Related
Do you know that the Android Market Place too has some serious loop holes as some of the applications in the Android Market Place steals the banking passwords? Yes, for all those who thought that the Android as a platform is safe might just have to give this a thought as its not safe at all as the market has a malware which really is responsible for the stealing of banking passwords data. Basically there are two Android Malware types which are available as of now, one is the Droid Dream Light and another one is the Zitmo out of which both has the ability to steal the banking data or can also intercept the data from the non suspected users and then the data can be fetched to misuse it. Though these both malwares can be caught by using the recognized Antivirus, its still a big question mark on howm many more such malwares are there which cause damage to the privacy of the users confidential data.
Since these two malawares were caught by the LookOut mobile security, we could knew on what consequences it can make, so always ensure that you use a trusted antivirus or the anti malware softwares like the Lookout Mobile Security or else it will be very difficult to track, find and kill such malwares.
According to the release by LookOut, it was reported that the four applications that are Mobnet: Quick FallDown, Scientific Calculator, Bubble Buster and a clone of Best Compass & Leveler pulled the user data and were stealing the udser passwords, so its better that immediately you should uninstall these applications which are mentioned above. Please note that, always you will have to ensure that the unwanted apps should be removed or uninstalled from your device or else such consequences can get aroused. Also, we can hope that since al these things are Anti-Google Policies, Google will surely look out for the same and will ensure that such things are not repeated again. In the above 4 applications which are listed, there was a threat of Droid Dream Light which was found and also this one contnously performs the unwanted tasks in the background without our consent which is the most worst thing as it not only drains the data but also steals the data from our Android Phones like Passwords and other crucial data.
Another malware which is named as the Zitmo is basically a malware which has recently plagued other mobile OS formats like Windows and even the Symbian and was known for stealing the passwords. Also, this on eis very popular on all variants of the Videocon Zeus handsets as this malware is made for all the Zeus variants phones. Adding to the Worst its event like that it tracks all the incoming messages and captures the crucial data like the authentification codes which the bank sends to the users and also it has the capability to perform the transactions on the users behalf. Also, additionally, the apk file size is of around 19KB and it passes itself as the security tool with the name of Trusteer and if te user installs any malicious application, then then trusteer report will be appearing on the main menu and then this will take over the screen after clicking on the application link which is again the bad part of this application and how it works to capture all the important data.
So, all in all if you look to protect yourself from all such malicious threats, then you will have to make sure that you use a good antivirus as well as a good anti malware solutions like AVG Security Suite or even say Look Out Mobile security tool.
Do, let us know if you want to share any such experiences in the comments section below so that all other users will get benefitted with the same.
Source? 10char
tl;dr
However, I'm not stupid enough to enter my details into my phone willy nilly, or at all infact.
source please
Reads like an advertisement for lookout security, an app that has questionable permissions in itself, lol
Sent from my ADR6300 using Tapatalk
1. i dont download app under 300 reviews and rating.
2. i do research before i download app.
3. read step 1 & 2.
techrepublic has a little info on the Zeus/Zitmo and android, stating that:
Security researchers at Fortinet, S21sec, and McAfee are following the Zeus/Zitmo saga closely. They have examples of Zitmo code for Symbian, Blackberry, and Windows mobile operating systems–three out of the big four. What about Android? (...) According to this Nielsen report, Android is favored by a third of all smartphone users. Seems to me, the bad guys are missing or avoiding the largest segment of mobile-device users. Puzzling.
Anyway, for now I think that combo of DroidWall, LBE and Permission Denied provides some level of security
phoenixs4r said:
Reads like an advertisement for lookout security, an app that has questionable permissions in itself, lol
Sent from my ADR6300 using Tapatalk
Click to expand...
Click to collapse
I agree with that, I actually think Lookout itself is the part of malware. I'm curious what it is actually doing while it's scanning apps.
Closed - OP request
I wrote this On Xperia Neo General forum but it belongs to here much more.
Original thread at: http://forum.xda-developers.com/showthread.php?t=1447095
Click to expand...
Click to collapse
Introduction
I have not seen much talk about security in XDA.
First, here's just one informative link talking about using and developing apps and security risks involved.
http://www.technologyreview.com/comp...1/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, get your credit card info(should you do such things on phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app only to have risks. Most people use Windows so they should know that it is OP systems bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM. That's just idiotic security system, for it is the only thing beside encrypting shut off phone on 3.0 and 4.0. So that means Android on it's own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and it's Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Exporer has root access, that means it has root access to whole Android. To remove unnecessary risks, this app's root access should be limited to only most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is Apparmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is obvious vulnerability, but it is at least known one. Let's look at possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On market it does not list permission to "Unique Device ID"(IMEI for GSM and MEID; ESN for CDMA) for free nor for paid version.
That means the author of BB has left the code from free version in paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the add and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's a latent code, with no benefit to user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on net and also where you are physically. GPS is just one way to find you, police for example have scanners to locate your devices physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risks of your home being marked as the next dungeon to be looted by some raiders, I mean criminals(or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by trojan/hacker is random. Yet the threat would not exist without apps having so flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos ". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in aquarium or hamsters in cage( "Look at that dork!", "You're one ugly m...f...er","ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?" "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by hacker on background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Devide ID
4. Cell Tower Name.
That's a lot of needless permissions for flashlight, these are there just to track you the app user and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux have such security holes then why do you want your Android have them?! You don't want, that's the point and these apps would not be so popular if people would really know and care about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
In my honest opinion. If someone keeps files like ccinfo they have to worry about being jacked then they deserve it. Should it happen. U shouldn't keep things on your phoney don't want the rest if the world to have
Sent from my Cyanocrack using Xparent Blue Tapatalk
You don't need to keep credit card info on phone, your using the credit card via Market or logging in to bank on phones browser is enough to intercept your credit card info. Your browser may show you xxxxxxxxxxxx+"last four digits only" but that doesn't mean the data to and from your device doesn't contain exact credit card number. It's encrypted, but that is merely a minor inconvenience for a hacker.
That is why being rooted is not advised to everyone. Mainly if they don't know what they are doing. Also customs roms are not for everyone. People flash them cause they think its cool and don't understand what they are doing. That is their problem. People should pay attention to the permissions that am app asks for. Common sense is the best protection. Main reason I don't do anything that deals with a bank on my phone.
Raoa said:
I have not seen much talk about security in XDA.
Click to expand...
Click to collapse
There's talk. It's just not on important yet, because the android device is not being marketed like an OS is with a personal computer.
However, the more we do on our phones, the more we'll realize it needs protection like firewalls. We catch a few like CIQ or the Wimax exploit, but it's going to get worse as we advance in our integration. We do need to start now before exploits get worse and stay ahead of the curve.
Until that time, 4G exploits and root kit programs will run freely on our devices that houses a lot of our personal information.
Plus, for some stupid reason, there are a lot of people who think Linux is immuned to viruses and security holes due to it's code transparency. Android is being mainstreamed. It will soon be a continuous target like other existing popular software programs and operating systems.
And that's why iOS is far superior even without widgets or live wallpapers.
Something to think about.thanks for posting.
Sent from my HTC Glacier using XDA App
alex2792 said:
And that's why iOS is far superior even without widgets or live wallpapers.
Click to expand...
Click to collapse
IOS and Mac are just as vulnerable, maybe even more so because of there popularity and the misconception that IOS is secure and does not need AntiVirus protection. Just last week i removed a nasty virus on a brand new Macbook Pro so that is not the way to think. You need to act as if there are security issues and just be really careful at what link you click and what email you open.
mattfox27 said:
IOS and Mac are just as vulnerable, maybe even more so because of there popularity and the misconception that IOS is secure and does not need AntiVirus protection. Just last week i removed a nasty virus on a brand new Macbook Pro so that is not the way to think. You need to act as if there are security issues and just be really careful at what link you click and what email you open.
Click to expand...
Click to collapse
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
I am not an expert on iOS nor do I have any wish to even know or use it, because Apple buys from suppliers that emply child labor and sweatshops.
When Linux started spreading around people also thought it has no viruses.
Same story repeats with every software.
For each different OS it takes merely time before people start to notice that their OS has viruses/trojans/spyware too. That doesn't mean their OS is not targeted. You should expect all sorts of thieves to use any and all opportunities.
Secondly OS does not matter so much as the matter that your device is connected to wifi, data, bluetooth, et or not. IP addresses, MAC, IMEI, etc they all stay the same on every platform. No matter which OS, they all connect to wireless networks, cell network, data, bluetooth, etc which all have set standards.
So someone wanting to track, spy, get your private info simply has to intercept the data your device sends to any network. If you don't use strong encryption to send info via network then it is easy to "wiretap" you.
Why is there so much spam, viruses, spyware in internet today? It's because the software managing internet is not made to be so secure. If it were secure then it would also be more private and safer for people to chat over net.
So not only OS's need to be more secure, but the very internet itself needs to be reformed.
This relates to SOPA and PIPA. Had those two bills been passed the next step would have been logically to make changes to all networks so you'd be more easily trackable, hackable, "wiretappable". It's simply logical, cause SOPA, PIPA were so defunctly worded as if asking/preparing for a third bill to regulate the networks.
So we must make sure that internet will be reformed for the private users and not for greedy corporations. We would not need to buy anti-spyware, anti-virus software if the internet were truly engineered for the welfare of humanity.
You could use any OS, bugged or not and not be afraid of loosing your property or privacy if the internet would stop such acts before they could harm you, the individual who is supposed to truly and freely benefit from the services; either for free or for honest price, but now you are robbed and think it is good to pay the thieves.
Raoa said:
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM.
Click to expand...
Click to collapse
Please elaborate. The sandbox does prevent one app from reading the data of another, such as the CC info from the Market.
Also, are you sure Market sends the entire CC number? There's no reason for it to send it, the transaction is performed on Google's servers.
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Click to expand...
Click to collapse
Are you talking about viruses or malware? Please don't conflate the two.
Malware is easy to take care of - check the apps you're downloading for what permissions they want. It's as simple as that.
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
Just before xmas an iphone developer admitted to deliberately uploading malware in his ios app to show malware can easily affect iphone.
http://m.intomobile.com/2011/11/08/security-expert-sneaks-malware-into-iphone-app-store/
That was for normal iphones. For jailbroken ones there are more malware apps.
Dave
Sent from my LG P920 using Tapatalk
Raoa, your absolutely right.
I've had the exact same thought recently
Its like the overall view of the Android landscape is ridden from real security apps, for the simple purpose of have the platform as open as possible. And while this is good for developers and users of this and other serious forums, its also open for the "dark" communities as well.
I often ask myself, if the ROM devs onboard have these thoughts themselves, as in, what is my source of this modded apk, is is straight from the Market or from another dubious, (do I dare say chinese forum, just an example)
And how clean is my code really?
And is all mods just legit just cuz they are from here?
I love that we have so many ppl having a desire to mess around with the OS, but I miss, as you say, the talk about having a go on security as well.
I dont know, but I do think that awareness, as you initial post direct us to, should be raised, as a natural step for any serious dev and users in general on XDA, to be more aware, of the code.
Im on my first year as an Android user, and ofcourse did have to gain root on my splendid Sensation. Why?, cuz I needed the security tools requiring root.
Ask again, why? Cuz I came from Winblows 7, and know what a jungle software is, and that is is indeed exploitable, like hell, you might say.
And Im gladd I did gain s-off and root, cuz its really really needed fo youre just a little concerned about your privacy in, mails, sms, location, usage pattern, netbanking, dropobox deposits of your ****, some might even be work related and therefore hold more than just your own privacy.
And then there is what you mentioned, our devices unique ID's, the intent "app install referrer" to "plug" you into admob/google analyzer and so on.
I love one guy here, Treve, who made the HTC tool for scanning for ****, Logging Test Tool, and in version 10, he made it aware of admob/mobclix/analytics, and my god it find a lot...
So Treve, please, if you read this, just go on, as every version you make is getting finer and finer.
We could learn from this guy, and others here that got more code-insight.
What we CAN do as a community at the very least, is to share our knowledge and tips for securing our phones.
HOST filtering, code scanning of apks and so on. using AV's and firewalls and so on.
Right from the start I noticed that Android is not a clean OS, nor is its app market, and I noticed this cuz I have another splendid little Linux system at hand, Smoothwall Express with url filtering and proxy enabled
and My god is Android and its aps LEAKING!
Have a look in your urlfilters on a standalone firewall the step after your wireless android phone, and watch how much **** is going on.
Well, I can tell you for a start that I have added atleast 100 new domains to my custom urlfilter, besides the casual downloadable HOST filters around the net, like the ones found in AdblockPlus and so on. But after android, heh, you need more than just advertising filtering, that much I can say.
Just as an example, like those you mentioned, I have one too, that I was made aware of by Avast on my phone tonight, that ChompSMS was being flagged as malware/trojan.
I thought, **** man, why this crap, Im quite fund of Chomp, really.
So I thought, no, imma let more that Avast on my phone have a go.
So I File Expert dump the full apk, and uploaded it for a scan on virustotal, just for the sake of it. And whatta'ya know, ClamAV, GData, Kaspersky, NOD32, and Sophos flagged it as that same Plankton.G variant as my on-phone Avast.
Great, I thought (sarkasm intended)
I thought a bit further and picked up APK Multi-Tool, had a decompile and a content-scan for just "http" in is readable code.
12 different domains is mentioned so far, and I didnt even poke in all of its xml's, just the smali's
I know android is by a far stretch advertising born, and ofcuz the app devs have a right to earn their money, no doubt about that, and I gladly pay for the good ****, like most ppl here believeably do, but.. 12 different .com's mentioned in its code is a no go for me.
I have earlier used Privacy Blocker, and Privacy Inspector from XEUDOXUS in the market, to make permission scanning, beside using LBE/HOST/Avast, and I like those two aps, the Inspector one is free but only can scan.
The paid Blocker can "repair" as a feature, but its not maintained enuff, so it often fails to make installable apks, so not really worth it for me anymore, but as a free too, it can tell you more about those permissions you mentioned.
But enuff said from me for now, lets just collect and share our tips and tricks, ALSO for security, not just developing ROM and mod's and hacks, as thou they are fine, if not to say, so cool and great, but, we need to be secure too.
Please do not polute the discussion with IOS vs Android and what not, cuz thats not the purpose of it, even thou it definitly concerns (g)A(r)pple products too.
Sincerely, Omnius
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
Iphones can get viruses they come through SMS's and other sources not as bad as android apple keeps there market much more under control, but everything is vulnerable i work in a security team for a big corp and believe me nothing is safe.
Check these articles out i just found them on google.
I remember a while ago maybe a year or so there was a huge security hole in IOS5 and Mac waited a long time to tell the public and release a patch. The one major problem with Apple is when there are security threats they really try to keep it hush...Iphone's OS is tight but not totally secure. Its not viruses either its moslty just malware that charges you tons of money in texting i saw once an iphone that turned into a bot and at midnight it would dial a 900 number and just sit there all night at like $20 bucks a minunte then disconnect when it felt the phone move.
http://www.mactrast.com/2010/07/iphone-virus-discovered-be-vigilant-and-seek-advice/
http://techfragments.com/news/982/Software/Apple_iPhone_Virus_Spreads_By_SMS_Messages.html
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
weedy2887 said:
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
Click to expand...
Click to collapse
I wouldn't be so fast to praise MIUI.
weedy2887 said:
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
Click to expand...
Click to collapse
The problem is the "Average Joe" doesn't even look at those or doesn't know what they mean. I see so many viruses/malware/open security holes just because of user error its insane. Almost 90% of security breaches or problems originate from the end users not paying attention or just not knowing or caring. Also another thing i see so much when new clients call me with there servers melting down and all there banking info being stolen is they haven't installed any updates on there servers since they were set up 2-5 years ago. I worked for a large industrial supply company and all there servers running MS Server 2008 no updates had been installed and they were using AVG free on there main SQL server...INSANE LOL
Then theirs the users, "my computer was fine until my friend on facebook wanted my SS# and mothers maiden name and insisted i open his email attachment, now its acting weird what do you think is wrong?"
Brutal
what is the 4g exploit that you are talking about? And is it only with wimax or is lte part of it as well?
Oneiricl said:
Malware is easy to take care of - check the apps you're downloading for what permissions they want. It's as simple as that.
Click to expand...
Click to collapse
It's absolutely amazing that people are willing to put up with something so ridiculous.
Sent from my SGH-I897
Hey XDAian...:laugh:
Get ready for few suggestions & discussion.
Based on some pretty interesting facts about "mobile in general", The smartphone segment has brought accessibility to millions around the world, at work and at home. Naturally, all the data in those devices, wirelessly accessible, becomes a gold mine for those with nefarious motives to exploit.
On the work front, smartphones are a huge contributor to productivity. At home, they provide meaningful and useful (and sometimes redundant) ways to stay in touch with friends and family. The more of these devices we buy, the bigger the opportunity is for criminals, because there are so many ways to get the data. We might lose a device, or its is stolen, we might download a bad application, or soon brush against an NFC tag or visit a bad web-page. The possibilities are so diverse compared to a PC or server farm hardwired to the internet.
With the tremendous growth of the smartphone market not expected to slow down anytime soon, people and organizations must be vigilant in guarding against breaches of their data and/or personal information. Even as organized hackers work on ways to score the high-value breach, they are working on high-volume, low-risk attacks against weaker targets as well.
In addition to some tips about securing mobile devices, the infographic has some interesting facts from 2011 in there as well, such as 855 breaches resulted in the theft of 174 million records.
We Need some Security Applications for preventing our valuable data (like Msgs, Contacts, Pin codes etc). Therefore, from my side this thread belong to all XDAians.
Please suggest the latest, finest Applications & few tremendous suggestion from all Devs, RC, RD & Members.
I like a Security based Application called LBE Privacy Guard to Prevent sending data through various applications installed at our Mobile.:good:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Some Great Ideas Received from Our XDA Members. Which are here follows:
As this OP thread may become too long so, for Batter view just press "Show Contents" for there suggestions.
A Very Big thanks to Android Police, Phone Arena & Android Authority for survey about malwares & security.
How to secure your Android phone and protect your data
All software has security vulnerabilities. It is a fact. You only need to look at the software updates that are issued by the big companies like Microsoft, Adobe, Apple and Google to see how prevalent is this security problem. Smartphones aren’t immune, not iPhones, not Windows Phones and not Android. But there are some simple things you can do that will drastically reduce your exposure and help secure your Android phone or tablet, as well as protect your data.
A recent report by Check Point, the firewall maker, estimated that €36+ million has been stolen from corporate and private bank accounts in Europe by a group running a campaign of attacks known as “Eurograbber”. The campaign infected victim’s mobile phones with a piece of malware which could intercept SMS messages. When the victim used their online banking the SMS authentication code sent to the phone was intercepted. This then allowed the attackers to access the victim’s account.
Securing your smartphone and protecting yourself against malware isn’t about stopping some annoying virus getting on your device, it is about protecting your money, data and privacy.
There are several different areas in which you can improve your phone’s security including physical access, malware protection and encryption.
Who has access to your phone?
RULE #1 – Never leave your phone laying around where uninvited guests can access it
Before looking at things like malware and data stealing apps, the simplest form of security is to limit physical access to your phone. There maybe lots of sophisticated remote attacks out there but if all I need to do is quickly pickup your phone and access your emails, PayPal, eBay or Amazon account while you pop off to get a coffee then all the security software in the world won’t do you any good.
RULE #2 – Use a lock screen
It is also essential that you use a lock screen. This stops everyone from small kids to determined snoopers from sneakily accessing your device. Modern Android versions have a whole gamut of lock screen options including pattern unlock, PIN numbers and password protection. To set these go to Settings and then tap Security. You can also customize how quickly the lock is automatically applied.
RULE #3 - Set a PIN to protect purchases on Google Play
It is also possible to set a PIN for purchases in Google Play. With the PIN any would-be trickster (or small child) won’t be able to buy content from Google’s app store. To set it, start the Google Play app, go to setting and then tap “Set or change PIN”. After the PIN is set, tap “Use PIN for purchases” to require the PIN before purchasing anything from the store.
RULE #4 – Install a phone location app or use a security app with an anti-theft component
Keeping your phone nearby and using a lock screen will thwart snoopers but the determined criminal will simply just walk away with your phone and try to extract the data later or simple wipe your phone and try and selling it. The first few hours after you phone has been taken are the most critical. To find your phone it is important to use a phone location service like Where’s My Droid or install a security app with an anti-theft option like avast! Mobile Security.
Malware
RULE #5 – Don’t install apps from dodgy third party sites, stick to places like Google Play or the Amazon appstore
Because Android is so popular, it is normal for it to become a malware target. Malware authors don’t waste their time writing malware for a phone operating system that no one is using. This means that there is lots of Android malware out there. But here is thing, how does Android malware spread? Unlike worms, which spread automatically over the network or viruses which tend to spread via USB flash drives etc., the majority of Android malware needs to be installed manually. There have been some exceptions but in general it is unsuspecting users that install the malware themselves onto their own phones.
The malware authors have lots of dirty tricks to try and fool potential victims into installing their malware. One very common approach is to offer a free version of a popular non-free app with the malware hidden inside the app. Greedy users who think they are getting a bargain because they have managed to save $0.69, but in fact are infecting their devices with malware. Over 99% of Android malware is spread via third party app sites. Don’t use them.
RULE #6 – Always read the reviews of apps before installing them
RULE #7 – Check the permissions the app needs. Games generally don’t need to send SMS messages etc
A small percentage of malware is spread via Google Play, but the apps in question normally only survive a few hours on the store before being removed. To avoid such rare cases it is always important to read the reviews of other users and always check the app permissions.
RULE #8 – Never follow links in unsolicited emails or text messages to install an app
If the malware authors can’t get you via a third party store or their apps are taken down from Google Play, they have one more trick, unsolicited emails and text messages asking you to install an app. In the “Eurograbber” campaign, what the attackers did was infect the victim’s PC with a piece a malware (something which is a lot easier than infecting an Android phone) and then via that malware they tricked the user into installing their “enhanced security” app on their phone. The PC malware monitored the victim’s Internet usage and when they went to an online banking site the malware pretended to be a warning from the bank telling them to install an app on their smartphone. It was all downhill from there for the poor victim.
RULE #9 – Use an anti-virus / anti-malware app
Even with diligence it is possible for malware to find its way on to your device. It is therefore important that you install an anti-virus / anti-malware app. This best antivirus apps for Android article will help you choose one, but if you don’t have time right now then go for Kaspersky Mobile Security (paid) or avast! Mobile Security (free)
Rooting
RULE #10 – Don’t root your phone unless you absolutely need to
Some of my colleagues here at Android Authority are very keen on rooting and I can understand why. The lure of custom ROMs and the ability to tweak different parts of the OS are all part of what makes Android great. But, Android was designed with a very particular security model which limits what an app can do. By rooting a device this security model breaks. Even the CyanogenMod team acknowledged that there are limited uses for root and none that warrant shipping the OS defaulted to unsecured. The problem is there are specific types of Android malware that circumvent Android’s security mechanisms by using the existing root access. With root access, the malware can access parts of Android that are supposed to be protected by the permissions system.
Encryption
RULE #11 - If your device has valuable data on it then use encryption
Since Android 3 it is possible to use full encryption on a phone or tablet. By encrypting your device all the data including your Google Accounts, application data, media and downloaded information etc. becomes inaccessible without the right password or PIN. Every time you boot the device you must enter the PIN or password to decrypt it. If your device has valuable data on it using this encryption is a must. NASA recently had an embarrassing episode where a laptop was taken that held personally identifiable information of “at least” 10,000 NASA employees and contractors. After the incident NASA decided that any devices that leave a NASA building need to use full disk encryption.
RULE #12 – Use a VPN on unsecured Wi-Fi connections
While on the subject of encryption it is worth remembering that if you are using a public unsecured Wi-Fi hot spot all of the data that is send using http:// (rather than https://) can be seen my any network snooper. In the past security researchers have shown how easy can be to steal passwords to the popular social networking sites just by using a laptop and waiting around near a public open hot spot. To avoid revealing your password and other data, don’t use open Wi-Fi hot spots or use a virtual private network (VPN) to secure your connection.
Conclusion
If you follow these twelve rules and remain vigilant you should never have any security troubles with malware, thieves, hackers or any small furry animals! OK, that last part isn’t true, but the rest is!
Source: Android policereserved for articles
Android malware perspective: only 0.5% comes from the Play Store
Are Android apps secure enough for us to let them handle our finances and personal information? Quite a few of them aren't, according to a recent research that analyzed how well various applications protect the user's sensitive data. The study was conducted by the Leibniz University of Hannover, Germany, in partnership with the Philipps University of Marburg, the researchers came up with a list of 41 Android apps that should use tighter security measures.
In particular, these apps were discovered to expose the user's data at risk while a device running Android 4.0 is communicating with a web server. What's even more worrying is that these insecure apps were among the most popular ones on Google Play, being downloaded between 39.5 million and 185 million times already. The names of the applications were not disclosed.
"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers wrote after conducting their study. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted." The contents of e-mails and instant messages could also be accessed.
But how could one use these apps' security flaws to their advantage? Simply put, if an Android smartphone or a tablet is connected to a vulnerable local area network, such as a Wi-Fi hotspot, an attacker could potentially crack the security protocols used by the apps and snoop on the data they exchange. Sure, the attacker will need to have a certain exploit monitoring the activity on the network, but obtaining access to such a tool isn't as hard as it may seem.
Scary stuff, we know, which is why there should be more awareness amongst developers about implementing proper security features within apps, as the researchers suggest. There are certain methods that can make security protocols tougher to crack, or the apps could simply be checked for vulnerabilities at the time they are being installed. In fact, Google is said to have ramped up security in Android 4.2, thus likely making the platform more resistant to hacks like the one described above. What measures have been taken, however, will be known with certainty in a few days – On October 29, to be more specific, which is when a new Android release is probably going to be unveiled.
For more in Deep: check out here: Click Here
Over 60% of Android malware steals your money via premium SMS, hides in fake forms of popular apps
Over 60% of Android malware steals your money via premium SMS, hides in fake forms of popular apps
Like any popular platform, Android has malware. Google’s mobile operating system is relatively new, however, so the problem is still taking form. In fact, it turns out that the larger majority of threats on Android come from a single malware family: Android.FakeInstaller, also known as OpFake, which generates revenue by silently sending expensive text messages in the background.
McAfee says that the malware family makes up more than 60 percent of Android samples the company processes. So now the question is: why is this malware so popular amongst cybercriminals?
The reason is simple: it’s extremely effective. Android users seem to fall for fake apps on a regular basis. Furthermore, since the whole of the malware appears to make money, it’s not surprising that those behind this one continue to keep it updated. McAfee agrees:
Malware authors appear to make lots of money with this type of fraud, so they are determined to continue improving their infrastructure, code, and techniques to try to avoid antivirus software. It’s an ongoing struggle, but we are constantly working to keep up with their advances.
This malware type has been in the news for months, mainly because there have been so many fake apps created, including for popular ones like Instagram and Skype. On top of that, those behind it seem to keep adding various types of functionality to avoid detection by antimalware solutions, including server-side polymorphism, obfuscation, antireversing techniques, and frequent recompilation.
How it works
Cybercriminals typically create fake versions of a given popular Android app to earn money from unsuspecting users. There have also been instances of the malware being bundled with a legitimate version of popular apps. The apps appear to be legitimate, including screenshots, descriptions, user reviews, videos, and so on. Users never get the app they want, but instead get a lot more than they bargained for.
The malware authors often set up fake websites advertising the fake version of the app. Many of these are shared on questionable websites, but many are also shared on fake Facebook and Twitter accounts that spam legitimate users on social networks.
Upon installation, the malware often displays a service agreement that tells the user that one or more SMS messages will be sent. The user is forced to click an Agree or Next button, but some versions send the messages before the victim even taps the button. There are often fake progress bars to keep the user further in the dark.
Either way, the devil is in the details. In the background, the malicious app sends expensive international text messages to earn its creators revenue. Some variants even connect to a Command & Control (C&C) server to send and retrieve data, as well as await further instructions.
Early versions of FakeInstaller were created only for Eastern European users, but malware developers have expanded their fraud to other countries by adding instructions to get the device’s Mobile Country Code and Mobile Network Code. Based on that information, the malware selects a corresponding premium-rate numbers.
How to protect yourself
The good news here is that since this malware family is so prevalent, it’s rather easy to avoid it: just don’t download fake apps. Android lets you download and install apps from anywhere, but unless you know what you’re doing, you shouldn’t be installing anything and everything you can on your phone or tablet.
If you want to significantly reduce your chance of getting malware such as this one, only install apps from the official Google Play store. That being said, malware has snuck into the store before, so it can happen again.
As a result, the way to protect yourself is the same as on any other platform: don’t click on questionable links and don’t download random apps. Always check to see if what you’re getting is legitimate and you should be fine.
Android’s malware problem is getting worse, and only users of the latest version are safe from harm
Earlier this year, we saw a report that said there was a 163% rise in the number of malware-infected Android devices in 2012. As shocking as that figure might be, we have a new report now that says the problem has blown up even further.
According to a recently published report[1] from networking vendor Juniper Networks, the number of mobile threats grew an astonishing 614% from March 2012 to March 2013. This equates to a grand total of 276,259 malicious samples, according to research done by the company's Mobile Threat Center or MTC.
What exactly constitutes such a large amount of mobile threats? It is said that the majority of these mobile threats — 77% of the total — come in the form of money-siphoning applications that either force users to send SMS messages to so-called premium-rate numbers or somehow manage to perform the sending of SMS messages all on their own.
They go virtually undetected as they are normally bundled with pirated apps and appear as normal applications. Typically, these malicious apps can net their creators an average profit of about $10 per user, according to Juniper Networks.
As it is currently the most popular mobile device platform in the world, it's easy to see why Android would be targeted with such malicious activities. But perhaps you're wondering, is there anything that can be done to combat this problem?
ndeed, there is. In Android 4.2 Jelly Bean, a new safety feature was introduced in order to stop wayward SMS messages dead in their tracks. But that in itself is a huge problem: Android 4.2, the latest version of the Google mobile operating system, is only available on a tiny fraction of all Android-powered devices out on the market. In fact, many of today's newer devices don't even ship with it. So the relevant safety features, as useful as they might be, becomes pretty much useless.
Even worse, the money-making malware mentioned above represents only one type of mobile threat on Android. Android spyware is also present, accounting for 19% of the total malicious samples collected in the above-mentioned research. These could potentially put a user's privacy at risk, collecting sensitive data and all kinds of information then relaying them to the spyware's creator.
Trojan apps have also been discovered to be part of the overall Android ecosystem. Although they form a very small part of the entire body of mobile threats on Android right now, it is possible for them to become more widespread in the future. If the fix really only lies in having the latest version of Android installed on a device, and the issue of fragmentation — not to mention the slow software updates from carriers and OEMs — persists, that's almost a certainty.
What do you think could be done to finally overcome these kinds of problems? Will it be the end of Android as we know it? Let us hear your thoughts in the comments.
Mobile malware getting out of control? Study claims 614% increase on year, Android accounts for 92% of total infections
A terrifying report was released two days ago by the Mobile Threat Center arm (MTC) of Juniper Networks – a manufacturer of network equipment with a hefty stake in enterprise security. According to Juniper, its MTC research facility is dedicated to 'around-the-clock mobile security and privacy research'. The MTC found mobile malware growing exponentially at an alarming rate – a 614% on year increase reaching a total of just about 280,000 malicious apps.
Read full article here
A major app vulnerability has been found which can be effect 99 percent of the Android smartphones on the planet.
A major app vulnerability has been found which can be effect 99 percent of the Android smartphones on the planet. The issue was unraveled by Bluebox security, which claimed to have found an ‘Android Master Key’ that could allow a hacker to turn any Android app into a malicious zombie.
This basically means that an app could allow hackers to capture data and control a device remotely, without the owner and the app developer knowing about it.
And the kicker is that, this is not a new vulnerability as Bluebox has discovered that it has existed since Android 1.6 Donut, which is four years old.
Jeff Forristal, CTO of Bluebox securities revealed that his company had found a way where in a hacker could possibly load an app with malware and still make it appear to be a legitimate file. This bit is important because verified apps are granted full access by default on the Android system.
However, on the bright side apps on the Google Play store are impervious to this problem, so if one sticks to downloading apps from the Play store then one is in the clear. That said, there are a number of third party app stores and users can even download APKs directly off the web and here’s where the danger lies as it is possible for users to download tampered apps.
This problem is accentuated more in countries like China where users like to use local app store over the Google Play store and many OEMs like Xiaomi don’t even bundle the Google Play store on the device by default.
Bluebox securities claims that it reported the problem to Google way back in February and the issue has already been resolved for the Galaxy S4 and currently Google is taking a look at the Nexus range of hardware.
Cryptographic bug in Android lets hackers create malicious apps with system access
Security researchers have found a bug in Android which allows them to create malicious Android apps which appear to be genuine with the correct digital signatures. In computing, digital signatures allow any piece of data, including an app, to be checked to see that it is genuine and actually comes from the author. Now, due to a bug in Android, it is possible to create a fake app and sign it so it looks like a real app from any author including Google, or others like Samsung, HTC and Sony.
Since the digital signatures of Google and handset manufacturers can be faked it is possible to create a low level system app which has absolute access to the device. These system apps, which have what is known as 'System UID access' can perform any function on the phone including modifying system-level software and system-level parameters.
If such an app is installed on an Android phone, the user would be completely vulnerable to a multitude of attacks including key-logging and password sniffing. The researchers at Bluebox Security informed Google about the flaw (Android security bug 8219321) back in February and are now planning to reveal details of the bug at an upcoming security conference.
More details -> here
Survey: Juniper Networks Whitepaper (Warning: PDF)
reserved.
Thanks for this thread buddy
Sent from my GT-N7100 using xda app-developers app
Tha TechnoCrat said:
Thanks for this thread buddy
Sent from my GT-N7100 using xda app-developers app
Click to expand...
Click to collapse
Great to see you here buddy. Actually I wanted to shift my whole thread here but MOD denied and ask me to carry on with new phase. So here I am.
Thank you Vikesh for creating this thread.
In my view
Everyday every hour and every minute hackers are coming up with new viruses and malware
Not only they can corrupt your phone but also steal confidential information like credit card number, password and other important data.So every Android user should spend some money on the anti viruses to save your confidential information and money of course.
Sent from my GT-I9103 using xda app-developers app
Major app vulnerability found, could effect 99 percent Android smartphones
A major app vulnerability has been found which can be effect 99 percent of the Android smartphones on the planet. The issue was unraveled by Bluebox security, which claimed to have found an ‘Android Master Key’ that could allow a hacker to turn any Android app into a malicious zombie.
Continue in post 3
Cryptographic bug in Android lets hackers create malicious apps with system access
Security researchers have found a bug in Android which allows them to create malicious Android apps which appear to be genuine with the correct digital signatures. In computing, digital signatures allow any piece of data, including an app, to be checked to see that it is genuine and actually comes from the author. Now, due to a bug in Android, it is possible to create a fake app and sign it so it looks like a real app from any author including Google, or others like Samsung, HTC and Sony.
continue in Post 3
Every GSM phone needs a SIM card, and you'd think such a ubiquitous standard would be immune to any hijack attempts. Evidently not, as Karsten Nohl of Security Research Labs -- who found a hole in GSM call encryption several years ago -- has uncovered a flaw that allows some SIM cards to be hacked with only a couple of text messages. By cloaking an SMS so it appears to have come from a carrier, Nohl said that in around a quarter of cases, he receives an error message back containing the necessary info to work out the SIM's digital key. With that knowledge, another text can be sent that opens it up so one can listen in on calls, send messages, make mobile purchases and steal all manner of data.
Apparently, this can all be done "in about two minutes, using a simple personal computer," but only affects SIMs running the older data encryption standard (DES). Cards with the newer Triple DES aren't affected; also, the other three quarters of SIMs with DES Nohl probed recognized his initial message as a fraud. There's no firm figure on how many SIMs are at risk, but Nohl estimates the number at up to 750 million. The GSM Association has been given some details of the exploit, which have been forwarded to carriers and SIM manufacturers that use DES. Nohl plans to spill the beans at the upcoming Black Hat meeting. If you're listening, fine folks at the NSA, tickets are still available.
Source-Tech Geek
"Thanks button is just to avoid "THANKS" posts in threads. Nothing more than that. Don't ask in signature or post for it and defeat the purpose why it was introduced"
Great info buddy. :good:
Thanks,
Disturbed™
Sent from my Disturbed™ Galaxy S4 using Tapatalk (VIP)
______________________________________________________
Wait for my time, U gonna pay for what U have done. - Disturbed™
Informative read. You also understand why the stores charge their Developer fees now. Not all third party sites host malware however. A lot of the buying community is ignorant (and understandably so) in detecting if malware has been applied. It's up to the community of ubiquitous OSs to report
JeffM123 said:
Informative read. You also understand why the stores charge their Developer fees now. Not all third party sites host malware however. A lot of the buying community is ignorant (and understandably so) in detecting if malware has been applied. It's up to the community of ubiquitous OSs to report
Click to expand...
Click to collapse
can provide more info for it?
Thanks,
Disturbed™
Sent from my Disturbed™ Galaxy S4 using Tapatalk (VIP)
______________________________________________________
Wait for my time, U gonna pay for what U have done. - Disturbed™
Malware using the Android Master Key intercepted in the wild, here's how to protect i
Malware using the Android Master Key intercepted in the wild, here's how to protect yourself
It was back at the beginning of the month when we first broke for you the news of a new, massive vulnerability, plaguing 99% of Android devices. First discovered by mobile security company Bluebox, the flaw was reported to Google back in February. Since then, Google has patched the Play Store and has provided its OEM partners with a patch for it.
Yet here we are again. And now it's official – the first detected malware taking advantage of the vulnerability has been intercepted by Symantec whilst running amok in China. The security giant reports that the code has been implanted in otherwise legit apps that help you find and appoint a meeting with a doctor. The source of the infected app? A third-party store, of course.
We won't get into the tech lingo, instead we'll just report that according to Symantec, the exploit grants said malicious code remote access to infected devices. This leaves the gates wide open, the company claims, for a wrongdoer to steal sensitive information such as your IMEI, phone number, and also send premium SMS messages and execute root commands.
Click here to know more
what is the best antivirus?
lolmann101 said:
what is the best antivirus?
Click to expand...
Click to collapse
For android, I may say your awareness is the best. First install the LBE Security Master. Let you know which application is gaining which privilege .
But if you want then you can check the first 1 to 4 posts. its in that.
How Google has been making Android a safer place since 2012
Last year in June, Google brought Android Jelly Bean 4.1 to the world. It was a wonderful day, too. It brought with it Project Butter, which spelled the end for lag for a lot of people. Android was running smoother and more complete than ever. Who’d have known that just a year later, we’d be introduced to Jelly Bean not for the second time, but for the third time. Android 4.3 was a mixed bag. Some people were disappointed that it wasn’t Key Lime Pie, but most were happy to see a plethora of improvements, some new features, and even more optimizations. One little footnote that most people have skimmed over so far, though, has been the added security.
It’s not news that malware stories are everywhere. Some of them are no big deal and some are completely ridiculous. Thanks to that, anti-virus companies have been cleaning up. People are more scared of malware on Android now than ever before and they’re flocking to anti-virus apps by the millions. It’s getting to the point where apps like Lookout are coming pre-installed on many devices when they’re shipped out. All because of some malware that, most of the time, is impossible to get unless you download apps from outside the approved channels.
Well, apparently Google is going to fix this problem themselves. JR Raphael over at Computer World has written up an excellent post about how Google is quietly keeping us safe. As it turns out, that little footnote that says that Android 4.3 contains security improvements probably shouldn’t have remained a footnote. It should’ve been printed on billboards and discussed everywhere.
You may have seen inklings of these security features already. We’ve covered one of them, the Android 4.3 Permission Manager, commonly known as Apps Ops. This nifty little feature lets you control what permissions your apps can use. It’s a lovely and powerful feature that’s baked right into Android 4.3. It’s still in beta right now, but eventually that’ll be a part of everyone’s Android experience.
So what other security enhancements does Google have in store for Android 4.3?
We are glad you asked. According to JR Raphael, Google has been working on these security features for years. We’ll do a quick breakdown.
Starting with Android 4.2, there was a feature called Verify Apps that was added. This scans phones both downloaded and side-loaded to make sure they didn’t contain malware or pose a threat.
Verify Apps was eventually made available to all devices from 2.3 onward. According to JR Raphael, that’s 95% of Android devices running currently.
This now works in tandem with another older feature, the app scanner in the Google Play Store that scans apps as they’re submitted to Google Play to make sure they aren’t malicious. This is why you can always download from Google Play without worries.
All of these features are currently on Android devices right now.
But wait, there’s more. In Android 4.3 specifically, they have added yet another security feature called SELinux. This stands for Security-Enhanced Linux and it essentially keeps the important parts of your phone safe. Most notably the operating system. So there is protection everywhere.
So we’ll add this up one more time. In the last two years, Google has implemented,
An app scanner in the Google Play Store that scans every single app uploaded and submitted. It rejects the bad apps and keeps the good ones.
A system on devices from Android 2.3 and up called Verify Apps that scans every app that gets installed on your device to make sure it’s not malicious. Keep in mind that if you download an app from the Google Play Store, it gets scanned twice.
Apps Ops –which is still in beta– that will let you control the individual permissions of any application you download and install. So if you don’t want, say, Facebook to see your location, you can prevent that from happening.
SELinux, a Linux security feature that protects the core operation system functionality.
Let’s not forget what you, the consumer can do to protect yourself,
Only download apps from known and trusted sources. These include the Play Store and the Amazon App Store, among others.
Use your common sense. In most cases, malware apps are easy to spot. If you download the free Angry Birds cheat app from GivingYouMalware.com, the end result is rather predictable.
So without an anti-virus app, there are 6 things that are protecting you from the big bad malware threats. That’s a whole lot more than most people realize and it’s an ever expanding project from Google to keep everyone safe from garbage applications. Now here’s the big question. Do you think it’s enough? Or should Google keep going?
@Disturbed™ buddy could you post that new KNOX feature here?
Sent from my GT-I9103 using xda app-developers app
Few words from Wikipedia:
Samsung Knox (trademarked Samsung KNOX) is an enterprise mobile security solution that addresses the needs of enterprise IT without invading its employees' privacy. The service, first released on the Samsung Galaxy S4 mobile device, provides security features that enable business and personal content to coexist on the same mobile device. Samsung Knox is an Android-based platform that uses container technology, among other features, to allow for separation of work and personal life on mobile devices.
Services
Samsung Knox provides enterprise security features that enable business and personal content to coexist on the same handset. The user presses an icon that switches from Personal to Work use with no delay or reboot wait time. Knox will be fully compatible with Android and Google and will provide full separation of work and personal data on mobile devices. Samsung claims that the Knox service "addresses all major security gaps in Android."
The Knox service is part of the company's Samsung for Enterprise (SAFE) offerings for smartphones and tablets. Samsung Knox’s primary competitor is Blackberry Balance, a service that separates personal and work data, but BlackBerry’s service does not include management of work space through containers in Active Directory and other features such as direct Office 365 and Exchange 2010, ActiveSync, iOS management, Single Sign-On, and complete customization for operability on Samsung device settings.
The service's name, Samsung Knox, is inspired by Fort Knox.
From Engadget:
Samsung's Knox security solution has tended to mostly garner headlines when the company's phones get approval from the likes of the US Defense Department, but it's now set to broaden its user base considerably. In addition to announcing that it's bolstering the offering with some help from Lookout, Samsung has also confirmed today that its opening the platform up to all consumers. That will give security-minded users an added layer of protection, with Knox letting you store personal data and run a set of pre-screened apps in a so-called container -- other apps can still be run outside the container, but with only limited access to your personal information. Naturally, you'll need a Samsung device to take advantage of it.
For more information : http://www.samsungknox.com.
Thanks: Wiki & Engadget
Almost 1,000 fraudulent apps published on Google Play in August alone
Almost 1,000 fraudulent apps published on Google Play in August alone
Yes, there are downsides to Google’s policy of letting anyone publish their apps on Google Play. Symantec has found that scammers published almost 1,000 fraudulent apps on Google Play in August alone, most of which were deleted within hours of posting on the store.
But even though Google was quick to delete the fraudulent Android apps, Symantec estimates that they were still downloaded more than 10,000 times. Symantec also says that one group is responsible for 97 percent of the fraudulent apps, which typically “include numerous links to various online adult-related sites, but one or two links actually lead to fraudulent sites that attempt to con people into paying a fee without properly signing them up for the paid service.”
Source:BGR.in
Ladies and Gentlemen,
I am opening this discussion in order to not only receive some high-quality answers on the following questions, but also to learn what everyone does in order to ensure security and integrity of Apps on their phones (especially when working in environments where attacks are likely or possible due to intersting files on the phone or similar).
Here is my question: Let's suppose a phone is ROOTED, is locked with a Pattern, is updated daily, has TitaniumBackup installed, runs Trust as well as an Antivirus App and on top of that, installed Apps are monitored in a regular basis through TitaniumBackup. Is it even possible for law enforcements or hackers to install malware? If so, what would be necessary for them to do so? Physical access? Malformed Apps with matching signature? Other types of attacks (encouraging @He3556 the owner of Smartphone Attack Vector to chime in)?
Second question (hope @jcase can answer this): What would be the best way of preventing attacks of afforementioned groups and alike? What do YOU personally do?
SecUpwN said:
Ladies and Gentlemen,
I am opening this discussion in order to not only receive some high-quality answers on the following questions, but also to learn what everyone does in order to ensure security and integrity of Apps on their phones (especially when working in environments where attacks are likely or possible due to intersting files on the phone or similar).
Here is my question: Let's suppose a phone is ROOTED, is locked with a Pattern, is updated daily, has TitaniumBackup installed, runs Trust as well as an Antivirus App and on top of that, installed Apps are monitored in a regular basis through TitaniumBackup. Is it even possible for law enforcements or hackers to install malware? If so, what would be necessary for them to do so? Physical access? Malformed Apps with matching signature? Other types of attacks (encouraging @He3556 the owner of Smartphone Attack Vector to chime in)?
Second question (hope @jcase can answer this): What would be the best way of preventing attacks of afforementioned groups and alike? What do YOU personally do?
Click to expand...
Click to collapse
Pe rooted, with common rooted apps installed? Would be easy to compromise that phone, as you have already done it for them.
Use a stock firmware, chose a vendor with a recent history of good security (Samsung, nexus, motorola in that order imo), keep it up to date, reduce the number of apps you run, don't root it. Disabled usb debugging.
jcase said:
Pe rooted, with common rooted apps installed? Would be easy to compromise that phone, as you have already done it for them.
Use a stock firmware, chose a vendor with a recent history of good security (Samsung, nexus, motorola in that order imo), keep it up to date, reduce the number of apps you run, don't root it. Disabled usb debugging.
Click to expand...
Click to collapse
Thanks for answering. So that means, in short words, buy a phone and only update official stuff. How boring, I wouldn't be here on XDA then! But I get your point. I'm especially interested in the question of detection. If such agencies have installed anything that would leak data (and I'm sure it's fairly easy to do for them), how would they hide that specific App from the list of TitaniumBackup? Also, how would they trick the Trust Even Logger created by @Dark3n to not show any installation?
Most importantly though, is there some way of detecting such installations or manipulations afterwards?
There is growing so called "Zero-Day-Exploit" Industry, with names like vupen or FinFisher , the one who are working for the German Gov. but also for countries like Saudia Arabia and Iran. They know how to find exploits, nobody knows about (zero-day) and program trojans for all kinds of platforms. So antivirus software can't help here. And it is easy to bypass security if you know one of the bugs - and we know there are many of them in firmware, operating systems, plugins, frameworks and so on... Beside this "white" marked there is also a grey and black marked. So if you need to track your woman or steal information from other companies, you will find somebody with a tool for that, i suppose.
You would need a "Intrusion Detection Software" - sorry but this won't work for Smartphones, because there is a lot of calculation, data and energy needed - you find this special hardware in big data centers.
Do not root and do not install Apps you don't really need is still a good advice, specially when people don't know so much about all this.
Another way to sneak in is to compromise the users pc, that is (maybe) connected to the phone sometimes (work with iphone sync but also with android to change DNS and get SMS with e-tan's - you will find more info it in the media)
Or if you have the "power" you can can use the cloud services (iOS, Google, Windows or other 3rd party services) to steal user data (sms, pictures, GPS history...) or just let it sync the malware to the phone. So you don't have to break in directly.
What would be the best way of preventing attacks of afforementioned groups and alike?
Click to expand...
Click to collapse
tomorrow i will have time, there are to many possibilities
Thanks for clarifying, @He3556!
Now I know that phones in general are hard to lock down for such agencies. Time to quote myself:
SecUpwN said:
Most importantly though, is there some way of detecting such installations or manipulations afterwards?
Click to expand...
Click to collapse
Hey @He3556, if you've been following security news the past weeks, this topic here is becoming more relevant with each revelation. Since the trojan-coding company FinFisher has highly likely been hacked and some cool whisteblowers are publishing very sensitve data like price lists and handbooks on their Twitter account GammaGroupPR, more details of their secret software FinSpy Mobile is being revealed. And this is exactly the type of software that I am talking about here in this thread. I want to know how users can protect themselves from crap like that. According to the video that has been leaked, It is being installed through a fake update, or even through messages via E-Mail to "please" install this "very important update":
And just to make everyone more curious, FinSpy Mobile has been leaked on Twitter! It obviously works for all operating systems, including Android, Blackberry, Windows Mobile, and Symbian. Another trophy is source code of FinFly Web, which found its way the code hosting platform GitHub. It is designed to provide remote and covert infection of a Target System by using a wide range of web-based attacks. FinFly Web provides a point-and-click interface, enabling the Agent to easily create a custom infection code according to selected modules. Target Systems visiting a prepared website with the implemented infection code will be covertly infected with the configured software. Regarding FinSpy Mobile and similar software: How would law enforcements possibly attack a cautious member of XDA (or any other site)? I mean, people that have been in the field of flashing new ROMs, updating their firmware and recovery themselves, not installing strange APKs sent via E-Mail and controlling installed Apps through TitaniumBackup should be somewhat immune to such type of attacks, right?
It appears to me as if their software might work for the general masses, but highly-likely not on people like @jcase or other Android security-gurus. Since I linked you, I'd be very happy if you could expand on that a little. I am sure such companies might even have the possibility of messing with the baseband of a target phone through only knowing the phone number of a target. But I am really curious what their "standard procedure" is if they face a target with thorough Android knowledge, maybe even a security-enthusiastic Android developer. Wouldn't their only option be to manually manipulate the handset?
There are two methods to keep away all kinds of trojan and malware...
1. use a SIM with data connections only: There are SIM cards on the marked you can use in a USB Stick for Notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
2. Web browser, Apps, e-mail client and all other connection must be use VPN.
But there is one more stepp to take.
The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But i am sure there are more projects about this out there...
He3556 said:
There are two methods to keep away all kinds of trojan and malware...
1. use a SIM with data connections only: There are SIM cards on the marked you can use in a USB Stick for Notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
Click to expand...
Click to collapse
I know this works, but the only guy who is so insane and is already doing that is probably @InvaderX.
Honestly, what's the purpose of a phone if I can't receive SMS and call anyone without internet connection?
He3556 said:
2. Web browser, Apps, e-mail client and all other connection must be use VPN.
But there is one more stepp to take.
The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But i am sure there are more projects about this out there...
Click to expand...
Click to collapse
Better yet: Living under a rock should solve all these problems. Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month? From the things you mentioned as for protection, I highly doubt that I'll move that way. And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher. But talking about this makes me wonder: It seems as if the probability is high that most of the time they are selling a fake update to the target. Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?
Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events(which is how Trust monitors most things).
It is just not build to withstand such attacks.
SecUpwN said:
Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed
Click to expand...
Click to collapse
Maybe? But there are much easier ways if it is not desired to target specific persons.
I'll brain storm a bit for you:
I would divide the attack vectors into those that work with root and those that don't.
Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.
If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basicly do what the hell he wants.
While not using a rooted device would certainly make it more difficult to do malicious things, it's doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.
Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?
Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains it's original functionality.
Want a botnet?
Inject malicious code into a popular root up that is paid, crack it and upload it somewhere.
While this more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already aquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.
A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other apps uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.
Now those are all ways to target a broad mass of users.
If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
- My favorite plan yet, making a popular app themselves that they know you will try
It is usually never impossible, just a matter of resources and whether its unfeasible to spend so many resources on that goal.
edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufactor either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution... There could also be compromising hardware built in, but now I'm really climing up the tinfoil tree, but as recents new story suggest that the NSA is intercepting hardware packets from manufactors such as cisco to modify them, what's really impossible?
TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.
edit2: More specific answers to your questions.
You might be able to monitor files changes on an a system level, but if your attacker gains highlevel priviledges, what keeps him from changing the monitoring system?
SecUpwN said:
Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month?
Click to expand...
Click to collapse
How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.
SecUpwN said:
And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher.
Click to expand...
Click to collapse
This is the thing, with enough resources, there is always a way.
SecUpwN said:
It seems as if the probability is high that most of the time they are selling a fake update to the target.
Click to expand...
Click to collapse
Exactly disguising as something legit is the cheapest way, "trojan horse".
SecUpwN said:
Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?
Click to expand...
Click to collapse
I don't know any surefire way to detect this. The issue is that with enough priviledges (which can be gained without authorization, zero day exploits are worth a lot money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
Whoa, this has to be the longest answer I've received since registering here. Huge thanks! Grab a coffee..
Dark3n said:
Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events(which is how Trust monitors most things).
It is just not build to withstand such attacks.
Click to expand...
Click to collapse
Ok, fair. Will keep it anyhow.
Dark3n said:
Maybe? But there are much easier ways if it is not desired to target specific persons.
I'll brain storm a bit for you:
I would divide the attack vectors into those that work with root and those that don't.
Click to expand...
Click to collapse
Just to mention it here: An awesome site to see which attack vectors and vulnerabilities exist is Smartphone Attack Vektor by @He3556.
Dark3n said:
Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.
If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basicly do what the hell he wants.
Click to expand...
Click to collapse
Ok, I get the point. Also like @jcase already pointed out: If we root, we pwn ourselves. And if we don't, too.
Dark3n said:
While not using a rooted device would certainly make it more difficult to do malicious things, it's doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.
Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?
Click to expand...
Click to collapse
I only install trusted Applications.
Dark3n said:
Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains it's original functionality.
Click to expand...
Click to collapse
Guess if I use the F-Droid Store I should be pretty safe, right? But don't worry, I don't rely on it - as for me, smartphones are huge bugs with touchscreens. That is why I also built a phone signal blocking pouch for myself and friends. Further good recommendations can be found on the bottom of my GitHub.
Dark3n said:
Want a botnet?
Inject malicious code into a popular root up that is paid, crack it and upload it somewhere.
While this more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already aquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.
Click to expand...
Click to collapse
Actually, no. I already have two or three. Or maybe even four?
Dark3n said:
A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other apps uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.
Now those are all ways to target a broad mass of users.
Click to expand...
Click to collapse
Good to know we've come to an end here. Reading all this makes me want to throw my phone out of the window.
Dark3n said:
If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
Click to expand...
Click to collapse
I DON'T use public hotspots. Why? Because you can be almost certain that stuff will be logged and analyzed once you use that. Over here in my town, we've got a HUGE Apple Store. And guess what - FREE WIFI for everyone! Yeyyy... not.
- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
You are right, threats against family, friends and relatives are a no-go. If I remember correctly, something similar had happened to my beloved XDA developer @idcrisis who invented CrossBreeder. He left development of his toolset because starnge things occured in his life which he linked to his development. Shortly after leaving his project, he proposed a new license: The Aware License. Hope this guy is still living a happy life, though. Added to the above security-issues: Trust NOONE! How come? Well, just read this stunning story I discovered yesterday where a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet adn surfing cat videos. ^^
Dark3n said:
- My favorite plan yet, making a popular app themselves that they know you will try
Click to expand...
Click to collapse
I don't quite get what you meanb by that. Please clarify, it sounds interesting.
Dark3n said:
It is usually never impossible, just a matter of resources and whether its unfeasible to spend so many resources on that goal.
Click to expand...
Click to collapse
The way I see it: The only thing that we have no real access to, is the baseband. I am sure that these are full of backdoors and switches for agencies that they just need to trigger - just like the Samsung Galaxy Backdoor discovered by Replicant.
Dark3n said:
edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufactor either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution...
Click to expand...
Click to collapse
Nope, I don't trust the manufacturer either. And I am SICK of bloatware! hence, I am a happy user of AOKP since several years - but regarding the binary blobs, I would certainly love to try out Replicant (sadly not yet available for the HTC One).
Dark3n said:
There could also be compromising hardware built in, but now I'm really climing up the tinfoil tree, but as recents new story suggest that the NSA is intercepting hardware packets from manufactors such as cisco to modify them, what's really impossible?
Click to expand...
Click to collapse
Nothing is impossible, everything can be done. A wise man once said: Everything you can imagine, will happen.
Dark3n said:
TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.
Click to expand...
Click to collapse
Good advice, I already do follow that one. As already said, if I were a spy company, I'd just team up with manufacturers of basebands..
Dark3n said:
You might be able to monitor files changes on an a system level, but if your attacker gains highlevel priviledges, what keeps him from changing the monitoring system?
Click to expand...
Click to collapse
Highly-likely nothing. I already know that there is not much I can do to prevent them to get in, but at least I do want to detect them - and having such a detection mechanism raises the bar in disguising their actions even further - and who knows, maybe they're not interested anymore then?
Dark3n said:
How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.
Click to expand...
Click to collapse
Not much.
Dark3n said:
This is the thing, with enough resources, there is always a way.
Exactly disguising as something legit is the cheapest way, "trojan horse".
Click to expand...
Click to collapse
Absolutely right. But what I am really curious of: How do people from the security-community really protect their phones? Do you have friends that are using their phones to just communicate via VPN and VOIP, not sending SMS and never calling people? Perfect place for @InvaderX to chime in, he told me before to really do a combination of that approach.
Dark3n said:
I don't know any surefire way to detect this. The issue is that with enough priviledges (which can be gained without authorization, zero day exploits are worth a lot money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
Click to expand...
Click to collapse
Sigh.. mobile phones are a total threat to humanity, I get it..
At least I am not the only one paranoid about this kind of thing. LOL
lostangelintx said:
At least I am not the only one paranoid about this kind of thing. LOL
Click to expand...
Click to collapse
It doesn't have much to do with "Paranoia". The very reason you started to care about this, is because phones are in fact very insecure devices - most people just don't realize or care about it. Another very interesting thread I found lately: Android Security for Conscious Mind.
a tool against 0-day exploits
don't freak out to early - this tool is only for windows desktops.
But at least it shows how it could work for mobile devices, too.
It is called Enhanced Mitigation Experience Toolkit (EMET 5.0) ...is a utility that helps prevent vulnerabilities in software from being successfully exploited.
These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.
SSL/TLS certificate pinning - This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).
Ok, they do not guarantee 100% security - but who could? Even this software comes from Microsoft, it's still a good solution and closes the gap between anti-virus, firewall and keeping your software updated.
Here is a test from 2010 (EMET 2.0) http://www.rationallyparanoid.com/articles/emet-testing.html
And one of 2014 http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/
Does anybody know a APP for Android, iOS, WP8 or BB?
Just a small side note:
In regard to device security vs. rooting.
There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers experience and knowledge to keep malware out of AOS, and you phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better, than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
I trust neither the ODMs, nor the custom roms. However I KNOW the average custom rom is just as if not MORE vulnerable than current stock roms, add su into the mix and it is without a doubt more vulnerable. Show me a custom rom dev that claims he ships a secure firmware, and I'll show you someone ignorant of the facts. Ask most of them what CTS is, and they will look at you like you are referencing 18th century medical terms.
That is my stance. In regards to root making a device more vulnerable, I can back that statement time and time again. From key compromises of the superuser apps, to vulnerabilities in the app, to vulns in the su binaries, to vulns in apps that typical make su requests, to stupid users who will grant it to anyone. Having any access point to "root" makes turning a small vuln to a complete compromise relatively easy.
E:V:A said:
Just a small side note:
In regard to device security vs. rooting.
There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers experience and knowledge to keep malware out of AOS, and you phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better, than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
Click to expand...
Click to collapse
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.
To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.
Reading all this, it makes me wonder if the antivirus apps help at all..
stefeman said:
Reading all this, it makes me wonder if the antivirus apps help at all..
Click to expand...
Click to collapse
Let's put it this way.
In 6 years of heavy 24/7 PC use, my anti-virus have prevented me from a "possible" remote exploit exactly once, while having annoyed me with lengthy uninterruptible scans and ignoring my ignore settings about a 1000 times, due to adware and various other false positives. Then only god knows how many different countries governments are already present in my PC. Go figure. And yes, I have tweaked every possible setting and tried multiple well know AV's.
Forget AV's and get a good FW and with a well tuned host file, and well tuned common sense.
E:V:A said:
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.
To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.
Click to expand...
Click to collapse
Really, I dont want to do this again, this conversation.
Most stupid people don't realize they are stupid, they assume they are smart. (We are all stupid in some regards).
I think I could endanger a user from root, pretty sure I can either screw the phone up, or possibly catch it on fire. If it had a sim in it, and was on the network I am certain I could make them regret ever rooting their device.
Here is a question, how many of you understand how these unlocks/exploits work?
I sometimes leave messages hidden in mine, and have only had ONE person reply to the hidden message, out of 100,000s of runs. People don't even know what they are running to gain root, let alone any idea what these "rom devs" do.
Open source is the answer right? Everyone can read the code, and everyone does! Thats why no backdoors or vulns have ever been in open source projects. Every open source project gets a line by line audit by a team of security professionals.</sarcasm>
I'll join back in when someone shows me a custom rom/open device that has the same or better security precautions taken by leading ODMs. Until then, it is generally just as easy or (generally) easier to abuse and exploit one of these custom roms floating around.
stefeman said:
Reading all this, it makes me wonder if the antivirus apps help at all..
Click to expand...
Click to collapse
Won't help a lick for anything originating from a government.
about root and privacy
Introduction:
nowadays android phones are much more controllable without root access, and bloatwares can be deleted or disabled without root permissions by using the android's settings app, or through the developers' ADB shell. and even firewalls like "Netguard" don't need root access nowadays in order to control the network, and there are so many other opensource apps like "Blokada" and "ublock" that don't require root anymore in order to block ads, YouTube Vanced to watch videos without ads... all of this was impossible to perform three or four years ago, so why still bother with rooting ?
about root:
Root is gaining super user permissions in linux, or being an administrator. you don't need me to mention how many years this super user wasted in order to be able to understand and to become an administrator, or super user.
what I'm trying to say if you don't know what you're doing while acquiring "Root" privileges on your phone, don't do it just for fun.
Root exposes the user to some higher risks even from the trusted play store apps.
"With great powers comes great responsibilities", if you can't assume total control of every aspect of your rooted phone (thousands of files) then don't root it.
and I'm not saying you should let everything to Google or even trust the google softwares, in fact I created a thread especially to limit their disrespectful or exaggerated behaviors by debloating and using firewalls.
real hackers or developers who understands how a mobile operating system works, and how hacking works, can hack a rooted phone much more easier than hacking a non rooted phone.
speaking for myself I can't fully control a rooted smartphone because there are thousands of files : which are written in different development languages, doing different tasks, and they have different dependencies..
and contrary to what some people think, using strong long passwords can't sometimes help, and installing an realtime antivirus protection can't sometimes detect a hacker intrusion (when your phone is being truly exploited and completely controlled by strangers)
I'm not only saying don't root if you aren't an android developer, but you should limit Google and your installed apps behaviors as well.
nothing is unbreakable, and backdoors exist within the google O.S and within google or the manufacturer apps or else, but a firewall can limit some of their behaviors.
a word of truth :
very few people can actually be a super user of a complicated mobile operating system such as android, but if you're one of them, then you already know more than all of this.
I hope this can help anyone, feel free to copy paste, modify and share on your website.
and feel free to comment, debate, saying thanks, or providing some more informations.
I just wanted to share this for anyone who is concerned by root's real life review, from a privacy oriented point of view.
....or another point of view is that unaccountable multinationals like Alphabet who own Google and companies like Samsung and Apple have no moral or ethical compass and are building up a long track record of trust-breaking behaviour that is only accelerating. Without root, you cannot remove or at least minimize the "telemetry" and "walled garden" that every new phone is crammed with. A small percentage of us refuse to be treated like a lamb being led to slaughter so root is absolutely necessary for privacy and security, not the other way around.....
jajk said:
..... Without root, you cannot remove or at least minimize the "telemetry" and "walled garden" that every new phone is crammed with. A small percentage of us refuse to be treated like a lamb being led to slaughter so root is absolutely necessary for privacy and security, not the other way around.....
Click to expand...
Click to collapse
Thanks for your reply :fingers-crossed: , well I think telemetry services are linked to the 'Google play services', and if we don't use any Google accounts and disable and block the Google play services from sending usage data to Amazon and Google servers by using a non-root firewall like 'netguard' (like I specified in this thread) then they can't have anything or too little from us, :laugh: I have set up the firewall to block everything except my open source browser see attachment :laugh::laugh: