Severe security flaw in HTC-sense, sensation affected.!!! - HTC Sensation

Ran accross this article just now, relized you all had to read this. It appears HTC ****** up hard.
http://www.androidpolice.com/2011/1...e-numbers-gps-sms-emails-addresses-much-more/
Scary stuff.
I'm so damn tired of all companies taking the liberty to just monitor our lifes just how they like, no matter if its google, microsoft, facebook, apple or HTC. What anoyys even more is how we passivly is forced into accepting it, and just shrudd our shoulders about it. Reading this, I wish I was smart enough to strike back somehow.

The article says "Some Sensations" I'd like to know what that means

Good find.

Pikabat said:
The article says "Some Sensations" I'd like to know what that means
Click to expand...
Click to collapse
Try running the app...

errr ok this is scary though. i wanna ask what's htcLaputa.apk is?
Sent from my HTC Sensation XE with Beats Audio using xda premium

The offending app is HtcLogger.apk and I've only seen it in the newer ROMs - I automatically removed it before this story broke as it didn't sound useful. End of the day you just have to be careful when you install new apps (e.g. direct from trusted sources)
I really wouldn't worry too much about it, typical media hype

EddyOS said:
The offending app is HtcLogger.apk and I've only seen it in the newer ROMs - I automatically removed it before this story broke as it didn't sound useful. End of the day you just have to be careful when you install new apps (e.g. direct from trusted sources)
I really wouldn't worry too much about it, typical media hype
Click to expand...
Click to collapse
This is the example of how we/some of us just go used to this kind of things and started to accept things we never would have a few years back.
How exactly do you determine whats a trusted source? Obviously weve already had a bunch of malwares entering the market.

I use apps only from the company in question. 'Facebook for Android' from Facebook, 'Twitter' from Twitter, etc...only use about 20 apps all in anyway so I don't think I'm at risk
I'm not saying what's been found out isn't bad - it is - I just don't really care. People are far too paranoid these days

EddyOS said:
I use apps only from the company in question. 'Facebook for Android' from Facebook, 'Twitter' from Twitter, etc...only use about 20 apps all in anyway so I don't think I'm at risk
I'm not saying what's been found out isn't bad - it is - I just don't really care. People are far too paranoid these days
Click to expand...
Click to collapse
Im not using so much apps either, on the other hand I want to be able to try some "fun" app from androidmarket without fearing theft og my personal information.
Its not about paranoia to me, I couldnt care less about wheter or not some random dude can read my sms. But Im rather angry about the companies doing just as they like, mainly to direct commercials and ads conected to your personality. Did you know facebook, after their latest update, now saves a certain cookie after your logout and sends all urls you visit with your browser back to their server..?
Well, now Im going offtopic in my own thread.
Id like to see HTC comment on this atleast.

Again, if Facebook care if I open a YouTube video every now and then then that's up to them - I'm not interesting!!
Would be nice to see what HTC say but I'm not going to hold my breath!

Im starting to loose faith in htc
Sent from my HTC Sensation 4G using xda premium

I tried to run the app, seems like my Sensation is not affected (Dutch one, that is)

so, in order to gain any kind of advantage, those apps need to know this vulnerability exists, am i right? just deleted that apk file, along with some other ones.

As the Android Police blog appears to have melted, here's Aunty's take on it
http://www.bbc.co.uk/news/technology-15149588
Oh noes naughty people can access:
The list of user accounts, including email addresses (but apparently not usernames or passwords)
A log of recent GPS locations (so you can be stalked!!!!)
Phone numbers taken from recent call logs (so people you call can be stalked!!!)
SMS data, including recent numbers and encoded messages (meh if they want to read "Park 123 543" be my guest)
HTC's response:
"HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible," the company said in a statement.
"We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."

EddyOS said:
The offending app is HtcLogger.apk and I've only seen it in the newer ROMs - I automatically removed it before this story broke as it didn't sound useful. End of the day you just have to be careful when you install new apps (e.g. direct from trusted sources)
I really wouldn't worry too much about it, typical media hype
Click to expand...
Click to collapse
Is there a way to tell if the offending app (Htclogger.apk) is on your phone without rooting?

jggonzalez said:
Is there a way to tell if the offending app (Htclogger.apk) is on your phone without rooting?
Click to expand...
Click to collapse
Remember it appears you are absolutely fine unless you install an app which is written to access the log files.

As Androidpolice says, the info could be used to clone your device, not only read some of your contacts. Now of course, you are fine as long as you do not install any malicious app, but I would even feel uncomfortable knowing that HTC can read ANY activity from my device at ANY point in time WITHOUT asking for my permission (or even after I denied that permission as shown in the video). The VNC thingie would also bug me cuz it is an app without any apparent use for the user and it does not serve a specific purpose - its just there until "someone" needs it. Now of course HTC wants to improve on user feedback and pulling it is much more convenient than asking for it, but if they want my opinion and see what I'm using they should at least ask me for it. That said, let's hope HTC addresses this problem in the very near future and does clarify why those apps are there and what purpose they serve. I will run the test app again after the next OTA for sure.

kwiggington said:
Im starting to loose faith in htc
Sent from my HTC Sensation 4G using xda premium
Click to expand...
Click to collapse
I don't think HTC is the problem.
I believe the problem is Google.
Ever go to the Google Android market place and see what they want to run in the background before they let you in?
I don't go near the place.

majesensei said:
As Androidpolice says, the info could be used to clone your device, not only read some of your contacts. Now of course, you are fine as long as you do not install any malicious app, but I would even feel uncomfortable knowing that HTC can read ANY activity from my device at ANY point in time WITHOUT asking for my permission (or even after I denied that permission as shown in the video).
Click to expand...
Click to collapse
You're misssing the point.
The phone has this feature so that should you enable "Tell HTC" it can then send the info to HTC, if you don't enable that it just sits on your phone as a system log.

xaccers said:
You're misssing the point.
The phone has this feature so that should you enable "Tell HTC" it can then send the info to HTC, if you don't enable that it just sits on your phone as a system log.
Click to expand...
Click to collapse
True, and I agree that this is not a scary thing for itself. I am not a fan of conspiracy theories, but think about a combination of things: The log is created and sits there. There is a VNC client embedded deeply in your system by your manufacturer for no reason, which gives access to your device from a remote location. I am from Germany and used to a debate about data preservation (which is illegal, in Germany), but there are other countries that have a much broader "grey-zone" for these kind of things. I wonder where those Sensations with the HtcLogger.apk are ([email protected]?). We are all running the same Android build (as long as we don't root our phones), some are affected, others aren't. I just find it weird, and I doubt that some rogue dev at HTC programmed these apk's just for the fun of it.

Related

Good News for Developers, Bad News for Pirates!!

http://www.engadget.com/2010/07/28/new-licensing-service-replacing-existing-copy-protection-metho/
Looks like pretty soon the days of people copy and pasting apk's all over the place are coming to an end.
I hope this doesn't make theming harder.. We'll see.
From reading that article,
Seems like airplane mode or a firewall would crush all the hopes and dreams of google and app devs.
It seems that every time we open an app it needs to verify that it's been paid for by contacting a "licensing" server and retrieving a response.
I feel like that could slow down launch times, and being unable to use an app when offline would be like UBISOFT hell all over again.
I really hope google puts a lot of thought into this..
I wonder if this if already being done? Every time I try to play that golf game on my EVO on an airplane while the radios are off I get a FC when it starts. As soon as I an on the ground and turn the radios on the game works fine.
Sent from my PC36100 using XDA App
what if you are in an area with no signal or on a plane or something? you cant open any apps???
This is already in place in a number of apps, one is IP Cam Viewer.
I paid the money for it. I transferred all my files to my wife's Evo 4G, and thought "hell I'll see if it works..." Well it didn't. When I try to open the app, it tells me that I have to purchase it from the marketplace.
I'm all for buying apps when they're good, and I understand single user licensing. Guess I was just hoping I wouldn't have to spend double the money for all the apps I use.
simplyphp said:
This is already in place in a number of apps, one is IP Cam Viewer.
I paid the money for it. I transferred all my files to my wife's Evo 4G, and thought "hell I'll see if it works..." Well it didn't. When I try to open the app, it tells me that I have to purchase it from the marketplace.
I'm all for buying apps when they're good, and I understand single user licensing. Guess I was just hoping I wouldn't have to spend double the money for all the apps I use.
Click to expand...
Click to collapse
I've heard of couples sharing the same email as apps get replicated on the two phone
I can confirm that they don't get replicated..
I have two evo's right now under the same email and they're definitely not replicating crap.
cahiatt said:
I wonder if this if already being done? Every time I try to play that golf game on my EVO on an airplane while the radios are off I get a FC when it starts. As soon as I an on the ground and turn the radios on the game works fine.
Sent from my PC36100 using XDA App
Click to expand...
Click to collapse
Now that's a problem I understand about paying for apps but not working when I'm in a place with no signal. I see a law suit brewing up. I paid for the app I should be able to use the app whenever I want to. Class action law suit coming real soon.
Sent from my PC36100 using Tapatalk
Crap....
"A limitation of copy protection is that applications using it can be installed only on compatible devices that provide a secure internal storage environment. For example, a copy-protected application cannot be downloaded from Market to a device that provides root access"
...Seriously???
EDIT - the above quote was misrepresented in the place I copied from...research shows it to be misleading. the actual bit of Google's text is posted over on page to of this thread. disregard my indignation in this post...
This is discouraging, because a lot of people like to try the full before they buy it expecting more than what full has to offer, only to be disappointed later.
willwgp said:
This is discouraging, because a lot of people like to try the full before they buy it expecting more than what full has to offer, only to be disappointed later.
Click to expand...
Click to collapse
You do get a 24 hour refund option when you buy from the market so I'm not worried about trying before you buy. I do worry about not being able to play something when I'm in the bathroom at work because I don't get a signal there.
well how many ppl do actually piracy apps??? oh my bad forgot that this is Android, for a second i though it was apple!!
Just to clarify a couple of things:
There are 2 ways to use the Licensing - one is Strict - you CAN NOT USE THE APP WITHOUT ACCESS TO MARKETPLACE. Personally, screw that.
Option 2, however, is a non-strict policy. Server managed, where the license is 'cached' to storage. You also can programmatically set how long your app can be used without any license check.
That'd be the way i go
josue85 said:
You do get a 24 hour refund option when you buy from the market so I'm not worried about trying before you buy. I do worry about not being able to play something when I'm in the bathroom at work because I don't get a signal there.
Click to expand...
Click to collapse
That'll be up to the developer. I like this approach, as I'd be happy to do say... a 5-7 day turn around on the license check. After 7 days with no data signal, seriously, where the hell are you? LOL
Besides, if you've used a paid app for 7 days, and by that time can't decide if you need it or not - wow.
And of course, as soon as you got signal again, the license check would go through and you can use the app again, no problem.
I'm sure there will be UbiSoft and EA style implementations though - way too damn draconian for my tastes. I don't care to know every single second that someone's using my app. I would just like to know that they haven't 'copied that floppy' as it were LOL
I have no doubts this will be defeated in time, though. All it would really take is mimicking the server license response, which can be extracted from the locally cached license of an actual paid product.
People that pirate software are going to do it, regardless. Don't make the honest people pay the price of draconian DRM.
The best approach I can make as a developer, is give my customers the features they want, in a stable, good performing package, and discourage 'casual' piracy. Beyond that, it's out of the developer's control, and honestly, any more than that usually just pisses off the customer and annoys the pirates for about a day and a half.
Ok...had to read the SDK paperwork as I really wanted to know this...my previous post was incorrect and here is the update...
From Google:
Android Market Licensing is a flexible, secure mechanism for controlling access to your applications. It effectively replaces the copy-protection mechanism offered on Android Market and gives you wider distribution potential for your applications.
A limitation of the legacy copy-protection mechanism on Android Market is that applications using it can be installed only on compatible devices that provide a secure internal storage environment. For example, an application using the copy-protection mechanism cannot be downloaded from Market to a device that provides root access, and the application cannot be installed to a device's SD card.
With Android Market licensing, you can move to a license-based model in which access is not bound to the characteristics of the host device, but to your publisher account on Android Market and the licensing policy that you define. Your application can be installed and controlled on any compatible device on any storage, including SD card.
Click to expand...
Click to collapse
Also...there are options for the Devs to allow for apps to be used a chosen number of times before they need to check in for licenses. Strict has to check in every time....other option allows dev to choose based on times used or time since last check in.
SO...all in all I am much less worried about this now.
topdnbass said:
I can confirm that they don't get replicated..
I have two evo's right now under the same email and they're definitely not replicating crap.
Click to expand...
Click to collapse
With licensing the dev can choose whether an app can be accessed from different phones. It is an option...
(greeked...multiple times)
Question: Does that mean we won't be able to open, modify, and resign apks? Like...to change the appearance (make a widget clear, etc).
More like bad news for paying consumers. That's who always pays for everything. Those of us who actually buy the products.
I plan on speaking with my wallet. I wont buy any app that requires I have an internet connection.
A limitation of the legacy copy-protection mechanism on Android Market is that applications using it can be installed only on compatible devices that provide a secure internal storage environment. For example, an application using the copy-protection mechanism cannot be downloaded from Market to a device that provides root access, and the application cannot be installed to a device's SD card.
Click to expand...
Click to collapse
Wait so according to google us rooted folk couldn't download copy-protected apps before now?
Urrr, i think im missing something
This is actually a nice implementation for both the software developer and the user. Most will implement this where it only has to check-in every week or two. So the odds of getting caught in a spot where there is no connection is low.
At the end of the day, it is a pretty straightforward way to handle copy protection that really shouldn't inconvenience anyone.
Also it will bring more developers to the platform if they know they don't have to worry as much about piracy.
Piracy will still run rampant. People will find ways to circumvent this, that's just how it is. At least it will curb some piracy since copying and pasting an apk file wasn't much of a deterrent.

Taintdroid...android's duff security model

Worrying article on how apps are using personal information.
www.theregister.co.uk/2010/09/30/suspicious_android_apps/
I'm sick that they had to go too such lengths to find out. We need a better net architecture to enable a proper firewall to work.
Sent from my HTC Desire using XDA App
Also, app naming FAIL!
Well, since they only tested 30 apps and won't release the names of the ones they tested, only saying that they are "the most popular", personally I don't buy it.
And the information these apps are sending out is primarily geolocation. Well, no ****. If an app wants your location and you don't think it should have it, it's either using it for ads or you should decline to install the app and just send an email to the dev asking him why he needs that information.
tjhart85 said:
Well, since they only tested 30 apps and won't release the names of the ones they tested, only saying that they are "the most popular", personally I don't buy it.
And the information these apps are sending out is primarily geolocation. Well, no ****. If an app wants your location and you don't think it should have it, it's either using it for ads or you should decline to install the app and just send an email to the dev asking him why he needs that information.
Click to expand...
Click to collapse
Agreed... geolocation is pretty obviously straight forward. I don't know about the 'transmissing every 30 seconds' thing though.
Any thoughts ont he transmitting sim card and IMEI info?
http://www.youtube.com/watch?v=qnLujX1Dw4Y
Also discussed here:
http://forum.xda-developers.com/showthread.php?t=795702
With explanation where to get it from http://www.appanalysis.org/
A very well-written reply by "Steven Knox" on The Register, demonstrating how this 'research' is simply a pile of intentionally-misleading statistical rubbish:
By selecting only from applications that access both personal data and the internet, they're overstating the significance of their study by about 3x. Furthermore, their summaries blur this distinction unnecessarily.
Specifically, their FAQ says "We studied just over 8% of the top 50 popular free applications in each category that had access to privacy sensitive information in order to get a sense of the behaviors of these applications." Since there were 22 categories at the time they did the study, that would imply (22*50=1,100 * 8% =) 88 applications. However, they actually only tested 30, because of the 1,100 top 50 applications only (from the PDF) "roughly a third of the applications (358 of the 1,100 applications) require Internet permissions along with permissions to access
either location, camera, or audio data." -- meaning that the other 742 apps don't have the necessary permissions to play badly. The clause "..that had access to privacy sensitive information in order to get a sense of the behaviors of these applications." from the FAQ is grammatically ambiguous in this case (it may refer to "applications" or "category"), and not specific enough to indicate that over 2/3 of the applications are (relatively) safe by dint of not having the necessary permissions.
They also didn't include in their study apps from 10 of the 22 categories, but they don't explain whether that was due to a) there not being any or enough applications in those categories that required internet and personal data permissions, b) a conscious choice to focus on the other 12 categories, or c) the results of random selection (with an explanation of why they did not use a stratified sample).
Once you factor back in the applications they ignored, the numbers don't look quite so bad. Assuming their sample was representative, 2/3 of the 358, or about 239 applications of the top 1,100 of the time use personal data suspiciously. That's about 21.7% or just over 1 in 5 -- still significant, but a far cry from 2 out of 3. In fact, the worst case maximum is actually 358 of 1,100 or just under 1 in 3 (32.45%) because they are as mentioned above the only ones that actually acquire the permissions necessary to do anything "suspicious".
I understand why both the researchers and the reporter used the 2/3 figure -- you all believe you have to sell the point as hard as possible*. But the real story is that it's likely that at least 1 in 5 Android Apps use private data "suspiciously" -- and that number is still high enough to cause concern and to justify the further use of tools like TaintDroid. It's a pity you didn't trust the facts enough to avoid the unnecessary sensationalism.
*I am assuming, here, that Mr. Goodin did actually read and digest the paper as I did, rather than simply picking out the figures from the study, the FAQ, or a press release.
Click to expand...
Click to collapse
good spot. But one in ten woolf be too many. The point is we should have more fine grained control and transparency off what apps do over the net, and we can't, by design.
Sent from my HTC Desire using XDA App
We need to develop a shim that reports modified IMEI/SIM data for different apps. IMO, very few apps need that information. We may not be able to keep all those apps from sending our private information, but we can make that information useless if it appears that we all are using the same IMEI/SIM...
patp said:
...The point is we should have more fine grained control and transparency off what apps do over the net...
Click to expand...
Click to collapse
agreed....
if you are rooted. With Root Explorer go to /data/system/ and open accounts.db you might be surprised what you find in it... Some people it will be fine for but mine it shows my exchange email and password in plain text and a few others show up as plain text has well...Its not geo they are worried about (for the most part) and...this file has been known about for awhile
Don't worry though unless your downloaded android specific virus holding apps you wont have any problem. And if your getting all your apps legally through the market then its no big deal =) and if your pirating them...well I don't feel bad for you...
echoside said:
if you are rooted. With Root Explorer go to /data/system/ and open accounts.db you might be surprised what you find in it... Some people it will be fine for but mine it shows my exchange email and password in plain text and a few others show up as plain text has well...
Click to expand...
Click to collapse
Opened it, my accounts are there, but no passwords....
rori~ said:
Opened it, my accounts are there, but no passwords....
Click to expand...
Click to collapse
my gmail is somesort of encrypted but doesnt look that great.
Exchange shows up
facebook doesnt show anything at all aha
Thats why I said some might not have anything. Awhile back when I first heard about it one of my friends had two or three right there in plain English I didn't have a phone at the time to check...
Its been reported before but kind of just brushed over no biggy. To go real conspiracy theorist....I think apple is submitting all these articles...
ButtonBoy said:
We need to develop a shim that reports modified IMEI/SIM data for different apps.
Click to expand...
Click to collapse
Great idea
The source code/instructions for TaintDroid are now out:
http://appanalysis.org/download.html
Anybody found a (recent) kernel with built-in TaintDroid-support?

[Q] Why my application was removed from the market?

I hope this time it's the correct forum.
So long story short.
I've written an app that allows to hijack FaceBook profiles over the WiFi. So when you're connected to WiFi you can "hack" into other users profiles. It doesn't work for profiles using SSL (yes you have that option in FB). So it can be treated as a "bad app". BUT! it is not dangerous for the one using it. I am aware that this is "questionable" application, but is there any other way to tell people - "HEY! use secure connections, it is not safe to use public WIFI!". I'd bet that a lot of you don't use SSL now and after using/reading this app you will turn SSL on.
That could be the #1 reason for deleting my app.
The second one is that I've put a 'demo' app in the market with a limit to sniffing only 3 profiles. But you could buy it through paypal. And today I've found out that this also could lead to app deletion. However i've bought launcherpro through paypal so I don't see why my app was removed in less than 24 hours.
What is your opinion and what can I do to sell my app somehow (i need my 25$ back that I've paid to register in google wrr...). Is there an option I could do put it in market without google deleting it like putting a disclaimer or something? The app itself is safe for the user downloading it.
Edit: If I put a link to this app here will this thread be deleted? If so, is there an option to promote it here?
Per forum rules, link removed
bponury said:
I've written an app that allows to hijack FaceBook profiles over the WiFi
Click to expand...
Click to collapse
There's your answer.
JamesC_ said:
There's your answer.
Click to expand...
Click to collapse
+1 on that
if it allows you to hijack fb you can steal other information from the users account so why would they allow it and put themselves into a legal bind for doing so
JamesC_ said:
There's your answer.
Click to expand...
Click to collapse
So if it wasn't for this app you would be safe? No, facebook is ignoring users privacy and this app is nothing more then a good way to show people what could be the cost of not using secure connections. Of course this can be used in a bad way, a lot of apps can. Like sms bombing or phone number spoofing. But they are not removed from the marked do they?
Ethics
And even worse you want to get paid for it.
wdl1908 said:
Ethics
And even worse you want to get paid for it.
Click to expand...
Click to collapse
Yes, I know what ethic is however we're not living in a perfect world and just believing that everyone is good and ethical so I can just leave my door open when leaving the house is not going to protect me against the reality. I believe in http://en.wikipedia.org/wiki/Full_disclosure and this case is even better because FaceBook is aware of the problem and just ignore it. A few people are aware that there's an option to use SSL on facebook. In my opinion FB should just get it done right and force users to use it. It's not a problem these days right? And what is wrong in getting paid for my work. I've spent some time developing it. Security by obscurity is not working, really. Take my app for example it would take max 1h to crack it. It's not security it's just being to lazy to secure it. And hoping that no one would care to crack it.
sms bombing is not hacking someones account! you are just spamming someone with messages.
even if it is down to fb to let people know about security, the market owners can be sued for allowing such an app on the market. there are better ways of showing a person how unsecure a connection is without punishing them in such a way.
the secure connection is useful for public connections but some people may not want or need to use it at home so they have the ability to switch it on or off. apparently there are issues with some games on fb that are linked in with the use of the secure connection.
traumatism said:
sms bombing is not hacking someones account! you are just spamming someone with messages.
Click to expand...
Click to collapse
People are killed for spamming in russia (http://www.theregister.co.uk/2005/07/26/russian_spammer_killed/)
And what about spoofing caller id? AFAIK that things are valid in court cases in Poland.
traumatism said:
even if it is down to fb to let people know about security, the market owners can be sued for allowing such an app on the market. there are better ways of showing a person how unsecure a connection is without punishing them in such a way.
the secure connection is useful for public connections but some people may not want or need to use it at home so they have the ability to switch it on or off. apparently there are issues with some games on fb that are linked in with the use of the secure connection.
Click to expand...
Click to collapse
I don't know how to tell people - secure yourself any other way. I know i'm devils (myself) advocate right now, but really do you think that forgetting about insecurity is a good way? I don't force anyone to use it in a bad way. But after I showed how it works in my house all my room-mates turned SSL on instantly. And they were not mad about it, shocked a bit but now they are safer now. Sure you can just tell people - hey turn ssl on and 90% of them will ignore you. But when you show them - look! i can see your messages that easily if you don't do it. Then they would listen.
haha! So, if someone got a gun and went around shooting people in cars to proove that they should actually have bullet proof windows and burst-proof tyres, that it's all ok, and not in any way shape or form, illegal?
ha. ha.
infact op ip should be reported to facebook
By nature I wouldn't go near this app. If its collecting other peoples info I could be collecting my own. Thats how I see it logically ... people always get screwed when they are doing something they shouldn't be doing.
There is a place for all apps in this world be they good or bad. You could always host a site and put it on there. I wouldn't go near it cause once again I'd be afraid of whats laced on that site.
I was just providing another point of view to the convo.
MarkusPO said:
haha! So, if someone got a gun and went around shooting people in cars to proove that they should actually have bullet proof windows and burst-proof tyres, that it's all ok, and not in any way shape or form, illegal?
ha. ha.
infact op ip should be reported to facebook
Click to expand...
Click to collapse
So if you have a car that can be opened by someone who has a screwdriver wouldn't you want car manufacturer to secure your car. Buying a bulletproof car isn't exactly the same as pushing a button in a web browser isn't it? And you're comparing killing a man to posting "I'm a jackass on someones FB wall". But still, you can buy a gun right? Also pretending that there's no problem isn't fixing a problem.
And hey, this app isn't new you know, if it wasn't for this thread maybe you wouldn't know that people use this apps on PC's maybe one day you would find that all your mail is gone (yes, this app could be modified to work with other sites like this forum). And ask yourself wouldn't you be pissed if you've found out that anyone using your network could get into your bank account? Well I would. But most (all?) banks use SSL by default. Google does. Why FB doesn't?
hazard99 said:
By nature I wouldn't go near this app. If its collecting other peoples info I could be collecting my own. Thats how I see it logically ... people always get screwed when they are doing something they shouldn't be doing.
There is a place for all apps in this world be they good or bad. You could always host a site and put it on there. I wouldn't go near it cause once again I'd be afraid of whats laced on that site.
I was just providing another point of view to the convo.
Click to expand...
Click to collapse
Yes, in fact it needs root to modify iptables and send raw arp messages and I know people get scared when an app needs root. If someone is interested I could write here how it's done and anyone could write it. It's actually nothing magical.
I wrote this app as a project for my mobile programming class. In the first version it also sniffed for Gadu-Gadu messages (it's a polish messenger). But I sure hope that when and if this app let's loose than FB will react and enable ssl by default. Maybe other websites will use it too. It's just that easy to protect your users, I don't understand why they don't do it?
most people who do not want their details stolen, do not use public access internet. does FB take money transactions over their site?
google does and the banks do so they will have a secure section. fb may do this using paypal or google checkout or otherwise so may not need the ssl that the banks need. sure it still renders people vulnerable to attack and theft of other information but even so that information is very limited dependant on the user of the account.
traumatism said:
most people who do not want their details stolen, do not use public access internet.
Click to expand...
Click to collapse
Yes, so other people want their details stolen? You are aware of the problem 'cause your "into computers" but out of 500 milion fb users how many of them ever heard of SSL? How many know that they are unsafe?
well with the amount of messages being spread on fb already about this i think more people will know, but to let people know only by stealing their details is pathetic. sure you may have made this app for a project but why give other people the power to do this. all you are doing is providing more uses for those who like to make other peoples lives a misery. the best thing that could be done with this is to let the website provider know how unsecure their system is. especially if you are aware of the issue and are bothered by it. i know i'd do the same. if that didnt work, sure i'd tell people about it but i wouldnt sell an app on to others so they can make use of it. not even for free.
traumatism said:
well with the amount of messages being spread on fb already about this i think more people will know, but to let people know only by stealing their details is pathetic. sure you may have made this app for a project but why give other people the power to do this. all you are doing is providing more uses for those who like to make other peoples lives a misery. the best thing that could be done with this is to let the website provider know how unsecure their system is. especially if you are aware of the issue and are bothered by it. i know i'd do the same. if that didnt work, sure i'd tell people about it but i wouldnt sell an app on to others so they can make use of it. not even for free.
Click to expand...
Click to collapse
Sure I could write an e-mail to facebook, but this issue is known for years! http://en.wikipedia.org/wiki/Session_hijacking I am sure FaceBook is aware of it. In fact they've enabled SSL only a month ago (maybe two months) but why it isn't enabled by default?
who knows. perhaps issues with other applications on the website, or applications made to access facebook. they may have left it so they can cater for other applications for and on the site. only they can answer that question.
anyway, he just showed the spirit of a developer and created something new
he never told anyone "hey go hack facebook profiles" or "sniff those profiles, its fun"
he just showed the possibilites of android development and did nothing wrong in my opinion
it's not his fault if facebook is unable to close a security leak known for a long time
yeah dont get me wrong blezz i understand that completely. but the argument was as to why they would remove it. legality reasons would be tne main issue. to cover their own backs as they can in fact face legal action for allowing the app to become available in their market.
I don't see anything wrong with the app.
It shows the flaws of facebook, and the fact that no one in facebook cares enough to do anything about it. But then I understand whygoogle would remove it... If facebook decided to sue for this google would be sued not YOU.
so it would be best if you released it HERE on xda rather than the market

ChompSMS flagged as malware by several AV's

Hi ppl in the xda hood
I just write to let you know that ChompSMS has now been flagged as malware, both on 2 phone here locally with Avast as scanner, and subsequently by upload to Virustotal, and flagged by some of the major names too.
This concerns both the 5.30 and the update from tonight to v5.31
As Im new, I cannot post urls, but you can dump the apk from both versions, upload for a scan, and have a look at the report yourself from virustotal dot com
XDA must decide if its worth it alarming the community, but better safe than sorry, right?
I guess it could be a false positive, and I do know things should not be rushed about accusations of malware developing, but seeing that several of the major scanners is flagging it both before and after the update, certainly raises my concerns.
I hope those of you who knows your way around decompiling and analyzing code will look into this, so that we can get more eyes on it than "just" the AV companies reports.
Sincerely, Omnius
After a bit of micro-investigating I have so far found these domains in the code, so if you do HAVE to use ChompSMS, (I do) you can ad them to your HOST file, just for the sake of it.
I dont know when or why they will be used but as they are in the code, there is a potential connection lurking in it. Decide for yourself, untill further ppl have a close look than mine.
Im not a dev of any sort, but I do know how to poke around to learn. Therfore please do not just take my words for granted until more competent ppl here have their say.
I do know that a few of these is for "normal" android app ads, and analytics and so on, but these are my finding so far, so filter our what you like it to connect to yourself. If you dont mind ads connections in-app, serve your wish, so to speak.
millennialmedia.com
gateway.textfreek.com
report.bitesms.com
nexage.com
inapp.chompsms.com
adserver.com
greystripe.com
smsgateway.chompsms.com
m.advc.us
cvt.mydas.mobi
rest.starttalking.com
mobileads.google.com
I used to love chompsms... now i guess I'm using GoSMS...
Sent from my Nexus S using XDA App
All of them appear to be valid to the program. Half are ad for ads, the other half are for functionality in ChompSMS.
I would be careful on using go SMS as well.
Antivirus apps will pick up any app that by passes any normal OS use. This always has been and always will be the case.
Anything with ads will always be flagged as it connects to an unknown server.
zelendel said:
I would be careful on using go SMS as well.
Antivirus apps will pick up any app that by passes any normal OS use. This always has been and always will be the case.
Anything with ads will always be flagged as it connects to an unknown server.
Click to expand...
Click to collapse
chomp was never flagged before the 5.30 update a few days ago...
really bothers me, i love chomp. i donated to remove the ads. i'm hoping they fixed it with 5.31 and the virus scanners are just still reporting it as a false positive. until it's sorted out though, i uninstalled...
Update : avg doesn't detect anything wrong with the newest version, 5.31.
Lemme tell you...
I noticed the new permissions requested in 5.30 (special access to browser history/bookmarks), and kinda shrugged it off. Dumb move on my part. Immediately upon launching 5.30, I get a notification from ADWLauncher that it cannot fit a new shortcut on my desktop (because the main page was full). So I'm naturally all like WTF... so I flip through my desktop pages to notice that ChompSMS had made itself a shortcut to searchmobileonline.com.
I also heard that it replaces your default browser home page and search method with the same. I use xScope exclusively, so I haven't been able to check that yet.
Delicious, Inc. has really crossed the line with this latest stunt. What were they thinking!? ChompSMS was the best Android messaging app IMHO. Why jeopardize such a great reputation? If it's money they were after, I'd imagine they could've raked in a nice bundle of cash for selling the product to another company.
Does anyone have a copy of this apk that I could take a look at?
kyokeun1234 said:
I used to love chompsms... now i guess I'm using GoSMS...
Sent from my Nexus S using XDA App
Click to expand...
Click to collapse
GoSMS is a security risk
Sent from Narnia
xHausx said:
Does anyone have a copy of this apk that I could take a look at?
Click to expand...
Click to collapse
I know this is a old thread but better than starting a new one.
I would like to ask if there is any news on this. I love chomp SMS, imo the best messanger for my taste. I have bought the pro version, to stay away from ads and unnecessary internet data. I have chomp on a brand new phone, no sim card, no messages, just activated chomp and my firewall instantly found chomp active on internet. I watched this for some time and really chomp was trying to do something even I did nothing with it.
important note: there is no data mining in any of their terms. Or at least I did not find anything.
So I contacted chomp about the behavior and they said that "they never seen this before" and suggested reinstall. I did, didn't help.
On the second try, they told me that it is connecting because of ads, but I had the pro version (and they knew it). So no luck.
After the third attempt, they said that chomp is sending once a day info that it is installed so they know how many installs they have.
This sucks a lot. Security concerns appears instantly.
I think it would be worthy to literally sniff a bit around this, since so many people is using chomp.

[CLOSED]Psa ...Dont use alliance shield app

Alliance shield app bricked my phone...the owner (RRiVEN) banned me for asking about the permissions his app uses and he got butthurt and banned my account and ip address knowing it would soft brick my phone if i factory reset it with all the apps I disabled and now I can't remove the spyware/malware infected app or recover my device back to factory settings...him and his app destroyed my brand new 1200 dollar s21 ultra
Wow. I used this app and I didn't get my phone blocked. Maybe the problem is something else? Re-record everything on your phone.
Maxxx17 said:
Wow. I used this app and I didn't get my phone blocked. Maybe the problem is something else? Re-record everything on your phone.
Click to expand...
Click to collapse
You didnt get you phone hacked using this trash app because you didnt question the owner of the app about the shady invasive malicious permissions it uses ...smh
Also this app proxys all your data and activity thru his server....the required sign up and login for the app to work is the first dead giveaway and a huge red flag
Lol...the owner of this app doesnt even use ssl for his server or app...its all tsl...unencrypted...lol...poor fella has no clue whos monitoring and accessing his server and network now...smh...this app wont be around much longer...i promise ...lol
HELLFISH420 said:
You didnt get you phone hacked using this trash app because you didnt question the owner of the app about the shady invasive malicious permissions it uses ...smh
Click to expand...
Click to collapse
You may be right. Be careful next time.
yeah the owner is in trouble and he dont even know it....he even tried to push a zip file to my phone (script)
HELLFISH420 said:
Lol...the owner of this app doesnt even use ssl for his server or app...its all tsl...unencrypted...lol...poor fella has no clue whos monitoring and accessing his server and network now...smh...this app wont be around much longer...i promise ...lol
Click to expand...
Click to collapse
I can't believe I missed this thread. Such gold in here.
Since you brought it up, you were banned after you made false claims about the Shield. We offered you MANY chances to prove your claims and you never did, just more talk and more claims and never any proof. Which I expect you will do here, can't wait I have my popcorn ready.
My favorite part is where you think SSL is encrypted and TLS isn't. Protip: SSL is insecure and shouldn't be used, ever. But don't take my word for it. Take Cloudflare's, one of the experts on this - https://www.cloudflare.com/learning/ssl/what-is-ssl/
As far as the shield not being around much longer, well that is also wrong, still going strong - never got an email or call from my Samsung rep like you said I would. You sure you were talking to Samsung and they said they were shutting us down?
The dots in Gmail, nothing to do with my script (Android doesn't run scripts, it runs Java FYI) Dots in Gmail don't do anything, once again don't take my word for it take Google's, you know, the owner of Gmail - https://support.google.com/mail/answer/7436150?hl=en
We block dots in Gmail because it gives spammers/scammers unlimited email addresses. [email protected] gets blocked register again with [email protected] same email inbox. That one gets banned, repeat with another .
The claim of a zip file being pushed to a device is flat out false. You made that claim and never produced the zip file, or evidence it came from the Shield.
A quick check will prove the Shield couldn't do it. We don't ask for or want the Storage permissions. Without them we can't access, add, delete, or create any file outside our apps protected folder. Unless you are suggesting we are using a zero day Android exploit to push a zip file to your device (zip files don't execute so why would we do that in the first place?)
The claim that we proxy all of your traffic through my servers is easily debunked. If that were the case you would see every site using HTTPS throw a certificate error, (most apps won't work either) it is why you use HTTPS so you know if your connection is being hijacked.
We are also confused what shady malicious permissions you are talking about. Android defines the permissions and you either request to use them or not. Once requested the user must grant ones that can cause harm to your device, like storage (once again we don't ask for, we don't want it).
If you have made it this far I will tell you our theory why Hellfish is so bent on spreading lies. He/she used the Shield to disable some critical system apps and bricked their device. Mad, which we would also be, they reached out to us where we informed them sorry nothing we can do now, it is bricked. They also disabled safe mode and factory reset. Once again we have warnings stating be careful what you disable and to understand what you are doing.
Enraged they started spreading lies and when called out they doubled down, and tripled down until we banned them. We have our limits.
The best part, and we saved the login logs, is not even a day later Hellfish was logging in to the app on a S21 ultra. Guess you found a way to get it working. When confronted more lies were spread and that account was banned. (We kept finding your alt accounts because you kept having the name Hellfish in them. We figured after the first alt was banned you would figure it out, but you made it too easy to find you. I gave up looking for you after the fourth alt account was banned, if you want to use the app and keep bricking your phone go for it)
If you haven't noticed we don't bow to pressure or are PC. You mess up and blame us we call you on it, you either own up to your mistake or get banned. If that means I have social problem then ok, fine by me, I sleep just fine at night.
Including screenshot of the Shield having no permissions, most games have more permissions than we do.
lmao...80-90% of what you said is straight up lies...you did all sorts of messed up stuff...hell you even hacked my discord and changed my password...then when my team bypassed your malicious app login you sent me emails threatening me and saying i broke laws and all sorts of dumb sh** ...you know what your doing is wrong....alot of other people see and know what your doing...you log passwords...your app has multiple permissions...exodus and other online checkers
riven you wouldnt by any chance be running a bitcoin mining scam would ya? ...lol....you run scripts and exe. files thru chrome remotely...i seen it with my own eyes...stop denying it...you know all bs aside i was actually nice and trying to help but you got butthurt when i showed the true app permissions to the whole world to see...as far as whats already been done is done...mark my words ...your app WILL NOT BE AROUND FOREVER
you couldnt pay me to use your malicious app .....lol...since my run with you ive already compiled and built my own disabler app ...and guess what..it requires no internet connection...no logins ...no permissions of any kind..has no trackers or anayltics ...and its 100% free..unlike your bitcoin mining app/alliance shield app...lmao.
oh yeah one last thing [email protected]
RRiVEN said:
I can't believe I missed this thread. Such gold in here.
Since you brought it up, you were banned after you made false claims about the Shield. We offered you MANY chances to prove your claims and you never did, just more talk and more claims and never any proof. Which I expect you will do here, can't wait I have my popcorn ready.
My favorite part is where you think SSL is encrypted and TLS isn't. Protip: SSL is insecure and shouldn't be used, ever. But don't take my word for it. Take Cloudflare's, one of the experts on this - https://www.cloudflare.com/learning/ssl/what-is-ssl/
As far as the shield not being around much longer, well that is also wrong, still going strong - never got an email or call from my Samsung rep like you said I would. You sure you were talking to Samsung and they said they were shutting us down?
The dots in Gmail, nothing to do with my script (Android doesn't run scripts, it runs Java FYI) Dots in Gmail don't do anything, once again don't take my word for it take Google's, you know, the owner of Gmail - https://support.google.com/mail/answer/7436150?hl=en
We block dots in Gmail because it gives spammers/scammers unlimited email addresses. [email protected] gets blocked register again with [email protected] same email inbox. That one gets banned, repeat with another .
The claim of a zip file being pushed to a device is flat out false. You made that claim and never produced the zip file, or evidence it came from the Shield.
A quick check will prove the Shield couldn't do it. We don't ask for or want the Storage permissions. Without them we can't access, add, delete, or create any file outside our apps protected folder. Unless you are suggesting we are using a zero day Android exploit to push a zip file to your device (zip files don't execute so why would we do that in the first place?)
The claim that we proxy all of your traffic through my servers is easily debunked. If that were the case you would see every site using HTTPS throw a certificate error, (most apps won't work either) it is why you use HTTPS so you know if your connection is being hijacked.
We are also confused what shady malicious permissions you are talking about. Android defines the permissions and you either request to use them or not. Once requested the user must grant ones that can cause harm to your device, like storage (once again we don't ask for, we don't want it).
If you have made it this far I will tell you our theory why Hellfish is so bent on spreading lies. He/she used the Shield to disable some critical system apps and bricked their device. Mad, which we would also be, they reached out to us where we informed them sorry nothing we can do now, it is bricked. They also disabled safe mode and factory reset. Once again we have warnings stating be careful what you disable and to understand what you are doing.
Enraged they started spreading lies and when called out they doubled down, and tripled down until we banned them. We have our limits.
The best part, and we saved the login logs, is not even a day later Hellfish was logging in to the app on a S21 ultra. Guess you found a way to get it working. When confronted more lies were spread and that account was banned. (We kept finding your alt accounts because you kept having the name Hellfish in them. We figured after the first alt was banned you would figure it out, but you made it too easy to find you. I gave up looking for you after the fourth alt account was banned, if you want to use the app and keep bricking your phone go for it)
If you haven't noticed we don't bow to pressure or are PC. You mess up and blame us we call you on it, you either own up to your mistake or get banned. If that means I have social problem then ok, fine by me, I sleep just fine at night.
Including screenshot of the Shield having no permissions, most games have more permissions than we do.
Click to expand...
Click to collapse
one last thing fool...stop putting ip grabber links in the comments...your just asking for trouble ...lmao
HELLFISH420 said:
lmao...80-90% of what you said is straight up lies...you did all sorts of messed up stuff...hell you even hacked my discord and changed my password...then when my team bypassed your malicious app login you sent me emails threatening me and saying i broke laws and all sorts of dumb sh** ...you know what your doing is wrong....alot of other people see and know what your doing...you log passwords...your app has multiple permissions...exodus and other online checkers
Click to expand...
Click to collapse
All I see is more accusations and ZERO proof. Typical Hellfish.
Where is the poof I log passwords? I will happily give you any version of the Shield going back 2 years. Decompile it and show me the password grabber, or exodus, or anything else. You can't so I won't be holding my breath.
It has multiple permissions yes, but most are so the Knox features work. You know what permissions I don't request? Storage.
HELLFISH420 said:
riven you wouldnt by any chance be running a bitcoin mining scam would ya? ...lol....you run scripts and exe. files thru chrome remotely...i seen it with my own eyes...stop denying it...you know all bs aside i was actually nice and trying to help but you got butthurt when i showed the true app permissions to the whole world to see...as far as whats already been done is done...mark my words ...your app WILL NOT BE AROUND FOREVER
Click to expand...
Click to collapse
Once again more accusations and yet zero proof. Same offer still stands, show me the malicious permissions, what ever that means.
Since we banned you for lies it has been half a year. My app is still here. Still waiting for it to be taken down. My guess is another 6 months will pass and we will still be here.
You were nice and we were nice untill we asked for proof about your wild claims, then it changed. Suddenly we were the bad guys. Extraordinary claims require extraordinary evidence.
HELLFISH420 said:
you couldnt pay me to use your malicious app .....lol...since my run with you ive already compiled and built my own disabler app ...and guess what..it requires no internet connection...no logins ...no permissions of any kind..has no trackers or anayltics ...and its 100% free..unlike your bitcoin mining app/alliance shield app...lmao.
Click to expand...
Click to collapse
We are happy for you, really are, no sarcasm, but once again you don't understand why we have the login.
All it takes is reading our website feature list to see why, but hey you compare apples to carrots.
Also you better hope Samsung doesn't find out you are using Knox to disable system apps or your key will be revoked.
If it uses Samsung Knox, then it needs an internet connection, so excuse me If I don't believe you 100%
HELLFISH420 said:
oh yeah one last thing [email protected]
one last thing fool...stop putting ip grabber links in the comments...your just asking for trouble ...lmao
Click to expand...
Click to collapse
What are you even talking about? I really think you need to get help, your infatuation of us is weird and how you think everything we do is hacking you.
Trust me, if I had a zero day (which I don't) I wouldn't use it to hack random people via my legit app we worked 5 years on and almost half a million downloads. I would sell it for $100,000 and then find the next one.
But hey, you think whatever you want.
Edit:
After reading my comment again do you think the Cloudflare or Google link is an ipgrabber? I take it you never heard of Cloudflare or Google, interesting.
Cloudflare has a market cap of 65 Billion and Google 1.99 Trillion, very huge respected tech companies.
Hi Rriven, I just heard about your app and was surprised that it involved using Samsung Knox. That sparked my curiousity, so I did an some analyzing and I have a curious question. Does your connection with the US Military/Army help you create this app. I did see that the DoD (Department of Defense) has approved and worked with Samsung, Knox specifically in creating a phone for the Military. And according to your LinkedIn profile, it shows that you have DoD clearance.
Suprnova84 said:
Hi Rriven, I just heard about your app and was surprised that it involved using Samsung Knox. That sparked my curiousity, so I did an some analyzing and I have a curious question. Does your connection with the US Military/Army help you create this app. I did see that the DoD (Department of Defense) has approved and worked with Samsung, Knox specifically in creating a phone for the Military. And according to your LinkedIn profile, it shows that you have DoD clearance.
Click to expand...
Click to collapse
Any legit company can apply to use Samsung Knox, which I did.
My connection with the Military has nothing to do with the app. The Shieldx was created in my spare time using my company (RRiVEN LLC) that I set up as a College project before I joined the Military.
Knox is a very powerful system that the Shield only scratches the surface of what it can do. I am not surprised that the Military uses it.
This hellfish character is a troll. Shield is a great app and works well. Only I don't stick with it because there is still no way to add large hosts from online sources easily. Once that happens, I'm switching. Until then, adhell3 is the best solution.
Wow that war was awesome to read. Go Alliance Shield X whoo whoo !!! lol
this issue has been resolved....mods please delete this entire post
I'm not related to hellfish or whatever, just saw a recommendation in the internet - app to control running services on Samsung devices, well that was quite an experience.
This is just ridiculous software, probably author is a follower of well known Terry Davis (god bless his soul) with his well known TempleOS. IT IS JUST FREAKING RIDICULOUS! never ever install that crap and stay away... just a complete nonsense beyond imagination, you may get a taste of it just browsing through official website, which was already very much suspicions, but I registered and installed anyways... mother of god...
also author's weak excuses about dot in emails? WHAT ON EARTH???? have you ever seen a single rnd generator... do you have a slightest idea how email works, any understanding of modern spam\antispam techniques? zero, zilch... my god... sheeez....
HELLFISH420 said:
this issue has been resolved....mods please delete this entire post
Click to expand...
Click to collapse
How did you resolved the issue? pls update me about the solution so we can also try..
HELLFISH420 said:
you couldnt pay me to use your malicious app .....lol...since my run with you ive already compiled and built my own disabler app ...and guess what..it requires no internet connection...no logins ...no permissions of any kind..has no trackers or anayltics ...and its 100% free..unlike your bitcoin mining app/alliance shield app...lmao.
Click to expand...
Click to collapse
also how can I get this software of yours? Have you uploaded this in the forum or playstore or somewhere else? Please update me...

Categories

Resources