Trojan targets custom ROM's - Thunderbolt General

Just thought I would share this story I read this morning. This isn't to cause fear or even suggest that the ROMs we use are susceptible to this, I just figured it's always better to share information.
http://www.net-security.org/malware...ign=Feed:+HelpNetSecurity+(Help+Net+Security)

It's only an issue because of developers that were signing their software with the aosp platform keys (which are publicly available for anyone to use) when they should be using their own private key.
That's just a form of laziness and stupidity in terms of security. The developers either figured no one would ever think of doing this (security through obscurity) or they just didn't realize that someone could do this (and have no clue how public/private key encryption works). Either one is bad.
I mean, you wouldn't use a publicly available ssh private key to access your server, would you? Or in layman's terms, you wouldn't put a lock on your door that everyone has or could get a key to, would you?
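
A defender-side check for the situation described in the reply above, added here as an example (it is not part of the thread): it walks a set of APKs, pulls the signing certificate out of each v1 (JAR) signature block, and flags any package whose certificate fingerprint is on a deny-list of publicly published signing certificates. The deny-list entry, the sample "APKs" and their certificates are constructed stand-ins, and signature schemes stored outside META-INF are not read.

```python
import hashlib
import io
import zipfile

SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, element_start, value_start, value_end) per child element."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve

def signer_certs(pkcs7):
    """DER certificates embedded in a PKCS#7 SignedData blob (META-INF/*.RSA)."""
    tag, vs, ve = read_tlv(pkcs7, 0)                     # ContentInfo SEQUENCE
    kids = list(children(pkcs7, vs, ve))
    if (tag != 0x30 or len(kids) < 2 or kids[1][0] != 0xA0
            or pkcs7[kids[0][1]:kids[0][3]] != SIGNED_DATA_OID):
        raise ValueError("not a PKCS#7 SignedData block")
    _, vs, ve = read_tlv(pkcs7, kids[1][2])              # SignedData SEQUENCE
    certs = []
    for tag, _, cvs, cve in children(pkcs7, vs, ve):
        if tag == 0xA0:                                  # certificates [0] IMPLICIT
            certs += [pkcs7[s:e] for t, s, _, e in children(pkcs7, cvs, cve)
                      if t == 0x30]
    return certs

def cert_fingerprints(apk_bytes):
    """SHA-256 fingerprints of every v1 signing certificate in an APK."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            up = name.upper()
            if up.startswith("META-INF/") and up.endswith((".RSA", ".DSA", ".EC")):
                fps |= {hashlib.sha256(c).hexdigest() for c in signer_certs(z.read(name))}
    return fps

def audit(apks, public_fps):
    """Map each package name to a verdict against the deny-list public_fps."""
    report = {}
    for name, data in apks.items():
        try:
            fps = cert_fingerprints(data)
        except (ValueError, IndexError, zipfile.BadZipFile):
            report[name] = "unparseable"
            continue
        if not fps:
            report[name] = "no-v1-signature"
        elif fps & public_fps:
            report[name] = "public-key"      # signed with a key anyone can obtain
        else:
            report[name] = "not-listed"
    return report

# ---- constructed sample input (hypothetical helpers, not real certificates) ----
def der(tag, body):
    """Encode one DER element with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def fake_apk(cert=None):
    """Build an in-memory zip shaped like an APK, optionally with a signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"placeholder")
        if cert is not None:
            signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"")
                         + der(0xA0, cert) + der(0x31, b""))
            z.writestr("META-INF/CERT.RSA", der(0x30, SIGNED_DATA_OID + der(0xA0, signed)))
    return buf.getvalue()

def demo():
    public_cert = der(0x30, b"CONSTRUCTED stand-in: published test certificate" + bytes(200))
    own_cert = der(0x30, b"CONSTRUCTED stand-in: ROM developer's own certificate")
    deny = {hashlib.sha256(public_cert).hexdigest()}
    rom = {"Settings.apk": fake_apk(public_cert), "Launcher.apk": fake_apk(own_cert),
           "Extra.apk": fake_apk(), "Broken.apk": b"not a zip"}
    return audit(rom, deny)

if __name__ == "__main__":
    print(demo())
```

For a real audit the deny-list would be filled by hashing the DER form of the test certificates published in the AOSP source tree.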

Related

Marketplace "advanced" "copy protection" cracked

This is a continuation of this thread: http://forum.xda-developers.com/showthread.php?t=567870, which covered cracking the original "basic" copy protection of Marketplace.
---
I have now cracked the "advanced" copy protection used by Marketplace. As you may know, this is a "better" protection than the original "CAB copy protection" Marketplace offered. This "advanced" protection uses license keys that are verified when you run the application, and given out and controlled by Microsoft.
Several developers are annoyed that Microsoft does not allow us to use our own licensing schemes, and are forced to use "no protection" (the original CAB copy protection) or use Microsoft's scheme which is essentially a single point of failure for all Marketplace protected apps.
This new "advanced" protection was released today by Microsoft, and as far as I know no app available already uses it at the time of this writing.
So I got the code snippets you are supposed to put in your app and it was simply jawdroppingly WTF. While it was not exactly easy to beat, it took me less than two hours to devise a "generic" hack, without modifying any files on the device. (Well hey, at least it's better than the 5 minutes it took for the "basic" protection, right?)
A "generic" hack? Yes, by this I mean that this single hack (actually, running an EXE in the background) will completely bypass the entire code snippet provided by Microsoft that is supposed to check and validate your license code, for all Marketplace apps that use this "advanced" protection.
I will not publish the code that performs this hack, so don't ask. My goal is not to crack Marketplace apps, my goal is to get MS off their ass and allow us to use our own licensing systems, like the good little resellers they're supposed to be. I will tell you that it has to do with runtime patching the crypto API, but that's it. All in all, I don't think it will take long for the warez people to duplicate this hack.
---
Some further reasoning about anti-piracy, solutions, etc can be found in post 13 on page 2.
If there are no apps that use it yet, how do you know your hack works?
Because the Marketplace portal provides code ("code snippet") you have to compile in your EXE, and that takes care of the whole licensing thing.
So you look at that source, spot the weak points, devise a hack. Then compile a program using said "code snippet" and try the hack on it.
If developers simply copy/paste the snippet they are given by the Marketplace portal, this hack will work.
amen
hallelujah
hit me now
YEAH
Have given the issue some press: http://www.1800pocketpc.com/2009/11/13/marketplace-advanced-copy-protection-cracked-in-less-than-2-hours.html
Anti-piracy protection is intended to stop ordinary users from transferring cabs between devices and it is successful at that. There is no protection that will stop apps from being pirated, certainly not for handheld devices. The new advanced protection is adequate and any further techniques are redundant and a waste of time, because no matter how 'strong' they are, they WILL be cracked.
Slightly if not totally off-topic: A mainstream consumer's view
I agree with you and your premise. Now a quick story.
I consider myself a mainstream consumer... but I have been a member of XDA for, what, I think 4 years, using 2 WM phones, first the T-Mobile MDA, then the Wing (HTC Herald), and I am about to switch to Android with the HTC Hero. I am reasonably savvy about tech, just not a coder. But I've done all the hard SPL, flashing ROMS, using beta software, and supporting developers here with pretty significant donations. I am also a User Experience / Usability designer for web as a profession. THAT'S MY BACKGROUND.
To date, my experience buying WM apps has been universally AWFUL. Whether it was, just recently, Resco Picture Viewer from PocketGear, or WM Defrag from Wizcode, or PocketPlayer from Conduits. I am more than happy to buy excellent software that works, and has a decent UI. But in each case, the process of buying the app and getting it onto my phone has been absurd, and frustrating beyond belief. Each provider makes all sorts of assumptions -- often wrong -- including "you must be downloading this from a PC, so we will download for you an executable that runs on a desktop PC then installs via active sync onto your device."
Whatever the percentage is, doesn't matter: A lot of people, like me, download all my cab files, and purchase apps, on my Mac... and either email myself the .cab file or .zip files, or place my microSD card from my phone into a USB reader. Thus, what a frikkin headache to end up getting PocketPlayer on my phone... but because I didn't download it from a Windows PC, I was screwed.
This stuff is archaic. This past week it has taken 5 days to get Resco Picture Viewer on my phone after purchasing from PocketGear.com . They have a completely retarded transactional process, a terrible UI, broken software in terms of user recognition and resetting username and password, and a completely phone-UNFRIENDLY site, with most sub-level menus not even accessible from browsers like Opera Mobile, Netfront, Iris ... They are dumbass pull downs using god knows what -- flash or javascript, whatever. But fact is: a simple navigation process to access the products on the phone itself can't even be achieved by these clowns -- yet everyone is in overdrive now trying to get their version of "THE" WindowsMobile app store online, while Microsoft stumbles.
The fact is: I would LIKE to see a uniform transaction process which is designed professionally, and supports great usability design, and once I buy the app, quit making me go through absurd backflips just to get access to the cab file. Stop requiring me to use a Windows PC. And stop all the "special OUR way" authentication processes. Because if they were so good, there wouldn't be the kind of problems I have described. I'll even grant anyone who wants to -- to say "well you're just a dumb**** user who doesn't understand their particular process"... I'll grant you that, and my answer would be:
If you plan to sell a lot of apps -- ie, make money via VOLUME transactions vs pricey apps -- a la iphone -- then it makes a hell of a lot of sense to make a uniform system of delivery if you're buying it through an app store, and for god's sake, cut the crap and figure it out. It's not so hard to send an authentication code via email or text message. But it's exactly WRONG to be having 1000 developers using 1000 special "our way" authentication processes, because the odds of 1000 app developers having a great, simple, effective UI and safe authentication system that prevents piracy of their app is pretty low, based on the experiences I have had to date with MAINSTREAM products for WM.
That's my view. But I see a whole lot of clumsiness from the Windows Mobile side of the fence pertaining to this whole new way of monetizing apps. There's a reason apple succeeds in that department -- even with their bloated catalog and draconian approval processes. They understand how to deliver products to consumers -- vs repelling them from a dumbass process, no matter how good that process may be in theory.
Couldn't agree more!
I'll add one more reason I wrap my head in duct tape every time I download/install an app.
Think it's bad with every developer having their own authentication method? How about when each developer has a DIFFERENT authentication scheme for every app they make?
I like a rant - thanks for doing it for me as I agree with you 100%.
The top of my annoyance list (which you did include) are sites selling mobile software which are NOT mobile browser friendly, WTF is that all about?
Big Up, I still don't think anyone else would have done it in two hours.
Hey you warned them didn't you.
Haha Chainfire, is there anything you can't do?
More in the Dutch press:
http://tweakers.net/nieuws/63713/nederlander-kraakt-nieuwe-beveiliging-windows-marketplace.html
While I do appreciate the "rant", I think you're missing my point - or perhaps I just don't agree. (Edit: that is in response to this post http://forum.xda-developers.com/showpost.php?p=4936479&postcount=7)
When I say "use our own licensing schemes", I do not mean codes sent back and forth through websites, screen you have to type stuff in etc. This is exactly not needed because Marketplace is also the delivery mechanism. In other words, the license code can be installed by Marketplace directly without the user ever seeing or hearing about it.
This is partly how the new system works, actually. However, if Microsoft supported license codes you give them things would be more secure (though granted, for a large part by obscurity).
Some authors will not care and simply not use it at all, for example with the cheap apps it may not be worth their while. Others may wish to track license key usage, so that if suddenly 10.000 users start using the same key instead of the 1 who bought it, that key can be disabled, etc. Some may want the app to call home, some will not. Imagine that developers that do employ such anti-piracy measures will write their own verification / communication code, this beats the single point of failure we currently have. The crackers are back to having to crack each app independently and even then have a much lower chance of success.
Marketplace is the perfect opportunity to implement such a system that does provide some piracy security for the authors while for once it does not unnecessarily annoy the user.
To make the obligatory bad car analogy that fails in many ways, take your car keys. Everyone thinks it's normal to have a car key, so people can't just take your car. Of course, in line with some of the arguments against anti-piracy measures, car keys aren't really that useful, as there's always a brick - the universal key, and a car thief that really wants your car will get it. (You also lock the doors on your house, right?)
Now, the current situation is pretty much that everyone has the same car key. How useful is a car key in that situation? The way I see it (and I'm sure I'm not alone in that), is more like the actual car key situation. Some car keys are laser etched, or have something RFID-like in them and a receiver in the car, or simply use different shapes, etc. That's a lot more useful than everyone having the same car key.
Sure, no matter what you do, eventually things will get cracked and it is a cat and mouse game. One of the reasons this is easily doable is because of the open nature and the very few restrictions of Windows Mobile. This is a good thing. No developer in their right mind would want to get to a restrictive system like is the case on the iPhone or other mobile OS's. That is not the point. That doesn't mean anti-piracy measures are useless though, far from it. The longer you can keep a release from being warez'd, the less you lose.
There are two arguments I hear coming back in various places by various people:
(1) If the normal users can't just copy it, then that is enough (even MS says this)
(2) Piracy works as advertising, you get more eventual sales, etc. etc
Both of these, are from my own experience, completely untrue. The thing is if one person cracks it, it usually spreads on those warez sites pretty quickly.
The big thing here is, the average user is apparently tech-savvy enough to search the warez sites first before buying, and that is just how it is:
We have played the game with that one warez site, monitoring sales when (apparent) cracks were listed and when they weren't (they do remove releases on request). This made a 30-50% difference in sales (with the number being highest during the weekends, and lowest during weekdays). For me that is enough data to know that both (1) and (2) are complete nonsense in the case of mobile apps. No matter all the pretty reasons and perhaps seemingly logical reasons you may come up with for (1) and (2), the numbers don't lie.
So, how would you like to get a 30-50% paycut? It's not like us developers are getting rich here, you know. Can we be blamed for trying to prevent this?
Now, here we have the chance to implement a system that is completely transparent for the user and can be made reasonably safe (and updatable), an obvious win-win situation for everyone involved except the warez people. Why exactly shouldn't we be aiming for this?
What is also painfully apparent here, as Microsoft themselves claim reason (1), that they have no idea what they are talking about.
I am no programmer, so excuse my ignorance, but doesn't everything eventually get cracked? Is there any mobile platform which hasn't a non cracked market place or sites where you can download paid apps for free?
Well done Chainfire
Hello Chainfire,
I am the webmaster of the Tamoggemon Content network, and just covered you:
http://tamsppc.tamoggemon.com/2009/11/13/advanced-marketplace-drm-broken/
http://tamswms.tamoggemon.com/2009/11/13/advanced-marketplace-drm-broken/
Furthermore, an email went out to MSFT asking for a statement. But this is not the reason why I registered here (!!!) - I am instead here to vent a bit, being a Symbian dev myself.
While I fully understand your frustration, I think that allowing every developer to run his own DRM is not gonna do the store good. The reason is that the store was made to make purchasing apps simple - and by allowing everyone to run his own DRM I don't see much of a venue to do this anymore.
Whenever some kind of backend gets involved, there is a single point of failure - the only thing I can think of now would be a very complex system based on servers.
Or, of course, platform security like on S60. But trust me - we won't want that!
Thanks! However, if you read my other post carefully you'd see it wouldn't make any difference to the ease of using the store (it wouldn't make any difference for the user at all), just to a part of the backend. And of course, each DRM system has a single point of failure, but the difference is in my case there is a point of failure per app, while in the current case it's a single point of failure for everything. There is no perfect solution, but there are better solutions than the current one.
I've been contacted by a handful of big WM devs by now who are of somewhat the same opinion.
Microsoft... when it comes to security, they are clueless as usual.
Only Apple is worse.
I find the Windows 7 VPN and "encryption" funny, is there anybody that would trust it? Even if it was not for the backdoors?
Just wondering, is anyone else having problems accessing the windows marketplace from the phone? I was able to download a couple of apps yesterday after I installed a custom ROM (TPC Pro Series V3.2), but today I get a message saying there is an update, it installs the update but then I get the following message:
"Windows Marketplace for Mobile cannot connect right now. Try again later."
Is this because of the custom ROM and the latest update to the marketplace, or is this something other people are experiencing?
Remember the days when purchased mp3s were DRM protected and some companies like Sony even put rootkits on music CDs? Did that stop piracy?
Hopefully Microsoft will not repeat these mistakes... There is no need for any further 'protection' for marketplace apps. If a developer isn't satisfied with this mechanism then he/she doesn't have to publish their apps on the marketplace. There's no point in having a centralized app store if every developer uses his/her own licensing scheme.

Detection of law enforcement malware (e.g. FinFisher)

Ladies and Gentlemen,
I am opening this discussion in order to not only receive some high-quality answers on the following questions, but also to learn what everyone does in order to ensure security and integrity of Apps on their phones (especially when working in environments where attacks are likely or possible due to interesting files on the phone or similar).
Here is my question: Let's suppose a phone is ROOTED, is locked with a Pattern, is updated daily, has TitaniumBackup installed, runs Trust as well as an Antivirus App and on top of that, installed Apps are monitored on a regular basis through TitaniumBackup. Is it even possible for law enforcements or hackers to install malware? If so, what would be necessary for them to do so? Physical access? Malformed Apps with matching signature? Other types of attacks (encouraging @He3556 the owner of Smartphone Attack Vector to chime in)?
Second question (hope @jcase can answer this): What would be the best way of preventing attacks of aforementioned groups and alike? What do YOU personally do?
Pe rooted, with common rooted apps installed? Would be easy to compromise that phone, as you have already done it for them.
Use a stock firmware, choose a vendor with a recent history of good security (Samsung, Nexus, Motorola in that order imo), keep it up to date, reduce the number of apps you run, don't root it. Disable USB debugging.
Thanks for answering. So that means, in short words, buy a phone and only update official stuff. How boring, I wouldn't be here on XDA then! But I get your point. I'm especially interested in the question of detection. If such agencies have installed anything that would leak data (and I'm sure it's fairly easy to do for them), how would they hide that specific App from the list of TitaniumBackup? Also, how would they trick the Trust Event Logger created by @Dark3n to not show any installation?
Most importantly though, is there some way of detecting such installations or manipulations afterwards?
There is a growing so-called "Zero-Day-Exploit" industry, with names like vupen or FinFisher, the ones who are working for the German Gov. but also for countries like Saudi Arabia and Iran. They know how to find exploits nobody knows about (zero-day) and program trojans for all kinds of platforms. So antivirus software can't help here. And it is easy to bypass security if you know one of the bugs - and we know there are many of them in firmware, operating systems, plugins, frameworks and so on... Beside this "white" market there is also a grey and black market. So if you need to track your woman or steal information from other companies, you will find somebody with a tool for that, I suppose.
You would need an "Intrusion Detection Software" - sorry but this won't work for Smartphones, because there is a lot of calculation, data and energy needed - you find this special hardware in big data centers.
Do not root and do not install Apps you don't really need is still good advice, especially when people don't know so much about all this.
Another way to sneak in is to compromise the user's PC, which is (maybe) connected to the phone sometimes (works with iPhone sync but also with Android to change DNS and get SMS with e-TANs - you will find more info on it in the media).
Or if you have the "power" you can use the cloud services (iOS, Google, Windows or other 3rd party services) to steal user data (SMS, pictures, GPS history...) or just let it sync the malware to the phone. So you don't have to break in directly.
What would be the best way of preventing attacks of aforementioned groups and alike?
Tomorrow I will have time, there are too many possibilities.
Thanks for clarifying, @He3556!
Now I know that phones in general are hard to lock down for such agencies. Time to quote myself:
SecUpwN said:
Most importantly though, is there some way of detecting such installations or manipulations afterwards?
Hey @He3556, if you've been following security news the past weeks, this topic here is becoming more relevant with each revelation. Since the trojan-coding company FinFisher has highly likely been hacked and some cool whistleblowers are publishing very sensitive data like price lists and handbooks on their Twitter account GammaGroupPR, more details of their secret software FinSpy Mobile are being revealed. And this is exactly the type of software that I am talking about here in this thread. I want to know how users can protect themselves from crap like that. According to the video that has been leaked, it is being installed through a fake update, or even through messages via E-Mail to "please" install this "very important update":
And just to make everyone more curious, FinSpy Mobile has been leaked on Twitter! It obviously works for all operating systems, including Android, Blackberry, Windows Mobile, and Symbian. Another trophy is source code of FinFly Web, which found its way to the code hosting platform GitHub. It is designed to provide remote and covert infection of a Target System by using a wide range of web-based attacks. FinFly Web provides a point-and-click interface, enabling the Agent to easily create a custom infection code according to selected modules. Target Systems visiting a prepared website with the implemented infection code will be covertly infected with the configured software. Regarding FinSpy Mobile and similar software: How would law enforcements possibly attack a cautious member of XDA (or any other site)? I mean, people that have been in the field of flashing new ROMs, updating their firmware and recovery themselves, not installing strange APKs sent via E-Mail and controlling installed Apps through TitaniumBackup should be somewhat immune to such type of attacks, right?
It appears to me as if their software might work for the general masses, but highly-likely not on people like @jcase or other Android security-gurus. Since I linked you, I'd be very happy if you could expand on that a little. I am sure such companies might even have the possibility of messing with the baseband of a target phone through only knowing the phone number of a target. But I am really curious what their "standard procedure" is if they face a target with thorough Android knowledge, maybe even a security-enthusiastic Android developer. Wouldn't their only option be to manually manipulate the handset?
There are two methods to keep away all kinds of trojan and malware...
1. Use a SIM with data connections only: There are SIM cards on the market you can use in a USB Stick for Notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
2. Web browser, Apps, e-mail client and all other connections must use a VPN.
But there is one more step to take.
The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But i am sure there are more projects about this out there...
He3556 said:
There are two methods to keep away all kinds of trojan and malware...
1. Use a SIM with data connections only: There are SIM cards on the market you can use in a USB stick for notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
I know this works, but the only guy who is so insane and is already doing that is probably @InvaderX.
Honestly, what's the purpose of a phone if I can't receive SMS and call anyone without internet connection?
He3556 said:
2. Web browser, apps, e-mail client and all other connections must use VPN.
But there is one more step to take.
The virtualization of all services and apps you are using. This works like Team Viewer on a PC. The app is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use Flash with an iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But I am sure there are more projects about this out there...
Better yet: Living under a rock should solve all these problems. Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month? From the things you mentioned as for protection, I highly doubt that I'll move that way. And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listening in on my calls or deploying an IMSI-Catcher. But talking about this makes me wonder: It seems as if the probability is high that most of the time they are selling a fake update to the target. Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorized access or (hidden) App installation?
Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events (which is how Trust monitors most things).
It is just not built to withstand such attacks.
SecUpwN said:
Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed
Maybe? But there are much easier ways if it is not desired to target specific persons.
I'll brainstorm a bit for you:
I would divide the attack vectors into those that work with root and those that don't.
Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.
If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basically do what the hell he wants.
While not using a rooted device would certainly make it more difficult to do malicious things, it doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.
Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?
Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains its original functionality.
Want a botnet?
Inject malicious code into a popular root app that is paid, crack it and upload it somewhere.
While this is more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already acquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.
A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other app uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.
Now those are all ways to target a broad mass of users.
If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
- My favorite plan yet, making a popular app themselves that they know you will try
It is usually never impossible, just a matter of resources and whether it's unfeasible to spend so many resources on that goal.
edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufacturer either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution... There could also be compromising hardware built in, but now I'm really climbing up the tinfoil tree, but as recent news stories suggest that the NSA is intercepting hardware packets from manufacturers such as Cisco to modify them, what's really impossible?
TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.
edit2: More specific answers to your questions.
You might be able to monitor file changes on a system level, but if your attacker gains high-level privileges, what keeps him from changing the monitoring system?
SecUpwN said:
Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month?
How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.
SecUpwN said:
And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listening in on my calls or deploying an IMSI-Catcher.
This is the thing, with enough resources, there is always a way.
SecUpwN said:
It seems as if the probability is high that most of the time they are selling a fake update to the target.
Exactly, disguising as something legit is the cheapest way, "trojan horse".
SecUpwN said:
Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorized access or (hidden) App installation?
I don't know any surefire way to detect this. The issue is that with enough privileges (which can be gained without authorization, zero day exploits are worth a lot of money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
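Added example (not part of the thread, and not how Trust or any app named here stores its data): the reply above notes that whoever gains root can rewrite an on-device event database and clean up afterwards. The Python below shows a hash-chained log whose head is copied off the device from time to time, so edits to already-checkpointed history become detectable while entries written after the last checkpoint stay exposed; the event fields and function names are constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed value that the first entry chains from

# Constructed sample events, shaped like what an event logger might record.
SAMPLE_EVENTS = [
    {"t": 1, "type": "package_added", "package": "org.example.mail"},
    {"t": 2, "type": "package_added", "package": "com.example.update"},
    {"t": 3, "type": "boot_completed"},
    {"t": 4, "type": "package_removed", "package": "com.example.update"},
]


def entry_hash(prev_hash, event):
    """Hash that commits to the event and to everything recorded before it."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "|" + payload).encode("utf-8")).hexdigest()


def append(log, event):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "hash": entry_hash(prev, event)})


def checkpoint(log):
    """Small value to copy OFF the device (another machine, paper, a friend)."""
    return {"count": len(log), "head": log[-1]["hash"] if log else GENESIS}


def recompute_hashes(log):
    """Simulates tampering with full local write access: fix up every hash."""
    prev = GENESIS
    for entry in log:
        entry["hash"] = entry_hash(prev, entry["event"])
        prev = entry["hash"]


def verify(log, cp):
    """Check the on-device log against a checkpoint that was kept elsewhere."""
    if len(log) < cp["count"]:
        return "truncated"
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != entry_hash(prev, entry["event"]):
            return "broken-chain"      # careless edit, hashes not recomputed
        prev = entry["hash"]
        if i + 1 == cp["count"] and prev != cp["head"]:
            return "rewritten"         # consistent chain, but not the one we saw
    return "ok"


def demo():
    log = []
    for ev in SAMPLE_EVENTS[:3]:
        append(log, ev)
    cp = checkpoint(log)               # exported after three events
    append(log, SAMPLE_EVENTS[3])      # recorded after the export

    results = {"untouched": verify(log, cp)}

    edited = copy.deepcopy(log)
    edited[1]["event"]["package"] = "com.example.flashlight"
    results["edited_in_place"] = verify(edited, cp)

    rechained = copy.deepcopy(edited)
    recompute_hashes(rechained)
    results["edited_and_rechained"] = verify(rechained, cp)

    deleted = copy.deepcopy(log)
    del deleted[1]
    recompute_hashes(deleted)
    results["deleted_and_rechained"] = verify(deleted, cp)

    # Limitation: entries newer than the checkpoint can vanish unnoticed.
    results["post_checkpoint_entry_removed"] = verify(copy.deepcopy(log)[:3], cp)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last case is the limit described in the thread: the checkpoint only protects what was recorded before it left the device, and it does nothing against events that were never logged.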
Whoa, this has to be the longest answer I've received since registering here. Huge thanks! Grab a coffee..
Dark3n said:
Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events (which is how Trust monitors most things).
It is just not built to withstand such attacks.
Ok, fair. Will keep it anyhow.
Dark3n said:
Maybe? But there are much easier ways if it is not desired to target specific persons.
I'll brainstorm a bit for you:
I would divide the attack vectors into those that work with root and those that don't.
Just to mention it here: An awesome site to see which attack vectors and vulnerabilities exist is Smartphone Attack Vektor by @He3556.
Dark3n said:
Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.
If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basically do what the hell he wants.
Ok, I get the point. Also like @jcase already pointed out: If we root, we pwn ourselves. And if we don't, too.
Dark3n said:
While not using a rooted device would certainly make it more difficult to do malicious things, it doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.
Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?
I only install trusted Applications.
Dark3n said:
Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains its original functionality.
Guess if I use the F-Droid Store I should be pretty safe, right? But don't worry, I don't rely on it - as for me, smartphones are huge bugs with touchscreens. That is why I also built a phone signal blocking pouch for myself and friends. Further good recommendations can be found on the bottom of my GitHub.
Dark3n said:
Want a botnet?
Inject malicious code into a popular root app that is paid, crack it and upload it somewhere.
While this is more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already acquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.
Actually, no. I already have two or three. Or maybe even four?
Dark3n said:
A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other app uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.
Now those are all ways to target a broad mass of users.
Good to know we've come to an end here. Reading all this makes me want to throw my phone out of the window.
Dark3n said:
If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
I DON'T use public hotspots. Why? Because you can be almost certain that stuff will be logged and analyzed once you use that. Over here in my town, we've got a HUGE Apple Store. And guess what - FREE WIFI for everyone! Yeyyy... not.
- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
You are right, threats against family, friends and relatives are a no-go. If I remember correctly, something similar had happened to my beloved XDA developer @idcrisis who invented CrossBreeder. He left development of his toolset because strange things occurred in his life which he linked to his development. Shortly after leaving his project, he proposed a new license: The Aware License. Hope this guy is still living a happy life, though. Added to the above security-issues: Trust NO ONE! How come? Well, just read this stunning story I discovered yesterday where a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet and surfing cat videos. ^^
Dark3n said:
- My favorite plan yet, making a popular app themselves that they know you will try
I don't quite get what you mean by that. Please clarify, it sounds interesting.
Dark3n said:
It is usually never impossible, just a matter of resources and whether it's unfeasible to spend so many resources on that goal.
The way I see it: The only thing that we have no real access to, is the baseband. I am sure that these are full of backdoors and switches for agencies that they just need to trigger - just like the Samsung Galaxy Backdoor discovered by Replicant.
Dark3n said:
edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufacturer either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution...
Nope, I don't trust the manufacturer either. And I am SICK of bloatware! Hence, I have been a happy user of AOKP for several years - but regarding the binary blobs, I would certainly love to try out Replicant (sadly not yet available for the HTC One).
Dark3n said:
There could also be compromising hardware built in, but now I'm really climbing up the tinfoil tree, but as recent news stories suggest that the NSA is intercepting hardware packets from manufacturers such as Cisco to modify them, what's really impossible?
Nothing is impossible, everything can be done. A wise man once said: Everything you can imagine, will happen.
Dark3n said:
TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.
Good advice, I already do follow that one. As already said, if I were a spy company, I'd just team up with manufacturers of basebands..
Dark3n said:
You might be able to monitor file changes on a system level, but if your attacker gains high-level privileges, what keeps him from changing the monitoring system?
Highly-likely nothing. I already know that there is not much I can do to prevent them to get in, but at least I do want to detect them - and having such a detection mechanism raises the bar in disguising their actions even further - and who knows, maybe they're not interested anymore then?
Dark3n said:
How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.
Not much.
Dark3n said:
This is the thing, with enough resources, there is always a way.
Exactly, disguising as something legit is the cheapest way, "trojan horse".
Absolutely right. But what I am really curious of: How do people from the security-community really protect their phones? Do you have friends that are using their phones to just communicate via VPN and VOIP, not sending SMS and never calling people? Perfect place for @InvaderX to chime in, he told me before to really do a combination of that approach.
Dark3n said:
I don't know any surefire way to detect this. The issue is that with enough privileges (which can be gained without authorization, zero day exploits are worth a lot of money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
Sigh.. mobile phones are a total threat to humanity, I get it..
At least I am not the only one paranoid about this kind of thing. LOL
lostangelintx said:
At least I am not the only one paranoid about this kind of thing. LOL
It doesn't have much to do with "Paranoia". The very reason you started to care about this, is because phones are in fact very insecure devices - most people just don't realize or care about it. Another very interesting thread I found lately: Android Security for Conscious Mind.
a tool against 0-day exploits
Don't freak out too early - this tool is only for Windows desktops.
But at least it shows how it could work for mobile devices, too.
It is called Enhanced Mitigation Experience Toolkit (EMET 5.0) ...is a utility that helps prevent vulnerabilities in software from being successfully exploited.
These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.
SSL/TLS certificate pinning - This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).
Ok, they do not guarantee 100% security - but who could? Even though this software comes from Microsoft, it's still a good solution and closes the gap between anti-virus, firewall and keeping your software updated.
Here is a test from 2010 (EMET 2.0) http://www.rationallyparanoid.com/articles/emet-testing.html
And one of 2014 http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/
Does anybody know an app for Android, iOS, WP8 or BB?
Just a small side note:
In regard to device security vs. rooting.
There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers' experience and knowledge to keep malware out of AOS, and your phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
I trust neither the ODMs, nor the custom roms. However I KNOW the average custom rom is just as if not MORE vulnerable than current stock roms, add su into the mix and it is without a doubt more vulnerable. Show me a custom rom dev that claims he ships a secure firmware, and I'll show you someone ignorant of the facts. Ask most of them what CTS is, and they will look at you like you are referencing 18th century medical terms.
That is my stance. In regards to root making a device more vulnerable, I can back that statement time and time again. From key compromises of the superuser apps, to vulnerabilities in the app, to vulns in the su binaries, to vulns in apps that typically make su requests, to stupid users who will grant it to anyone. Having any access point to "root" makes turning a small vuln to a complete compromise relatively easy.
E:V:A said:
Just a small side note:
In regard to device security vs. rooting.
There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers' experience and knowledge to keep malware out of AOS, and your phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.
To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.
Reading all this, it makes me wonder if the antivirus apps help at all..
stefeman said:
Reading all this, it makes me wonder if the antivirus apps help at all..
Let's put it this way.
In 6 years of heavy 24/7 PC use, my anti-virus has prevented me from a "possible" remote exploit exactly once, while having annoyed me with lengthy uninterruptible scans and ignoring my ignore settings about a 1000 times, due to adware and various other false positives. Then only god knows how many different countries' governments are already present in my PC. Go figure. And yes, I have tweaked every possible setting and tried multiple well-known AVs.
Forget AV's and get a good FW and with a well tuned host file, and well tuned common sense.
E:V:A said:
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.
To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.
Really, I don't want to do this again, this conversation.
Most stupid people don't realize they are stupid, they assume they are smart. (We are all stupid in some regards).
I think I could endanger a user from root, pretty sure I can either screw the phone up, or possibly catch it on fire. If it had a sim in it, and was on the network I am certain I could make them regret ever rooting their device.
Here is a question, how many of you understand how these unlocks/exploits work?
I sometimes leave messages hidden in mine, and have only had ONE person reply to the hidden message, out of 100,000s of runs. People don't even know what they are running to gain root, let alone any idea what these "rom devs" do.
Open source is the answer right? Everyone can read the code, and everyone does! That's why no backdoors or vulns have ever been in open source projects. Every open source project gets a line by line audit by a team of security professionals.</sarcasm>
I'll join back in when someone shows me a custom rom/open device that has the same or better security precautions taken by leading ODMs. Until then, it is generally just as easy or (generally) easier to abuse and exploit one of these custom roms floating around.
stefeman said:
Reading all this, it makes me wonder if the antivirus apps help at all..
Won't help a lick for anything originating from a government.

p=p. any one know how it works?

Found something new to me
https://prettyeasyprivacy.com/
Email encryption easy...
Found On fdroid under k9/p=p
Claims it works with your existing email account
But I have not found out how it works yet
Or how the foundation is set up.
And that's the kind of thing I like to know before I install
Anyone have any experience with them?
Personally, if you are looking for encrypted email... I'd choose Proton Mail any day of the week over p=p.
p=p just doesn't seem anywhere near the security of Proton. But that's just my opinion. Test it out and let us know how you like it. It's always nice to have options!
I'm just not at the point where I want my email provider to supply my email program.
Don't get me wrong it's not a bad idea..
(I like that it's open source, that's always good)
But I would much rather have encryption all on me and my device..
And I can pick and choose what provider I'm using.
I don't love the idea of being locked into anything...
nutpants said:
I'm just not at the point where I want my email provider to supply my email program.
Don't get me wrong it's not a bad idea..
(I like that it's open source, that's always good)
But I would much rather have encryption all on me and my device..
And I can pick and choose what provider I'm using.
I don't love the idea of being locked into anything...
hey @nutpants, I know you are more knowledgeable than me (and know how to search.lol) but I did find this link for p=p. You can email them I believe.
https://prettyeasyprivacy.com/integrate/
"err on the side of kindness"
I found the instructions
https://www.prettyeasyprivacy.com/docs
I wish that people would stop hosting instructions online and include manuals with the installs. I mean seriously how much space will it take?
I will be doing some time reading everything carefully..
But would love opinions from everyone else.
Basically it appears to create extradition keys between users of the app automagically and then encrypt everything by default when possible.
Much like text secure was doing for text.
Hopefully things like this will become a standard for email.
(With a common method of encryption so no one is tied to just one particular email app)
And we will see more applications that can be used to encrypt mail.
I'm going to do some testing
Well I've done a little testing.
And honestly I'm liking what I see.
Sure this is in early stages and early days.
But it appears that it is as simple as they suggest.
I could even get my least technical buddies to use this email encryption.
I have not seen it try to contact anything except my mail server.
And it does not require contacts or other erroneous permissions (it asks but you can block it and no crashes, at least for me).
It works automagically.
If you exchange emails with someone who is using pep (I think it's stupid that they have the three lines between the p's why not just have the E)
It figures that out and starts exchange of public pgp keys.
At that point your message's title bar has a yellow background so you know encryption is taking place.
After you verify the "code words" with your correspondent (by voice so you verify who you are talking to is who you are really talking to, or any other method you desire)
Your messages get a green title bar so you know encryption is going on with a verified user..
So simple even a grandpa can understand it.
It uses pgp for encryption so you know it's good
Right now it's pretty basic and there are few encryption options
But they plan to add more features as time goes on
I'm liking what I'm seeing and I will do more testing and will keep an eye on this to see how fast it matures.
The only real con at the moment is that there is no way to secure the app from running with a password to keep anyone who gets their hands on your device from reading everything.
But that's a little minor..
If someone had their hands on your device, you have already broken the golden rule.
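Added example (not from the post and not pEp's own code): why reading the "code words" to each other over a separate channel matters. Each side derives the words from both public-key fingerprints, so a key swapped in transit produces different words on the two phones even though both still show "yellow" before the comparison; the SHA-256 fingerprint, the XOR combination, the syllable word table and the key bytes are assumptions made for this illustration.

```python
import hashlib

# Constructed table: 4 syllables per word gives 16**4 = 65536 words, one per
# 16-bit value. Hypothetical; not the dictionary any real mail app ships.
_SYLLABLES = ["ba", "de", "fi", "go", "hu", "ka", "le", "mi",
              "no", "pu", "ra", "se", "ti", "vo", "wu", "za"]

# Constructed key material standing in for exported public keys.
ALICE_KEY = b"constructed-public-key-alice"
BOB_KEY = b"constructed-public-key-bob"
SUBSTITUTE_KEY = b"constructed-public-key-in-the-middle"


def word_for(value16):
    """Map one 16-bit value to a pronounceable word."""
    nibbles = [(value16 >> shift) & 0xF for shift in (12, 8, 4, 0)]
    return "".join(_SYLLABLES[n] for n in nibbles)


def fingerprint(public_key_bytes):
    """Stand-in fingerprint (assumption): SHA-256 over the key bytes."""
    return hashlib.sha256(public_key_bytes).digest()


def code_words(own_fpr, peer_fpr, count=5):
    """Words a user reads aloud; XOR makes the result the same on both sides."""
    mixed = bytes(a ^ b for a, b in zip(own_fpr, peer_fpr))
    return [word_for(int.from_bytes(mixed[i:i + 2], "big"))
            for i in range(0, 2 * count, 2)]


def session_state(my_words, words_read_by_peer=None):
    """'yellow' = encrypted but unverified, 'green' = verified (as in the post)."""
    if words_read_by_peer is None:
        return "yellow"
    return "green" if my_words == words_read_by_peer else "mismatch"


def honest_exchange():
    a, b = fingerprint(ALICE_KEY), fingerprint(BOB_KEY)
    alice_words = code_words(a, b)
    bob_words = code_words(b, a)
    return session_state(alice_words), session_state(alice_words, bob_words)


def substituted_exchange():
    # Both users were handed the same substitute key in place of each other's.
    a, b = fingerprint(ALICE_KEY), fingerprint(BOB_KEY)
    m = fingerprint(SUBSTITUTE_KEY)
    alice_words = code_words(a, m)
    bob_words = code_words(b, m)
    return session_state(alice_words), session_state(alice_words, bob_words)


if __name__ == "__main__":
    print("honest:     ", honest_exchange())
    print("substituted:", substituted_exchange())
```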
This app is simply a fork of K9Mail with a few icons replaced...
It is definitely a fork.
But encryption had been built in, including auto key generation and key exchanges.
K9 is my daily driver.. And I love it.
But pEp makes encryption simple enough for anyone to use..
(As in my grandmother could use it)
When and if it matures to have all the encryption features most advanced users need
(Like easy key import, export, backup, manual key changes)
It may become my daily driver..
Sadly in the world today, encryption is almost mandatory.
And pep is on the way to make that easy for everyone.

Is a hard reset on an iphone secure to delete a sophisticated government spyware

By sophisticated government attack I mean something with virtualization technologies, several masking and hiding capabilities like FinFisher's solutions.
Does:
1) Updating to the newest version of iOS
2) Hard reset the phone
securely remove the spyware?
1) I see more as a bonus question that is not really needed, but might be interesting too.
I would thank you for a careful but practical answer, since this question relates to some "moving parts" like: "Is it possible to load a "real" update from an infected phone, or will a sophisticated attack redirect those requests" and if there is something you can do to prevent this etc. or the question whether a hard reset really deletes everything or if the spyware can somewhat hide in "blocked" or wrongly addressed areas of the storage and so on.
On the other hand I do know that there never is absolute certainty and would be more interested in a "probabilistic view".
Thanks to the Forum!
I think your question is pointing to widespread security problems with most technology. Manufacturers often use closed source software and the same goes for most of the hardware devices. This makes security very difficult and of course these weaknesses are now being exploited by state sponsors.
Stuxnet was a good example and well worth reading about.
https://en.m.wikipedia.org/wiki/Stuxnet
http://itmanager.blogs.com/notes/20...e-protected-the-iranians-against-stuxnet.html
It infects microcontroller chips that do memory management. The introduced code returns modified data, maybe not even on each read.
So if the phone internal memory uses these microcontroller chips then even loading a new rom wouldn't help. You have to be able to have access to the microcontroller firmware and introduce your own access certification. It is very difficult to do this at present as most of the hardware information is not available, both for phone and internal chips.
Unfortunately this means that state sponsors can take the devices apart, inspect chips with an electron microscope, thus obtain a lot of secret information for their hacks.
Having had Stuxnet on a laptop I became interested in these problems.
Contaminated updates again depend on the resources available. These rely on https and code signing.
https://arstechnica.com/information...ate-authorities-conspire-to-spy-on-ssl-users/
http://www.crypto-it.net/eng/theory/software-signing.html
A contaminated update requires access to the certificates and a delivery method such as intercepting a request from a known IP address.
Many states have access to the certificates and the means to target downloads. Using Tor for updating might give some protection, as would a system to compare your download with that obtained by other people. We don't have this working automatically yet as far as I know.
https://www.torproject.org/docs/verifying-signatures.html.en
Phones have a second operating system where code may not be secure.
http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone
https://www.rsaconference.com/event...ile-apt-how-rogue-base-stations-can-root-your
You can minimize risk by keeping a device in airplane mode and using a separate mifi device.
If you consider yourself an innocent target or just want to minimise risk then perhaps regularly buy second hand or new devices from shops, keep them in airplane mode, keep the necessary software to send by bluetooth and check the md5 sums.
Web browsers could be another security problem if they can run exploits, but this is probably outside the scope of your question.
Secure communications apps will probably work fine as long as they don't require updates. Beyond that, keep it all locked up in a safe you built yourself.
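An added example (not part of the original posts): one way to automate the "compare your download with that obtained by other people" idea from the answer above. It can flag an update that was swapped for one recipient only, but it cannot help if every downloader receives the same contaminated file. It uses SHA-256 where the post mentions md5 sums; the function names, the `min_peers` threshold and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib
import io
from collections import Counter


def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so a large image need not fit in RAM."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def cross_check(local_digest, peer_digests, min_peers=3):
    """Compare our digest with digests reported by independent downloaders.

    Returns one of:
      "consistent"   - we match a strict majority of the peer reports
      "mismatch"     - a strict majority of peers agree with each other, not with us
      "inconclusive" - too few reports, or the peers disagree among themselves
    """
    reports = [d.strip().lower() for d in peer_digests if d and d.strip()]
    if len(reports) < min_peers:
        return "inconclusive"          # not enough independent observations
    value, count = Counter(reports).most_common(1)[0]
    if count * 2 <= len(reports):
        return "inconclusive"          # no strict majority to compare against
    if value == local_digest.strip().lower():
        return "consistent"
    return "mismatch"                  # our copy differs from what most others got


# Constructed sample data: byte strings standing in for update images.
GENUINE = b"update-image-v2" * 1000
TAMPERED = GENUINE[:-1] + b"!"         # one byte changed in the copy served to us


def demo():
    good = sha256_stream(io.BytesIO(GENUINE))
    bad = sha256_stream(io.BytesIO(TAMPERED))
    # Reports assumed to be gathered by other people over separate network paths.
    peers = [good, good, good.upper(), good]
    return {
        "clean download": cross_check(good, peers),
        "targeted download": cross_check(bad, peers),
        "too few peers": cross_check(good, peers[:2]),
        "split peers": cross_check(good, [good, bad, good, bad]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A "mismatch" verdict is a reason to stop and re-fetch over a different path before installing; "inconclusive" means the comparison gave no evidence either way.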

Are PRIVACY concerns overrated?

The single most important, most debated subject of being online - privacy and security.
While security is undisputed, privacy aspect is.
So what exactly is the concern? As normal people in normal professions (which is easily more than 90% of the population), is there a need for worry?
For a long time since I started using smartphones, I had a natural inclination towards remaining anonymous and private online. I would always use incognito browsing for everything I do online, never create an account with a service as much as possible (e.g. I would watch YouTube videos without signing in), etc.
With time, I began realizing that I am actually missing out on so many interesting things that matter to me, and much of the content that would interest me would be made available to me without much effort using machine learning and artificial intelligence, an area where huge investments are being made.
So slowly I started accessing content and using services with my Google account. Over time, everything from Google feed to YouTube videos were showing me content that I am interested in, and sometimes they were so intelligent that I have been amazed with the whole technology that is at work. Surely, you cannot expect a doctor to give you the right prescription without giving him complete details about your problems. You can't talk privacy there. So unless the system learns what you like and what you don't, there is no way it will present stuff (including ads) that will be interesting to you.
With that said, why are we overemphasizing this aspect of our lives? Is the privacy lobby inflating the privacy problem more than is necessary? Especially since much of what Google learns (according to them) about you is private, and only you can access/ control it, and also because the open-source alternatives are overrated. I say overrated because there are no audit reports (from trustworthy audit entities) available. Their codes may be available for audit, but is there a trustworthy source that is actually auditing them? Are the platforms where they are available being audited? So the issue of privacy and security applies to these platforms too, and more so because they aren't scrutinized as heavily as Google products and services.
As far as more personal info is concerned, like location, age, gender, searches I perform, accounts, mobile number, etc - Google already has all those because I provided them with much of that info when I created my account. Sure, one can always provide fake info for some of them. But if you use 'Find my Device', you are pretty much giving away your location to Google REAL-TIME. While this can potentially be misused, how else is Google supposed to help you if you were to lose your device? Mobile numbers and email addresses are necessarily required to be correct because they are needed when you are locked out of your account. They are the only means to get your account back.
While I am a strong proponent of privacy, I also feel that too much is made out about a lot of stuff that isn't really something to worry about. That stuff is essential to get the service we expect in return, in other words, putting technology to use.
That said, it is still important not to give anyone a free hand over data, and there has to be several layers of checks and balances, and accountability for safeguarding and using them.
All that said, my current position is this. Make best use of the technology at hand, because if you don't provide the necessary inputs, there cannot be a proper output.
As with some things that we do online which we might want to keep completely private, use a non-google browser (like Firefox Focus or Duck Duck Go) in incognito mode with Duck Duck Go search engine.
For everything else, use GOOGLE (assuming there is accountability and severe penalties for violations).
Reserved for additional info.
@Ultramanoid
We may continue the discussion here.
I have a few specific questions for which I haven't found answers. Maybe you or others could answer them. I'll compile them and post these later.
Sridhar Ananthanarayanan said:
> @Ultramanoid
> We may continue the discussion here.
> I have a few specific questions for which I haven't found answers. Maybe you or others could answer them. I'll compile them and post these later.
I have a hard time understanding how you can say you're a strong proponent of privacy, while at the same time justifying how you exchange yours for convenient services.
I can't justify that exchange, and yet use, work in, and develop in an IT field. No Google account here. So it'd be difficult to discuss the issue when our basic premises and understanding of the situation are completely opposed.
I want a good mail service, so I PAY for it, with MONEY, and I assure you it beats all the tech prowess and illusions of magic that GMail and its indecent, immoral, and insulting data mining and tracking provide. Same for everything else.
The aberration that is 'service' ( lower quality feature set, no support, security issues, client is the product ) for information, which, as mentioned in MiX's thread, also has the tremendously damaging side effect of reducing to zero the value of good honest developer work. 'Google gives it for free' -- No, it doesn't, and no, it's not free.
Edit : And by the way, giving your data away not only puts you at risk, it puts others at risk as well. Unacceptable.
 
Ultramanoid said:
> I have a hard time understanding how you can say you're a strong proponent of privacy, while at the same time justifying how you exchange yours for convenient services.
> I can't justify that exchange, and yet use, work in, and develop in an IT field. No Google account here. So it'd be difficult to discuss the issue when our basic premises and understanding of the situation are completely opposed.
> I want a good mail service, so I PAY for it, with MONEY, and I assure you it beats all the tech prowess and illusions of magic that GMail and its indecent, immoral, and insulting data mining and tracking provide. Same for everything else.
> The aberration that is 'service' ( lower quality feature set, no support, security issues, client is the product ) for information, which, as mentioned in MiX's thread, also has the tremendously damaging side effect of reducing to zero the value of good honest developer work. 'Google gives it for free' -- No, it doesn't, and no, it's not free.
> Edit : And by the way, giving your data away not only puts you at risk, it puts others at risk as well. Unacceptable.
You spoke of making 'reasonable compromises' on the MiX thread.
I have only elaborated the same. How does it matter if Google learns what I like to search on the internet? I am willing to give them that information so that they can provide me with content I am interested in, so that my news feed is mostly content I like to read/ watch, and little garbage. In the process, if they are showing me ads relevant to me, what is wrong with it?
My view is based only on this premise that this is how my data is being used. I have never had a financial security issue (like money being stolen from my account) because of what Google learns about my internet activity.
Also, I am assuming that Google won't learn anything about the searches I may do in incognito mode. They are supposed to respect the privacy. I'm aware they have been sued for not adhering to it strictly.
So assuming that they stick with usage of data as per their declared privacy policies and in accordance with laws, what is the problem?
Sridhar Ananthanarayanan said:
> You spoke of making 'reasonable compromises' on the MiX thread.
As to security. As long as you rely on someone else's software, some company's cables and infrastructure, there's no other way.
No reasonable compromise on privacy in the "service x information" business model. It needs to die.
Edit : Have a look at this; https://privacytools.io ( "Privacy? I don't have anything to hide." )
 
my view on this is:
i agree, you should protect privacy as much you're able to, but if you need some services and you need "to give up privacy" for acquiring that service you need, then for me it's legit.
i wouldn't go all crazy on privacy as many go (to completely ditch google, windows, and become open source - privacy - government conspiracy evangelist), but i wouldn't rely on them for my whole life.
yes, i use google calendar and notes and all my data is on google, and if google go down or misuse my data, maybe i will lose that data but still i can easily use on another platform one stop working or is not trustworthy (publicly misuses data)
i love to use custom ROMs not to ditch google or become privacy conscious (using f-droid and living under rock without google services) but to ditch stock ROM from manufacturer as i don't like any manufacturer stock ROM, i want just their hardware, and software i want to be my choice.
for normal people storing something on google, microsoft, apple is not at all bad idea, when you store not that important or sensitive data on google. but i would never upload any top secret, sensitive data on any those services, as they WILL allow government to extract data (like edward snowden said), so anyone from government can access it or even misuse it, but if you don't store top secret sensitive info on those services you are fine.
if you want to store top secret sensitive data you would make it and encrypt it and store local copies.
and for google search, same applies, you will be fine with normal use, use firefox and duckgo, and also incognito don't respect any privacy, it just make to browser not to store history, everything else is visible to them, unless you use firefox and duckgo.
and also many say vpn secure you (ones you buy), but i wouldn't trust not even them (even if you pay), if you want to have encrypted connection you better MAKE your own VPN server (you can buy remote linux server online and make it as VPN), carrier to whom you pay for server don't care what you store on server (because you pay for it) and if government comes to there he won't be able to provide anything.
but still even with all said, i don't advocate on trusting government as they don't care about freedom or rights, they care just about power, so protect privacy as much you are able to, but don't go all crazy on it, because best way to be secure on internet is not to use it at all, as at the end of the day don't forget that all intel, arm, amd chips (hardware) are hackable and exploitable to surveillance if they want to
EDIT: and also always remember, if you are censored for your rights, you have full right to protect your right, but i didn't got censored for searching for something on google. maybe google censored it to control media, but everyone do it, even media is manipulating you with fake news.
like if i am in china and i can't open news that reveal china government because china censorshiped that source "for greater good", i would use linux, tor and vpn so i can bypass censorship to know what's right. as long you don't face censorship for your rights it still okay to use those services, but if someone censorship for your rights, then it's time to act and stand up for yourself, and not accept anyone's "censorship for greater good".
You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked Magisk modules.
Ultramanoid said:
> As to security. As long as you rely on someone else's software, some company's cables and infrastructure, there's no other way.
> No reasonable compromise on privacy in the "service x information" business model. It needs to die.
> Edit : Have a look at this; https://privacytools.io ( "Privacy? I don't have anything to hide." )
I think the moment you are online, you are presenting yourself to be tracked. No matter what tools you use to safeguard your privacy, a country's intelligence has an upper hand because they have the resources and much more advanced technology that is not commercially available.
They can also set up something like the link you shared as just another means to track you (by misleading you into believing that you are remaining private and anonymous).
I think one can truly stay private only by staying away from technology. Otherwise, you are just opening yourself up for tracking.
atttoush said:
> You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked Magisk modules.
nope, check here
XDAevDB Information
[ROM][UNOFFICIAL][10.0.0][raphael] LineageOS 17.1, ROM for the Redmi K20 Pro
Source Code: http://bigota.d.miui.com/V11.0.1.0....NGlobal_V11.0.1.0.QFKINXM_5e75bba584_10.0.zip
this is source code for ROM, they are always released somewhere, github, don't matter, but they are released, you just need to look it up
indestructible master said:
> nope, check here
> XDAevDB Information
> [ROM][UNOFFICIAL][10.0.0][raphael] LineageOS 17.1, ROM for the Redmi K20 Pro
> Source Code: http://bigota.d.miui.com/V11.0.1.0....NGlobal_V11.0.1.0.QFKINXM_5e75bba584_10.0.zip
> this is source code for ROM, they are always released somewhere, github, don't matter, but they are released, you just need to look it up
This is not a source code ... Just because it says source code, it doesn't mean it's a source code. That's a zip file containing the OEM firmware from Xiaomi.
indestructible master said:
> my view on this is:
> i agree, you should protect privacy as much you're able to, but if you need some services and you need "to give up privacy" for acquiring that service you need, then for me it's legit.
> i wouldn't go all crazy on privacy as many go (to completely ditch google, windows, and become open source - privacy - government conspiracy evangelist), but i wouldn't rely on them for my whole life.
> yes, i use google calendar and notes and all my data is on google, and if google go down or misuse my data, maybe i will lose that data but still i can easily use on another platform one stop working or is not trustworthy (publicly misuses data)
> i love to use custom ROMs not to ditch google or become privacy conscious (using f-droid and living under rock without google services) but to ditch stock ROM from manufacturer as i don't like any manufacturer stock ROM, i want just their hardware, and software i want to be my choice.
> for normal people storing something on google, microsoft, apple is not at all bad idea, when you store not that important or sensitive data on google. but i would never upload any top secret, sensitive data on any those services, as they WILL allow government to extract data (like edward snowden said), so anyone from government can access it or even misuse it, but if you don't store top secret sensitive info on those services you are fine.
> if you want to store top secret sensitive data you would make it and encrypt it and store local copies.
> and for google search, same applies, you will be fine with normal use, use firefox and duckgo, and also incognito don't respect any privacy, it just make to browser not to store history, everything else is visible to them, unless you use firefox and duckgo.
> and also many say vpn secure you (ones you buy), but i wouldn't trust not even them (even if you pay), if you want to have encrypted connection you better MAKE your own VPN server (you can buy remote linux server online and make it as VPN), carrier to whom you pay for server don't care what you store on server (because you pay for it) and if government comes to there he won't be able to provide anything.
> but still even with all said, i don't advocate on trusting government as they don't care about freedom or rights, they care just about power, so protect privacy as much you are able to, but don't go all crazy on it, because best way to be secure on internet is not to use it at all, as at the end of the day don't forget that all intel, arm, amd chips (hardware) are hackable and exploitable to surveillance if they want to
> EDIT: and also always remember, if you are censored for your rights, you have full right to protect your right, but i didn't got censored for searching for something on google. maybe google censored it to control media, but everyone do it, even media is manipulating you with fake news.
> like if i am in china and i can't open news that reveal china government because china censorshiped that source "for greater good", i would use linux, tor and vpn so i can bypass censorship to know what's right. as long you don't face censorship for your rights it still okay to use those services, but if someone censorship for your rights, then it's time to act and stand up for yourself, and not accept anyone's "censorship for greater good".
As I said, we are overemphasizing on many of the things and linking them to privacy. Much of the seemingly private things have no bearing in real life, even when made public. Because, no matter where you are, you have to adhere to the local laws and your internet activity isn't important (unless one is into prohibited activities).
It is a very niche segment of people (like those working for intelligence, journalists, etc.) that must pay special attention. For most others, there isn't too much to worry about, as long as the companies providing services adhere to data regulations and act with responsibility.
atttoush said:
> You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked Magisk modules.
Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
Sridhar Ananthanarayanan said:
> Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
> OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
It's not the case with few established ROMs. Lineage OS comes to mind. As they encourage people to build ROMs from source. But device support is problematic. That's why I turn to custom ROMs. It's a great idea, but I thought XDA ROMs guaranteed security with the GPL and Open source philosophy. But it's being violated all over the place.
Sridhar Ananthanarayanan said:
> Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
> OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
Which OEMs are these ? Please mention one and point to where and how their code can be reviewed. Almost none provide support for a device after 2 or 3 years. Almost none are scrutinized because their additions to Android are proprietary and closed source, they barely release kernel changes and those only because they are legally obliged, sometimes even after the device which uses that kernel is not even on sale anymore.
Partial exception for SONY, that provides repositories for AOSP support for many of their devices, and sometimes have released blobs ( not code ) for their drivers and cameras. This is the rare exception, not the rule.
Almost no OEMs provide timely security updates incorporating Google's monthly patches for critical vulnerabilities. Some pile them up in batches, leaving devices vulnerable for months and even years. Stagefright, bluetooth, Qualcomm ... They don't give a crap.
Get the facts straight.
Lineage, in contrast, is developed in plain sight by hundreds of developers revising the code every single day, include Google's vulnerability patches religiously every month and have provided fixes time and again for things Google and OEMs don't bother to fix. They also support devices securely years after OEMs have completely abandoned them.
LineageOS
A free and open-source operating system for various devices, based on the Android mobile platform. This is a mirror of https://review.lineageos.org/ - LineageOS
github.com
Edit : Remember that this is a developers' forum, by developers for developers. Checking and editing code daily is what we do.
Edit 2 : Can't comment as to other 'custom ROMs', from which it may very well be better to stay away.
 
Ultramanoid said:
> Which OEMs are these ? Please mention one and point to where and how their code can be reviewed. Almost none provide support for a device after 2 or 3 years. Almost none are scrutinized because their additions to Android are proprietary and closed source, they barely release kernel changes and those only because they are legally obliged, sometimes even after the device which uses that kernel is not even on sale anymore.
> Partial exception for SONY, that provides repositories for AOSP support for many of their devices, and sometimes have released blobs ( not code ) for their drivers and cameras. This is the rare exception, not the rule.
> Almost no OEMs provide timely security updates incorporating Google's monthly patches for critical vulnerabilities. Some pile them up in batches, leaving devices vulnerable for months and even years. Stagefright, bluetooth, Qualcomm ... They don't give a crap.
> Get the facts straight.
> Lineage, in contrast, is developed in plain sight by hundreds of developers revising the code every single day, include Google's vulnerability patches religiously every month and have provided fixes time and again for things Google and OEMs don't bother to fix. They also support devices securely years after OEMs have completely abandoned them.
> LineageOS
> A free and open-source operating system for various devices, based on the Android mobile platform. This is a mirror of https://review.lineageos.org/ - LineageOS
> github.com
> Edit : Remember that this is a developers' forum, by developers for developers. Checking and editing code daily is what we do.
> Edit 2 : Can't comment as to other 'custom ROMs', from which it may very well be better to stay away.
I didn't say that OEMs make their source codes available. I said they are scrutinized. Scrutinized by security researchers around the world, who may or may not be funded by competition. There is lot of benefits by doing so because OEMs can use this as an opportunity to push sales of their own devices. Example is the clipboard scandal of OnePlus, as well as others.
Compare that to custom ROMs. There are so many custom ROMs available for popular devices. Official builds, unofficial builds, nightlies, etc. etc. The ROMs are available for free. Who cares to audit/ scrutinize these? No one cares because there is nothing to gain. This is also because a very minute % of Android users actually install custom ROMs. So no one cares.
Just like root, the need for custom ROMs is decreasing by the day. OEMs are now promising up to 3 years of Android upgrades and 4 years of security updates, at least for their flagship devices. And now the Google-Qualcomm partnership that is making these upgrades easier and faster. Unlike in the past, OEMs are much faster in releasing security updates today.
Lineage official builds, in my experience, isn't feature rich like some other custom ROMs or unofficial forks of Lineage. People may opt for Lineage official builds primarily for two reasons:
1. Debloat their OEM software like those from Xiaomi, Huawei, even Samsung.
2. OEM has stopped providing official support (this is now changing because 3 to 4 years of official support is synonymous to life of the device because a large % of people usually buy a new device every 3 or 4 years).
Some of the developers of custom ROMs are arrogant arses. That's another reason to tell them to eff-off.
Sridhar Ananthanarayanan said:
> I said they are scrutinized. Scrutinized by security researchers around the world, who may or may not be funded by competition.
> OEMs are now promising up to 3 years of Android upgrades and 4 years of security updates, at least for their flagship devices.
1. Which security experts ? We have some in XDA whose daily job is precisely that, have you spoken to them ? I don't know of a single audit of any OEM's version of Android. Please mention or link at least one if you think they exist.
2. Which OEMs ? I don't know of a single OEM providing support of any kind for any of their devices ( maybe OnePlus barely reaches 3 for some of theirs, again, a very rare exception ) beyond 3 years, much less 4.
Provide real data points or stop speculating on vague promises and supposed security experts somewhere. When I say LineageOS is available, you can see it is. You can also build SONY's AOSP from their code. ( Edit : https://developer.sony.com/develop/open-devices/ )
One thing is to express an opinion, another to give facts.
 
Ultramanoid said:
> 1. Which security experts ? We have some in XDA whose daily job is precisely that, have you spoken to them ? I don't know of a single audit of any OEM's version of Android. Please mention or link at least one if you think they exist.
> 2. Which OEMs ? I don't know of a single OEM providing support of any kind for any of their devices ( maybe OnePlus barely reaches 3 for some of theirs, again, a very rare exception ) beyond 3 years, much less 4.
> Provide real data points or stop speculating on vague promises and supposed security experts somewhere. When I say LineageOS is available, you can see it is. You can also build SONY's AOSP from their code. ( Edit : https://developer.sony.com/develop/open-devices/ )
Fact 1: OnePlus is collecting your private data without permission
Fact 2: Engineer Mode
Fact 3: Clipboard Scandal
Fact 4: Shot on OnePlus
Fact 5: MiUI stealthily sending user data back to China
Fact 6: Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
...
That's just some of them. If you search, you will find more.
In most of these cases, it is some security researcher somewhere in the world who found a questionable activity that goes against acceptable privacy and security standards. In other cases, it was some random user who found a vulnerability or some unacceptable practice.
The point? The number of users of stock ROMs is way, way higher than those that use custom ROMs, and as a result someone somewhere might find something either accidentally, or as part of security research work (paid by competition or otherwise).
OEMs will be careful when they make their ROMs. They are not only under scrutiny, but also need to ensure they stick with doing the right things because they have a business to run. The same isn't true for custom ROMs that some nobody will make and act like trash when questioned. That's also because the product is free (or may not be depending on what is baked into the codes) and so the developer may think he isn't answerable.
Ultramanoid said:
One thing is to express an opinion, another to give facts.
Now you may point out the opinions. All the above are actually facts, that support my previous comment.
Sridhar Ananthanarayanan said:
Fact 1: OnePlus is collecting your private data without permission
Fact 2: Engineer Mode
Fact 3: Clipboard Scandal
Fact 4: Shot on OnePlus
Fact 5: MiUI stealthily sending user data back to China
Fact 6: Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
...
That's just some of them. If you search, you will find more.
In most of these cases, it is some security researcher somewhere in the world who found a questionable activity that goes against acceptable privacy and security standards. In other cases, it was some random user who found a vulnerability or some unacceptable practice.
The point? The number of users of stock ROMs is way, way higher than those that use custom ROMs, and as a result someone somewhere might find something either accidentally, or as part of security research work (paid by competition or otherwise).
OEMs will be careful when they make their ROMs. They are not only under scrutiny, but also need to ensure they stick with doing the right things because they have a business to run. The same isn't true for custom ROMs that some nobody will make and act like trash when questioned. That's also because the product is free (or may not be depending on what is baked into the codes) and so the developer may think he isn't answerable.
Now you may point out the opinions. All the above are actually facts, that support my previous comment.
What all that proves is that OEMs are pure solid garbage, thank you for agreeing. Rest the case already. ^_^
Sorry to hear you still prefer to stand by out of date systems, unsecured protocols, and shady immoral companies. It is useless to discuss when you keep insisting on sustaining your biased opinion against hard evidence -- that YOU yourself provided.
Cheers !
 
Ultramanoid said:
What all that proves is that OEMs are pure solid garbage, thank you for agreeing. Rest the case already. ^_^
Sorry to hear you still prefer to stand by out of date systems, unsecured protocols, and shady immoral companies. It is useless to discuss when you keep insisting on sustaining your biased opinion against hard evidence -- that YOU yourself provided.
Cheers !
 
You are simply exaggerating it.
Like the saying goes, better to trust the known devil than the unknown angel.
Cheers!
