Security does matter! - Android General

I wrote this On Xperia Neo General forum but it belongs to here much more.
Original thread at: http://forum.xda-developers.com/showthread.php?t=1447095
Click to expand...
Click to collapse
Introduction
I have not seen much talk about security in XDA.
First, here's just one informative link talking about using and developing apps and security risks involved.
http://www.technologyreview.com/comp...1/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, get your credit card info(should you do such things on phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app only to have risks. Most people use Windows so they should know that it is OP systems bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM. That's just idiotic security system, for it is the only thing beside encrypting shut off phone on 3.0 and 4.0. So that means Android on it's own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and it's Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Exporer has root access, that means it has root access to whole Android. To remove unnecessary risks, this app's root access should be limited to only most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is Apparmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is obvious vulnerability, but it is at least known one. Let's look at possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On market it does not list permission to "Unique Device ID"(IMEI for GSM and MEID; ESN for CDMA) for free nor for paid version.
That means the author of BB has left the code from free version in paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the add and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's a latent code, with no benefit to user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on net and also where you are physically. GPS is just one way to find you, police for example have scanners to locate your devices physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risks of your home being marked as the next dungeon to be looted by some raiders, I mean criminals(or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by trojan/hacker is random. Yet the threat would not exist without apps having so flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos ". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in aquarium or hamsters in cage( "Look at that dork!", "You're one ugly m...f...er","ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?" "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by hacker on background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Devide ID
4. Cell Tower Name.
That's a lot of needless permissions for flashlight, these are there just to track you the app user and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux have such security holes then why do you want your Android have them?! You don't want, that's the point and these apps would not be so popular if people would really know and care about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.

In my honest opinion. If someone keeps files like ccinfo they have to worry about being jacked then they deserve it. Should it happen. U shouldn't keep things on your phoney don't want the rest if the world to have
Sent from my Cyanocrack using Xparent Blue Tapatalk

You don't need to keep credit card info on phone, your using the credit card via Market or logging in to bank on phones browser is enough to intercept your credit card info. Your browser may show you xxxxxxxxxxxx+"last four digits only" but that doesn't mean the data to and from your device doesn't contain exact credit card number. It's encrypted, but that is merely a minor inconvenience for a hacker.

That is why being rooted is not advised to everyone. Mainly if they don't know what they are doing. Also customs roms are not for everyone. People flash them cause they think its cool and don't understand what they are doing. That is their problem. People should pay attention to the permissions that am app asks for. Common sense is the best protection. Main reason I don't do anything that deals with a bank on my phone.

Raoa said:
I have not seen much talk about security in XDA.
Click to expand...
Click to collapse
There's talk. It's just not on important yet, because the android device is not being marketed like an OS is with a personal computer.
However, the more we do on our phones, the more we'll realize it needs protection like firewalls. We catch a few like CIQ or the Wimax exploit, but it's going to get worse as we advance in our integration. We do need to start now before exploits get worse and stay ahead of the curve.
Until that time, 4G exploits and root kit programs will run freely on our devices that houses a lot of our personal information.
Plus, for some stupid reason, there are a lot of people who think Linux is immuned to viruses and security holes due to it's code transparency. Android is being mainstreamed. It will soon be a continuous target like other existing popular software programs and operating systems.

And that's why iOS is far superior even without widgets or live wallpapers.

Something to think about.thanks for posting.
Sent from my HTC Glacier using XDA App

alex2792 said:
And that's why iOS is far superior even without widgets or live wallpapers.
Click to expand...
Click to collapse
IOS and Mac are just as vulnerable, maybe even more so because of there popularity and the misconception that IOS is secure and does not need AntiVirus protection. Just last week i removed a nasty virus on a brand new Macbook Pro so that is not the way to think. You need to act as if there are security issues and just be really careful at what link you click and what email you open.

mattfox27 said:
IOS and Mac are just as vulnerable, maybe even more so because of there popularity and the misconception that IOS is secure and does not need AntiVirus protection. Just last week i removed a nasty virus on a brand new Macbook Pro so that is not the way to think. You need to act as if there are security issues and just be really careful at what link you click and what email you open.
Click to expand...
Click to collapse
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk

I am not an expert on iOS nor do I have any wish to even know or use it, because Apple buys from suppliers that emply child labor and sweatshops.
When Linux started spreading around people also thought it has no viruses.
Same story repeats with every software.
For each different OS it takes merely time before people start to notice that their OS has viruses/trojans/spyware too. That doesn't mean their OS is not targeted. You should expect all sorts of thieves to use any and all opportunities.
Secondly OS does not matter so much as the matter that your device is connected to wifi, data, bluetooth, et or not. IP addresses, MAC, IMEI, etc they all stay the same on every platform. No matter which OS, they all connect to wireless networks, cell network, data, bluetooth, etc which all have set standards.
So someone wanting to track, spy, get your private info simply has to intercept the data your device sends to any network. If you don't use strong encryption to send info via network then it is easy to "wiretap" you.
Why is there so much spam, viruses, spyware in internet today? It's because the software managing internet is not made to be so secure. If it were secure then it would also be more private and safer for people to chat over net.
So not only OS's need to be more secure, but the very internet itself needs to be reformed.
This relates to SOPA and PIPA. Had those two bills been passed the next step would have been logically to make changes to all networks so you'd be more easily trackable, hackable, "wiretappable". It's simply logical, cause SOPA, PIPA were so defunctly worded as if asking/preparing for a third bill to regulate the networks.
So we must make sure that internet will be reformed for the private users and not for greedy corporations. We would not need to buy anti-spyware, anti-virus software if the internet were truly engineered for the welfare of humanity.
You could use any OS, bugged or not and not be afraid of loosing your property or privacy if the internet would stop such acts before they could harm you, the individual who is supposed to truly and freely benefit from the services; either for free or for honest price, but now you are robbed and think it is good to pay the thieves.

Raoa said:
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM.
Click to expand...
Click to collapse
Please elaborate. The sandbox does prevent one app from reading the data of another, such as the CC info from the Market.
Also, are you sure Market sends the entire CC number? There's no reason for it to send it, the transaction is performed on Google's servers.

alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Click to expand...
Click to collapse
Are you talking about viruses or malware? Please don't conflate the two.
Malware is easy to take care of - check the apps you're downloading for what permissions they want. It's as simple as that.

alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
Just before xmas an iphone developer admitted to deliberately uploading malware in his ios app to show malware can easily affect iphone.
http://m.intomobile.com/2011/11/08/security-expert-sneaks-malware-into-iphone-app-store/
That was for normal iphones. For jailbroken ones there are more malware apps.
Dave
Sent from my LG P920 using Tapatalk

Raoa, your absolutely right.
I've had the exact same thought recently
Its like the overall view of the Android landscape is ridden from real security apps, for the simple purpose of have the platform as open as possible. And while this is good for developers and users of this and other serious forums, its also open for the "dark" communities as well.
I often ask myself, if the ROM devs onboard have these thoughts themselves, as in, what is my source of this modded apk, is is straight from the Market or from another dubious, (do I dare say chinese forum, just an example)
And how clean is my code really?
And is all mods just legit just cuz they are from here?
I love that we have so many ppl having a desire to mess around with the OS, but I miss, as you say, the talk about having a go on security as well.
I dont know, but I do think that awareness, as you initial post direct us to, should be raised, as a natural step for any serious dev and users in general on XDA, to be more aware, of the code.
Im on my first year as an Android user, and ofcourse did have to gain root on my splendid Sensation. Why?, cuz I needed the security tools requiring root.
Ask again, why? Cuz I came from Winblows 7, and know what a jungle software is, and that is is indeed exploitable, like hell, you might say.
And Im gladd I did gain s-off and root, cuz its really really needed fo youre just a little concerned about your privacy in, mails, sms, location, usage pattern, netbanking, dropobox deposits of your ****, some might even be work related and therefore hold more than just your own privacy.
And then there is what you mentioned, our devices unique ID's, the intent "app install referrer" to "plug" you into admob/google analyzer and so on.
I love one guy here, Treve, who made the HTC tool for scanning for ****, Logging Test Tool, and in version 10, he made it aware of admob/mobclix/analytics, and my god it find a lot...
So Treve, please, if you read this, just go on, as every version you make is getting finer and finer.
We could learn from this guy, and others here that got more code-insight.
What we CAN do as a community at the very least, is to share our knowledge and tips for securing our phones.
HOST filtering, code scanning of apks and so on. using AV's and firewalls and so on.
Right from the start I noticed that Android is not a clean OS, nor is its app market, and I noticed this cuz I have another splendid little Linux system at hand, Smoothwall Express with url filtering and proxy enabled
and My god is Android and its aps LEAKING!
Have a look in your urlfilters on a standalone firewall the step after your wireless android phone, and watch how much **** is going on.
Well, I can tell you for a start that I have added atleast 100 new domains to my custom urlfilter, besides the casual downloadable HOST filters around the net, like the ones found in AdblockPlus and so on. But after android, heh, you need more than just advertising filtering, that much I can say.
Just as an example, like those you mentioned, I have one too, that I was made aware of by Avast on my phone tonight, that ChompSMS was being flagged as malware/trojan.
I thought, **** man, why this crap, Im quite fund of Chomp, really.
So I thought, no, imma let more that Avast on my phone have a go.
So I File Expert dump the full apk, and uploaded it for a scan on virustotal, just for the sake of it. And whatta'ya know, ClamAV, GData, Kaspersky, NOD32, and Sophos flagged it as that same Plankton.G variant as my on-phone Avast.
Great, I thought (sarkasm intended)
I thought a bit further and picked up APK Multi-Tool, had a decompile and a content-scan for just "http" in is readable code.
12 different domains is mentioned so far, and I didnt even poke in all of its xml's, just the smali's
I know android is by a far stretch advertising born, and ofcuz the app devs have a right to earn their money, no doubt about that, and I gladly pay for the good ****, like most ppl here believeably do, but.. 12 different .com's mentioned in its code is a no go for me.
I have earlier used Privacy Blocker, and Privacy Inspector from XEUDOXUS in the market, to make permission scanning, beside using LBE/HOST/Avast, and I like those two aps, the Inspector one is free but only can scan.
The paid Blocker can "repair" as a feature, but its not maintained enuff, so it often fails to make installable apks, so not really worth it for me anymore, but as a free too, it can tell you more about those permissions you mentioned.
But enuff said from me for now, lets just collect and share our tips and tricks, ALSO for security, not just developing ROM and mod's and hacks, as thou they are fine, if not to say, so cool and great, but, we need to be secure too.
Please do not polute the discussion with IOS vs Android and what not, cuz thats not the purpose of it, even thou it definitly concerns (g)A(r)pple products too.
Sincerely, Omnius

alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
Iphones can get viruses they come through SMS's and other sources not as bad as android apple keeps there market much more under control, but everything is vulnerable i work in a security team for a big corp and believe me nothing is safe.
Check these articles out i just found them on google.
I remember a while ago maybe a year or so there was a huge security hole in IOS5 and Mac waited a long time to tell the public and release a patch. The one major problem with Apple is when there are security threats they really try to keep it hush...Iphone's OS is tight but not totally secure. Its not viruses either its moslty just malware that charges you tons of money in texting i saw once an iphone that turned into a bot and at midnight it would dial a 900 number and just sit there all night at like $20 bucks a minunte then disconnect when it felt the phone move.
http://www.mactrast.com/2010/07/iphone-virus-discovered-be-vigilant-and-seek-advice/
http://techfragments.com/news/982/Software/Apple_iPhone_Virus_Spreads_By_SMS_Messages.html

I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.

weedy2887 said:
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
Click to expand...
Click to collapse
I wouldn't be so fast to praise MIUI.

weedy2887 said:
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
Click to expand...
Click to collapse
The problem is the "Average Joe" doesn't even look at those or doesn't know what they mean. I see so many viruses/malware/open security holes just because of user error its insane. Almost 90% of security breaches or problems originate from the end users not paying attention or just not knowing or caring. Also another thing i see so much when new clients call me with there servers melting down and all there banking info being stolen is they haven't installed any updates on there servers since they were set up 2-5 years ago. I worked for a large industrial supply company and all there servers running MS Server 2008 no updates had been installed and they were using AVG free on there main SQL server...INSANE LOL
Then theirs the users, "my computer was fine until my friend on facebook wanted my SS# and mothers maiden name and insisted i open his email attachment, now its acting weird what do you think is wrong?"
Brutal

what is the 4g exploit that you are talking about? And is it only with wimax or is lte part of it as well?

Oneiricl said:
Malware is easy to take care of - check the apps you're downloading for what permissions they want. It's as simple as that.
Click to expand...
Click to collapse
It's absolutely amazing that people are willing to put up with something so ridiculous.
Sent from my SGH-I897

Related

Security does matter![Updated 25th. Jan]

Introduction
I have not seen much talk about security in XDA, and not at all on Neo Section.
SO here's just one informative link talking about using and developing apps and security risks involved
http://www.technologyreview.com/computing/25921/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, get your credit card info(should you do such things on phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app only to have risks. Most people use Windows so they should know that it is OP systems bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM. That's just idiotic security system, for it is the only thing beside encrypting shut off phone on 3.0 and 4.0. So that means Android on it's own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and it's Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Exporer has root access, that means it has root access to whole Android. To remove unnecessary risks, this app's root access should be limited to only most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is Apparmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is obvious vulnerability, but it is at least known one. Let's look at possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On market it does not list permission to "Unique Device ID"(IMEI for GSM and MEID; ESN for CDMA) for free nor for paid version.
That means the author of BB has left the code from free version in paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the add and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's a latent code, with no benefit to user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on net and also where you are physically. GPS is just one way to find you, police for example have scanners to locate your devices physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risks of your home being marked as the next dungeon to be looted by some raiders, I mean criminals(or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by trojan/hacker is random. Yet the threat would not exist without apps having so flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos ". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in aquarium or hamsters in cage( "Look at that dork!", "You're one ugly m...f...er","ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?" "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by hacker on background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Devide ID
4. Cell Tower Name.
That's a lot of needless permissions for flashlight, these are there just to track you the app user and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux have such security holes then why do you want your Android have them?! You don't want, that's the point and these apps would not be so popular if people would really know and care about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
The most important thing is to read the permissions before installing.
If you had read the article I linked. Those permissions don't matter anything really if stuff developers use doesn't reveal what it does, or developer itself doesn't disclose what the app does.
We can safely say that those permissions asked are just to make ordinary users of Android think that all is under their control.
I use Privacy Blocker app and it keeps finding app permissions that are not listed. Even that app doesn't find those permissions which Cyanogenmod permission manager shows. And I've sanitized all my apps, still I find my phone connecting to some odd servers while using certain paid and seemingly legit apps. I even found shapshots from front camera made by some app... and I am checking all permissions I can, even for those not listed.
What seems harmless but could reveal your IP address and potentially other data about you is... advertisements used by apps.
Ads can be far more than just a little annoyance that slows your device. Any file, picture loaded from some location in internet can be used to locate you.
I had a problem of getting phone call bills for calls lasting 10 to 20 secs that I never made after using a slew of market apps, flashlights, fun stuff, etc.
I paid two months for such calls trying to find out which app did it and still don't know which one it was. Skype(phone app has fake IP of Holland but actual connection goes to Moscow... oh come one what is this? Why such hiding? Like anyone would trust their phone's Skype connection stream through Moscow... no thank you! Then wonder still if the phone gets so slow and Skype call quality is so bad even over wifi while Windows Skype does just fine?), Brighest flashlight, some photo editors, and slew of other garbage I've already forgotten about cause I don't use any of it anymore.
First post updated
How about the new 4.3 update..in includes some security and privacy control..will this thing prevent you had mentioned?
Is there any way to reactivate this post? maybe start working on a security enhanced android ROM? I'm agree, Security does matter!

[Q] Worst scenario: Are homebrew app dangerous?

Guys,
I always wondered how harmful could be - in theory - a homebrew app installed on an Interop-unlocked wp7.5 device.
What is considered as a virus, spam or scam app?
The worst it could do is copy my contact list and upload it on its own server? (privacy issue).
Could an app take the whole OS down?
How much do we trust casual developer?
I always install homebrew apps found on the xda with no second thought. But a few days ago I installed an app to browse some *dirty* websites and dunno why, I started thinking about this issue?
Thanks to you all!
K.
Usually, you can trust the guys here on XDA.
However, even a normal app could steal your contacts. And a homebrew app on a b fully unlocked rom can do even more (of course! that's the point ).
But as said, XDA is usually quite OK, and if a big name like cotulla, ultrashot, Heathcliff74 (and all other amazing devs here on xda) is behind it, you're definately safe.
Oh, and what's a virus? That's nood easily defined. Just think of a file manager. It allows you to delete files. Deleting a file is nothing special. So what? Well, what if the app is going to delete random files? You got a virus... (That's why it's so hard to make behaviour analysis....)
LOL, there is no way WP can get a virus with it's locked down UI and isolated storage. WP isn not Windows OS. So don't worry.
Unlocked phones and risks
sinister1 said:
LOL, there is no way WP can get a virus with it's locked down UI and isolated storage. WP isn not Windows OS. So don't worry.
Click to expand...
Click to collapse
Please note that the OP is talking about an Interop-unlocked phone which is quite open compared to a WP7 phone in its normal state (which really does give little reason for worry).
If you ask me, the age of pranks and viruses that delete your files just because they can is over already quite some time. Today people most often try things with malware if there is money to be made.
So you may ask yourself: How could there be monetary profit from the very small base of users with fully-unlocked WP7 phones? Especially factoring in the fact that many of those users being anything than noobs which will get suspicious easily.
If I was a malware author I really would look out for greener pastures
if you don't trust the developer you can easily check the code by decompiling it. ok... this requires some knowledge in c# development and doesn't work for native code.
Well, decompiling native code is entirely possible. It's just more difficult to read the resulting source.
There risk is absolutely there. The way malware would work on WP7 is different from how it would work on a PC, but it's certainly possible (and actually, on a full-unlock ROM you could write malware very similar to how you'd write it for PC). Consider the various kinds of Android malware; WP7 malware (with sufficient permissions) could do things like send SMS to "premium" numbers, track you using the GPS, and other unpleasantries.
This is the reason that, for example, Heathcliff74 made Root Tools require that the user manually mark an app as Trusted before the app receives full permissions. Of course, that requires that you trust Root Tools itself (and it's quite heavily obfuscated, so decompiling it won't do you much good) but as @chabun said, he's one of the "big names" in WP7 homebrew and is considered trustworthy.
For myself, this question is one of the reasons I release the source code to my apps. If you've got the source, you can check it for any malicious or even undesirable behavior, and if you want to you can modify it to suit yourself better.
kevyn82 said:
Guys,
I always wondered how harmful could be - in theory - a homebrew app installed on an Interop-unlocked wp7.5 device.
Click to expand...
Click to collapse
Well, there are quite a few harmful things a malicious homebrew app could do:
spy on you all the time using the built-in cam and mic;
record all your phone and video calls;
copy all your text messages;
track and report all your movements (GPS);
upload all your personal pictures to a third party;
call international or "premium" phone numbers without your knowledge, generating large phone bills;
send "premium" text messages or registering you to premium subscriptions;
sent text messages in your name to influence a TV show vote;
reroute all your phone calls through a "premium carrier", again generating large costs;
transform your phone into an email relay or VoIP for spamming;
record all your usernames, passwords, account numbers or credit cards for financial profit;
make your phone become a BitTorrent relay, eating through your mobile data allowance in a few days;
I am sure that we can find a few more by brainstorming a little bit, or by googling "iOS malware" or "Android malware"...
So the key questions is not what is possible in theory, but how much do you trust the developer of an app, homebrew or not.
Cheers,
Stephen
GoodDayToDie said:
This is the reason that, for example, Heathcliff74 made Root Tools require that the user manually mark an app as Trusted before the app receives full permissions. Of course, that requires that you trust Root Tools itself (and it's quite heavily obfuscated, so decompiling it won't do you much good) but as @chabun said, he's one of the "big names" in WP7 homebrew and is considered trustworthy.
Click to expand...
Click to collapse
Thanks for your answer!
Yes I think some premium dev like yourself, Heathcliff74 etc are deeply trusted on here.
But still I am pretty sure the average user doesn't care about names or source. He or she won't be able to read though the source code or understanding what does require an app access to.
Also, if the app would require "elevated privileges" trough Heathcliff's Root Tool, he wouldn't think twice about granting to it.
Then if something bad would happen, then it would blame the OS, not him- or herself.
Things like requiring user confirmation to call or send a text within an app, from my prospective, never should be avoided.
On iOS for instance a lot of user complained to the carrier (here in Italy), some international sms sent billed in their accounts. It was iMessage first set up to send a txt to the UK (which costs on avg 0.30 Eur, compared to 0.10-0.15 a single sms).
But I am wondering now why jail-broken iPhone aren't subject to malewares like the open Android platform. I'm sure unlocked iOS would be a pretty green garden for them.
rbrunner7 said:
Please note that the OP is talking about an
If you ask me, the age of pranks and viruses that delete your files just because they can is over already quite some time. Today people most often try things with malware if there is money to be made.
Click to expand...
Click to collapse
You're right, just wanted to show that it's not really easy to say what's bad and what's good...
There's been malware for jailbroken iPhones. There was even a worm that spread by infecting people who had enabled an SSH server on their phone but left the default password.
The reason it's less of an issue there than on Android is that malware is typically a business - that is, it's done to make money - and so you target the largest number of people you can. There are fewer iPhones than Android phones, and far fewer jailbroken iPhones than Android phones that can access the market or even install apps from outside the official market (pretty much all of them).

Why Google force all to sync the data/ why Google wants to enter in everybody's life?

Hello guys, this is a small article cum question thread. After reading please give me your views.
When we buy a phone and we start with our gmail id.
They forcefully sync all data, even the gallery (picasa).
I mean why is Google entering in our life so much..
They have every single detail. Contact , location, whereabouts, preferences, taste, when we get up/ sleep...
Every single data is with Google.
Now Google glass... Its too much interference...
I feel like being spy by a person name Google. Prove me wrong, I will be glad.
Before Android, I had Nokia phone. I never felt being spy every time.
I have spend lots of money on my Android phone but im feeling insecured every moment.
Why Google force all to sync the data/ why Google wants to enter in everyon's life?
Are we purchasing Android phones for being monitored 24x7?
Let me know your views too..
Thank you.
Disclaimer:
I am not an apple fan. I have shared experience and beyond this I don't have intension to degrade the goodwill of gaint Google.
Supporting links for this thread
http://m.firstpost.com/tech/how-to-stop-googlefbspyingyou-220138.html?page=1
http://m.youtube.com/#/watch?v=imbkac40t38&desktop_uri=/watch?v=imbkac40t38
Endless....
We've all heard about the "big brother". Before the TV reality shows there was only books and stories about it, there were wars for power and world dominance. May be my words are too strong, but think about it - there are strong arguments in DBZo07's post, don't you think?
Google may be one of the reasons for the next World War. I am sure that there will be one - all of the major civilizations before us have disappeared for various reasons, most of them connected with war and the will of dominance. We will wipe ourselfs too or will become "human androids".
I think that we should think about what will be the next kind of terrorism? I doubt it will be for petrol, gold, money... it will be about information, communication, privacy - and Google are getting even more and more into our life, as DBZo07 have observed. It was only 8 years ago when for most of us smartphones were a joke and look now - hybrids, phonepads, padphones, tablets, docking stations, virtual HDD's (cloud storage)... Now can you leave without Viber, skype, facebook, gmail? No, you can't and if you could you will be searching for better replacements.
When you put all of the things it really seems too much. What if someone uses the information we share virtually each day? What if someone wants more than just money to share or store our information or to communicate with each other? Now they want our money, but tomorrow?
May be someone will want more from us tomorrow... may be we will start to sync our dreams for more efficient sleep time.
Or probably my arguments are nonsense and no one will let these thing happen. I hope so and I believe so - you should believe too
Yes it is bad, but just do like everybody disliking this state, deactivate all you can that allow google to "follow" you.
At the end, androïd is not linux, androïd is "google is watching you OS", so make all you can to hide yourself.
Maybe one day, we'll have a "pure" linux system for smartphones.
@mutha88 : that's what , we are forced to believe Google like God. Turning off auto sync may ease our mind. But still who knows about which data is being snatched with our data plan on all times in the very owned OS of Google. I still can appreciate Microsoft Windows, which is carring on from years after years still there is sense of personal private life being secured.
No doubt Google is an award winning innovative company but why getting personal to the extent of choking privacy.
On other hand, consumers are least concern about privacy now a days. Very trusted Microsoft is trying hard to penetrate phones and data stealer Google is having large pie of market share. It is we who made Google survive and in return we have loss of privacy.
@BombinBasta : yeah, but for development of any OS needs finance. Linux is free open source, hardly people donate. And Microsoft has enough money to carry on their development. Apple already charges too high for thier devices. Whereas Google... makes money from phones, market, various products and who knows what they make from every details of their users.
Seriously, as i heard from childgood that evil ends when they cross thier limits... will there be end of Google anyways!!! I wonder.
May be I'm wrong but their are no proper justifications from Google for interference.
Sent from my GT-I9082 using Tapatalk HD
u cant be free of data collection by google...
even if u never sync ur data and use internet on ur android(even if it a vanila AOSP android ) there is code in that to give the data to google.
in todays age of information technology....information/data is everything...WHO HOLDS THE DATA...HOLDS THE POWER TO RULE THE WORLD...
DBZo07 said:
@mutha88 : that's what , we are forced to believe Google like God. Turning off auto sync may ease our mind. But still who knows about which data is being snatched with our data plan on all times in the very owned OS of Google. I still can appreciate Microsoft Windows, which is carring on from years after years still there is sense of personal private life being secured.
No doubt Google is an award winning innovative company but why getting personal to the extent of choking privacy.
On other hand, consumers are least concern about privacy now a days. Very trusted Microsoft is trying hard to penetrate phones and data stealer Google is having large pie of market share. It is we who made Google survive and in return we have loss of privacy.
@BombinBasta : yeah, but for development of any OS needs finance. Linux is free open source, hardly people donate. And Microsoft has enough money to carry on their development. Apple already charges too high for thier devices. Whereas Google... makes money from phones, market, various products and who knows what they make from every details of their users.
Seriously, as i heard from childgood that evil ends when they cross thier limits... will there be end of Google anyways!!! I wonder.
May be I'm wrong but their are no proper justifications from Google for interference.
Sent from my GT-I9082 using Tapatalk HD
Click to expand...
Click to collapse
You act like Microsoft doesnt do the same thing. When ever you use any of their programs it is the same. Privacy is a moot point if you use the internet for anything. You would be amazed how many times your personal info is used. Use a Shopping card to get discounts? Tracked. Use a CC for anything? Tracked. Buy anything on line? Tracked. Use any social networks? Yup tracked again.
It is not just Google. If you trust MS so much then why not get a WP?
k2wl said:
u cant be free of data collection by google...
even if u never sync ur data and use internet on ur android(even if it a vanila AOSP android ) there is code in that to give the data to google.
in todays age of information technology....information/data is everything...WHO HOLDS THE DATA...HOLDS THE POWER TO RULE THE WORLD...
Click to expand...
Click to collapse
This information again shocking.. will there be a respect for privacy is a big question..
Is there any way that code being blocked ...
zelendel said:
You act like Microsoft doesnt do the same thing. When ever you use any of their programs it is the same. Privacy is a moot point if you use the internet for anything. You would be amazed how many times your personal info is used. Use a Shopping card to get discounts? Tracked. Use a CC for anything? Tracked. Buy anything on line? Tracked. Use any social networks? Yup tracked again.
It is not just Google. If you trust MS so much then why not get a WP?
Click to expand...
Click to collapse
My bad.. Microsoft still a good sided. I'm not promoting Microsoft but everybody have used Windows and this hunger for data wasn't found, maybe Microsoft is too smart to do silently but there is a chance that it may or may not be true. Google openly does all stealing I mean who is going to held them!! We the users are just watching being used all time.
When I took Android , i wasn't aware of Google's hunger for information..
In the end, everyone is happy without Google's justifications...
Sent from my GT-I9082 using Tapatalk HD
I would like to point out that you are under no compulsion to connect an android phone to a Google account. You only need to connect your account if you want to avail of their services such as Play Store, syncing contacts, etc. If you can do without them, then by all means you can disconnect your Google account.
Sent from my Nexus 10 using Tapatalk HD
sidthegreatest said:
I would like to point out that you are under no compulsion to connect an android phone to a Google account. You only need to connect your account if you want to avail of their services such as Play Store, syncing contacts, etc. If you can do without them, then by all means you can disconnect your Google account.
Sent from my Nexus 10 using Tapatalk HD
Click to expand...
Click to collapse
I completely agree...
As for me I don't like Google's spying so I uninstalled all their apps, including network location and Google framework service, and I use alternative apps for gtalk or Google play. And recently I even made a new email at Yahoo's. I know Yahoo spies as well, but since android is Google at least I don't put all my eggs in the same basket.
If like me you are very privacy concerned there are ways to cut the abusive permissions most apps use.
You need to be rooted, and then use apps like appsettings (in conjunction with xposer app), permissions denied, rom toolbox, greenify, privacy blocker, and the best (but unfortunately not available for all roms) : pdroid and its variants like open pdroid and the like.
For example, recently I downloaded the Yahoo app. Before to start using it I put it through privacy blocker and then changed the imei value and other nosy informations with fake values (thank you privacy blocker and respect to xeudoxus its developer). Then I opened appsettings and blocked other unwanted permissions (thank you rovo and tungstwenty, respect). Finally I started to use it, and when I'm done checking my mails I greenify (thank you oasisfeng and respect) the app to avoid background usage.
Of course when one does such things one doesn't get notifications as soon as a new message arrives, but as for me I don't care since I don't need, and don't want, to be connected and hence spied, 24 hours a day.
It's relatively easy to get rid of the spying, but of course you will loose 2-3 features.
It's up to you...
I did the same with my browsers (opera mini and dolphin), privacy blocker+ appsettings+greenify, and with Mozilla I use an add-on called self destructing cookies.
Another thing is that not only Google spies on us, actually everyone does.
Just have a look at the permissions used by your system (default) applications, it's insane moreover that when one blocks those abusive permissions the apps still work. Don't think that it would be any better with a custom room, it's exactly the same story with cyanogen mode or aosp or pa etc.
What I do is that I remove most system apps (keeping like 10 for my tab, and 20 something on my phone, which means that I uninstall over 100 system apps, exactly 160 on my tab's recent jb upgrade) and replace them with third party apps that are easier to control and whose permissions are easier to block. And of course I block everything I can, system and user apps alike.
One of these days when I have time I'll write a more precise guide on these matters...
unclefab said:
I completely agree...
As for me I don't like Google's spying so I uninstalled all their apps, including network location and Google framework service, and I use alternative apps for gtalk or Google play. And recently I even made a new email at Yahoo's. I know Yahoo spies as well, but since android is Google at least I don't put all my eggs in the same basket.
If like me you are very privacy concerned there are ways to cut the abusive permissions most apps use.
...........
One of these days when I have time I'll write a more precise guide on these matters...
Click to expand...
Click to collapse
Sir, this is what I wanted to know. Thank you very much for your valuable time and experience shared here. I know this is serious concern and people like us need a way to be have a sound sleep without virtual spies.
About permissions, Google chrome takes permission to use camera and mic without and command by user.. I mean why Google needs it...again another why...
Your reply was very helpful, thank you...
keep updated me here when you can...
Stay blessed..
DBZo07 said:
Sir, this is what I wanted to know. Thank you very much for your valuable time and experience shared here. I know this is serious concern and people like us need a way to be have a sound sleep without virtual spies.
About permissions, Google chrome takes permission to use camera and mic without and command by user.. I mean why Google needs it...again another why...
Your reply was very helpful, thank you...
keep updated me here when you can...
Stay blessed..
Click to expand...
Click to collapse
My pleasure, I'm happy if I could help you...
Google chrome is one of the worst browser when it comes to privacy. If you want to keep on using it try to block the unwanted permissions like camera and mike with appsettings. The problem is that sometimes apps crash after having their perms blocked, and in this case what I do is just uninstalling and looking for another one that does the same job, fortunately there is no shortage of apps on the web
If you can't manage to tame Google chrome just use Mozilla. It has some abusive perms as well but they can be disabled for sure (I use it). Not with appsettings though but with permissions denied (another privacy app, quite powerful but one has to use it with care).
Just get the apps I recommended in my first post (some are paid but they are well worth the money) and start playing with them, in no time you will regain your privacy.
And uninstall as many system apps as you can...
Good luck!
Oh, I nearly forgot! Read my post in the following link, it tells which apps are safe to remove for the galaxy grand:
http://forum.xda-developers.com/showthread.php?p=39395506
They anonymize all of the usage data as much as possible. If you don't like using Google services but still want to be able to download apps from the Play Store, go into Settings -> Accounts -> your Google account(s) -> uncheck all of the boxes for syncing various services.
Every company collects information on usage in order to better their products and find out how people are using them. They're not reading all of your emails (yes, their computers scan them to show you relevant text ads, but that's all) or coming to your house to film you while you're in the shower. You guys are overreacting. There is not one company who doesn't collect usage data. And if they don't, then they're doing it wrong, because they're developing their products and services blindly. Google is pretty clear about their data collection policies.
unclefab said:
My pleasure, I'm happy if I could help you...
Google chrome is one of the worst browser when it comes to privacy. If you want to keep on using it try to block the unwanted permissions like camera and mike with appsettings. The problem is that sometimes apps crash after having their perms blocked, and in this case what I do is just uninstalling and looking for another one that does the same job, fortunately there is no shortage of apps on the web
Click to expand...
Click to collapse
You do realize that Chrome has the Microphone permission so that it can hear you when you use voice search, among other things, right? Your computer browser can also access your webcam and microphone...
I care about privacy as well, but you guys are wearing tinfoil hats. Google does not care about you. They just want to know how to further develop their products.
Product F(RED) said:
You do realize that Chrome has the Microphone permission so that it can hear you when you use voice search, among other things, right? Your computer browser can also access your webcam and microphone...
I care about privacy as well, but you guys are wearing tinfoil hats. Google does not care about you. They just want to know how to further develop their products.
Click to expand...
Click to collapse
Of course I know that this perm is for the voice search, an app that I don't use either.
And I know that in 2013 it's not such a big deal if those big companies collect data about us, apart from spamming us with advs.
But I don't know how it will be in 10 our 20 years, and when I see the way our "democracies" go I rather understand now how to make myself invisible, better to prevent than to cure.
Imagine if Hitler had had this technology...
Those days are gone? I don't think so, the Yankees had Bush for eight years, the French had Sarkozy for five years, they were not modern Hitler but they were going in the same direction, cutting rough in the people's freedom.
They didn't go as far as Hitler but who knows what will happen in the next decades. I'm 44 and since the 90 ies I've seen a worrying drift towards less and less freedom, and it won't get any better for sure, it will only get worse.
Anyway, it's not only about this, it's about those apps using my data plan without asking, depleting my phone's battery and slowing my ram. If Google wants infos he has to pay for it, and I have to agree to sell him those infos.
Cuz my phone didn't come for free, I had to pay for it and I don't see why I should use my data plan to help big Google and co...
unclefab said:
Of course I know that this perm is for the voice search, an app that I don't use either.
And I know that in 2013 it's not such a big deal if those big companies collect data about us, apart from spamming us with advs.
But I don't know how it will be in 10 our 20 years, and when I see the way our "democracies" go I rather understand now how to make myself invisible, better to prevent than to cure.
Imagine if Hitler had had this technology...
Those days are gone? I don't think so, the Yankees had Bush for eight years, the French had Sarkozy for five years, they were not modern Hitler but they were going in the same direction, cutting rough in the people's freedom.
They didn't go as far as Hitler but who knows what will happen in the next decades. I'm 44 and since the 90 ies I've seen a worrying drift towards less and less freedom, and it won't get any better for sure, it will only get worse.
Anyway, it's not only about this, it's about those apps using my data plan without asking, depleting my phone's battery and slowing my ram. If Google wants infos he has to pay for it, and I have to agree to sell him those infos.
Cuz my phone didn't come for free, I had to pay for it and I don't see why I should use my data plan to help big Google and co...
Click to expand...
Click to collapse
It's more like, "by using the software on this phone, you agree to Google's data collection policies." Either create your own ROM that doesn't include the code, or don't use the phone. You could go to Apple and use an iPhone, but they do the same thing. Microsoft does the same thing with Windows Phone. Palm did the same with WebOS. Seriously, there's nowhere you can go where anonymous data isn't collected to develop products.
I am glad that there are few more people who take their privacy seriously and knowledgeable enough to know what happening inside phones.
I strongly believe that this topic needs mass exposure. Millions of innocent people don't know what's happening and the risks. Take this topic to social networks and spread. For my part I will post this thread link on Facebook, Twitter and WhatsApp.
I would also wish that some of our great developers would come forward and help in this matter.
Thanks for starting this thread.
I knew people will feel thus topic as paranoid. But that's preference.
No problem, speak against topic or support this topic, you will help other members have clear picture of what I want to say. After all critics have role to play too. So thanks to all.
@unclefab thank you for your comment which helped me get my words meaningful.
@silentvisitor that's what I had planned to get the topic wide exposure. Hope, there will be respect for privacy oneday.
Revolutionary changes are required and that can be just hoped.
The only hope I can see is that when the country itself recognises this as an issue than it can impact on world... more and more country joins the cause the stronger will be the impact.
These are just hopes and how future will play that God knows.
Sent from my GT-I9082 using Tapatalk HD
Product F(RED) said:
It's more like, "by using the software on this phone, you agree to Google's data collection policies." Either create your own ROM that doesn't include the code, or don't use the phone. You could go to Apple and use an iPhone, but they do the same thing. Microsoft does the same thing with Windows Phone. Palm did the same with WebOS. Seriously, there's nowhere you can go where anonymous data isn't collected to develop products.
Click to expand...
Click to collapse
Yep, true, and actually Apple is worse.
What I don't like, beside the fact that they hijack my connection, my battery and my ram (and I mean, not only Google but most apps), is that they create files about us. It's ok as long as we have a democracy but as I previously said I'm not very optimistic about democracy in the future, remember the infamous patriot act in the States...
For example, Google knows that mister uncle fab has a gmail account. It knows as well that uncle fab goes on this and that website and reads this or that page, buys this and that online, has this and that app on his phone, goes here or there (thank you GPS and Google now) and stops here or there, listens to this or that kind of music, watches this or that movie, takes this and that picture and so on.
Eventually they have a file about uncle fab, and know a lot about his life and his taste.
Suppose now that uncle fab is a commie and someone who disagrees with the invasion of Iraq and Afghanistan, and that he's a muslim who has traveled to some of the so called axe of evil countries (which I did by the way, that's why I take this example, but fear not for I'm no terrorist )
What would happen? If uncle fab lives in the States he may be in serious trouble and get invited to a nice all included stay in Guantanamo, eventhough he's not a terrorist.
Well that's just an example but seriously, what happens with all those files they gather about people? Not to mention facebook, you know what I mean, their data base is huge and includes pictures.
What will they do with those files in the event of the government turning fascist or half fascist?
I'm not a terrorist but I have some convictions and some ideas that would make me a bad guy for a fascist regime and that would bring me to jail.
Don't get me wrong, I'm not a bad guy
But, amongst others, I seriously dislike the State's foreign policy and sincerely think that the wars in Iraq and Afghanistan are crimes against mankind that should bring their authors (Bush and his friends) in front of the international court. I do think as well that endeavors like wikileaks are very good ones and that their informants shouldn't be trialled.
I do think other things as well, it's my right, but under the Bush administration I would have been called a bad American and if they had caught me I would have won a free stay in Guantanamo.
During the Mac Carthy area I would have been called a commie because of my anti capitalistic ideas and would have been sent to jail.
Etc, etc...
So eventhough I'm not a bad guy I rather stay as invisible as I can, no-one knows what will happen in the future but from my point of view it looks pretty grim to say the last.
Regarding your remark about building my own Rom I agree, it's on my list of to do things.
But let's see first how the Mozilla os goes, and if the devs behind the Linux on android project manage to make it work properly for a daily use.
At the end of the day it's a matter of choice as you said, if someone doesn't like Google one can uninstall its apps.
You know, I spent hours playing with the apps I mentioned in my previous posts and I can say that no app knows my imei or my location, and that the only apps I allowed to connect with the internet are my browsers and the Yahoo app whose abusive perms I blocked.
Of course the browsers know my ip but that's all they know and I don't care about it, and if one day I did then I would use a vpn app or tor/orbot.
So I don't see how anyone could squeeze any data from me...
Oh, I just found this on the forum, give it a read:
http://www.xda-developers.com/android/say-sayonara-to-the-play-store-part-1/
If you want privacy, go move to a rainforest in South America or something. Get rid of your phone, computer, internet connection, etc. What you guys are asking for is ridiculous. You want free products handed to you on a silver platter. These companies need something in return. At the very least, they need the information they collect to understand their userbase. I'm a marketing major and computer science minor. Really, I understand that privacy is pivotal to you guys, but you're demanding something pretty ridiculous. This is ANONYMOUS usage data.
Sent from my Galaxy Note 2
Product F(RED) said:
If you want privacy, go move to a rainforest in South America or something. Get rid of your phone, computer, internet connection, etc. What you guys are asking for is ridiculous. You want free products handed to you on a silver platter. These companies need something in return. At the very least, they need the information they collect to understand their userbase. I'm a marketing major and computer science minor. Really, I understand that privacy is pivotal to you guys, but you're demanding something pretty ridiculous. This is ANONYMOUS usage data.
Sent from my Galaxy Note 2
Click to expand...
Click to collapse
You sound very straight forward. Your comments are brainwashing. You have better way of critical thinking, its appreciable. As a marketing guy you know user have different preferences and taste.
Rarely people are concern about privacy which is not letting this being called as an issue.
Data is used anonymously, is this justified?
Even Facebook says this, than why it has photos and name in their database?
How come Facebook/Google recognize face with exact name if data is anonymous..
Can any of data stealers come forward and give just a short justification and proof about how data is being used?
Sent from my GT-I9082 using Tapatalk HD
As Fred as stated, everything you do is tracked and monitored. This is nothing new really, been going on for years. There is only one way around it. That is to remove yourself from all things as stated above. You would be amazed how many times your personal info changes hands on a daily basis. Even utility companies track your usage. Your cell carrier does the same thing. Now I understand wanting privacy but total privacy is a myth that in this day and age is not an option. Now I dont trust the Gov in any way shape or form, to the point of not buying any device that has the fema chip installed. Which is 99% of the devices in the US.

Most secure apps for various purposes

Ive been through the entire security forum. Must say till a little raw but it will mature hopefully. Still a lot of noobs talking and no serious dev talk. Im not a developer but I have done some research esp on encryption systems and keep myself updated with the loopholes in various apps. Until such time when they do join in I think it would be a good idea (esp if the higher-level know-its) would share their list of apps they use for their everyday functioning and especially how you currently protect yourself best against unwarranted attacks to the types other forums are talking about.
My list is:
K-9 mail : for email. I use APG with that though im still not convinced its worth it cause the keys would be a easy to 'reverse engineer' as you can easily detect the device you use to send the mail and thus an estimate of the computing power essentially showing them the narrow range of prime numbers in which the key could have been generated. But you would need to be a dedicated target for that. Plus its open-source and very popular.
Xprivacy: its good for apps with too many unnecessary permissions but it wont protect you against intruder attacks.
network connections: just switched over to this from wire shark. Still undergoing testing. But it tell you the current internet connections and seem promising. You can block the suspicious IPs using xposed framework called peerblock (look into the xposed mod index). Needless to say but I think blacklisting google would be perhaps make you life considerably old-fashioned esp if your plugging the google 'backdoor' access they provide to 'he-who-shall-not-be-named' organizations.
Browser: im using the native AOSP browser. Firefox would be a better alternative in my opinion to chrome or others. I wish we had chromium for android.
Quickpic: using it instead of the native gallery after i found that it was connecting to the internet.
Calander: using the native AOSP calander but deleted the calander sync cause i try to avoid relying on google too much. selectively Denied internet permission.
ES file manager: a very complete tool. root explorer with checksum built-in. denied internet permissions.
TextSecure : Using this for standard texting because it seems to offer more encryption that any other texting app at the moment. Plus its going to be the default messaging app in Cyanogen ROMs in the future. Offers One-Time-Pad system encryption which is encryption theoretically secure (what that means for the common man is that this encryption is the only one that has stood the test of time to be unbreakable of used properly. All other encryption systems rely on the fact that the decrypting systems used to 'crack' the encryption lag behind the algorithms. Lets hope the devs did implement it properly)
Remove Google from CM10+ ROMs : http://www.xda-developers.com/android/remove-the-google-from-cyanogenmod-with-freecygn/
"Not every user particularly cares for Google’s proprietary bits and its tendency to put them everywhere. As such, XDA Senior Member MaR-V-iN has created a script to clear out Google proprietary binaries from all CM10+ ROMs. Freecyngn disassembles the CyanogenMod settings app and replaces Google Analytics library with the free NoAnalytics. The whole process doesn’t break the Settings app, and turns your device into one that is Google-free"
Click to expand...
Click to collapse
Thanks to @SecUpwN for the site: www.prism-break.org As you will see by visiting this site its not secure but just a list of more open-source projects.
I dont use a lot of google products like gmail or chrome or maps but i would like to minus the uneasiness that i have using it. And i dont use public wifi at all. The great things in life are hardly ever free!
Needless to say but i use CM 10.1 since its well developed and open-source. Looking forward to omniROM by chainfire and other great devs. I do believe we need some serious stenographic programs for android because encryption alone is not the way to go. Maybe they will take this more seriously. This remains a work in progress. As always hit thanks if it helps.
CM is now for profit. It's CyanogenMOD Inc. Anyway, this is a pretty naive approach, IMHO. You want to keep something secret you can't tell technology about it. Check out "Schneier on Security."
where did you download "network connections" from?
@aejazhaq: See www.prism-break.org!
runwithme said:
where did you download "network connections" from?
Click to expand...
Click to collapse
I downloaded it when the dev was giving the pro version free for a limited time to XDA members. How ever its available on the play store...https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en
SecUpwN said:
@aejazhaq: See www.prism-break.org!
Click to expand...
Click to collapse
Yes i cam across that just a week ago. It seems to me as my knowledge progress' that the apps available are just to keep the selective data eg your mails private if you use APG with that. @pan.droid I think anything on your device is still as vulnerable as can be honestly and don't think, at least as of now that you can protect your data on you device with any satisfactory means, at least not yet. I'm interested in stenographic means more now than ever because I think encryption alone wont cut it esp keys generated on the phone; the prime numbers needed for a foreseeable future (3+ yrs) protection are elusive on the phone, perhaps the PC can do a better job, but again with its fallacies esp with emails being stored in the cloud permanently means that there's an expiration date on such material you choose to share. And given it lacks forward secrecy and anyone using PGP in emails is definitely shouting encrypted msgs being transmitted perhaps arousing more suspension and the subsequent package.
Thus I do agree the list is currently very naive but perhaps the best we can do at the moment. Thats why I'll leave people to share their opinions on this because this is perhaps an ongoing discussion.
I'm really interested in a contacts replacement. I hate the new style google version but I don't trust ANYTHING free from the app store. They all download your contacts!
You didn't mention AFWall+, the iptables firewall I consider instrumental in blocking most phone home attempts.
SecUpwN said:
@aejazhaq: See www.prism-break.org!
Click to expand...
Click to collapse
Actually, pretty great site!
pan.droid said:
Actually, pretty great site!
Click to expand...
Click to collapse
You're welcome. If you're interested in security projects, have a look!
I'd totally jump on board with that, but all I have is a WI-FI tablet, ATM. Great activist project for anyone serious about security.
pan.droid said:
I'd totally jump on board with that, but all I have is a WI-FI tablet, ATM. Great activist project for anyone serious about security.
Click to expand...
Click to collapse
Sadly, our project is missing real security enthusiasts and DEVELOPERS. Do you know anyone I should get in touch with?
I use "Keepass2Android Offline" to manage my passwords. This "offline" version removes Internet access permissions which I consider essential for security of my database.

Detection of law enforcement malware (e.g. FinFisher)

Ladies and Gentlemen,
I am opening this discussion in order to not only receive some high-quality answers on the following questions, but also to learn what everyone does in order to ensure security and integrity of Apps on their phones (especially when working in environments where attacks are likely or possible due to intersting files on the phone or similar).
Here is my question: Let's suppose a phone is ROOTED, is locked with a Pattern, is updated daily, has TitaniumBackup installed, runs Trust as well as an Antivirus App and on top of that, installed Apps are monitored in a regular basis through TitaniumBackup. Is it even possible for law enforcements or hackers to install malware? If so, what would be necessary for them to do so? Physical access? Malformed Apps with matching signature? Other types of attacks (encouraging @He3556 the owner of Smartphone Attack Vector to chime in)?
Second question (hope @jcase can answer this): What would be the best way of preventing attacks of afforementioned groups and alike? What do YOU personally do?
SecUpwN said:
Ladies and Gentlemen,
I am opening this discussion in order to not only receive some high-quality answers on the following questions, but also to learn what everyone does in order to ensure security and integrity of Apps on their phones (especially when working in environments where attacks are likely or possible due to intersting files on the phone or similar).
Here is my question: Let's suppose a phone is ROOTED, is locked with a Pattern, is updated daily, has TitaniumBackup installed, runs Trust as well as an Antivirus App and on top of that, installed Apps are monitored in a regular basis through TitaniumBackup. Is it even possible for law enforcements or hackers to install malware? If so, what would be necessary for them to do so? Physical access? Malformed Apps with matching signature? Other types of attacks (encouraging @He3556 the owner of Smartphone Attack Vector to chime in)?
Second question (hope @jcase can answer this): What would be the best way of preventing attacks of afforementioned groups and alike? What do YOU personally do?
Click to expand...
Click to collapse
Pe rooted, with common rooted apps installed? Would be easy to compromise that phone, as you have already done it for them.
Use a stock firmware, chose a vendor with a recent history of good security (Samsung, nexus, motorola in that order imo), keep it up to date, reduce the number of apps you run, don't root it. Disabled usb debugging.
jcase said:
Pe rooted, with common rooted apps installed? Would be easy to compromise that phone, as you have already done it for them.
Use a stock firmware, chose a vendor with a recent history of good security (Samsung, nexus, motorola in that order imo), keep it up to date, reduce the number of apps you run, don't root it. Disabled usb debugging.
Click to expand...
Click to collapse
Thanks for answering. So that means, in short words, buy a phone and only update official stuff. How boring, I wouldn't be here on XDA then! But I get your point. I'm especially interested in the question of detection. If such agencies have installed anything that would leak data (and I'm sure it's fairly easy to do for them), how would they hide that specific App from the list of TitaniumBackup? Also, how would they trick the Trust Even Logger created by @Dark3n to not show any installation?
Most importantly though, is there some way of detecting such installations or manipulations afterwards?
There is growing so called "Zero-Day-Exploit" Industry, with names like vupen or FinFisher , the one who are working for the German Gov. but also for countries like Saudia Arabia and Iran. They know how to find exploits, nobody knows about (zero-day) and program trojans for all kinds of platforms. So antivirus software can't help here. And it is easy to bypass security if you know one of the bugs - and we know there are many of them in firmware, operating systems, plugins, frameworks and so on... Beside this "white" marked there is also a grey and black marked. So if you need to track your woman or steal information from other companies, you will find somebody with a tool for that, i suppose.
You would need a "Intrusion Detection Software" - sorry but this won't work for Smartphones, because there is a lot of calculation, data and energy needed - you find this special hardware in big data centers.
Do not root and do not install Apps you don't really need is still a good advice, specially when people don't know so much about all this.
Another way to sneak in is to compromise the users pc, that is (maybe) connected to the phone sometimes (work with iphone sync but also with android to change DNS and get SMS with e-tan's - you will find more info it in the media)
Or if you have the "power" you can can use the cloud services (iOS, Google, Windows or other 3rd party services) to steal user data (sms, pictures, GPS history...) or just let it sync the malware to the phone. So you don't have to break in directly.
What would be the best way of preventing attacks of afforementioned groups and alike?
Click to expand...
Click to collapse
tomorrow i will have time, there are to many possibilities
Thanks for clarifying, @He3556!
Now I know that phones in general are hard to lock down for such agencies. Time to quote myself:
SecUpwN said:
Most importantly though, is there some way of detecting such installations or manipulations afterwards?
Click to expand...
Click to collapse
Hey @He3556, if you've been following security news the past weeks, this topic here is becoming more relevant with each revelation. Since the trojan-coding company FinFisher has highly likely been hacked and some cool whisteblowers are publishing very sensitve data like price lists and handbooks on their Twitter account GammaGroupPR, more details of their secret software FinSpy Mobile is being revealed. And this is exactly the type of software that I am talking about here in this thread. I want to know how users can protect themselves from crap like that. According to the video that has been leaked, It is being installed through a fake update, or even through messages via E-Mail to "please" install this "very important update":
And just to make everyone more curious, FinSpy Mobile has been leaked on Twitter! It obviously works for all operating systems, including Android, Blackberry, Windows Mobile, and Symbian. Another trophy is source code of FinFly Web, which found its way the code hosting platform GitHub. It is designed to provide remote and covert infection of a Target System by using a wide range of web-based attacks. FinFly Web provides a point-and-click interface, enabling the Agent to easily create a custom infection code according to selected modules. Target Systems visiting a prepared website with the implemented infection code will be covertly infected with the configured software. Regarding FinSpy Mobile and similar software: How would law enforcements possibly attack a cautious member of XDA (or any other site)? I mean, people that have been in the field of flashing new ROMs, updating their firmware and recovery themselves, not installing strange APKs sent via E-Mail and controlling installed Apps through TitaniumBackup should be somewhat immune to such type of attacks, right?
It appears to me as if their software might work for the general masses, but highly-likely not on people like @jcase or other Android security-gurus. Since I linked you, I'd be very happy if you could expand on that a little. I am sure such companies might even have the possibility of messing with the baseband of a target phone through only knowing the phone number of a target. But I am really curious what their "standard procedure" is if they face a target with thorough Android knowledge, maybe even a security-enthusiastic Android developer. Wouldn't their only option be to manually manipulate the handset?
There are two methods to keep away all kinds of trojan and malware...
1. use a SIM with data connections only: There are SIM cards on the marked you can use in a USB Stick for Notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
2. Web browser, Apps, e-mail client and all other connection must be use VPN.
But there is one more stepp to take.
The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But i am sure there are more projects about this out there...
He3556 said:
There are two methods to keep away all kinds of trojan and malware...
1. use a SIM with data connections only: There are SIM cards on the marked you can use in a USB Stick for Notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
Click to expand...
Click to collapse
I know this works, but the only guy who is so insane and is already doing that is probably @InvaderX.
Honestly, what's the purpose of a phone if I can't receive SMS and call anyone without internet connection?
He3556 said:
2. Web browser, Apps, e-mail client and all other connection must be use VPN.
But there is one more stepp to take.
The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But i am sure there are more projects about this out there...
Click to expand...
Click to collapse
Better yet: Living under a rock should solve all these problems. Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month? From the things you mentioned as for protection, I highly doubt that I'll move that way. And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher. But talking about this makes me wonder: It seems as if the probability is high that most of the time they are selling a fake update to the target. Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?
Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events(which is how Trust monitors most things).
It is just not build to withstand such attacks.
SecUpwN said:
Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed
Click to expand...
Click to collapse
Maybe? But there are much easier ways if it is not desired to target specific persons.
I'll brain storm a bit for you:
I would divide the attack vectors into those that work with root and those that don't.
Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.
If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basicly do what the hell he wants.
While not using a rooted device would certainly make it more difficult to do malicious things, it's doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.
Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?
Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains it's original functionality.
Want a botnet?
Inject malicious code into a popular root up that is paid, crack it and upload it somewhere.
While this more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already aquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.
A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other apps uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.
Now those are all ways to target a broad mass of users.
If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
- My favorite plan yet, making a popular app themselves that they know you will try
It is usually never impossible, just a matter of resources and whether its unfeasible to spend so many resources on that goal.
edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufactor either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution... There could also be compromising hardware built in, but now I'm really climing up the tinfoil tree, but as recents new story suggest that the NSA is intercepting hardware packets from manufactors such as cisco to modify them, what's really impossible?
TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.
edit2: More specific answers to your questions.
You might be able to monitor files changes on an a system level, but if your attacker gains highlevel priviledges, what keeps him from changing the monitoring system?
SecUpwN said:
Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month?
Click to expand...
Click to collapse
How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.
SecUpwN said:
And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher.
Click to expand...
Click to collapse
This is the thing, with enough resources, there is always a way.
SecUpwN said:
It seems as if the probability is high that most of the time they are selling a fake update to the target.
Click to expand...
Click to collapse
Exactly disguising as something legit is the cheapest way, "trojan horse".
SecUpwN said:
Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?
Click to expand...
Click to collapse
I don't know any surefire way to detect this. The issue is that with enough priviledges (which can be gained without authorization, zero day exploits are worth a lot money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
Whoa, this has to be the longest answer I've received since registering here. Huge thanks! Grab a coffee..
Dark3n said:
Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events(which is how Trust monitors most things).
It is just not build to withstand such attacks.
Click to expand...
Click to collapse
Ok, fair. Will keep it anyhow.
Dark3n said:
Maybe? But there are much easier ways if it is not desired to target specific persons.
I'll brain storm a bit for you:
I would divide the attack vectors into those that work with root and those that don't.
Click to expand...
Click to collapse
Just to mention it here: An awesome site to see which attack vectors and vulnerabilities exist is Smartphone Attack Vektor by @He3556.
Dark3n said:
Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.
If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basicly do what the hell he wants.
Click to expand...
Click to collapse
Ok, I get the point. Also like @jcase already pointed out: If we root, we pwn ourselves. And if we don't, too.
Dark3n said:
While not using a rooted device would certainly make it more difficult to do malicious things, it's doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.
Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?
Click to expand...
Click to collapse
I only install trusted Applications.
Dark3n said:
Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains it's original functionality.
Click to expand...
Click to collapse
Guess if I use the F-Droid Store I should be pretty safe, right? But don't worry, I don't rely on it - as for me, smartphones are huge bugs with touchscreens. That is why I also built a phone signal blocking pouch for myself and friends. Further good recommendations can be found on the bottom of my GitHub.
Dark3n said:
Want a botnet?
Inject malicious code into a popular root up that is paid, crack it and upload it somewhere.
While this more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already aquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.
Click to expand...
Click to collapse
Actually, no. I already have two or three. Or maybe even four?
Dark3n said:
A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other apps uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.
Now those are all ways to target a broad mass of users.
Click to expand...
Click to collapse
Good to know we've come to an end here. Reading all this makes me want to throw my phone out of the window.
Dark3n said:
If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
Click to expand...
Click to collapse
I DON'T use public hotspots. Why? Because you can be almost certain that stuff will be logged and analyzed once you use that. Over here in my town, we've got a HUGE Apple Store. And guess what - FREE WIFI for everyone! Yeyyy... not.
- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
You are right, threats against family, friends and relatives are a no-go. If I remember correctly, something similar had happened to my beloved XDA developer @idcrisis who invented CrossBreeder. He left development of his toolset because starnge things occured in his life which he linked to his development. Shortly after leaving his project, he proposed a new license: The Aware License. Hope this guy is still living a happy life, though. Added to the above security-issues: Trust NOONE! How come? Well, just read this stunning story I discovered yesterday where a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet adn surfing cat videos. ^^
Dark3n said:
- My favorite plan yet, making a popular app themselves that they know you will try
Click to expand...
Click to collapse
I don't quite get what you meanb by that. Please clarify, it sounds interesting.
Dark3n said:
It is usually never impossible, just a matter of resources and whether its unfeasible to spend so many resources on that goal.
Click to expand...
Click to collapse
The way I see it: The only thing that we have no real access to, is the baseband. I am sure that these are full of backdoors and switches for agencies that they just need to trigger - just like the Samsung Galaxy Backdoor discovered by Replicant.
Dark3n said:
edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufactor either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution...
Click to expand...
Click to collapse
Nope, I don't trust the manufacturer either. And I am SICK of bloatware! hence, I am a happy user of AOKP since several years - but regarding the binary blobs, I would certainly love to try out Replicant (sadly not yet available for the HTC One).
Dark3n said:
There could also be compromising hardware built in, but now I'm really climing up the tinfoil tree, but as recents new story suggest that the NSA is intercepting hardware packets from manufactors such as cisco to modify them, what's really impossible?
Click to expand...
Click to collapse
Nothing is impossible, everything can be done. A wise man once said: Everything you can imagine, will happen.
Dark3n said:
TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.
Click to expand...
Click to collapse
Good advice, I already do follow that one. As already said, if I were a spy company, I'd just team up with manufacturers of basebands..
Dark3n said:
You might be able to monitor files changes on an a system level, but if your attacker gains highlevel priviledges, what keeps him from changing the monitoring system?
Click to expand...
Click to collapse
Highly-likely nothing. I already know that there is not much I can do to prevent them to get in, but at least I do want to detect them - and having such a detection mechanism raises the bar in disguising their actions even further - and who knows, maybe they're not interested anymore then?
Dark3n said:
How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.
Click to expand...
Click to collapse
Not much.
Dark3n said:
This is the thing, with enough resources, there is always a way.
Exactly disguising as something legit is the cheapest way, "trojan horse".
Click to expand...
Click to collapse
Absolutely right. But what I am really curious of: How do people from the security-community really protect their phones? Do you have friends that are using their phones to just communicate via VPN and VOIP, not sending SMS and never calling people? Perfect place for @InvaderX to chime in, he told me before to really do a combination of that approach.
Dark3n said:
I don't know any surefire way to detect this. The issue is that with enough priviledges (which can be gained without authorization, zero day exploits are worth a lot money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
Click to expand...
Click to collapse
Sigh.. mobile phones are a total threat to humanity, I get it..
At least I am not the only one paranoid about this kind of thing. LOL
lostangelintx said:
At least I am not the only one paranoid about this kind of thing. LOL
Click to expand...
Click to collapse
It doesn't have much to do with "Paranoia". The very reason you started to care about this, is because phones are in fact very insecure devices - most people just don't realize or care about it. Another very interesting thread I found lately: Android Security for Conscious Mind.
a tool against 0-day exploits
don't freak out to early - this tool is only for windows desktops.
But at least it shows how it could work for mobile devices, too.
It is called Enhanced Mitigation Experience Toolkit (EMET 5.0) ...is a utility that helps prevent vulnerabilities in software from being successfully exploited.
These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.
SSL/TLS certificate pinning - This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).
Ok, they do not guarantee 100% security - but who could? Even this software comes from Microsoft, it's still a good solution and closes the gap between anti-virus, firewall and keeping your software updated.
Here is a test from 2010 (EMET 2.0) http://www.rationallyparanoid.com/articles/emet-testing.html
And one of 2014 http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/
Does anybody know a APP for Android, iOS, WP8 or BB?
Just a small side note:
In regard to device security vs. rooting.
There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers experience and knowledge to keep malware out of AOS, and you phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better, than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
I trust neither the ODMs, nor the custom roms. However I KNOW the average custom rom is just as if not MORE vulnerable than current stock roms, add su into the mix and it is without a doubt more vulnerable. Show me a custom rom dev that claims he ships a secure firmware, and I'll show you someone ignorant of the facts. Ask most of them what CTS is, and they will look at you like you are referencing 18th century medical terms.
That is my stance. In regards to root making a device more vulnerable, I can back that statement time and time again. From key compromises of the superuser apps, to vulnerabilities in the app, to vulns in the su binaries, to vulns in apps that typical make su requests, to stupid users who will grant it to anyone. Having any access point to "root" makes turning a small vuln to a complete compromise relatively easy.
E:V:A said:
Just a small side note:
In regard to device security vs. rooting.
There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers experience and knowledge to keep malware out of AOS, and you phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better, than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
Click to expand...
Click to collapse
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.
To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.
Reading all this, it makes me wonder if the antivirus apps help at all..
stefeman said:
Reading all this, it makes me wonder if the antivirus apps help at all..
Click to expand...
Click to collapse
Let's put it this way.
In 6 years of heavy 24/7 PC use, my anti-virus have prevented me from a "possible" remote exploit exactly once, while having annoyed me with lengthy uninterruptible scans and ignoring my ignore settings about a 1000 times, due to adware and various other false positives. Then only god knows how many different countries governments are already present in my PC. Go figure. And yes, I have tweaked every possible setting and tried multiple well know AV's.
Forget AV's and get a good FW and with a well tuned host file, and well tuned common sense.
E:V:A said:
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.
To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.
Click to expand...
Click to collapse
Really, I dont want to do this again, this conversation.
Most stupid people don't realize they are stupid, they assume they are smart. (We are all stupid in some regards).
I think I could endanger a user from root, pretty sure I can either screw the phone up, or possibly catch it on fire. If it had a sim in it, and was on the network I am certain I could make them regret ever rooting their device.
Here is a question, how many of you understand how these unlocks/exploits work?
I sometimes leave messages hidden in mine, and have only had ONE person reply to the hidden message, out of 100,000s of runs. People don't even know what they are running to gain root, let alone any idea what these "rom devs" do.
Open source is the answer right? Everyone can read the code, and everyone does! Thats why no backdoors or vulns have ever been in open source projects. Every open source project gets a line by line audit by a team of security professionals.</sarcasm>
I'll join back in when someone shows me a custom rom/open device that has the same or better security precautions taken by leading ODMs. Until then, it is generally just as easy or (generally) easier to abuse and exploit one of these custom roms floating around.
stefeman said:
Reading all this, it makes me wonder if the antivirus apps help at all..
Click to expand...
Click to collapse
Won't help a lick for anything originating from a government.

Categories

Resources