 now I do.
Thanks
networx2002 said:
Thanks,
With 1.5 I didn't have to use a password, but with 2.1 now I do.
Thanks
Yeah android 2.1 is more EAS compliant and can actually do remote wipes if you ever lose your phone which is nice. I did this on my hero and it wacked everything off and would only boot into recovery. Thank god for nandroid.
Be advised that if you enter your password wrong 10 times, (provided that you are still using the built in android exchange support) it will format your phone as well.
I've got it backed up, just hate to have to unlock it all the time.
Wish they would let you use a pattern.
networx2002 said:
I've got it backed up, just hate to have to unlock it all the time.
Wish they would let you use a pattern.
I am in the same position as you. Delete your Exchange account and use TouchDown for your Exchange mail. This way it doesn't require you to use a PIN to use your phone except when accessing your Exchange mail through TouchDown.
swornenemy said:
I am in the same position as you. Delete your Exchange account and use TouchDown for your Exchange mail. This way it doesn't require you to use a PIN to use your phone except when accessing your Exchange mail through TouchDown.
I have never been able to get TouchDown to work for me.
Just thought I'd join this thread, as I was shocked to find the Exchange password on 2.1 too. Personally I love the idea of password and secure wipe, but the problem is the keypad is so difficult to type passwords on it takes me forever to log in. I prefer just using the sliding password. And let's face it, if someone wants into your password protected phone all they need is a USB cable, laptop, and SDK and they can bypass it.
To this end I've been playing with a way to bypass the password and I have been somewhat successful. I am VERY new to this stuff I've been basically teaching myself as I go, so if there are any experts around with an interest please feel free to take this knowledge and run with it.
** DISCLAIMER ** I've no idea what this will do to your phone or your email so make sure you back up. I've had no problems with any of these settings and I've always been able to just delete the Exchange account and re-add it when there was a problem. That being said.. you've been warned, back up. Also bypassing your company's pointless security measures may be dangerous and cause for termination.
To get started you'll need the SDK and working ADB. It appears all the exchange info is stored in a database file that you can read/edit with sqlite3. Here is what I've found so far:
adb shell (probably need root, not sure)
cd /data/data/com.android.providers.settings/databases
sqlite3 settings.db
Optional sqlite3 settings to make reading easier:
.headers on
.mode column all
.width 2 40
There are two tables of interest here:
select * from secure;
select * from system;
The following update commands are what I used:
update secure set value=0 where name='DevicePasswordEnabled';
** This command will turn off the DevicePasswordEnabled and let you use a slide unlock pattern, but the password is still set from before.
update system set value=0 where name='lockscreen.lockexchange.enable';
** This command is the magic, I found out by watching logcat that when you unlock your phone it does an IF check on this variable and if it's set then it requires you to enter a password. Once this is set to 0 it skips the password and will ask for your slide unlock pattern instead. If you don't have an unlock pattern it will just jump to your home screen.
update secure set value=0 where name='MaxInactivityTimeDeviceLock';
** This one isn't too critical but I found it and thought I would share it. It basically removes the Exchange requirement for a idle timeout.. mine was set to 30 mins which was perfectly reasonable, but I removed it anyway.
Now once you run these update commands the changes are "done" no need to reboot or do anything special (don't even need to quit sqlite3) if you try to unlock your phone it might ask for a password the first time but enter it and lock the phone again. When you try to unlock it now the password has been removed. WOOOT!!
Now if you recall at the beginning I mentioned that I've been "somewhat" successful, this fix appears to work perfectly and survives Mail client refreshes and reboots. BUT to my dismay every morning when I wake up and unlock my phone I'm presented with the same "You must enable security settings" msg from Exchange. When you click OK it resets all the changes we made and we are back to square one and have to unlock it again.
I am guessing there is some type of refresh of the Exchange provisioning. I've not found how to disable this as of yet. I'm presently playing with the files located in /data/data/com.htc.android.mail/app_config; it appears to store all the provisioning data in a file called eas_provision.prefs. I've just tried to change the two changes we made in this file in the hopes that perhaps it looks here to compare against the database settings and if it finds a difference it refreshes, but I have my doubts.
Unfortunately I cannot test this until morning as I've found no way to replicate whatever causes the Exchange security check.
My guess however is that the mail client itself is re-requesting the security settings.. if that's the case we'd have to either "decompile the mail client" which I don't have the expertise to do. Another option might be to try using an older mail client (assuming this is where the check is).
I hope this helps some folks out there, please share comments and questions, hopefully we can find a good solution. Remember my objective isn't to bypass the security completely but utilize the slide unlock which I feel is just as secure as the password (though I am not certain if the wipe will happen with the slide unlock).
Good Luck
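An added example (not part of the original posts, and not code from any of the apps mentioned): seen from the administrator's side, the three settings edited in the post above are a useful drift signal on a device that is supposed to be under an Exchange policy. This Python check audits a copy of settings.db for them; the name/value table layout, the constructed sample rows and the rule that a positive integer means "enforced" are assumptions made for the example.

```python
import sqlite3

# Settings the post above edits, as (table, name). Treating a positive integer
# as "enforced" is an assumption of this example, not documented behaviour.
POLICY_KEYS = [
    ("secure", "DevicePasswordEnabled"),
    ("system", "lockscreen.lockexchange.enable"),
    ("secure", "MaxInactivityTimeDeviceLock"),
]
ALLOWED_TABLES = {"secure", "system"}


def read_setting(conn, table, name):
    """Return the stored value as text, or None when the row or table is absent."""
    if table not in ALLOWED_TABLES:  # table names cannot be bound as parameters
        raise ValueError(f"unexpected table: {table}")
    try:
        row = conn.execute(
            f"SELECT value FROM {table} WHERE name = ?", (name,)
        ).fetchone()
    except sqlite3.OperationalError:  # e.g. the table does not exist in this copy
        return None
    if row is None or row[0] is None:
        return None
    return str(row[0]).strip()


def classify(value):
    """Map a raw setting value to enforced / disabled / missing / unparseable."""
    if value is None:
        return "missing"
    try:
        return "enforced" if int(value) > 0 else "disabled"
    except ValueError:
        return "unparseable"


def audit(conn):
    """Return (table, name, status) for every policy setting that is not enforced."""
    findings = []
    for table, name in POLICY_KEYS:
        status = classify(read_setting(conn, table, name))
        if status != "enforced":
            findings.append((table, name, status))
    return findings


def build_sample_db(rows):
    """Build an in-memory stand-in for settings.db from constructed rows."""
    conn = sqlite3.connect(":memory:")
    for table in sorted(ALLOWED_TABLES):
        conn.execute(f"CREATE TABLE {table} (name TEXT UNIQUE, value TEXT)")
    for table, name, value in rows:
        conn.execute(
            f"INSERT INTO {table} (name, value) VALUES (?, ?)", (name, value)
        )
    conn.commit()
    return conn


# Constructed sample data: a device as provisioned, and one that has drifted.
COMPLIANT_ROWS = [
    ("secure", "DevicePasswordEnabled", "1"),
    ("system", "lockscreen.lockexchange.enable", "1"),
    ("secure", "MaxInactivityTimeDeviceLock", "30"),
]
DRIFTED_ROWS = [
    ("secure", "DevicePasswordEnabled", "0"),
    ("system", "lockscreen.lockexchange.enable", "0"),
    # MaxInactivityTimeDeviceLock row left out to exercise the "missing" case
]

if __name__ == "__main__":
    for label, rows in (("compliant", COMPLIANT_ROWS), ("drifted", DRIFTED_ROWS)):
        print(label, audit(build_sample_db(rows)))
```

Because the post reports that the server-side refresh restores the values, a single clean audit says little; the signal is a device that reads as drifted between refreshes.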
My employer is one of the paranoid companies that require the full password, so I'm also pretty interested in the answer. Changing values in the database shows promise, but we'll need to see how this impacts what data is sent back to Exchange. For example, if I change the value to not requiring a lockscreen password, does Exchange know? If so, I get in trouble with Exchange admins, and they probably wipe my phone at their will. Ultimately, the device sends data back to Exchange, and the real solution is to find where the connection between Exchange and the lock screen is, and cut the cord.
For what it's worth, on the Pre this was handled in the lockscreen app and not anywhere near Exchange. The result was bypassing the lockscreen app altogether (return true; - elegant, right?), but that wouldn't meet the needs here of still having something. Once I get it reflashed with Damage's ROM tonight, I'll be playing with this.
And for the record - I'm also not trying to work around security policies enacted by my employer. This is purely for research and educational purposes.
Say I wanted to go the other way, my Exchange server doesn't require a password but I want to use a pass... will following inverse instructions enable the policy?
networx2002 said:
Exchange/Password
Now with Android 2.1 it now makes me use a password. Is there a way to bypass this as it is annoying, or maybe use a pattern instead?
With 1.5 I didn't have to use a password, but with 2.1 now I do.
My company has the security enforced on our Exchange server. Keyguard Disabler (look it up in Market) will do this, but it also disables the slide-to-unlock. You can toggle it on and off as you need it.
-Daryel
I'll have to try it.
Installed Keyguard Disabler from the market and it works great. Well worth the buck 50. Buggy when set to auto start on boot so I just put in the password once at boot and run the app. Completely bypassed the lock enforced by my exchange server.
Hell, I just logged into my Exchange server and disabled the pin requirement.....
tamburylar said:
Now if you recall at the beginning I mentioned that I've been "somewhat" successful, this fix appears to work perfectly and survives Mail client refreshes and reboots. BUT to my dismay every morning when I wake up and unlock my phone I'm presented with the same "You must enable security settings" msg from Exchange. When you click OK it resets all the changes we made and we are back to square one and have to unlock it again.
I am guessing there is some type of refresh of the Exchange provisioning. I've not found how to disable this as of yet. I'm presently playing with the files located in /data/data/com.htc.android.mail/app_config; it appears to store all the provisioning data in a file called eas_provision.prefs. I've just tried to change the two changes we made in this file in the hopes that perhaps it looks here to compare against the database settings and if it finds a difference it refreshes, but I have my doubts.
Unfortunately I cannot test this until morning as I've found no way to replicate whatever causes the Exchange security check.
My guess however is that the mail client itself is re-requesting the security settings.. if that's the case we'd have to either "decompile the mail client" which I don't have the expertise to do. Another option might be to try using an older mail client (assuming this is where the check is).
I hope this helps some folks out there, please share comments and questions, hopefully we can find a good solution. Remember my objective isn't to bypass the security completely but utilize the slide unlock which I feel is just as secure as the password (though I am not certain if the wipe will happen with the slide unlock).
Good Luck
I remember from the Windows Mobile days that most Exchange servers automatically refresh the policies each night just after midnight. I used to have a program that ran every so many minutes that looked for that policy to be set and would unset it again. Maybe we can get a DEV here to write us a program that runs in the background on Android that will check and apply your changes above at some periodic amount of time. I would donate for it.
kranz68osu said:
I remember from the Windows Mobile days that most Exchange servers automatically refresh the policies each night just after midnight. I used to have a program that ran every so many minutes that looked for that policy to be set and would unset it again. Maybe we can get a DEV here to write us a program that runs in the background on Android that will check and apply your changes above at some periodic amount of time. I would donate for it.
That would be nice
magic answer to fixing this password stuff
I had the same problem with my work email server, I tried TouchDown, didn't like. Here's the answer people, download LockBot, the free version, from the Market. Use it, and if you're like me, you will have no problem.
Damn it feels good to finally help and not be helped by these forums. lol. Hope it works. Post back
ukcatsfan said:
I had the same problem with my work email server, I tried TouchDown, didn't like. Here's the answer people, download LockBot, the free version, from the Market. Use it, and if you're like me, you will have no problem.
Damn it feels good to finally help and not be helped by these forums. lol. Hope it works. Post back
Downloading now
It works. Thanks
one happy hero user
My phone is both unlocked and rooted. I couldn't stand the crap. I just froze it since all the apps I want install on the card anyway.
With this leak for Android (which Google is patching) is there any app or ROM that will make password entry required (no saved passwords - I don't save them on the computer, so it's no hardship)
I do have wifi calling, and I will use it over public wifi. I go to places where I get one bar at the most, and the motel has free wifi. I want my pet sitters and house watcher to be able to contact me at any time. My daughter moved to England, so I need Skype, and Skype only works on wifi on Android.
I don't use Picasa, sync the calendar, but I don't want my contacts to be bothered if that is what a hacker has in mind. There is no personal info saved on my phone. I also don't game. I don't watch movies.
Also, I would like a firewall. I have both Bing and Groupon banned in the firewall and in the hosts file. Bing is getting too far ahead of itself. It's allied with Yahoo and I do have a Yahoo mail account.
I use the phone as a PDA reference guide, and the processor speed and screen is why I bought it. I have frozen all the social apps and I might delete them. The phone has been working super since it's been rooted and I enjoy it.
Thanks,
Zuben
I am not sure what you are exactly asking?
You mention password entry? If you are talking about accessing the phone, there is the lockscreen that you can either password enable or choose a pattern to lock the device.
You also mentioned a firewall? There is Webroot security with which you can manage things. But, you said that you blocked a few things already? I don't understand.
fknfocused said:
I am not sure what you are exactly asking?
You mention password entry? If you are talking about accessing the phone, there is the lockscreen that you can either password enable or choose a pattern to lock the device.
You also mentioned a firewall? There is Webroot security with which you can manage things. But, you said that you blocked a few things already? I don't understand.
I want the apps to ask for a password - not the phone. If I use app market I want to log in every time - do not save the password.
Google mail and Tmobile I could stop from automatic sync. I don't want them syncing automatically unless it's a needed function.
Example: I got a list of updates today, and I can't block the ones I don't want.
There's one in the list for Youtube and Youtube is frozen. So is Facebook. So I didn't allow the updates.
So does anyone have a custom ROM or an app that does this? And where do you find info on webroot security?
Unfortunately the SGS4G is still in its early stages of development, there are a couple good ROMs out there but they are still stock and not custom, however they do improve the performance of the phone. As for what you're asking for, no, there are no ROMs that do this yet.
dsexton702 said:
Unfortunately the SGS4G is still in its early stages of development, there are a couple good ROMs out there but they are still stock and not custom, however they do improve the performance of the phone. As for what you're asking for, no, there are no ROMs that do this yet.
Thanks, do you think there will be one?
How far can developers go to get rid of stuff?
I saw this:
http://www.usatoday.com/tech/news/2011-05-09-emergency-alerts_n.htm
and I don't want it. Especially presidential alerts. I would guess that the final version isn't out yet, but I'm curious. I think it would eventually lead to abuse.
I buy my phones for my own reasons and use them in my own way, so I'm not your typical user. I see the phone as a PDA, only voice/text is communication.
The rest is all my required information at my fingertips, and the new screens and processors on the phones are great.
2 Factor Authentication for Windows alpha
Hey folks,
this is my alpha preview of my 2Factor Authentication App for Android/Windows.
Disclaimer: By installing this app you will possibly harm your Windows system. Expect many bugs in the Phone app, but especially in the Windows app. Use it at your own risk. By downloading the app you agree to this.
This app could make Windows unusable*
*Well, better use Linux or Mac anyway.
What does this app do?
It adds a second screen after you entered your password, asking for a pin. This pin can be generated by your mobile phone and only used once.
The screen will open every time you log in, even after Standby/Hibernate/LockScreen.
Who should use it?
Paranoid people like me, especially those that own a laptop. If someone gets your Windows password via keylogger or phishing, he still can't log in.
In addition you could use the Windows auto-login (loads up all your autostarts) and would be still required to enter a code.
Who shouldn't use it?
People who are working with restricted rights (no Admin/root rights!), as these won't get past the login screen ;-) (might be fixed in final).
People who have multiple accounts on their computer, as every user is required to enter the same pin (will be fixed in final).
People who think this adds an extreme amount of security. Even though it does work in failsafe mode, there are some ways to get around it. If the "bad guy" has physical access to your computer, this is almost as (un-)safe as the Windows password.
Installation
Extract all files from the zip to a folder, e.g. C:\IdislikeWindows\. Then run installtion.exe; make sure you run the installer with administrator rights. You need an internet connection for that, so the program can generate a QR code that you then scan with your phone (apk attached below).
After entering your first generated key you're good to go.
Make sure that you never remove or rename that folder or any files in it!
Removal
Just double click on Uninstall.exe. If you used the graphical login before, select that option. Make sure you run the uninstaller with administrator rights.
What works doesn't work (yet)
- Impress with a fancy UI
- It won't work on Windows 9x (won't be supported)
- Users can still Alt+Tab / Win+R
- Users can still open Taskmanager (this is done for debugging)
- Synchronize if you have two phones
- Multiple Accounts
- Non-admin Accounts
- Phone App stores only one passphrase
... and much more I guess.
Tested on
- Windows XP
For safety reasons, the Windows part won't work after 2nd of July. But I will upload a new version until then
So go ahead, test this app and report many bugs; I bet there are a lot. In addition I'm curious if it works on Win7 and Vista as well.
If something goes wrong, you can always start uninstall.exe with your Task Manager.
I'm looking forward to your feedback!
Thanks,
Marc
Update 22/06/2011:
- added Vista/Win7 Manifests
- Ping not done via RawSocket, so it is possible to install on Vista/Win7
- Remote Sessions should trigger 2FA as well.
Screenshots:
forceu said:
2 Factor Authentication for Windows alpha
Hey folks,
this is my alpha preview of my 2Factor Authentication App for Android/Windows.
.......
What does this app do?
It adds a second screen after you entered your password, asking for a pin. This pin can be generated by your mobile phone and only used once.
The screen will open every time you log in, even after Standby/Hibernate/LockScreen.
Who should use it?
Paranoid people like me, especially those that own a laptop. If someone gets your Windows password via keylogger or phishing, he still can't log in.
In addition you could use the Windows auto-login (loads up all your autostarts) and would be still required to enter a code.
......
Man, you are a genius, I was really looking for something like this.
One question: does it work over RDP? I have a computer at work (encased in a rack in a renderfarm) and I work by logging in with Remote Desktop Connection.
Cool... Will be keeping eye on this one!
daniel.mitran said:
Man, you are a genius, I was really looking for something like this.
One question: does it work over RDP? I have a computer at work (encased in a rack in a renderfarm) and I work by logging in with Remote Desktop Connection.
It probably won't work, but I will try it today. And I know there is a way to trigger it after someone started a remote session. I guess I will have it coded today or tomorrow
I uploaded a zip, replace the service.exe with the one in your folder and try it. As I posted above, it is not tested, so I don't know if it's actually working ;-)
Feedback is always appreciated.
/edit: Sorry for double post
First off - I'm just an everyday user of an Android device, never interested in hacking or any other "advanced" use of computers and the like. My greatest achievements so far are jailbreaking an iPhone, rooting an Android phone and installing a stock ROM on it. You can call me a noob. However - I like to improve things I use and I also value my privacy. That's why I installed software that locks access to certain apps on my phone. I recently found this app actually did the opposite - it made my device vulnerable to identity theft and potential financial loss. I wouldn't really bother telling my story if developers didn't delete my one-star rating with a brief description of the problem right after I posted it in the Play Store.
So, to the point. I installed the CM Security and app lock app (nearly 14 million users and 4,7 rating) and locked some of the "sensitive" apps with it. One evening I was bored enough to try and play "a hacker" who "found my phone" and see what such a person could do. Considering "a hacker" somehow managed to unlock the device, he'd now encounter my second line of defense - the mighty app locker. And now, in a few short steps I'll show you how much damage you can do with it:
1. First it obviously asks you for an unlocking password/pattern, but -as you don't know it - you hit in-app menu button and choose "forgot password?" option.
2. It asks you to log in to your Google account in order to reset the password (YES, you can access Google password recovery from inside the app, so even if you lock your device's Settings, your mail client and so on, you can still access the most vulnerable option of your account from "security" app).
3. As you don't know a Google password you hit the "forgot password" link that starts Google password reset process.
4. It will ask you for the "last password you remember", but you can just say you don't know it and then it gives you an option to get a verification code by SMS - chances are it will be sent to the device you're just holding in your hands. And these chances are big.
5. After you get a verification code you're in. You can now set a new Google account password and reset app locker password/pattern.
It's that easy. You not only unlocked an app locker but also got access to Google account which gives you pretty much endless possibilities, including purchase of some apps in the Play Store as it stores your card details and you only need an account password to authenticate the purchase. You can also try to restore Ebay or Paypal passwords or even try to get directly into bank accounts via banking apps. Sky is the limit.
I already deleted the CM "security" app and looked for some replacement. I wasn't really surprised it's kind of a standard that when you install them, security apps ask you to give your Google account details just in case you need to recover your password in the future. And they often make you think that giving these details is an integral part of the installation process, a must-do that is necessary for an app to install and work. Some apps, like CM "security", don't even ask - they just use your Google account details and don't give you a chance to give up such an option.
After all - here's some advice I can give:
1. Don't install any security software that connects to your Google account and gives "password reset" options;
2. Don't give Google your mobile number, even if it seems convenient;
3. Don't use your Google account address as your contact information in "owner info" option of your device.
If you have any other suggestions that may improve security, please share.
Cheers
Question is why you didn't lock your device in the first place.
I think you are misapplying this feature's benefit/use. It is not there, IMO, to secure your phone from an adversary that has even brief access to your phone.
That is what a combination of a lock screen pwd, short for convenience, and full encryption using a separate and longer pwd of high entropy/randomness is for. Even with that it's important to understand how it works and its limitations. Such as it does not encrypt the ext SD card data. So if you put apps or privileged data there you either should not, or should use other means to encrypt it. One such way would be to use TrueCrypt to encrypt it using a PC, being the easiest, and then use one of the APKs that supports accessing those types of partitions/files.
The function you are speaking of is there to prevent people you have a large degree of trust in, such as a family member or close friend possibly, that you may allow to use your phone but do not want them to be able to access private data. Think of a parent allowing their child to use the phone to play a game but does not want them screwing up email or going into their bank app and randomly clicking around etc...
I hope you get the idea. It's not there to prevent someone that means to do you direct intentional harm.
I also want to point out my comments are only directed at the most basic level and only deal with physical security of data on the phone and not the phone itself nor from remote access or privacy.
Also want to point out that a screen lock pwd is nothing but an inconvenience at best to someone wanting access to your data. A quick reboot into recovery and a backup to an SD card will get them all your data and any weakly secured credentials therein. It's only one part of physical security, which is only itself one part in overall data security, which itself is only a part of data privacy. It's a large house of cards, and removing one or putting one little piece in just slightly the wrong place can collapse the whole house.
It's hard to do just the small piece of each of these parts correctly and extremely hard to combine all the small and large parts together for a total protection scheme. It takes considerable research and learning to do these things, especially if your goals are for higher levels of security and privacy.
As an example, someone that really wants their phone data use on Android to be private from commercial data collection, which via proxy means all gov access to said data, would never install Google Play Store or any Google app on their device. That is just one glaring example of many.
http://ad.cmcm.com/en/?f=home-en-top
Cheetah Mobile is spyware. Watch the video on their website.
I would suggest using the built-in encryption on Android. I don't use it myself, but have the Avira app installed. I like their PC software, and gave it a try.
It can be used to track a lost phone or lock it remotely. Since I have rooted my Huawei G300 it complains a bit, but still scans all apps being installed.
bigeasy911 said:
I think you are misapplying this feature's benefit/use. It is not there, IMO, to secure your phone from an adversary that has even brief access to your phone.
Fact is still that this app claims it provides certain security, yet it doesn't. Not everyone will realize this. So it's always good that people keep pointing this out.
Nearly a year gone since I posted this and now I returned to "AppLockers" during my mobile security research. This is such a bad thing I can't believe apps of this kind are accepted by PlayStore and not banned eternally as the most fake security solution that ever existed. What surprised me even more, "serious" companies, eg. Norton are also in this business... anyway
I checked this one first - Best App Lock - it's "best", right? And it's got 4.5 stars rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked test app - everything seems fine.. as long as you don't go to Settings > Apps and don't force stop Best App Lock, because then - your protection is gone. But OK, you can also lock Settings and prevent such tricks and it works... as long as you don't use Activity Launcher to call App Lock's pin reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what pros got for us, the big ones. I checked mentioned Norton App Lock, with 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better, it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot device in Safe Mode and you can disable Norton's permission to draw over other apps to make it helpless as a baby. Or you can just uninstall it in SM. I didn't check anything else, because what more you can do to prevent such workaround, than Norton already did?
If someone is aware of a way to disable power menu, or at least the ability to disable Safe Mode on unrooted Android please share. Until then I call all the App Lock apps the biggest scam in mobile security.
minimale_ldz said:
Nearly a year gone since I posted this and now I returned to "AppLockers" during my mobile security research. This is such a bad thing I can't believe apps of this kind are accepted by PlayStore and not banned eternally as the most fake security solution that ever existed. What surprised me even more, "serious" companies, eg. Norton are also in this business... anyway
I checked this one first - Best App Lock - it's "best", right? And it's got 4.5 stars rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked test app - everything seems fine.. as long as you don't go to Settings > Apps and don't force stop Best App Lock, because then - your protection is gone. But OK, you can also lock Settings and prevent such tricks and it works... as long as you don't use Activity Launcher to call App Lock's pin reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what pros got for us, the big ones. I checked mentioned Norton App Lock, with 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better, it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot device in Safe Mode and you can disable Norton's permission to draw over other apps to make it helpless as a baby. Or you can just uninstall it in SM. I didn't check anything else, because what more you can do to prevent such workaround, than Norton already did?
If someone is aware of a way to disable power menu, or at least the ability to disable Safe Mode on unrooted Android please share. Until then I call all the App Lock apps the biggest scam in mobile security.
The first step to real security is removing all Googleapps and Google account. There is no other way around this. Next, don't install any app that is not open source. Also, don't use any recovery. And finally, either epoxy your entire usb port, if you have let's say a magnetic charging port or cut all usb port pins except for 2 for charging. In addition, you should open the phone and epoxy usb port and contacts from inside, so that it can't be replaced. Or even better: epoxy your entire motherboard. That would take care of UART socket or any other way of entering CPU/GPU/RAM from inside. Encrypt your phone. After that, your phone couldn't be penetrated (other than through the air/baseband, which is a whole different level of sophistication). If someone targets you over the baseband, throw your phone and run for your freedom...
Seriously, in the above scenario, no one can have access to your data: no fastboot, no adb, no recovery. They wouldn't be able to replace kernel, recovery, system or use any OEM official flashing method... I welcome any suggestion to hack such a device...
minimale_ldz said:
Nearly a year gone since I posted this and now I returned to "AppLockers" during my mobile security research. This is such a bad thing I can't believe apps of this kind are accepted by PlayStore and not banned eternally as the most fake security solution that ever existed. What surprised me even more, "serious" companies, e.g. Norton, are also in this business... anyway
I checked this one first - Best App Lock - it's "best", right? And it's got 4.5 stars rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked test app - everything seems fine.. as long as you don't go to Settings > Apps and don't force stop Best App Lock, because then - your protection is gone. But OK, you can also lock Settings and prevent such tricks and it works... as long as you don't use Activity Launcher to call App Lock's pin reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what pros got for us, the big ones. I checked mentioned Norton App Lock, with 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better, it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot device in Safe Mode and you can disable Norton's permission to draw over other apps to make it helpless as a baby. Or you can just uninstall it in SM. I didn't check anything else, because what more you can do to prevent such workaround, than Norton already did?
If someone is aware of a way to disable power menu, or at least the ability to disable Safe Mode on unrooted Android please share. Until then I call all the App Lock apps the biggest scam in mobile security.
Reviews or star ratings are not always very reliable, just use as a rough guide .... (In my opinion SOME of those Chinese apps seem to be amongst the worst offenders)
https://techcrunch.com/2014/05/27/f...unes-but-google-play-has-the-worst-offenders/
optimumpro said:
The first step to real security is removing all Googleapps and Google account. There is no other way around this. Next, don't install any app that is not open source. Also, don't use any recovery. And finally, either epoxy your entire usb port, if you have let's say a magnetic charging port or cut all usb port pins except for 2 for charging. In addition, you should open the phone and epoxy usb port and contacts from inside, so that it can't be replaced. Or even better: epoxy your entire motherboard. That would take care of UART socket or any other way of entering CPU/GPU/RAM from inside. Encrypt your phone. After that, your phone couldn't be penetrated (other than through the air/baseband, which is a whole different level of sophistication). If someone targets you over the baseband, throw your phone and run for your freedom...
Seriously, in the above scenario, no one can have access to your data: no fastboot, no adb, no recovery. They wouldn't be able to replace kernel, recovery, system or use any OEM official flashing method... I welcome any suggestion to hack such a device...
Well you forgot SD card, unless you encrypt that as well, which for a user who uses the card for transferring files across different devices is not such a bright idea.
Using epoxy could slow down the hack, and seriously give more trouble to the user than the hacker.
That being said, your idea of securing the data is somewhat clear, but really a secured device? 'Cause epoxy can be penetrated as well, lock screen can also be bypassed, even without Google and a recovery.
It might take more time than hacking an average device, but still it can be done, and most probably the hacker would be the same owner, 'cause he forgot the damn password and is looking to get back the data.
The more we try to secure, the more we make our lives tough.
billysam said:
Well you forgot SD card, unless you encrypt that as well, which for a user who uses the card for transferring files across different devices is not such a bright idea.
Using epoxy could slow down the hack, and seriously give more trouble to the user than the hacker.
That being said, your idea of securing the data is somewhat clear, but really a secured device? 'Cause epoxy can be penetrated as well, lock screen can also be bypassed, even without Google and a recovery.
It might take more time than hacking an average device, but still it can be done, and most probably the hacker would be the same owner, 'cause he forgot the damn password and is looking to get back the data.
The more we try to secure, the more we make our lives tough.
Epoxy: Knowing how small and fragile phone motherboards are, I think you will most likely damage the board while trying to penetrate epoxy... Maybe you shouldn't epoxy the USB port on the outside, but cut the data pins and epoxy on the inside to not give a hint to an attacker. Anyway, I wish an attacker fun time trying to remove epoxy...
The point of encryption is to protect data when the phone is off. So, it makes sense that for someone without a password, the phone turns into a brick. And if you tend to forget the password, then write it down somewhere other than the phone...
Mobile security is a myth. At best it is a door knob lock. Will keep honest people honest but won't stop someone from really trying and doing it.
I see lots of talk from people about security and yet these same people use Facebook, which has enough holes in it that anyone could hack someone else's PC. I use it all the time to mess with people. The looks on their faces are priceless.
Full disclosure: I don't normally do forums so sorry if I do this wrong.
I purchased a Bluetooth Purification Mask named Atmoblue.
It originated in China. I've had it for a few months now and it has Bluetooth and there is an app for it but it looks like it's taking forever for it to be moved over to English.
My question is how hard would it be for a person (or me, with no experience at all) to pull the basic functions out of the app?
For example I want to bypass the WeChat login (cause, no) and basically get the pairing function up and running along with the fan speed and some of the auto features in the app and create a basic app til they release the full thing.
If any of you also want to try I can send you the link to the APK. Or if you would do it and require payment at completion how much would that cost?
In case you need to see the device just google Atmoblue.
Thanks again everyone.
mastershino said:
Full disclosure: I don't normally do forums so sorry if I do this wrong.
I purchased a Bluetooth Purification Mask named Atmoblue.
It originated in China. I've had it for a few months now and it has Bluetooth and there is an app for it but it looks like it's taking forever for it to be moved over to English.
My question is how hard would it be for a person (or me, with no experience at all) to pull the basic functions out of the app?
For example I want to bypass the WeChat login (cause, no) and basically get the pairing function up and running along with the fan speed and some of the auto features in the app and create a basic app til they release the full thing.
If any of you also want to try I can send you the link to the APK. Or if you would do it and require payment at completion how much would that cost?
In case you need to see the device just google Atmoblue.
Thanks again everyone.
There is pretty much a 99.9% chance that you won't find anyone to do this for you. The best you can hope for is someone might give you some links to guides showing how to decompile and edit apk files. What you would modify in the apk file to achieve your purposes would require you doing your own research to figure it out. You can ask further questions along the way about the things that you don't understand, but there are no guarantees that you will get any useful answers.
In other words, be prepared to dig in and do the work yourself, if you really want to accomplish this feat. If not, get used to dealing with the app the way it is.
Sent from my SM-S767VL using Tapatalk
Yeah, I started researching the day I posted this. I've been reading and reading and reading. I've gotten to the point where I now have access to the battery percentage. Currently, trying to figure out the characteristics in the device itself and the values needed to change each of the modes. Also, it looks like the app from the company is pretty much useless to try to use. Based on the code (from what I can understand after 2 days of research and starting off with 0 coding knowledge) the app has to use WeChat to basically be able to access a server and then the server sends it back to the phone then the device. Meaning I can't just look in the code for what values I need, unless I was able to actually sign into WeChat and record the log. Which I can't do since I don't have access to WeChat.
So now I'm currently looking up how to write code in the programs I've found to write it and create a UI. I've at least figured out UUIDs and figured out how to call up the battery percentage now. Only like 3 more settings to go! Wish me luck lol