Android trialware: best practices - Android Software/Hacking General [Developers Only]

Hi all,
Sorry if this is a duplicate but I already searched for an answer and couldn't find one. I am working on an Android app that I wish to distribute as trialware and I am seeking info on best practices.
First of all, what is the best way to make sure that users cannot get the free trial again by reinstalling? This is critical, of course.
Next, how do I manage the expectations of my users who think they are downloading a totally free app? Is there a better way than just shouting it in the app description?
Any other advice, links or suggestions on this topic are much appreciated!
Thanks in advance,
Barry

Hi!
The only way to prevent reseting the trial period with reinstalling is to create a server and validate the device only by some of its hardware IDs.
Alternatively You can use an online service like https://trialvalidator.com.
Robert

Just keep in mind that server validation isnt bullet proof.
Users can use a simple firewall like Droidwall to block incoming/outgoing communications or both for individual or all apps.
There's LBE or Pdroid which can prevent apps from obtaining uniquely identifiable information and also change it so that each time your app requests the ID it gets a different random ID.
Then there are "code patchers" like LuckyPatcher and others which can patch the server validation within the app and bypass it.
You might get lucky and be releasing an app whose target market isn't a particularly tech savvy audience, but personally I run a very tight ship on my phone, and will not install any apps without locking them down completely.
This includes free and purchased apps.
Even my system apps are screened and only allowed to access the bare minimum on my phone to retain their functionality.
Have you looked into having crippled/free and full/paid versions of your app? Or a crippled app that has an in app purchase option to upgrade to full funtionality?
Another option would be an always on internet requirement, but unless its a really great MMO game, users are not going to be too happy about that especially if, for example your app is a music player or shopping list or single player game.
Im not trying to disseminate methods to bypass validation, or dishearten your app protection efforts. This is just an FYI.

Related

[APP] closeFeint, disable openFeint for rooted users

I hate openFeint so I made an app to disable it
https://market.android.com/details?id=benor.closeFeint
I'm still a new user here so it's not a link, if any one can edit this message and make this a link I'll thank him (and give him a free copy of this already free app )
I could debug it only on CM7 so i would like to see if it works on other roms.
The usual it might toast your device and don't blame me (It shouldn't it didn't even restarted my phone while i developed it)
Why do you have to disable adblocking, is there a way to have disable openfeint and not mess up with adblocking.
Just posting the link for convenience:
https://market.android.com/details?id=benor.closeFeint
Any chance of a direct download link or mediafire or ddopbox
ofantastic said:
Any chance of a direct download link or mediafire or ddopbox
Click to expand...
Click to collapse
@benor, let me know if you want me to take this link down
http://www.mediafire.com/?bm718kq7lf3i3d4
sweet, just what i wanted
goood idea closing feint thanx
Are there any methods that will not disable ADblocker?
I'd love to know about alternatives to disable/remove Openfeint too.
The condescending vibe this developer gives off, messing with installed applications that are none of his concern, I would never touch that. I would pay for an ad-free 'premium' version, but not from this developer. Removing annoying Openfeint nag screens in exchange for other nag screens just doesn't make any sense.
Android ad blockers work by dumping entries into the hosts file. This app also does the same. To be fair to the developer, he'd have to somehow make his app run every time after an ad blocker runs to ensure OpenFeint remains blocked, which would be annoying to support.
Since AdAway (my favourite ad blocker; it's open sourced) has a blacklist option, add the following entries to it:
openfeint.com
api.openfeint.com
scoreloop.com
and OpenFeint will be blocked by AdAway as it's doing the ads. There's also "*.openfeint.com" but I'm sure that that isn't valid hosts file syntax.
dfkt_ said:
I'd love to know about alternatives to disable/remove Openfeint too.
The condescending vibe this developer gives off, messing with installed applications that are none of his concern, I would never touch that. I would pay for an ad-free 'premium' version, but not from this developer. Removing annoying Openfeint nag screens in exchange for other nag screens just doesn't make any sense.
Click to expand...
Click to collapse
It's a single host file. He might not believe in the blocking of ads. He makes it very clear in his description that it does not work in tandem with Adblockers and that those who use it are not his audience.
He's not being condescending. Who is anyone (not talking about you specifically) to voluntarily download his free app and then get pissy when it does exactly what he said would not work? And then to have the audacity to downrate it to 1 star because they were too stupid to read the description before installing the app?
Honestly, the comments for this app's market listing just go to further confirm that most Android app users are complete idiots with a self-importance complex and they don't think before installing an app. (Not that iOS reviewers are much better)
Based on some of the comments, you'd think that the app was being shoved down peoples' throats.
qwerty12, thank you very much for the explanation! I didn't know this just uses the regular hosts file. If this app overwrites what AdAway put there, then it seems to be rather poorly conceived.
So far I did a chmod 000 and a chown/chgrp 9999 on the Openfeint folder in /sdcard, which only solved half the issue. Will add your URLs to the hosts file.
Liquidsolstice, it's this sentence from the description in the Market that I find condescending: "It will disable you adblockers, if you are using any ad blocker you aren't my audience and i'm not planing to change this." Of course I didn't download it and then whined about it or downrated it, this was warning enough. I agree that the comments on the Market don't show much effort on the users' side. But at least the developer should give a reason *why* he disables ad blockers, instead of that snooty one-liner.
LiquidSolstice said:
It's a single host file. He might not believe in the blocking of ads. He makes it very clear in his description that it does not work in tandem with Adblockers and that those who use it are not his audience.
He's not being condescending. Who is anyone (not talking about you specifically) to voluntarily download his free app and then get pissy when it does exactly what he said would not work? And then to have the audacity to downrate it to 1 star because they were too stupid to read the description before installing the app?
Honestly, the comments for this app's market listing just go to further confirm that most Android app users are complete idiots with a self-importance complex and they don't think before installing an app. (Not that iOS reviewers are much better)
Based on some of the comments, you'd think that the app was being shoved down peoples' throats.
Click to expand...
Click to collapse
Some things are never acceptable under any circumstances.
Openfeint is one of them.
Airpush is another.
Anyone helping others to not have to deal with this junk is doing a service to the community and it should be commended.
It is malware plain and simple (Anything that while the app isn't open puts any junk on the screen is malware).
There is so few developers with any integrity on Android. (Everything is malware or adware - these things are are frowned upon even on Windows don't get why it is ok on a mobile device (hint it is not)).
If you make something worth having (That is a game) and give away a bit (No strings) and it is good you will make allot of money selling the rest for a game. Just like the old proper shareware model.
(I only buy DRM free stuff hence I bought the humble Android bundle for 6 times the average - no interest in anything else or social anything).
Filling other peoples devices with malware to compensate for the developers inability to create a decent app is unacceptable and always will be.
(I would be less bothered if the Market was structured in a way that I could easily avoid this type of junk (i.e adware / malware / stuff that gives away your personal information in a different section).
Regardless of what it is any adware/malware is always one star from me and always will be. (Other than if it is specifically stated in the description that it is adware. (Then I just would never install it).
qwerty12 said:
Android ad blockers work by dumping entries into the hosts file. This app also does the same. To be fair to the developer, he'd have to somehow make his app run every time after an ad blocker runs to ensure OpenFeint remains blocked, which would be annoying to support.
Since AdAway (my favourite ad blocker; it's open sourced) has a blacklist option, add the following entries to it:
openfeint.com
api.openfeint.com
scoreloop.com
and OpenFeint will be blocked by AdAway as it's doing the ads. There's also "*.openfeint.com" but I'm sure that that isn't valid hosts file syntax.
Click to expand...
Click to collapse
Works! Thanks!

[Q] Mobile Web App Authentication

Hey guys. I am new to mobile development. I have created a web app which is nearing completion and am looking into developing andriod and iphone apps for it. Ive been trying to read up on best practices and stuff and am having a harder time finding information then I had thought.
For now, I have a simple question about how to best handle authentication. In my mind when the user launches the mobile app they would either log in or sign up initially. Either way, their credentials would be stored on the mobile device so they would not have to do so again.
Then my plan is to have the mobile app authenticate with these credentials to the web app via HTTPS and receive a token. This token would expire in an hour and the mobile app would have to re-authenticate. This token would then be used when performing authenticated calls to the web application API.
Is this a sound concept? This is my first time getting into this type of development, my previous experience is mainly just self contained web applications with no APIs or third party calls to it.
If anyone has any suggested reading or links to offer me to help me get a good grasp on how to best tackle this, feel free to share. I appreciate any and all help.
I assume I will develop the app, poorly at first, then have to re-develop it once Ive learned from all my mistakes the first go around. Id like to avoid that...but chances are, thats my fate Thanks for any advice, tips or what not you can give.
So lot of topics about it.

[Q] Android Phone Security - buying and privacy

New to the Android platform. It's surprising how 'connected' they are. Apologies if this is the wrong forum. I'll be happy to post elsewhere or see this post moved.
I have an Epic 4G Touch.
I've been pondering the security and privacy aspect of these Android phones, and it seems to me that precautions are prudent, but I’m not exactly sure what precautions are necessary and how to put them into practice. I’m really not even sure what questions to ask. I’m very computer literate, so I guess that gives me a head start of sorts.
I guess complete privacy, information safety and anonymity is impossible, but I hope there is some sort of method that will allow as much as is available.
The questions below are examples of some of the questions I have.
Is there some sort of primer that covers these and other details that should be known?
Questions that occur:
1. What is the most secure way to purchase apps? How do the ‘savvy’ users handle this? And should they be purchased online or via the phone? What method of payment are most comfortable with?
2. Is it a bad idea to access other online accounts from the phone, or is it better to establish some sort of new account with a ‘credit limit’ or a low limit credit card?
3. I’m using a few of my ‘anonymous’ Gmail accounts on the phone. I’m not sure how much privacy this provides, given that the phone is in my name?
4. Are there practices that should be avoided (i.e., emailing my 'non-mobile’ accounts)?
5. After getting up to speed, I’ll likely be rooting. Any extra security precautions required? I guess an app like LBE Privacy Guard is warranted?
I suppose a good primer will cover much more. Thanks for any help .
Sam
I can't really help with the purchasing of apps questions, as I don't invest much money into apps, but I would definitely recommend LBE. It helps get your app permissions under control.
Sam Sung;19111758]New to the Android platform. It's surprising how 'connected' they are. Apologies if this is the wrong forum. I'll be happy to post elsewhere or see this post moved.
I have an Epic 4G Touch.
I've been pondering the security and privacy aspect of these Android phones, and it seems to me that precautions are prudent, but I’m not exactly sure what precautions are necessary and how to put them into practice. I’m really not even sure what questions to ask. I’m very computer literate, so I guess that gives me a head start of sorts.
I guess complete privacy, information safety and anonymity is impossible, but I hope there is some sort of method that will allow as much as is available.
The questions below are examples of some of the questions I have.
Is there some sort of primer that covers these and other details that should be known?
Questions that occur:
1. What is the most secure way to purchase apps? How do the ‘savvy’ users handle this? And should they be purchased online or via the phone? What method of payment are most comfortable with?
I do it via phone and bill to my phone bill.
2. Is it a bad idea to access other online accounts from the phone, or is it better to establish some sort of new account with a ‘credit limit’ or a low limit credit card?
I check my info with the banks application.
3. I’m using a few of my ‘anonymous’ Gmail accounts on the phone. I’m not sure how much privacy this provides, given that the phone is in my name?
Probably not much.
4. Are there practices that should be avoided (i.e., emailing my 'non-mobile’ accounts)?
I can't think of any shouldn't make a difference.
5. After getting up to speed, I’ll likely be rooting. Any extra security precautions required? I guess an app like LBE Privacy Guard is warranted?
Only security precaution I suggest is read perms. Lol
I suppose a good primer will cover much more. Thanks for any help .
Sent from my PC36100 using xda premium
First you need to decide how private you want to be.
Hiding your activity from Sprint for example would be fairly difficult. The ET4G is setup to route all internet traffic through sprint's proxies, you can change this (search the ET4g forums to find out how) but I'm certain that sprint could still monitor your activity if they wanted to unless you setup some kind of VPN which I don't even know if we can do on our phones.
Next up would be google, they make money by gathering information about you... so yeah if you want to hide from them your a tad limited since this is android. I guess you could just not associate a gmail account with the phone, but then whats the point of running android?
Personally I'm not insanely worried about the above two entities. What concerns me is the tons of random apps people load onto phones that have every permission granted you could think of. This is where LBE Privacy Guard comes into play and should be used regardless of rooting. Safest place to get apps is the official market, downloading cracked apps opens you up to who knows what.
Anyway thats my spiel
Sam Sung said:
New to the Android platform. It's surprising how 'connected' they are. Apologies if this is the wrong forum. I'll be happy to post elsewhere or see this post moved.
I have an Epic 4G Touch.
I've been pondering the security and privacy aspect of these Android phones, and it seems to me that precautions are prudent, but I’m not exactly sure what precautions are necessary and how to put them into practice. I’m really not even sure what questions to ask. I’m very computer literate, so I guess that gives me a head start of sorts.
I guess complete privacy, information safety and anonymity is impossible, but I hope there is some sort of method that will allow as much as is available.
The questions below are examples of some of the questions I have.
Is there some sort of primer that covers these and other details that should be known?
Questions that occur:
1. What is the most secure way to purchase apps? How do the ‘savvy’ users handle this? And should they be purchased online or via the phone? What method of payment are most comfortable with?
2. Is it a bad idea to access other online accounts from the phone, or is it better to establish some sort of new account with a ‘credit limit’ or a low limit credit card?
3. I’m using a few of my ‘anonymous’ Gmail accounts on the phone. I’m not sure how much privacy this provides, given that the phone is in my name?
4. Are there practices that should be avoided (i.e., emailing my 'non-mobile’ accounts)?
5. After getting up to speed, I’ll likely be rooting. Any extra security precautions required? I guess an app like LBE Privacy Guard is warranted?
I suppose a good primer will cover much more. Thanks for any help .
Sam
Click to expand...
Click to collapse
.
Thread moved to Q&A due to it being a question. Would advise you to read forum rules and post in correct section.
Failure to comply with forum rules will result in an infraction and/or ban depending on severity of rule break.
Thanks to all for your comments.
R1ptide said:
First you need to decide how private you want to be.
Hiding your activity from Sprint for example would be fairly difficult. The ET4G is setup to route all internet traffic through sprint's proxies, you can change this (search the ET4g forums to find out how) but I'm certain that sprint could still monitor your activity if they wanted to unless you setup some kind of VPN which I don't even know if we can do on our phones.
Next up would be google, they make money by gathering information about you... so yeah if you want to hide from them your a tad limited since this is android. I guess you could just not associate a gmail account with the phone, but then whats the point of running android?
Click to expand...
Click to collapse
I agree. Although I've always been very 'privacy centered', I've come to accept the reality that there is a compromise required here. It never occurred to me that I should worry about Sprint. The 'Big Picture' where Google is concerned is somewhat disturbing, but I suppose the (unacceptable) alternative is to throw away my android and limit all of my online activity.
At this point, I can safely say that I won't be tossing my Android unless I become a fugitive of justice .
However, I'm only willing to give up what I have to. The problem is, at my current level of experience, I'm not quite sure what that is. And that is the question I should have included in my OP:
If I want to protect my privacy, data, acounts, and all else to the greatest degree possible without giving up my Android (and still retaining the lion's share of functionality and features), how would I best accomplish that?
I do understand that common sense plays a large role here, and I'm not looking to overide that, but whatever practices, software, some kind of anonymous payment methods or whatever else that can provide the greatest degree of protection, privacy and anonymity without shelving all functionality is what I'm after.
Personally I'm not insanely worried about the above two entities. What concerns me is the tons of random apps people load onto phones that have every permission granted you could think of. This is where LBE Privacy Guard comes into play and should be used regardless of rooting. Safest place to get apps is the official market, downloading cracked apps opens you up to who knows what.
Anyway thats my spiel
Click to expand...
Click to collapse
I appreciate your well thought out response. As far as cracked apps, I apply the same caution here as I do to my computers. No questionable software or sites. No 'off the beaten path' practices unless thoroughly researched.
Where LBE is concerned...the Market description (and a thread I read in these forums) states that Root is required. Is that not correct?
Again, thanks for your (and any other) responses.
Sam Sung said:
Where LBE is concerned...the Market description (and a thread I read in these forums) states that Root is required. Is that not correct?
Click to expand...
Click to collapse
That is correct, and if you're getting at what I think you are, then yes, some people have a problem with this. It's hard accepting that LBE protects you from bad apps, while LBE itself has full access to every inch of your phone. That being said, I don't believe anyone has come up with any solid evidence that the app itself is harmful; people, however, can still be skeptics.
Without it, when you come across an app with a questionable permission, your only option is to not use the app. Every other permission blocker I've come across does so forcefully, which leaves the apps useless (force closes, etc). LBE, on the other hand, maintains the usability of the apps while still preventing them those permissions. In my opinion, it's a wonderfully helpful app. Your decision to use it may be different though, depending on your paranoia.
upichie said:
That is correct, and if you're getting at what I think you are...
In my opinion, it's a wonderfully helpful app. Your decision to use it may be different though, depending on your paranoia.
Click to expand...
Click to collapse
Well, actually, my question was based on the reality that I would be running it now if my phone was rooted (and the supposition that it will be pointless to install to an unrooted phone). I will be rooting this phone (Epic 4G Touch) eventually. The only reasons I haven't are:
1) This is my first Android phone and therefore I have no experience with rooting (still reading different rooting threads). I tend to research before I leap into something new.
2) I just don't have the time right now to troubleshoot if something goes wrong. And this phone is so incredible, I'd rather not be without it for any extended length of time (I use it as an 'appliance' rather than a phone...I have other phones for such menial tasks)
But I'm definitely convinced of the virtues of rooting, largely due to the app functionality. I also want to be prepared for the caveats. I'm not sure what they may be right now, but there must be some security risks.
Thanks!
Apps can be purchased via PC web browser at AppStoreHQ.
Gapps are optional. After rooting you could remove them or just those you don't need. Market is a tough one to live without, IMO.
If you don't plan to use your device for email then create a new email account specifically for the phone. Don't give it out. This will allow you to use the Market, etc.
Install Shark for Root + SharkReader to look at network traffic, or do it via router. Use hosts file to block google analytics etc. Routinely wipe the cache.
If you root install busybox and a terminal emulator and you can control the apps and system yourself. Everything LBE does you can do manually. Compile/install a kernel with tun.ko module and connect to a VPN. Or change DNS if you want. It's Linux, always keep that in mind.
My BIGGEST problem with Android is the lack of timely updates which include security patches. For this reason these devices are a security nightmare. Turn off WiFi, data, gps, Bluetooth when not using them. Disable install from unknown sources and debugging when not in us. Follow blogs that report on security issues and understand where you're vulnerable.
I'm security conscious as well and don't purchase or do banking with my phone. Sure it's convenient but it can wait until I get home. If someone is sniffing my traffic or should my phone be stolen I'm not scurrying to cancel credit cards and change passwords. This gives me the piece of mind I need to enjoy my smartphone. It also limits it, but I'm ok with that.
Turducken said:
Apps can be purchased via PC web browser at AppStoreHQ.
Click to expand...
Click to collapse
Is there a more anonymous payment method than standard CC?
Gapps are optional. After rooting you could remove them or just those you don't need. Market is a tough one to live without, IMO.
If you don't plan to use your device for email then create a new email account specifically for the phone. Don't give it out. This will allow you to use the Market, etc.
Click to expand...
Click to collapse
Actually, I have 3 gmail accts on the phone. One for market, one for clients, one for logins.
Install Shark for Root + SharkReader to look at network traffic, or do it via router. Use hosts file to block google analytics etc. Routinely wipe the cache.
If you root install busybox and a terminal emulator and you can control the apps and system yourself. Everything LBE does you can do manually. Compile/install a kernel with tun.ko module and connect to a VPN. Or change DNS if you want. It's Linux, always keep that in mind.
My BIGGEST problem with Android is the lack of timely updates which include security patches. For this reason these devices are a security nightmare. Turn off WiFi, data, gps, Bluetooth when not using them. Disable install from unknown sources and debugging when not in us. Follow blogs that report on security issues and understand where you're vulnerable.
I'm security conscious as well and don't purchase or do banking with my phone. Sure it's convenient but it can wait until I get home. If someone is sniffing my traffic or should my phone be stolen I'm not scurrying to cancel credit cards and change passwords. This gives me the piece of mind I need to enjoy my smartphone. It also limits it, but I'm ok with that.
Click to expand...
Click to collapse
Thanks, Turducken. This is really good information. All the more reason I need to get up to speed w/rooting so that I can batten down the hatches. I'm not quite sure how to use some of this info yet, but time and educating myself will remedy that.
One app I just ran across looks interesting (which I can't use until I root) is Logging Test.
It was originally written for HTC phones, but the paid version will support more devices.
Please consider this thread ongoing. Any information and/or links pertinent to security, data and privacy protection is enthusiastically welcomed!

Security does matter![Updated 25th. Jan]

Introduction
I have not seen much talk about security in XDA, and not at all on Neo Section.
SO here's just one informative link talking about using and developing apps and security risks involved
http://www.technologyreview.com/computing/25921/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, get your credit card info(should you do such things on phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app only to have risks. Most people use Windows so they should know that it is OP systems bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM. That's just idiotic security system, for it is the only thing beside encrypting shut off phone on 3.0 and 4.0. So that means Android on it's own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and it's Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Exporer has root access, that means it has root access to whole Android. To remove unnecessary risks, this app's root access should be limited to only most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is Apparmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is obvious vulnerability, but it is at least known one. Let's look at possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On market it does not list permission to "Unique Device ID"(IMEI for GSM and MEID; ESN for CDMA) for free nor for paid version.
That means the author of BB has left the code from free version in paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the add and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's a latent code, with no benefit to user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on net and also where you are physically. GPS is just one way to find you, police for example have scanners to locate your devices physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risks of your home being marked as the next dungeon to be looted by some raiders, I mean criminals(or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by trojan/hacker is random. Yet the threat would not exist without apps having so flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos ". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in aquarium or hamsters in cage( "Look at that dork!", "You're one ugly m...f...er","ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?" "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by hacker on background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Devide ID
4. Cell Tower Name.
That's a lot of needless permissions for flashlight, these are there just to track you the app user and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux have such security holes then why do you want your Android have them?! You don't want, that's the point and these apps would not be so popular if people would really know and care about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
The most important thing is to read the permissions before installing.
If you had read the article I linked. Those permissions don't matter anything really if stuff developers use doesn't reveal what it does, or developer itself doesn't disclose what the app does.
We can safely say that those permissions asked are just to make ordinary users of Android think that all is under their control.
I use Privacy Blocker app and it keeps finding app permissions that are not listed. Even that app doesn't find those permissions which Cyanogenmod permission manager shows. And I've sanitized all my apps, still I find my phone connecting to some odd servers while using certain paid and seemingly legit apps. I even found shapshots from front camera made by some app... and I am checking all permissions I can, even for those not listed.
What seems harmless but could reveal your IP address and potentially other data about you is... advertisements used by apps.
Ads can be far more than just a little annoyance that slows your device. Any file, picture loaded from some location in internet can be used to locate you.
I had a problem of getting phone call bills for calls lasting 10 to 20 secs that I never made after using a slew of market apps, flashlights, fun stuff, etc.
I paid two months for such calls trying to find out which app did it and still don't know which one it was. Skype(phone app has fake IP of Holland but actual connection goes to Moscow... oh come one what is this? Why such hiding? Like anyone would trust their phone's Skype connection stream through Moscow... no thank you! Then wonder still if the phone gets so slow and Skype call quality is so bad even over wifi while Windows Skype does just fine?), Brighest flashlight, some photo editors, and slew of other garbage I've already forgotten about cause I don't use any of it anymore.
First post updated
How about the new 4.3 update..in includes some security and privacy control..will this thing prevent you had mentioned?
Is there any way to reactivate this post? maybe start working on a security enhanced android ROM? I'm agree, Security does matter!

Security does matter!

I wrote this On Xperia Neo General forum but it belongs to here much more.
Original thread at: http://forum.xda-developers.com/showthread.php?t=1447095
Click to expand...
Click to collapse
Introduction
I have not seen much talk about security in XDA.
First, here's just one informative link talking about using and developing apps and security risks involved.
http://www.technologyreview.com/comp...1/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, get your credit card info(should you do such things on phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app only to have risks. Most people use Windows so they should know that it is OP systems bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM. That's just idiotic security system, for it is the only thing beside encrypting shut off phone on 3.0 and 4.0. So that means Android on it's own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and it's Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Exporer has root access, that means it has root access to whole Android. To remove unnecessary risks, this app's root access should be limited to only most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is Apparmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is obvious vulnerability, but it is at least known one. Let's look at possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On market it does not list permission to "Unique Device ID"(IMEI for GSM and MEID; ESN for CDMA) for free nor for paid version.
That means the author of BB has left the code from free version in paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the add and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's a latent code, with no benefit to user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on net and also where you are physically. GPS is just one way to find you, police for example have scanners to locate your devices physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risks of your home being marked as the next dungeon to be looted by some raiders, I mean criminals(or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by trojan/hacker is random. Yet the threat would not exist without apps having so flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos ". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in aquarium or hamsters in cage( "Look at that dork!", "You're one ugly m...f...er","ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?" "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by hacker on background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Devide ID
4. Cell Tower Name.
That's a lot of needless permissions for flashlight, these are there just to track you the app user and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux have such security holes then why do you want your Android have them?! You don't want, that's the point and these apps would not be so popular if people would really know and care about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
In my honest opinion. If someone keeps files like ccinfo they have to worry about being jacked then they deserve it. Should it happen. U shouldn't keep things on your phoney don't want the rest if the world to have
Sent from my Cyanocrack using Xparent Blue Tapatalk
You don't need to keep credit card info on phone, your using the credit card via Market or logging in to bank on phones browser is enough to intercept your credit card info. Your browser may show you xxxxxxxxxxxx+"last four digits only" but that doesn't mean the data to and from your device doesn't contain exact credit card number. It's encrypted, but that is merely a minor inconvenience for a hacker.
That is why being rooted is not advised to everyone. Mainly if they don't know what they are doing. Also customs roms are not for everyone. People flash them cause they think its cool and don't understand what they are doing. That is their problem. People should pay attention to the permissions that am app asks for. Common sense is the best protection. Main reason I don't do anything that deals with a bank on my phone.
Raoa said:
I have not seen much talk about security in XDA.
Click to expand...
Click to collapse
There's talk. It's just not on important yet, because the android device is not being marketed like an OS is with a personal computer.
However, the more we do on our phones, the more we'll realize it needs protection like firewalls. We catch a few like CIQ or the Wimax exploit, but it's going to get worse as we advance in our integration. We do need to start now before exploits get worse and stay ahead of the curve.
Until that time, 4G exploits and root kit programs will run freely on our devices that houses a lot of our personal information.
Plus, for some stupid reason, there are a lot of people who think Linux is immuned to viruses and security holes due to it's code transparency. Android is being mainstreamed. It will soon be a continuous target like other existing popular software programs and operating systems.
And that's why iOS is far superior even without widgets or live wallpapers.
Something to think about.thanks for posting.
Sent from my HTC Glacier using XDA App
alex2792 said:
And that's why iOS is far superior even without widgets or live wallpapers.
Click to expand...
Click to collapse
IOS and Mac are just as vulnerable, maybe even more so because of there popularity and the misconception that IOS is secure and does not need AntiVirus protection. Just last week i removed a nasty virus on a brand new Macbook Pro so that is not the way to think. You need to act as if there are security issues and just be really careful at what link you click and what email you open.
mattfox27 said:
IOS and Mac are just as vulnerable, maybe even more so because of there popularity and the misconception that IOS is secure and does not need AntiVirus protection. Just last week i removed a nasty virus on a brand new Macbook Pro so that is not the way to think. You need to act as if there are security issues and just be really careful at what link you click and what email you open.
Click to expand...
Click to collapse
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
I am not an expert on iOS nor do I have any wish to even know or use it, because Apple buys from suppliers that emply child labor and sweatshops.
When Linux started spreading around people also thought it has no viruses.
Same story repeats with every software.
For each different OS it takes merely time before people start to notice that their OS has viruses/trojans/spyware too. That doesn't mean their OS is not targeted. You should expect all sorts of thieves to use any and all opportunities.
Secondly OS does not matter so much as the matter that your device is connected to wifi, data, bluetooth, et or not. IP addresses, MAC, IMEI, etc they all stay the same on every platform. No matter which OS, they all connect to wireless networks, cell network, data, bluetooth, etc which all have set standards.
So someone wanting to track, spy, get your private info simply has to intercept the data your device sends to any network. If you don't use strong encryption to send info via network then it is easy to "wiretap" you.
Why is there so much spam, viruses, spyware in internet today? It's because the software managing internet is not made to be so secure. If it were secure then it would also be more private and safer for people to chat over net.
So not only OS's need to be more secure, but the very internet itself needs to be reformed.
This relates to SOPA and PIPA. Had those two bills been passed the next step would have been logically to make changes to all networks so you'd be more easily trackable, hackable, "wiretappable". It's simply logical, cause SOPA, PIPA were so defunctly worded as if asking/preparing for a third bill to regulate the networks.
So we must make sure that internet will be reformed for the private users and not for greedy corporations. We would not need to buy anti-spyware, anti-virus software if the internet were truly engineered for the welfare of humanity.
You could use any OS, bugged or not and not be afraid of loosing your property or privacy if the internet would stop such acts before they could harm you, the individual who is supposed to truly and freely benefit from the services; either for free or for honest price, but now you are robbed and think it is good to pay the thieves.
Raoa said:
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM.
Click to expand...
Click to collapse
Please elaborate. The sandbox does prevent one app from reading the data of another, such as the CC info from the Market.
Also, are you sure Market sends the entire CC number? There's no reason for it to send it, the transaction is performed on Google's servers.
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Click to expand...
Click to collapse
Are you talking about viruses or malware? Please don't conflate the two.
Malware is easy to take care of - check the apps you're downloading for what permissions they want. It's as simple as that.
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
Just before xmas an iphone developer admitted to deliberately uploading malware in his ios app to show malware can easily affect iphone.
http://m.intomobile.com/2011/11/08/security-expert-sneaks-malware-into-iphone-app-store/
That was for normal iphones. For jailbroken ones there are more malware apps.
Dave
Sent from my LG P920 using Tapatalk
Raoa, your absolutely right.
I've had the exact same thought recently
Its like the overall view of the Android landscape is ridden from real security apps, for the simple purpose of have the platform as open as possible. And while this is good for developers and users of this and other serious forums, its also open for the "dark" communities as well.
I often ask myself, if the ROM devs onboard have these thoughts themselves, as in, what is my source of this modded apk, is is straight from the Market or from another dubious, (do I dare say chinese forum, just an example)
And how clean is my code really?
And is all mods just legit just cuz they are from here?
I love that we have so many ppl having a desire to mess around with the OS, but I miss, as you say, the talk about having a go on security as well.
I dont know, but I do think that awareness, as you initial post direct us to, should be raised, as a natural step for any serious dev and users in general on XDA, to be more aware, of the code.
Im on my first year as an Android user, and ofcourse did have to gain root on my splendid Sensation. Why?, cuz I needed the security tools requiring root.
Ask again, why? Cuz I came from Winblows 7, and know what a jungle software is, and that is is indeed exploitable, like hell, you might say.
And Im gladd I did gain s-off and root, cuz its really really needed fo youre just a little concerned about your privacy in, mails, sms, location, usage pattern, netbanking, dropobox deposits of your ****, some might even be work related and therefore hold more than just your own privacy.
And then there is what you mentioned, our devices unique ID's, the intent "app install referrer" to "plug" you into admob/google analyzer and so on.
I love one guy here, Treve, who made the HTC tool for scanning for ****, Logging Test Tool, and in version 10, he made it aware of admob/mobclix/analytics, and my god it find a lot...
So Treve, please, if you read this, just go on, as every version you make is getting finer and finer.
We could learn from this guy, and others here that got more code-insight.
What we CAN do as a community at the very least, is to share our knowledge and tips for securing our phones.
HOST filtering, code scanning of apks and so on. using AV's and firewalls and so on.
Right from the start I noticed that Android is not a clean OS, nor is its app market, and I noticed this cuz I have another splendid little Linux system at hand, Smoothwall Express with url filtering and proxy enabled
and My god is Android and its aps LEAKING!
Have a look in your urlfilters on a standalone firewall the step after your wireless android phone, and watch how much **** is going on.
Well, I can tell you for a start that I have added atleast 100 new domains to my custom urlfilter, besides the casual downloadable HOST filters around the net, like the ones found in AdblockPlus and so on. But after android, heh, you need more than just advertising filtering, that much I can say.
Just as an example, like those you mentioned, I have one too, that I was made aware of by Avast on my phone tonight, that ChompSMS was being flagged as malware/trojan.
I thought, **** man, why this crap, Im quite fund of Chomp, really.
So I thought, no, imma let more that Avast on my phone have a go.
So I File Expert dump the full apk, and uploaded it for a scan on virustotal, just for the sake of it. And whatta'ya know, ClamAV, GData, Kaspersky, NOD32, and Sophos flagged it as that same Plankton.G variant as my on-phone Avast.
Great, I thought (sarkasm intended)
I thought a bit further and picked up APK Multi-Tool, had a decompile and a content-scan for just "http" in is readable code.
12 different domains is mentioned so far, and I didnt even poke in all of its xml's, just the smali's
I know android is by a far stretch advertising born, and ofcuz the app devs have a right to earn their money, no doubt about that, and I gladly pay for the good ****, like most ppl here believeably do, but.. 12 different .com's mentioned in its code is a no go for me.
I have earlier used Privacy Blocker, and Privacy Inspector from XEUDOXUS in the market, to make permission scanning, beside using LBE/HOST/Avast, and I like those two aps, the Inspector one is free but only can scan.
The paid Blocker can "repair" as a feature, but its not maintained enuff, so it often fails to make installable apks, so not really worth it for me anymore, but as a free too, it can tell you more about those permissions you mentioned.
But enuff said from me for now, lets just collect and share our tips and tricks, ALSO for security, not just developing ROM and mod's and hacks, as thou they are fine, if not to say, so cool and great, but, we need to be secure too.
Please do not polute the discussion with IOS vs Android and what not, cuz thats not the purpose of it, even thou it definitly concerns (g)A(r)pple products too.
Sincerely, Omnius
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
Iphones can get viruses they come through SMS's and other sources not as bad as android apple keeps there market much more under control, but everything is vulnerable i work in a security team for a big corp and believe me nothing is safe.
Check these articles out i just found them on google.
I remember a while ago maybe a year or so there was a huge security hole in IOS5 and Mac waited a long time to tell the public and release a patch. The one major problem with Apple is when there are security threats they really try to keep it hush...Iphone's OS is tight but not totally secure. Its not viruses either its moslty just malware that charges you tons of money in texting i saw once an iphone that turned into a bot and at midnight it would dial a 900 number and just sit there all night at like $20 bucks a minunte then disconnect when it felt the phone move.
http://www.mactrast.com/2010/07/iphone-virus-discovered-be-vigilant-and-seek-advice/
http://techfragments.com/news/982/Software/Apple_iPhone_Virus_Spreads_By_SMS_Messages.html
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
weedy2887 said:
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
Click to expand...
Click to collapse
I wouldn't be so fast to praise MIUI.
weedy2887 said:
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
Click to expand...
Click to collapse
The problem is the "Average Joe" doesn't even look at those or doesn't know what they mean. I see so many viruses/malware/open security holes just because of user error its insane. Almost 90% of security breaches or problems originate from the end users not paying attention or just not knowing or caring. Also another thing i see so much when new clients call me with there servers melting down and all there banking info being stolen is they haven't installed any updates on there servers since they were set up 2-5 years ago. I worked for a large industrial supply company and all there servers running MS Server 2008 no updates had been installed and they were using AVG free on there main SQL server...INSANE LOL
Then theirs the users, "my computer was fine until my friend on facebook wanted my SS# and mothers maiden name and insisted i open his email attachment, now its acting weird what do you think is wrong?"
Brutal
what is the 4g exploit that you are talking about? And is it only with wimax or is lte part of it as well?
Oneiricl said:
Malware is easy to take care of - check the apps you're downloading for what permissions they want. It's as simple as that.
Click to expand...
Click to collapse
It's absolutely amazing that people are willing to put up with something so ridiculous.
Sent from my SGH-I897

Categories

Resources