Related
Introduction
I have not seen much talk about security in XDA, and not at all on Neo Section.
SO here's just one informative link talking about using and developing apps and security risks involved
http://www.technologyreview.com/computing/25921/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, get your credit card info(should you do such things on phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app only to have risks. Most people use Windows so they should know that it is OP systems bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM. That's just idiotic security system, for it is the only thing beside encrypting shut off phone on 3.0 and 4.0. So that means Android on it's own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and it's Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Exporer has root access, that means it has root access to whole Android. To remove unnecessary risks, this app's root access should be limited to only most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is Apparmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is obvious vulnerability, but it is at least known one. Let's look at possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On market it does not list permission to "Unique Device ID"(IMEI for GSM and MEID; ESN for CDMA) for free nor for paid version.
That means the author of BB has left the code from free version in paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the add and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's a latent code, with no benefit to user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on net and also where you are physically. GPS is just one way to find you, police for example have scanners to locate your devices physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risks of your home being marked as the next dungeon to be looted by some raiders, I mean criminals(or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by trojan/hacker is random. Yet the threat would not exist without apps having so flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos ". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in aquarium or hamsters in cage( "Look at that dork!", "You're one ugly m...f...er","ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?" "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by hacker on background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Devide ID
4. Cell Tower Name.
That's a lot of needless permissions for flashlight, these are there just to track you the app user and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux have such security holes then why do you want your Android have them?! You don't want, that's the point and these apps would not be so popular if people would really know and care about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
The most important thing is to read the permissions before installing.
If you had read the article I linked. Those permissions don't matter anything really if stuff developers use doesn't reveal what it does, or developer itself doesn't disclose what the app does.
We can safely say that those permissions asked are just to make ordinary users of Android think that all is under their control.
I use Privacy Blocker app and it keeps finding app permissions that are not listed. Even that app doesn't find those permissions which Cyanogenmod permission manager shows. And I've sanitized all my apps, still I find my phone connecting to some odd servers while using certain paid and seemingly legit apps. I even found shapshots from front camera made by some app... and I am checking all permissions I can, even for those not listed.
What seems harmless but could reveal your IP address and potentially other data about you is... advertisements used by apps.
Ads can be far more than just a little annoyance that slows your device. Any file, picture loaded from some location in internet can be used to locate you.
I had a problem of getting phone call bills for calls lasting 10 to 20 secs that I never made after using a slew of market apps, flashlights, fun stuff, etc.
I paid two months for such calls trying to find out which app did it and still don't know which one it was. Skype(phone app has fake IP of Holland but actual connection goes to Moscow... oh come one what is this? Why such hiding? Like anyone would trust their phone's Skype connection stream through Moscow... no thank you! Then wonder still if the phone gets so slow and Skype call quality is so bad even over wifi while Windows Skype does just fine?), Brighest flashlight, some photo editors, and slew of other garbage I've already forgotten about cause I don't use any of it anymore.
First post updated
How about the new 4.3 update..in includes some security and privacy control..will this thing prevent you had mentioned?
Is there any way to reactivate this post? maybe start working on a security enhanced android ROM? I'm agree, Security does matter!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
The term "privacy" means many things in different contexts. Different people, cultures, and nations have a wide variety of expectations about how much privacy a person is entitled to or what constitutes an invasion of privacy. Information or data privacy refers to the evolving relationship between technology and the legal right to, or public expectation of, privacy in the collection and sharing of data about one's self. Privacy concerns exist wherever uniquely identifiable data relating to a person or persons are collected and stored, in digital form or otherwise. In some cases these concerns refer to how data is collected, stored, and associated. In other cases the issue is who is given access to information. Other issues include whether an individual has any ownership rights to data about them, and/or the right to view, verify, and challenge that information.
This post does not intend to address the many definitions of privacy or the many technical means of protecting and invading one's privacy. There are already many posts addressing this aspect and brief search can turn up lots of answers for you.
This post is only intended to help the least technically savvy among us in maintaining some small amount of data security and privacy without getting very technical about things. It was derived from many diverse sources on basic privacy.
Note that I do NOT have a DONATE button anywhere.
I am not looking for donations.
If you feel that you should donate something, by all means,
send it to your favorite XDA developer and/or XDA itself!
And don't be shy about the
button for the many posters who were of help to you!
Recently, a friend handed me his phone and asked me to take a picture. “What’s the password?” I asked. “I don’t have one,” he said. I think I must have had a puzzled look on my face as, I suppose, I tend to grimace when someone I know tells me they’re choosing not to take one of the very simplest steps for privacy protection, allowing anyone to look through their phone with the greatest of ease, to see whichever messages, photos, and sensitive apps they please.
So, this post is for you, big guy with no password on your Galaxy/iPhone/Nexus/whatever, and for you, girl who stays signed into GMail on your boyfriend’s computer, and for you, person walking down the street having a loud conversation on your mobile phone about your recent doctor’s visit of that odd ailment you have. These are the really, really simple things you could be doing to keep casual intruders from invading your privacy.
1 Password protect your phone! It is one of the simplest things you can do to most devices (smartphones, tablets, etc.) with the least amount of effort. Many people tell me it is “annoying” to take the two seconds to type in a password each time before using the phone. Gimme a break, everyone!. Choosing not to password protect these devices is the digital equivalent of leaving your home or car unlocked. If you’re lucky, no one will take advantage of you. Or maybe the contents will be ravaged and your favorite speakers and/or secrets stolen. If you’re not paranoid enough, spend some time reading entries in Reddit, where many Internet users go to discuss issues of the heart. A good percentage of the entries start, “I know I shouldn't have, but I peeked at my gf’s phone and read her text messages, and…” Oh, and before you pick a password like "123456" or "password" do yourself a big favor and visit the Worst passwords of all time web page! No laughing allowed!
2 Turn on 2-step authentication in GMail (that is, if you use GMail, of course). The biggest conclusion you can derive from the epic hack of Wired’s Mat Honan is that it probably wouldn't have happened if he’d turned on “2-step verification” in GMail. This simple little step turns your device into a security fob — in order for your GMail account to be accessed from a new device, a person (you?) needs a code that’s sent to your phone. This means that even if someone gets your password somehow, they won’t be able to use it to sign into your account from a strange computer. (How it works - video) Google says that millions of people use this tool, and that “thousands more enroll each day.” Be one of those people! Yes, it can be annoying if your phone battery dies or if you’re traveling. Of course, you can temporarily turn it off when you’re going to be abroad or phone-less. Alternately, you can leave it permanently turned off, and increase your risk of getting epically hacked. Which do you like better?
3 Put a Google Alert on your name! This is an incredibly easy way to stay on top of what’s being said about you online. It takes less than a minute to do. Go here: http://www.google.com/alerts; anyone can do it easily. Google Alerts are email updates of the latest relevant Google results (web, news, etc.) based on your queries. Enter your name, and variations of your name, with quotation marks around it. Boom. You’re done. Now, that wasn't too tough, was it? I didn't think so. :-]
4 Sign out of your Facebook / Twitter / GMail / etc. account! Do it each time you are done with your emailing, social networking, tweeting, and other forms of general time-wasting. Not only will this reduce the amount of tracking of you as you surf the Web, this also prevents someone who later sits down at your computer from loading one of these up and getting snoopy. This becomes much more important when you’re using someone else’s or a public computer. Yes, people actually forget to do this, with terrible outcomes. Incidentally, if you have the Chrome browser on your PC and you use “incognito” (Ctrl Shift N) or Internet Explorer and you use “InPrivate” (Ctrl Shift P) you will automatically be logged out when you close the window, and no cookies or passwords will be stored. Pretty cool, right?
5 Don’t give out your email address, phone number, or zip code when asked. Hey, if some scary (or weird) looking dude in a bar asked for your phone number, you'd say no, wouldn't you? But when the person asking is a uniform-wearing employee at a local store, many people hand over their digits without hesitation. Stores often use this info to help profile you and your purchase. Yes, you can say no. If you feel badly about it, just pretend the employee is that scary looking dude!
6 Change Your Facebook settings to “Friends Only.” I really thought that by now, with the many Facebook privacy stories which have been published, everyone would have their accounts locked down and boarded up like a cheap Florida house before a hurricane. Not so. There are still lots and lots of people on Facebook who are as exposed on the internet as Katy Perry at that water park. Go to your Facebook privacy settings and make sure the “default privacy” setting isn't set to "public"! If it’s set to “Custom” make sure you know and understand any “Networks” you’re sharing with.
7 Use unique passwords for every site you go to. This sounds really difficult but - surprise - it is quite simple! Password managers come in many sizes and flavors these days. They will generate complex passwords and remember them for you. Protect yourself against phishing scams, online fraud, and malware. Many of these apps have versions you can use on your computer as well as on your tablet and phone. Some are free and some cost money. Your choice. Here, let me show you how simple it is to find a bunch of them: http://bit.ly/V4xehO! As I said, there are many - the one I use is this one here.
8 Clear your browser history and cookies on a regular basis. Do you remember the last time you did that? If you just shrugged, consider changing your browser settings so it is automatically cleared every session. Go to the “privacy” setting in your Browser’s “Options.” Tell it to “never remember your history.” This will reduce the amount you’re tracked online. Consider one of the several browser add-ons, like TACO, to further reduce tracking of your online behavior.
9 Read the posted privacy policy. Boring, isn't it? Every web site has one and likely for a good reason. Have you ever seen the XDA Privacy Policy? Yup, that's just what I thought!
In conclusion, here's one from the Wall Street Journal's Law Blog.
As I said, this is not a technical article but it may make you think if it does the job right.
Sixth Circuit: No Expectation of Privacy in Cell Phone GPS Data
Drug dealers, beware. Your pay-as-you-go phones probably have GPS. And, according to a federal appeals court in Cincinnati, police can track the signal they emit without a warrant.
The U.S. Court of Appeals for the Sixth Circuit ruled that the Drug Enforcement Administration committed no Fourth Amendment violation in using a drug runner’s cellphone data to track his whereabouts. The DEA obtained a court order to track Melvin Skinner’s phone, after finding his number in the course of an investigation of a large-scale drug trafficking operation.
The DEA didn’t know much about Mr. Skinner or what he looked like. They knew him as Big Foot, the drug mule, and they suspected he was communicating with the leader of the trafficking operation via a secret phone that had been registered under a false name. Agents used the GPS data from his throw-away phone to track him, and he was arrested in 2006 at a rest stop near Abilene, Texas, with a motorhome filled with more than 1,100 pounds of marijuana.
Mr. Skinner was convicted of drug trafficking and conspiracy to commit money laundering. On appeal, he argued that the data emitted from his cell phone couldn’t be used because the DEA failed to obtain a warrant for it, in violation of the Fourth Amendment.
The question in the case was whether Mr. Skinner had a reasonable expectation of privacy in the data his phone emitted. It’s a question that several courts are wrestling with. Federal law enforcement authorities, as in this case, say that investigators don’t need search warrants to gather such information.
Justice Department lawyers argued in a court brief that “a suspect’s presence in a publicly observable place is not information subject to Fourth Amendment protection.”
Judge John M. Rogers, writing for the majority, agreed:
There is no Fourth Amendment violation because Skinner did not have a reasonable expectation of privacy in the data given off by his voluntarily procured pay-as-you-go cell phone. If a tool used to transport contraband gives off a signal that can be tracked for location, certainly the police can track the signal. The law cannot be that a criminal is entitled to rely on the expected untrackability of his tools. Otherwise, dogs could not be used to track a fugitive if the fugitive did not know that the dog hounds had his scent. A getaway car could not be identified and followed based on the license plate number if the driver reasonably thought he had gotten away unseen. The recent nature of cell phone location technology does not change this. If it did, then technology would help criminals but not the police.
He was joined by Judge Eric L. Clay. Judge Bernice B. Donald, who concurred but disagreed with the majority’s Fourth Amendment reasoning, said the DEA couldn’t have figured out the identity of Mr. Skinner, the make and model of his vehicle or the route he would be driving without the GPS data from his phone.
“It is not accurate…to say that police in this case acquired only information that they could have otherwise seen with the naked eye,” she wrote. “While it is true that visual observation of Skinner was possible by any member of the public, the public would first have to know that it was Skinner they ought to observe.”
A lawyer for Mr. Skinner didn’t immediately respond to a request for comment.
Comments? Suggestions? Ideas? They are all welcome.
Flame wars (relating to privacy or otherwise) are not. :-]
[GUIDE] Some incredibly simple things to protect YOUR PRIVACY - Part 2
Cameras on smart phones, getting better with each generation of new devices, allow people to take pictures or videos on the go and transmit these images by e-mail or post them to the Web. With phone in hand, unexpected sightings of celebrities can be snared with a flick of the wrist (turning the celled into the 'snaparazzi'), as can chance encounters with pretty girls or gorgeous sunsets. Their impact can be great for both good and evil.
Not too long ago two men lit themselves on fire in protest. But only one of them is credited with starting a revolution.
The difference between the two? Mobile phones recorded Mohamed Bouazizi, a Tunisian fruit vendor, as he set himself ablaze in despair over his economic plight. Those videos kicked off the wave of 2011 Arab Spring demonstrations.
Abdesslem Trimech, the other man, fell into relative obscurity. (Source: The Mobile Wave: How Mobile Intelligence Will Change Everything by Michael Saylor)
Back in 2005, a retail fraud investigator for one of the larger chain stores said that while he was still unable to capture a usable image of a credit card from even the then newer camera phones, he has been able to grab readable images of all account and routing info from the personal checks customers have produced at the checkout. Check writers, he says, have a tendency to "lay out" their check books on the writing counter at the registers and keep them stationary enough to obtain a clear image of all the personal information printed on the check. He has also tested this theory with camera-equipped palm tops and has found that with the adjustable resolution he has been able to get a pretty clear picture, with zoom, from a reasonable distance away (3-5 feet). So at this point in time, as phone cameras get better and better, your credit card might still be secure but your personal check might not be.
So, what personal information does your mobile phone reveal about you? Do you know? Do you care?
It seems that many people are slowly becoming more aware of the pitfalls and the mobile-privacy concerns.
According to reports, 54% of cell phone users in the U.S. have decided not to install an app once they discovered how much of their personal information it would access. (The amount of sensitive info an app can access typically is indicated by the "permissions" the app requests, listed on its information page.)
Also, nearly one-third of mobile app users report uninstalling an app from their phone because they learned it was collecting personal information they didn't wish to share.
We need to first be aware and also be willing to actively take steps in order to protect our own privacy. Children of all ages need to be carefully taught as well.
Okay, but what about students? Do students have an expectation of privacy on their cell phones while at school?
The short answer to this in the U.S. is a qualified yes. Whether educators have the authority to search the contents of student cell phones depends on a lot of factors. The key issue in this is the standard of reasonableness. According to New Jersey v. T.L.O (1985) students are protected by the Fourth Amendment to the U.S. Constitution which protects citizens against unreasonable searches and seizures. In T.L.O., the Supreme Court goes on to say that the standard that law enforcement officers must reach to conduct a search (probable cause that a crime has been committed), is not required of educators. In general, the standard applied to school officials is whether the search is “justified at its inception and reasonable in scope.” (See When can educators search student cell phones)
What information should children be taught NEVER to reveal?
The suggestions depend on their age. Common 'wisdom' suggests the following:
Elementary School Kids should NEVER share (their own or another’s):
Age
Full Name
Address
Phone Number
Name of School
Password Information
Images (with possible exception depending on parental involvement)
Middle School Kids should NEVER share (their own or another’s):
Age
Full Name
Address
Phone Number
Name of School
Password Information (even to friends)
Most Images (At this age, kids get into social networking and will be sharing images via cell phones and digital cameras. Parents should focus on limiting the images their children share online)
High School Kids should NEVER share (their own or another’s):
Address
Phone Number
Password Information (even to friends)
Offensive or Sexually Suggestive Images or Messages
If you managed to get this far there must have been something that concerned you.
Congratulations! Learning more about privacy is the first step.
Here's one more little trick you might try since you spent all the time getting here. :highfive:
Want to have an unlisted phone but would not like to have to pay monthly for it? Ask your phone company to replace your last name with another name - your grandmother’s maiden name or something that you never use. This will cost a few dollars, but works very well. Many phone companies will do this for you. No monthly fees for having your number unlisted and as soon as you hear someone calling you Mr. {your grandmother’s maiden name}, you can either block the number or request to be put on the company’s Do Not Call List or <fill in the blank of your choice>. Note that Caller ID takes its information from the phone book, so you will be identified as Mr. {your grandmother’s maiden name} on Caller ID units of people you call unless you turn this feature off.
Another helpful addition to the listing (available in some areas) is: "(data line)", meaning that the phone number is connected to a fax or computer and not to a live person. Check with your local company if this option is available.
Some time ago, in a concerted effort, multiple ACLU affiliates filed a total of 381 Freedom of Information Act (FoIA) requests in 32 states, asking local law enforcement agencies to disclose how they are using mobile phone location data.
The FoIA request in North Carolina struck gold: a copy of an official Department of Justice flyer, dated August 2010 that explains exactly what data is retained by Verizon Wireless, T-Mobile, AT&T, Sprint, and Sprint division Nextel. There's an enhanced copy on the ACLU website.
The eye-openers:
All of the mobile phone companies keep details about the location of cell towers used by every phone, for a year or longer.
All of the mobile phone companies keep records about voice calls and text messages received and sent for a year or longer. Verizon stores the contents of every text message for three to five days. (The others don't keep the text.)
IP session information -- tying your phone to an IP address -- is kept for a year by Verizon and 60 days on Sprint and Nextel.
IP destination information -- which IP addresses you connected to -- is stored for 90 days at Verizon and 60 days on Sprint and Nextel.
The ACLU is gathering information on what steps local police have to go through in order to acquire that stored data: warrants, formal requests, emergencies, possibly even informal procedures. They're also trying to figure out how law enforcement agencies share the data and how long it is retained.
There doesn't appear to be any sort of uniform nationwide policy or widespread judicial precedent.
The ACLU is also looking at law enforcement requests to "identify all of the cell phones at a particular location" and "systems whereby law enforcement agents are notified whenever a cell phone comes within a specific geographic area."
If you have been concerned about privacy and location data being leaked sporadically on your iOS or Android or Windows Phone device it seems you have been looking at very, very small potatoes!
Comments? Suggestions? Ideas? They are all welcome.
Flame wars (relating to privacy or otherwise) are not. :-]
[ Another place holder ]
[GUIDE] Some Incredibly Simple Things To Protect Your Privacy!
If you find this thread helpful then do not forget to
Rate: *****
Submit thread as News Tip
If you find a particular post is helpful, please click on the Thanks button
If you are using XDA App or Tapatalk, long press on the post and select :good: Thanks
Thanks ny_limited - I just did all these!
Cheers
Tom
Szczepanik said:
If you find this thread helpful then do not forget to
Rate: *****
Submit thread as News Tip
If you find a particular post is helpful, please click on the Thanks button
If you are using XDA App or Tapatalk, long press on the post and select :good: Thanks
Thanks ny_limited - I just did all these!
Cheers
Tom
Click to expand...
Click to collapse
Appreciate the kind works, Tom, but.. This thread is for the non-technical ones among us. I suspect you are more technical than I am thus you hardly qualify to be here.
Thanks for the tips.
For extra protection, there's quite a few security apps on the market that will lock whatever information sensitive apps you want locked, usually with the same security options that your phone offers i.e. Password, PIN, pattern etc.
Just search "app lock" in the play store, for those interested.
--> dominating your screen from my t-mobile gs3, powered by: FreeGS3 R7 "Resurrection"
Complacency is one thing that most if not all internet/mobile/computing user have. I always advocate "Do not remember my password" while browsing from any form of medium to my friends. You never know when you will get compromised. Just leave your computer for a moment, your friend with malicious intent can extract all your private information with a simple and obtainable usb trick..
Even the thing most personal to me, my mobile phone, has no sites on "Log me in always" checked.
I hope websites would leave the box unchecked, as sites I visit always encourage user to have that option enabled. E.g. Ebay, Facebook..
Post # 2 has been updated just in case you need more reading material.
ny_limited said:
Post # 2 has been updated just in case you need more reading material.
Click to expand...
Click to collapse
like 1 better :good:
coohdeh said:
like 1 better :good:
Click to expand...
Click to collapse
Agreed. I guess I really didn't need the 3rd placeholder after all.
---
Spes in virtute est. (via XDA app)
This article is just over a year old but still makes good reading if you haven't seen it yet.
Few people would willingly carry around a device that tracks their movements, records their conversations, and keeps tabs on all the people they talk to. But, according to documents recently released by the American Civil Liberties Union, cell phone companies are doing all of that -- and may be passing the information on to law enforcement agencies.
"Retention Periods of Major Cellular Service Providers," an August 2010 document produced by the Department of Justice, outlines the types of information collected by various cell phone companies, as well as the amount of time that they retain it. On some levels, this is reassuring: Verizon (VZ) is the only company that holds on to text message content, and they erase it after 3-5 days. However, text message details -- the information about who you text with -- is retained for a minimum of a year, with some companies keeping it for up to seven years. In other words, that little back-and-forth you had with Bernie Madoff back in 2007 will be on the books until 2014.
Complete article is here
Click to expand...
Click to collapse
The privacy buck stops with the user
Yes, those terms of service are annoying. They're usually too complicated and too long, and users who want a certain mobile app will be inclined to click 'next' without actually reading the fine print, even if they're worried about what rights they're signing away. Still, "cellphone users need to take responsibility for their own data," maintains Steve Durbin, global VP of the Information Security Forum.
Click to expand...
Click to collapse
Cellphone and smartphone users have a love-hate relationship with mobile apps. While they love the functionality and enhanced user experience they bring to the table, clearly many hate the perceived privacy intrusions, suggests a newly released report from the Pew Internet & American Life Project.
More than half -- 54 percent -- of app users surveyed decided against installing a cellphone app when they discovered how much personal information they would need to share in order to use it. Thirty percent uninstalled an app that was already on their cellphone because they learned it was collecting personal information that they didn't wish to share.
Many cellphone users take additional steps to protect the personal data on their mobile devices, including backing up photos, contacts and other files -- tasks performed by 41 percent of those surveyed. Some 32 percent have cleared the browsing or search histories on their phone, and 19 percent have turned off the location-tracking feature due to privacy concerns.
Finally, 12 percent of cell owners say that another person has accessed their phone's contents in a way that made them feel that their privacy had been invaded.
The complete article was written by Erika Morphy and published in the E-Commerce Times in September.
i just know that you can monitor the keywords via google alerts
some useful information here. Thanks a lot!
More cell phone privacy notes
Police Searches of Cell Phones
You may have a legitimate expectation of privacy of the information stored in your cell phone, and so a search warrant may be needed before a police officer can look at your phone's data. However, an officer has the authority to search a cell phone when the search is "incident to an arrest." The search is deemed similar to an officer that searches a closed container on or near a person that he's arresting.
Traditional search warrant exceptions apply to the search of cell phones. Where the accessing of memory is a valid search incident to arrest, the court need not decide whether exigent circumstances also justify the officer's retrieval of the numbers from your cell phone. Police officers are not limited to search only for weapons or instruments of escape on the person being arrested. Rather, they may also, without any additional justification, look for evidence of the arrestee's crime on his person in order to preserve it for use at trial.
Illegally Intercepted Communications
Most people would think that public broadcasting of an illegally intercepted cell phone conversation would be illegal. Well, the US Supreme Court has found that (U.S.) the First Amendment allows an illegally intercepted cell phone conversation to be shared with others when the conversation involves matters of significant public interest. The lesson here is to be careful because technology has increased the chances that your cell phone conversations are being recorded and could be made public or used against you.
Cell Phone GPS Tracking
Although there are many advantages to cell phone GPS tracking, there are also privacy concerns. As most people carry their cell phone with them at all times, the ability is in place to track the exact movements of all individuals. Cell phone GPS could prove useful in saving lives during emergencies.
For these reasons the (U.S.) Federal Communications Commission (FCC) requires wireless network providers to give the cell phone GPS tracking location information for 911 calls that have been made from cell phones. This is known as E911. The law on E911 is fairly explicit. It allows carriers to provide tracking location information to third parties for E911 emergency calls only, however not under any other circumstances whatsoever without the consent of the cell phone owner. Recent court hearings have disallowed the requests of law enforcement agencies to obtain cell phone GPS tracking information from the cell phone companies for suspects in criminal investigations.
The complete article was written and published on Lawyers.com.
Instagram says it now has the right to sell your photos
Instagram said today that it has the perpetual right to sell users' photographs without payment or notification, a dramatic policy shift that quickly sparked a public outcry.
The new intellectual property policy, which takes effect on January 16, comes three months after Facebook completed its acquisition of the popular photo-sharing site. Unless Instagram users delete their accounts before the January deadline, they cannot opt out.
Under the new policy, Facebook claims the perpetual right to license all public Instagram photos to companies or any other organization, including for advertising purposes, which would effectively transform the Web site into the world's largest stock photo agency. One irked Twitter user quipped that "Instagram is now the new iStockPhoto, except they won't have to pay you anything to use your images."
"It's asking people to agree to unspecified future commercial use of their photos," says Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation. "That makes it challenging for someone to give informed consent to that deal."
The complete article is written by Declan McCullagh and published in c|net.
Thanks to FameWolf for the link!
Horrible Autoplay Video Ads Are Coming to Facebook
Facebook will unveil a new video ad product that will auto-play commercials upon arrival, executives told AdWeek's Jason del Ray. This most annoying addition, which will allow advertisers a chance to slap unsolicited videos all over the Facebook news feed, is expected to launch by April 2013, the sources say. And, to reiterate, yes, these will be the same variant of videos that pollute the ESPN.com homepage — the ones that start without you asking them to.
Facebook, which has been trying just about every kind of new ad it can this year, has not yet decided if these commercials will automatically play with or without sound. But in either case, you can bet they'll be a pain — and you can expect plenty of frustrated users. On the desktop version of Facebook, the vids will expand "out of the news feed into webpage real estate in both the left and right columns -- or rails -- of the screen," explains del Ray. Meaning: they will be everywhere. Also, for people who use a million tabs on older computers, imagine a ton of video playing over and over: slow-load city. Add a little audio in the mix and we can already see the confused masses looking for that one tab with the unwanted sound coming out of it. Oh, yeah, this is a really great idea, Facebook. As if you weren't full of those this week already.
The complete article is written by Rebecca Greenfield, published in The Atlatic Wire
ny_limited said:
Instagram said today that it has the perpetual right to sell users' photographs without payment or notification, a dramatic policy shift that quickly sparked a public outcry.
The new intellectual property policy, which takes effect on January 16, comes three months after Facebook completed its acquisition of the popular photo-sharing site. Unless Instagram users delete their accounts before the January deadline, they cannot opt out.
Under the new policy, Facebook claims the perpetual right to license all public Instagram photos to companies or any other organization, including for advertising purposes, which would effectively transform the Web site into the world's largest stock photo agency. One irked Twitter user quipped that "Instagram is now the new iStockPhoto, except they won't have to pay you anything to use your images."
"It's asking people to agree to unspecified future commercial use of their photos," says Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation. "That makes it challenging for someone to give informed consent to that deal."
The complete article is written by Declan McCullagh and published in c|net.
Thanks to FameWolf for the link!
Click to expand...
Click to collapse
Instagram has backed off the language in its new privacy and terms of service policies that set off a significant firestorm online. Instagram cofounder Kevin Systrom posted on the company’s blog under the title “Thank you, and we’re listening”. Whether you believe him or not you can read more about it at Forbes.
Happy New Year, everyone!
Enjoy the festivities!
Will see you all next year!
New 2013 CA laws affect online privacy, homeowners, schools
From protecting your online privacy to party buses, there are 750 new California (USA) laws taking effect in 2013.
The complete KABC-TV (Los Angeles) article of January 1, 2013 can be found here.
[USA] New laws keep employers out of worker social media accounts
Employers in Illinois and California cannot ask for usernames and passwords to the personal social media accounts of employees and job seekers under laws that took effect on Jan. 1.
Illinois Gov. Patrick Quinn in August signed legislation amending the State's 'Right to Privacy in the Workplace Act.'
California Gov. Jerry Brown signed legislation adding the prohibitions to the State's Labor Code in September.
The two states join Maryland, Michigan, New Jersey and Delaware in implementing such privacy laws.
Full ComputerWorld article: http://bit.ly/118L2tM
Hey XDAian...:laugh:
Get ready for few suggestions & discussion.
Based on some pretty interesting facts about "mobile in general", The smartphone segment has brought accessibility to millions around the world, at work and at home. Naturally, all the data in those devices, wirelessly accessible, becomes a gold mine for those with nefarious motives to exploit.
On the work front, smartphones are a huge contributor to productivity. At home, they provide meaningful and useful (and sometimes redundant) ways to stay in touch with friends and family. The more of these devices we buy, the bigger the opportunity is for criminals, because there are so many ways to get the data. We might lose a device, or its is stolen, we might download a bad application, or soon brush against an NFC tag or visit a bad web-page. The possibilities are so diverse compared to a PC or server farm hardwired to the internet.
With the tremendous growth of the smartphone market not expected to slow down anytime soon, people and organizations must be vigilant in guarding against breaches of their data and/or personal information. Even as organized hackers work on ways to score the high-value breach, they are working on high-volume, low-risk attacks against weaker targets as well.
In addition to some tips about securing mobile devices, the infographic has some interesting facts from 2011 in there as well, such as 855 breaches resulted in the theft of 174 million records.
We Need some Security Applications for preventing our valuable data (like Msgs, Contacts, Pin codes etc). Therefore, from my side this thread belong to all XDAians.
Please suggest the latest, finest Applications & few tremendous suggestion from all Devs, RC, RD & Members.
I like a Security based Application called LBE Privacy Guard to Prevent sending data through various applications installed at our Mobile.:good:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Some Great Ideas Received from Our XDA Members. Which are here follows:
As this OP thread may become too long so, for Batter view just press "Show Contents" for there suggestions.
A Very Big thanks to Android Police, Phone Arena & Android Authority for survey about malwares & security.
How to secure your Android phone and protect your data
All software has security vulnerabilities. It is a fact. You only need to look at the software updates that are issued by the big companies like Microsoft, Adobe, Apple and Google to see how prevalent is this security problem. Smartphones aren’t immune, not iPhones, not Windows Phones and not Android. But there are some simple things you can do that will drastically reduce your exposure and help secure your Android phone or tablet, as well as protect your data.
A recent report by Check Point, the firewall maker, estimated that €36+ million has been stolen from corporate and private bank accounts in Europe by a group running a campaign of attacks known as “Eurograbber”. The campaign infected victim’s mobile phones with a piece of malware which could intercept SMS messages. When the victim used their online banking the SMS authentication code sent to the phone was intercepted. This then allowed the attackers to access the victim’s account.
Securing your smartphone and protecting yourself against malware isn’t about stopping some annoying virus getting on your device, it is about protecting your money, data and privacy.
There are several different areas in which you can improve your phone’s security including physical access, malware protection and encryption.
Who has access to your phone?
RULE #1 – Never leave your phone laying around where uninvited guests can access it
Before looking at things like malware and data stealing apps, the simplest form of security is to limit physical access to your phone. There maybe lots of sophisticated remote attacks out there but if all I need to do is quickly pickup your phone and access your emails, PayPal, eBay or Amazon account while you pop off to get a coffee then all the security software in the world won’t do you any good.
RULE #2 – Use a lock screen
It is also essential that you use a lock screen. This stops everyone from small kids to determined snoopers from sneakily accessing your device. Modern Android versions have a whole gamut of lock screen options including pattern unlock, PIN numbers and password protection. To set these go to Settings and then tap Security. You can also customize how quickly the lock is automatically applied.
RULE #3 - Set a PIN to protect purchases on Google Play
It is also possible to set a PIN for purchases in Google Play. With the PIN any would-be trickster (or small child) won’t be able to buy content from Google’s app store. To set it, start the Google Play app, go to setting and then tap “Set or change PIN”. After the PIN is set, tap “Use PIN for purchases” to require the PIN before purchasing anything from the store.
RULE #4 – Install a phone location app or use a security app with an anti-theft component
Keeping your phone nearby and using a lock screen will thwart snoopers but the determined criminal will simply just walk away with your phone and try to extract the data later or simple wipe your phone and try and selling it. The first few hours after you phone has been taken are the most critical. To find your phone it is important to use a phone location service like Where’s My Droid or install a security app with an anti-theft option like avast! Mobile Security.
Malware
RULE #5 – Don’t install apps from dodgy third party sites, stick to places like Google Play or the Amazon appstore
Because Android is so popular, it is normal for it to become a malware target. Malware authors don’t waste their time writing malware for a phone operating system that no one is using. This means that there is lots of Android malware out there. But here is thing, how does Android malware spread? Unlike worms, which spread automatically over the network or viruses which tend to spread via USB flash drives etc., the majority of Android malware needs to be installed manually. There have been some exceptions but in general it is unsuspecting users that install the malware themselves onto their own phones.
The malware authors have lots of dirty tricks to try and fool potential victims into installing their malware. One very common approach is to offer a free version of a popular non-free app with the malware hidden inside the app. Greedy users who think they are getting a bargain because they have managed to save $0.69, but in fact are infecting their devices with malware. Over 99% of Android malware is spread via third party app sites. Don’t use them.
RULE #6 – Always read the reviews of apps before installing them
RULE #7 – Check the permissions the app needs. Games generally don’t need to send SMS messages etc
A small percentage of malware is spread via Google Play, but the apps in question normally only survive a few hours on the store before being removed. To avoid such rare cases it is always important to read the reviews of other users and always check the app permissions.
RULE #8 – Never follow links in unsolicited emails or text messages to install an app
If the malware authors can’t get you via a third party store or their apps are taken down from Google Play, they have one more trick, unsolicited emails and text messages asking you to install an app. In the “Eurograbber” campaign, what the attackers did was infect the victim’s PC with a piece a malware (something which is a lot easier than infecting an Android phone) and then via that malware they tricked the user into installing their “enhanced security” app on their phone. The PC malware monitored the victim’s Internet usage and when they went to an online banking site the malware pretended to be a warning from the bank telling them to install an app on their smartphone. It was all downhill from there for the poor victim.
RULE #9 – Use an anti-virus / anti-malware app
Even with diligence it is possible for malware to find its way on to your device. It is therefore important that you install an anti-virus / anti-malware app. This best antivirus apps for Android article will help you choose one, but if you don’t have time right now then go for Kaspersky Mobile Security (paid) or avast! Mobile Security (free)
Rooting
RULE #10 – Don’t root your phone unless you absolutely need to
Some of my colleagues here at Android Authority are very keen on rooting and I can understand why. The lure of custom ROMs and the ability to tweak different parts of the OS are all part of what makes Android great. But, Android was designed with a very particular security model which limits what an app can do. By rooting a device this security model breaks. Even the CyanogenMod team acknowledged that there are limited uses for root and none that warrant shipping the OS defaulted to unsecured. The problem is there are specific types of Android malware that circumvent Android’s security mechanisms by using the existing root access. With root access, the malware can access parts of Android that are supposed to be protected by the permissions system.
Encryption
RULE #11 - If your device has valuable data on it then use encryption
Since Android 3 it is possible to use full encryption on a phone or tablet. By encrypting your device all the data including your Google Accounts, application data, media and downloaded information etc. becomes inaccessible without the right password or PIN. Every time you boot the device you must enter the PIN or password to decrypt it. If your device has valuable data on it using this encryption is a must. NASA recently had an embarrassing episode where a laptop was taken that held personally identifiable information of “at least” 10,000 NASA employees and contractors. After the incident NASA decided that any devices that leave a NASA building need to use full disk encryption.
RULE #12 – Use a VPN on unsecured Wi-Fi connections
While on the subject of encryption it is worth remembering that if you are using a public unsecured Wi-Fi hot spot all of the data that is send using http:// (rather than https://) can be seen my any network snooper. In the past security researchers have shown how easy can be to steal passwords to the popular social networking sites just by using a laptop and waiting around near a public open hot spot. To avoid revealing your password and other data, don’t use open Wi-Fi hot spots or use a virtual private network (VPN) to secure your connection.
Conclusion
If you follow these twelve rules and remain vigilant you should never have any security troubles with malware, thieves, hackers or any small furry animals! OK, that last part isn’t true, but the rest is!
Source: Android policereserved for articles
Android malware perspective: only 0.5% comes from the Play Store
Are Android apps secure enough for us to let them handle our finances and personal information? Quite a few of them aren't, according to a recent research that analyzed how well various applications protect the user's sensitive data. The study was conducted by the Leibniz University of Hannover, Germany, in partnership with the Philipps University of Marburg, the researchers came up with a list of 41 Android apps that should use tighter security measures.
In particular, these apps were discovered to expose the user's data at risk while a device running Android 4.0 is communicating with a web server. What's even more worrying is that these insecure apps were among the most popular ones on Google Play, being downloaded between 39.5 million and 185 million times already. The names of the applications were not disclosed.
"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers wrote after conducting their study. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted." The contents of e-mails and instant messages could also be accessed.
But how could one use these apps' security flaws to their advantage? Simply put, if an Android smartphone or a tablet is connected to a vulnerable local area network, such as a Wi-Fi hotspot, an attacker could potentially crack the security protocols used by the apps and snoop on the data they exchange. Sure, the attacker will need to have a certain exploit monitoring the activity on the network, but obtaining access to such a tool isn't as hard as it may seem.
Scary stuff, we know, which is why there should be more awareness amongst developers about implementing proper security features within apps, as the researchers suggest. There are certain methods that can make security protocols tougher to crack, or the apps could simply be checked for vulnerabilities at the time they are being installed. In fact, Google is said to have ramped up security in Android 4.2, thus likely making the platform more resistant to hacks like the one described above. What measures have been taken, however, will be known with certainty in a few days – On October 29, to be more specific, which is when a new Android release is probably going to be unveiled.
For more in Deep: check out here: Click Here
Over 60% of Android malware steals your money via premium SMS, hides in fake forms of popular apps
Over 60% of Android malware steals your money via premium SMS, hides in fake forms of popular apps
Like any popular platform, Android has malware. Google’s mobile operating system is relatively new, however, so the problem is still taking form. In fact, it turns out that the larger majority of threats on Android come from a single malware family: Android.FakeInstaller, also known as OpFake, which generates revenue by silently sending expensive text messages in the background.
McAfee says that the malware family makes up more than 60 percent of Android samples the company processes. So now the question is: why is this malware so popular amongst cybercriminals?
The reason is simple: it’s extremely effective. Android users seem to fall for fake apps on a regular basis. Furthermore, since the whole of the malware appears to make money, it’s not surprising that those behind this one continue to keep it updated. McAfee agrees:
Malware authors appear to make lots of money with this type of fraud, so they are determined to continue improving their infrastructure, code, and techniques to try to avoid antivirus software. It’s an ongoing struggle, but we are constantly working to keep up with their advances.
This malware type has been in the news for months, mainly because there have been so many fake apps created, including for popular ones like Instagram and Skype. On top of that, those behind it seem to keep adding various types of functionality to avoid detection by antimalware solutions, including server-side polymorphism, obfuscation, antireversing techniques, and frequent recompilation.
How it works
Cybercriminals typically create fake versions of a given popular Android app to earn money from unsuspecting users. There have also been instances of the malware being bundled with a legitimate version of popular apps. The apps appear to be legitimate, including screenshots, descriptions, user reviews, videos, and so on. Users never get the app they want, but instead get a lot more than they bargained for.
The malware authors often set up fake websites advertising the fake version of the app. Many of these are shared on questionable websites, but many are also shared on fake Facebook and Twitter accounts that spam legitimate users on social networks.
Upon installation, the malware often displays a service agreement that tells the user that one or more SMS messages will be sent. The user is forced to click an Agree or Next button, but some versions send the messages before the victim even taps the button. There are often fake progress bars to keep the user further in the dark.
Either way, the devil is in the details. In the background, the malicious app sends expensive international text messages to earn its creators revenue. Some variants even connect to a Command & Control (C&C) server to send and retrieve data, as well as await further instructions.
Early versions of FakeInstaller were created only for Eastern European users, but malware developers have expanded their fraud to other countries by adding instructions to get the device’s Mobile Country Code and Mobile Network Code. Based on that information, the malware selects a corresponding premium-rate numbers.
How to protect yourself
The good news here is that since this malware family is so prevalent, it’s rather easy to avoid it: just don’t download fake apps. Android lets you download and install apps from anywhere, but unless you know what you’re doing, you shouldn’t be installing anything and everything you can on your phone or tablet.
If you want to significantly reduce your chance of getting malware such as this one, only install apps from the official Google Play store. That being said, malware has snuck into the store before, so it can happen again.
As a result, the way to protect yourself is the same as on any other platform: don’t click on questionable links and don’t download random apps. Always check to see if what you’re getting is legitimate and you should be fine.
Android’s malware problem is getting worse, and only users of the latest version are safe from harm
Earlier this year, we saw a report that said there was a 163% rise in the number of malware-infected Android devices in 2012. As shocking as that figure might be, we have a new report now that says the problem has blown up even further.
According to a recently published report[1] from networking vendor Juniper Networks, the number of mobile threats grew an astonishing 614% from March 2012 to March 2013. This equates to a grand total of 276,259 malicious samples, according to research done by the company's Mobile Threat Center or MTC.
What exactly constitutes such a large amount of mobile threats? It is said that the majority of these mobile threats — 77% of the total — come in the form of money-siphoning applications that either force users to send SMS messages to so-called premium-rate numbers or somehow manage to perform the sending of SMS messages all on their own.
They go virtually undetected as they are normally bundled with pirated apps and appear as normal applications. Typically, these malicious apps can net their creators an average profit of about $10 per user, according to Juniper Networks.
As it is currently the most popular mobile device platform in the world, it's easy to see why Android would be targeted with such malicious activities. But perhaps you're wondering, is there anything that can be done to combat this problem?
ndeed, there is. In Android 4.2 Jelly Bean, a new safety feature was introduced in order to stop wayward SMS messages dead in their tracks. But that in itself is a huge problem: Android 4.2, the latest version of the Google mobile operating system, is only available on a tiny fraction of all Android-powered devices out on the market. In fact, many of today's newer devices don't even ship with it. So the relevant safety features, as useful as they might be, becomes pretty much useless.
Even worse, the money-making malware mentioned above represents only one type of mobile threat on Android. Android spyware is also present, accounting for 19% of the total malicious samples collected in the above-mentioned research. These could potentially put a user's privacy at risk, collecting sensitive data and all kinds of information then relaying them to the spyware's creator.
Trojan apps have also been discovered to be part of the overall Android ecosystem. Although they form a very small part of the entire body of mobile threats on Android right now, it is possible for them to become more widespread in the future. If the fix really only lies in having the latest version of Android installed on a device, and the issue of fragmentation — not to mention the slow software updates from carriers and OEMs — persists, that's almost a certainty.
What do you think could be done to finally overcome these kinds of problems? Will it be the end of Android as we know it? Let us hear your thoughts in the comments.
Mobile malware getting out of control? Study claims 614% increase on year, Android accounts for 92% of total infections
A terrifying report was released two days ago by the Mobile Threat Center arm (MTC) of Juniper Networks – a manufacturer of network equipment with a hefty stake in enterprise security. According to Juniper, its MTC research facility is dedicated to 'around-the-clock mobile security and privacy research'. The MTC found mobile malware growing exponentially at an alarming rate – a 614% on year increase reaching a total of just about 280,000 malicious apps.
Read full article here
A major app vulnerability has been found which can be effect 99 percent of the Android smartphones on the planet.
A major app vulnerability has been found which can be effect 99 percent of the Android smartphones on the planet. The issue was unraveled by Bluebox security, which claimed to have found an ‘Android Master Key’ that could allow a hacker to turn any Android app into a malicious zombie.
This basically means that an app could allow hackers to capture data and control a device remotely, without the owner and the app developer knowing about it.
And the kicker is that, this is not a new vulnerability as Bluebox has discovered that it has existed since Android 1.6 Donut, which is four years old.
Jeff Forristal, CTO of Bluebox securities revealed that his company had found a way where in a hacker could possibly load an app with malware and still make it appear to be a legitimate file. This bit is important because verified apps are granted full access by default on the Android system.
However, on the bright side apps on the Google Play store are impervious to this problem, so if one sticks to downloading apps from the Play store then one is in the clear. That said, there are a number of third party app stores and users can even download APKs directly off the web and here’s where the danger lies as it is possible for users to download tampered apps.
This problem is accentuated more in countries like China where users like to use local app store over the Google Play store and many OEMs like Xiaomi don’t even bundle the Google Play store on the device by default.
Bluebox securities claims that it reported the problem to Google way back in February and the issue has already been resolved for the Galaxy S4 and currently Google is taking a look at the Nexus range of hardware.
Cryptographic bug in Android lets hackers create malicious apps with system access
Security researchers have found a bug in Android which allows them to create malicious Android apps which appear to be genuine with the correct digital signatures. In computing, digital signatures allow any piece of data, including an app, to be checked to see that it is genuine and actually comes from the author. Now, due to a bug in Android, it is possible to create a fake app and sign it so it looks like a real app from any author including Google, or others like Samsung, HTC and Sony.
Since the digital signatures of Google and handset manufacturers can be faked it is possible to create a low level system app which has absolute access to the device. These system apps, which have what is known as 'System UID access' can perform any function on the phone including modifying system-level software and system-level parameters.
If such an app is installed on an Android phone, the user would be completely vulnerable to a multitude of attacks including key-logging and password sniffing. The researchers at Bluebox Security informed Google about the flaw (Android security bug 8219321) back in February and are now planning to reveal details of the bug at an upcoming security conference.
More details -> here
Survey: Juniper Networks Whitepaper (Warning: PDF)
reserved.
Thanks for this thread buddy
Sent from my GT-N7100 using xda app-developers app
Tha TechnoCrat said:
Thanks for this thread buddy
Sent from my GT-N7100 using xda app-developers app
Click to expand...
Click to collapse
Great to see you here buddy. Actually I wanted to shift my whole thread here but MOD denied and ask me to carry on with new phase. So here I am.
Thank you Vikesh for creating this thread.
In my view
Everyday every hour and every minute hackers are coming up with new viruses and malware
Not only they can corrupt your phone but also steal confidential information like credit card number, password and other important data.So every Android user should spend some money on the anti viruses to save your confidential information and money of course.
Sent from my GT-I9103 using xda app-developers app
Major app vulnerability found, could effect 99 percent Android smartphones
A major app vulnerability has been found which can be effect 99 percent of the Android smartphones on the planet. The issue was unraveled by Bluebox security, which claimed to have found an ‘Android Master Key’ that could allow a hacker to turn any Android app into a malicious zombie.
Continue in post 3
Cryptographic bug in Android lets hackers create malicious apps with system access
Security researchers have found a bug in Android which allows them to create malicious Android apps which appear to be genuine with the correct digital signatures. In computing, digital signatures allow any piece of data, including an app, to be checked to see that it is genuine and actually comes from the author. Now, due to a bug in Android, it is possible to create a fake app and sign it so it looks like a real app from any author including Google, or others like Samsung, HTC and Sony.
continue in Post 3
Every GSM phone needs a SIM card, and you'd think such a ubiquitous standard would be immune to any hijack attempts. Evidently not, as Karsten Nohl of Security Research Labs -- who found a hole in GSM call encryption several years ago -- has uncovered a flaw that allows some SIM cards to be hacked with only a couple of text messages. By cloaking an SMS so it appears to have come from a carrier, Nohl said that in around a quarter of cases, he receives an error message back containing the necessary info to work out the SIM's digital key. With that knowledge, another text can be sent that opens it up so one can listen in on calls, send messages, make mobile purchases and steal all manner of data.
Apparently, this can all be done "in about two minutes, using a simple personal computer," but only affects SIMs running the older data encryption standard (DES). Cards with the newer Triple DES aren't affected; also, the other three quarters of SIMs with DES Nohl probed recognized his initial message as a fraud. There's no firm figure on how many SIMs are at risk, but Nohl estimates the number at up to 750 million. The GSM Association has been given some details of the exploit, which have been forwarded to carriers and SIM manufacturers that use DES. Nohl plans to spill the beans at the upcoming Black Hat meeting. If you're listening, fine folks at the NSA, tickets are still available.
Source-Tech Geek
"Thanks button is just to avoid "THANKS" posts in threads. Nothing more than that. Don't ask in signature or post for it and defeat the purpose why it was introduced"
Great info buddy. :good:
Thanks,
Disturbed™
Sent from my Disturbed™ Galaxy S4 using Tapatalk (VIP)
______________________________________________________
Wait for my time, U gonna pay for what U have done. - Disturbed™
Informative read. You also understand why the stores charge their Developer fees now. Not all third party sites host malware however. A lot of the buying community is ignorant (and understandably so) in detecting if malware has been applied. It's up to the community of ubiquitous OSs to report
JeffM123 said:
Informative read. You also understand why the stores charge their Developer fees now. Not all third party sites host malware however. A lot of the buying community is ignorant (and understandably so) in detecting if malware has been applied. It's up to the community of ubiquitous OSs to report
Click to expand...
Click to collapse
can provide more info for it?
Thanks,
Disturbed™
Sent from my Disturbed™ Galaxy S4 using Tapatalk (VIP)
______________________________________________________
Wait for my time, U gonna pay for what U have done. - Disturbed™
Malware using the Android Master Key intercepted in the wild, here's how to protect i
Malware using the Android Master Key intercepted in the wild, here's how to protect yourself
It was back at the beginning of the month when we first broke for you the news of a new, massive vulnerability, plaguing 99% of Android devices. First discovered by mobile security company Bluebox, the flaw was reported to Google back in February. Since then, Google has patched the Play Store and has provided its OEM partners with a patch for it.
Yet here we are again. And now it's official – the first detected malware taking advantage of the vulnerability has been intercepted by Symantec whilst running amok in China. The security giant reports that the code has been implanted in otherwise legit apps that help you find and appoint a meeting with a doctor. The source of the infected app? A third-party store, of course.
We won't get into the tech lingo, instead we'll just report that according to Symantec, the exploit grants said malicious code remote access to infected devices. This leaves the gates wide open, the company claims, for a wrongdoer to steal sensitive information such as your IMEI, phone number, and also send premium SMS messages and execute root commands.
Click here to know more
what is the best antivirus?
lolmann101 said:
what is the best antivirus?
Click to expand...
Click to collapse
For android, I may say your awareness is the best. First install the LBE Security Master. Let you know which application is gaining which privilege .
But if you want then you can check the first 1 to 4 posts. its in that.
How Google has been making Android a safer place since 2012
Last year in June, Google brought Android Jelly Bean 4.1 to the world. It was a wonderful day, too. It brought with it Project Butter, which spelled the end for lag for a lot of people. Android was running smoother and more complete than ever. Who’d have known that just a year later, we’d be introduced to Jelly Bean not for the second time, but for the third time. Android 4.3 was a mixed bag. Some people were disappointed that it wasn’t Key Lime Pie, but most were happy to see a plethora of improvements, some new features, and even more optimizations. One little footnote that most people have skimmed over so far, though, has been the added security.
It’s not news that malware stories are everywhere. Some of them are no big deal and some are completely ridiculous. Thanks to that, anti-virus companies have been cleaning up. People are more scared of malware on Android now than ever before and they’re flocking to anti-virus apps by the millions. It’s getting to the point where apps like Lookout are coming pre-installed on many devices when they’re shipped out. All because of some malware that, most of the time, is impossible to get unless you download apps from outside the approved channels.
Well, apparently Google is going to fix this problem themselves. JR Raphael over at Computer World has written up an excellent post about how Google is quietly keeping us safe. As it turns out, that little footnote that says that Android 4.3 contains security improvements probably shouldn’t have remained a footnote. It should’ve been printed on billboards and discussed everywhere.
You may have seen inklings of these security features already. We’ve covered one of them, the Android 4.3 Permission Manager, commonly known as Apps Ops. This nifty little feature lets you control what permissions your apps can use. It’s a lovely and powerful feature that’s baked right into Android 4.3. It’s still in beta right now, but eventually that’ll be a part of everyone’s Android experience.
So what other security enhancements does Google have in store for Android 4.3?
We are glad you asked. According to JR Raphael, Google has been working on these security features for years. We’ll do a quick breakdown.
Starting with Android 4.2, there was a feature called Verify Apps that was added. This scans phones both downloaded and side-loaded to make sure they didn’t contain malware or pose a threat.
Verify Apps was eventually made available to all devices from 2.3 onward. According to JR Raphael, that’s 95% of Android devices running currently.
This now works in tandem with another older feature, the app scanner in the Google Play Store that scans apps as they’re submitted to Google Play to make sure they aren’t malicious. This is why you can always download from Google Play without worries.
All of these features are currently on Android devices right now.
But wait, there’s more. In Android 4.3 specifically, they have added yet another security feature called SELinux. This stands for Security-Enhanced Linux and it essentially keeps the important parts of your phone safe. Most notably the operating system. So there is protection everywhere.
So we’ll add this up one more time. In the last two years, Google has implemented,
An app scanner in the Google Play Store that scans every single app uploaded and submitted. It rejects the bad apps and keeps the good ones.
A system on devices from Android 2.3 and up called Verify Apps that scans every app that gets installed on your device to make sure it’s not malicious. Keep in mind that if you download an app from the Google Play Store, it gets scanned twice.
Apps Ops –which is still in beta– that will let you control the individual permissions of any application you download and install. So if you don’t want, say, Facebook to see your location, you can prevent that from happening.
SELinux, a Linux security feature that protects the core operation system functionality.
Let’s not forget what you, the consumer can do to protect yourself,
Only download apps from known and trusted sources. These include the Play Store and the Amazon App Store, among others.
Use your common sense. In most cases, malware apps are easy to spot. If you download the free Angry Birds cheat app from GivingYouMalware.com, the end result is rather predictable.
So without an anti-virus app, there are 6 things that are protecting you from the big bad malware threats. That’s a whole lot more than most people realize and it’s an ever expanding project from Google to keep everyone safe from garbage applications. Now here’s the big question. Do you think it’s enough? Or should Google keep going?
@Disturbed™ buddy could you post that new KNOX feature here?
Sent from my GT-I9103 using xda app-developers app
Few words from Wikipedia:
Samsung Knox (trademarked Samsung KNOX) is an enterprise mobile security solution that addresses the needs of enterprise IT without invading its employees' privacy. The service, first released on the Samsung Galaxy S4 mobile device, provides security features that enable business and personal content to coexist on the same mobile device. Samsung Knox is an Android-based platform that uses container technology, among other features, to allow for separation of work and personal life on mobile devices.
Services
Samsung Knox provides enterprise security features that enable business and personal content to coexist on the same handset. The user presses an icon that switches from Personal to Work use with no delay or reboot wait time. Knox will be fully compatible with Android and Google and will provide full separation of work and personal data on mobile devices. Samsung claims that the Knox service "addresses all major security gaps in Android."
The Knox service is part of the company's Samsung for Enterprise (SAFE) offerings for smartphones and tablets. Samsung Knox’s primary competitor is Blackberry Balance, a service that separates personal and work data, but BlackBerry’s service does not include management of work space through containers in Active Directory and other features such as direct Office 365 and Exchange 2010, ActiveSync, iOS management, Single Sign-On, and complete customization for operability on Samsung device settings.
The service's name, Samsung Knox, is inspired by Fort Knox.
From Engadget:
Samsung's Knox security solution has tended to mostly garner headlines when the company's phones get approval from the likes of the US Defense Department, but it's now set to broaden its user base considerably. In addition to announcing that it's bolstering the offering with some help from Lookout, Samsung has also confirmed today that its opening the platform up to all consumers. That will give security-minded users an added layer of protection, with Knox letting you store personal data and run a set of pre-screened apps in a so-called container -- other apps can still be run outside the container, but with only limited access to your personal information. Naturally, you'll need a Samsung device to take advantage of it.
For more information : http://www.samsungknox.com.
Thanks: Wiki & Engadget
Almost 1,000 fraudulent apps published on Google Play in August alone
Almost 1,000 fraudulent apps published on Google Play in August alone
Yes, there are downsides to Google’s policy of letting anyone publish their apps on Google Play. Symantec has found that scammers published almost 1,000 fraudulent apps on Google Play in August alone, most of which were deleted within hours of posting on the store.
But even though Google was quick to delete the fraudulent Android apps, Symantec estimates that they were still downloaded more than 10,000 times. Symantec also says that one group is responsible for 97 percent of the fraudulent apps, which typically “include numerous links to various online adult-related sites, but one or two links actually lead to fraudulent sites that attempt to con people into paying a fee without properly signing them up for the paid service.”
Source:BGR.in
What absolute [email protected]
So... how do we get around this?
The First Horseman of the Privacy Apocalypse Has Already Arrived: Verizon Announces Plans to Install Spyware on All Its Android Phones
Within days of Congress repealing online privacy protections, Verizon has announced new plans to install software on customers’ devices to track what apps customers have downloaded. With this spyware, Verizon will be able to sell ads to you across the Internet based on things like which bank you use and whether you’ve downloaded a fertility app.
Verizon’s use of “AppFlash”—an app launcher and web search utility that Verizon will be rolling out to their subscribers’ Android devices “in the coming weeks”—is just the latest display of wireless carriers’ stunning willingness to compromise the security and privacy of their customers by installing spyware on end devices.
The AppFlash Privacy Policy published by Verizon states that the app can be used to
“collect information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them. We also access information about the list of apps you have on your device.”
Troubling as it may be to collect intimate details about what apps you have installed, the policy also illustrates Verizon’s intent to gather location and contact information:
“AppFlash also collects information about your device’s precise location from your device operating system as well as contact information you store on your device.”
And what will Verizon use all of this information for? Why, targeted advertising on third-party websites, of course:
“AppFlash information may be shared within the Verizon family of companies, including companies like AOL who may use it to help provide more relevant advertising within the AppFlash experiences and in other places, including non-Verizon sites, services and devices.”
In other words, our prediction that mobile Internet providers would start installing spyware on their customers’ phones has come true, less than 48 hours after Congress sold out your personal data to companies like Comcast and AT&T. With the announcement of AppFlash, Verizon has made clear that it intends to start monetizing its customers’ private data as soon as possible.
What are the ramifications? For one thing, this is yet another entity that will be collecting sensitive information about your mobile activity on your Android phone. It’s bad enough that Google collects much of this information already and blocks privacy-enhancing tools from being distributed through the Play Store. Adding another company that automatically tracks its customers doesn’t help matters any.
But our bigger concern is the increased attack surface an app like AppFlash creates. You can bet that with Verizon rolling this app out to such a large number of devices, hackers will be probing it for vulnerabilities, to see if they can use it as a backdoor they can break into. We sincerely hope Verizon has invested significant resources in ensuring that AppFlash is secure, because if it’s not, the damage to Americans’ cybersecurity could be disastrous.
AppFlash is just a custom bloated version of the Google Search Bar with intense focus on data mining. This is essentially a widget, which belongs to a package, which should be able to be disabled/uninstalled depending on its implementation. You may need a rooted phone to fully remove it from the system - but time will tell. Either way, this will end up in my pile of other Verizon 'Services/Apps' that are either uninstalled or frozen.
the_rev said:
But our bigger concern is the increased attack surface an app like AppFlash creates. You can bet that with Verizon rolling this app out to such a large number of devices, hackers will be probing it for vulnerabilities, to see if they can use it as a backdoor they can break into. We sincerely hope Verizon has invested significant resources in ensuring that AppFlash is secure, because if it’s not, the damage to Americans’ cybersecurity could be disastrous.
Click to expand...
Click to collapse
I find this comment amusing - eluding that 'hackers' don't probe every single aspect of a system and it's software, but now that this application is going to be pushed you better worry!
Calm down. The sky isn't falling yet.
"UPDATE: We have received additional information from Verizon and based on that information we are withdrawing this post while we investigate further. Here is the statement from Kelly Crummey, Director of Corporate Communications of Verizon: "As we said earlier this week, we are testing AppFlash to make app discovery better for consumers. The test is on a single phone – LG K20 V – and you have to opt-in to use the app. Or, you can easily disable the app. Nobody is required to use it. Verizon is committed to your privacy. Visit www.verizon.com/about/privacy to view our Privacy Policy.""
https://www.eff.org/deeplinks/2017/...e-has-already-arrived-verizon-announces-plans
Oh, and what can you do about it? You can vote every single individual in Congress that voted for repealing these protections out of office. Be vocal about this with friends and family. The general population does not understand this issue. I have answered so many questions like "So, if I clear my browser history this doesn't matter, right?" lately that it makes me sick to my stomach.
Averix said:
Oh, and what can you do about it? You can vote every single individual in Congress that voted for repealing these protections out of office. Be vocal about this with friends and family. The general population does not understand this issue. I have answered so many questions like "So, if I clear my browser history this doesn't matter, right?" lately that it makes me sick to my stomach.
Click to expand...
Click to collapse
This. Vote out every single person who voted to repeal what we've spent years fighting for. They let their own monetary gains guide their decisions and not what's best for the people, which is what their job is.
It's absolutely baffling to me how many people just don't give 2 fks about having companies mine personal and sensitive information about them. The classic "If you don't have anything to hide, then what does it matter" argument instantly enrages me.
Sent from my Samsung Galaxy S7 Edge using XDA Labs
just calm down.. I've been telling everyone about this for past 4 years.its not just this app.but hard bedded in every device..the only way to get rid of any of it is educate yourself on removing it. .as for the comment about hackers knowing the weaknesses.hes absolutely right...the good amd bad hackers.not all of us are bad.
All of this concern over potential "spyware" on our devices is laughable because some of you may be missing the big picture here. Regardless of carrier-introduced data capturing apps or malware, etc on the device itself, carriers already store all user data and wireless data transmissions, texts, etc. This data is accessed by whomever has the "authority" to access it. If you are a suspect in a homicide for example, the homicide detectives will get a quick signature from a judge to retrieve all of you phone records including gps, tower pings, internet, incoming & outgoing texts, etc. Who's to say who phone carriers share your regular data with? You can't prove if they do or don't.
Within the last few hours of Obama's presidency, he did the unthinkable by legalizing the sharing of intelligence and sensitive data between numerous intelligence agencies so they can all share sensitive data between one another at their whims. The obvious reason for this was to better mask the source of the information and blur the lines of responsibility for the data retrieved. Data not only from citizens, but from anyone in the government, FBI, CIA, NSA, etc is able to be retrieved at any time and used for legal purposes and even illegal purposes if you have been paying attention lately. We now get to enjoy complete invasion of privacy in our daily lives. Not just with our cell phones. I find this topic useless at this point. So I have to say... unless you're doing something illegal, you have nothing to be concerned about and electronic privacy is non-existent these days so don't let that fool you. Someone posted that my last sentence instantly infurates them... well this is the facts so be infurated my friend because it's the truth. Nobody is able to defeat the electronic data that is stored and accessed by those who have the "authority" to access it. Get over it.
As for defeating ads and stuff like that, well that's a different topic all together.
tx_dbs_tx said:
All of this concern over potential "spyware" on our devices is laughable because some of you may be missing the big picture here. Regardless of carrier-introduced data capturing apps or malware, etc on the device itself, carriers already store all user data and wireless data transmissions, texts, etc. This data is accessed by whomever has the "authority" to access it. If you are a suspect in a homicide for example, the homicide detectives will get a quick signature from a judge to retrieve all of you phone records including gps, tower pings, internet, incoming & outgoing texts, etc. Who's to say who phone carriers share your regular data with? You can't prove if they do or don't.
Within the last few hours of Obama's presidency, he did the unthinkable by legalizing the sharing of intelligence and sensitive data between numerous intelligence agencies so they can all share sensitive data between one another at their whims. The obvious reason for this was to better mask the source of the information and blur the lines of responsibility for the data retrieved. Data not only from citizens, but from anyone in the government, FBI, CIA, NSA, etc is able to be retrieved at any time and used for legal purposes and even illegal purposes if you have been paying attention lately. We now get to enjoy complete invasion of privacy in our daily lives. Not just with our cell phones. I find this topic useless at this point. So I have to say... unless you're doing something illegal, you have nothing to be concerned about and electronic privacy is non-existent these days so don't let that fool you. Someone posted that my last sentence instantly infurates them... well this is the facts so be infurated my friend because it's the truth. Nobody is able to defeat the electronic data that is stored and accessed by those who have the "authority" to access it. Get over it.
As for defeating ads and stuff like that, well that's a different topic all together.
Click to expand...
Click to collapse
The main issue is the blatant disregard by our government to even acknowledge the American people's privacy. Of course this all comes down to money and corruption as usual. For a simpler solution to a lot of these issues is remove all of the lobbyists, but I digress.
Look at it this way people. No one is pointing a gun at your head making you use cell phones social media, etc. If you don't want to be spied on buy a house in the mountains with no outside connections and enjoy life.
by sophisticated government attack i mean something with virtualization technologies, several masking and hiding capabilities like FinFishers solutions.
Does:
Updating to the newest version of ios
hard reset the phone
securely remove the spyware?
1) i see more as a bonus question that is not really needed, but might be interesting too.
I would thank you for a careful but practical answer, since this question relates to some "moving parts" like: "Is it possible to load a "real" update from an infected phone, or will a sophisticated attack redirect those requests" and if there is something you can do to prevent this etc. or the question whether a hard reset really deletes everything or if the spyware can somewhat hide in "blocked" or wrongly addressed areas of the storage and so on.
On the other hand i do know that there never is absolute certainty and would be more interested in a "probabilistic view".
Thanks to the Forum!
I think your question is pointing to widespread security problems with most technology. Manufacturers often use closed source software and the same goes for most of the hardware devices. This makes security very difficult and of course these weaknesses are now being exploited by state sponsors.
Stuxnet was a good example and well worth reading about.
https://en.m.wikipedia.org/wiki/Stuxnet
http://itmanager.blogs.com/notes/20...e-protected-the-iranians-against-stuxnet.html
It infects microcontroller chips that do memory management. The introduced code returns modified data, maybe not even on each read.
So if the phone internal memory uses these microcontroller chips then even loading a new rom wouldn't help. You have to be able to have access to the microcontroller firmware and introduce your own access certification. It is very difficult to do this at present as most of the hardware information is not available, both for phone and internal chips.
Unfortunately this means that state sponsors can take the devices apart, inspect chips with an electron microscope, thus obtain a lot of secret information for their hacks.
Having had stuxnet on a laptop I became interested in these problems.
Contaminated updates again depend on the resources available. These rely on https and code signing.
https://arstechnica.com/information...ate-authorities-conspire-to-spy-on-ssl-users/
http://www.crypto-it.net/eng/theory/software-signing.html
A contaminated update requires access to the certificates and a delivery method such as intercepting a request from a known ip address.
Many states have access to the certificates and the means to target downloads. Using tor for updating might give some protection, as would a system to compare your download with that obtained by other people. We don't have this working automatically yet as far as I know.
https://www.torproject.org/docs/verifying-signatures.html.en
Phones have a second operating system where code may not be secure.
http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone
https://www.rsaconference.com/event...ile-apt-how-rogue-base-stations-can-root-your
You can minimize risk by keeping a device in airplane mode and using a separate mifi device.
If you consider yourself an innocent target or just want to minimise risk then perhaps regularly buy second hand or new devices from shops, keep them in airplane mode, keep the necessary software to send by bluetooth and check the md5 sums.
Web browsers could be another security problem if they can run exploits, but this is probably outside the scope of your question.
Secure communications apps will probably work fine as long as they don't require updates. Beyond that, keep it all locked up in a safe you built yourself.