Security News Daily: First Known Android Drive-By Download Found - Android General

http://www.securitynewsdaily.com/1805-android-driveby-download.html

I'm wondering if you have your browser's user agent set to desktop or ios, does it still do the redirect or does it just see the browser has something else?

boborone said:
I'm wondering if you have your browser's user agent set to desktop or ios, does it still do the redirect or does it just see the browser has something else?
Click to expand...
Click to collapse
Though I don't know exactly how these exploits work, your question seems valid to me. Hopefully mobile security developers are testing this. I would think that a user agent value of iOS or Android would be most likely to invoke such an exploit when it is aimed at mobile devices.
On my phone, I rarely use a web browser. When I do, it is Firefox with the Phony extension (which lets me change the user agent), and I mostly browse via bookmarks.
Would I have the vigilance and stamina to change to a presumed safer user agent (e.g., Firefox desktop) when I browse to each domain I don't trust? If I could automate the change, yes. Otherwise, maybe not.

Looks like its a page sending an apk to be downloaded. Some browsers like the system on in GB will auto start downloads, Dolphin HD and possibly others will display a prompt before downloading unless these sites have found some exploit.
In order to be infected the user would not only have to download the apk, but also accept the installation notice. A malicious apk file that isn't installed doesn't pose any threat. Its safer than websites that try to send executables to a Windows machine, because those files will post a threat before being installed.
All OSes have their weaknesses, iOS jailbreaks through the browser showed some pretty serious security flaws being exploited.

Major weekness, no, not all. But one that could potentially harm the tech illiterate? Yes. Not all people understand the consequences of clicking links in email. Those who don't would be the ones who this would infect.
"oh something just popped up on my phone.......
it says "better browsing".........*clicks ok
ummm, "Do you wish to install "A Faster Internet".......*clicks ok"
Infected.
spunker88 said:
Looks like its a page sending an apk to be downloaded. Some browsers like the system on in GB will auto start downloads, Dolphin HD and possibly others will display a prompt before downloading unless these sites have found some exploit.
In order to be infected the user would not only have to download the apk, but also accept the installation notice. A malicious apk file that isn't installed doesn't pose any threat. Its safer than websites that try to send executables to a Windows machine, because those files will post a threat before being installed.
All OSes have their weaknesses, iOS jailbreaks through the browser showed some pretty serious security flaws being exploited.
Click to expand...
Click to collapse

Related

Beware Firefox Aurora: check the permissions

Firefox Aurora, which will be Firefox 12, has a whole bunch of new permissions. Do you want your browser to take pictures, discover known accounts, administer accounts, etc.? Me, I just want it to render HTML while leaking as little info as possible. So, if you're concerned about privacy and security, heads-up.
This is too bad, because other than the spyware permissions, it's a big improvement over previous non-ndk Fennec, meaning actually usable.
i noticed the camera ..ect prior to installing went and checked official and beta its the same thing
not new
and the whole account ect. this has to do with new firefox sync app that comes with Aurora
so you can set up an account to sync your desktop browser to your phone
cashmundy said:
Firefox Aurora, which will be Firefox 12, has a whole bunch of new permissions. Do you want your browser to take pictures, discover known accounts, administer accounts, etc.? Me, I just want it to render HTML while leaking as little info as possible. So, if you're concerned about privacy and security, heads-up.
This is too bad, because other than the spyware permissions, it's a big improvement over previous non-ndk Fennec, meaning actually usable.
Click to expand...
Click to collapse
There are no "spyware permissions".
Permissions are just FYI, they're not telling you that an app is a spyware or not. I know sometimes it's hard to figure out why an app includes certain permissions, as a developer i can tell you that most of the times i have to add a permission in order to include code which is so poorly related to the scary permission's description.
Atm I'm having trouble with a user's review, it argued my app was malware just because new permissions were added.
In my opinion firefox products are safe and i'm using Aurora at the moment.
With this i'm not saying "go and install all the worst stuff you can find", paying attention to privacy and security is obviously a good thing... unless it turns into "android-specific-permissions-fobia", sure, because the other systems (PC, Mac, Linux, iOs, whatever) don't have user permissions so you just install a new app and stay happy.
There are a lot of apps that will request things like "read phone state and identity" that have no plausible reason for doing so except tracking/spying. Many run fine with it disabled.
I don't want to keep my bookmarks in the cloud, so the Aurora perms are just a privacy/security risk for me. Note that if a browser process is hijacked by malware, the malware will presumably inherit the permissions, making the trustworthiness of Mozilla moot.
If Aurora only needed the permissions when attempting to set up sync,
that would be tolerable for me, but it crashes on startup without them.
i set up one time sync to transfer bookmarks
then went to sync under the setting witch brings me to my OS account/sync menu
and disabled from attempting sync it still working fine for me
you can also delete the sync account also and still works fine
sync is not integrated into the browser for some reason maybe because it still alpha
but its integrated into official and beta browser and don't have these permission you're worrying over nothing
Actually Aurora got Sync back a few nightlies ago: now you have an icon in Programs and it's in Settings - Account too. Sync is the main reason I use FF on Android, it's brilliant!
I'm sure a lot of people are not concerned with security, data-harvesting, etc. I am, and some other folks must be also or CM wouldn't have added permissions management. A lot of things work fine with half their permissions disabled (Firefox being one). Others don't. Audible, for example, just won't run without "read phone state." I guess Amazon really wants that IMEI #.
Maybe they will patch Aurora so it will run without accounts access unless you try to set up sync.
Google's whole business model is based on data-harvesting. The ICS stock Music Player won't even work at all until you sign in.
Not everyone wants to be monetized in exchange for convenience.
Mozilla is trustworthy enough, they are a non-profit open source company that has been around for years, I'm sure they have a legit reason for the permissions.
Solution = who uses firwdox anyway?.. Boat browser!
Sent from your bedroom with my GT-I9100
Boat is what I mostly use. It wants a lot of permissions but runs just fine with them disabled. I was using Aurora as much as possible until I discovered the permissions.
Boat also stores bookmarks locally, and can save/restore from sdcard, just what I want. No shipping them off to Google or wherever they go for me, thanks.
Why would anyone use Firefox anyways?
It's slower than the default browser and it STILL doesn't support FLASH!
Odd how suddenly permissions became an issue when android decided to tell you what permissions are requested, yet before when you had your nokia/htc/motorola running other OS's, you would install any crap and not worry about it. What is the developer gonna do? Hack naked pics of your gf from your phone? Phone your friends and prank them? Show your mom you browsing dodgy pornsites from her pretty new android phone? Seriously now, everyone is making such a huge fuss about this its bordering on conspiracy paranoia
I put this posting up as a heads-up for my fellow paranoids, people who actually think about who might get their credit/phone/ssn/email etc., not for the benefit or convenience of app writers. It's like the whining from Swype about how they really needed accurate imeis or whatever so they could count unique installs. And dear Google wants everything they can get, now in one convenient location, so and only so they can serve you the right ads, and you can trust that they will never decide to more directly realize the huge shareholder value locked up there, and that they will never be cracked.
Privacy and security are like a gun: you don't need them until you *really* need them.
cashmundy said:
I put this posting up as a heads-up for my fellow paranoids, people who actually think about who might get their credit/phone/ssn/email etc., not for the benefit or convenience of app writers. It's like the whining from Swype about how they really needed accurate imeis or whatever so they could count unique installs. And dear Google wants everything they can get, now in one convenient location, so and only so they can serve you the right ads, and you can trust that they will never decide to more directly realize the huge shareholder value locked up there, and that they will never be cracked.
Privacy and security are like a gun: you don't need them until you *really* need them.
Click to expand...
Click to collapse
I understand your point of view, what i can't understand is why some people scream "beware spyware!" while they actually have no proofs at all.
permission + permission = spyware, it's a weird math which tends to damage developers and the whole android's world.
cashmundy said:
I put this posting up as a heads-up for my fellow paranoids, people who actually think about who might get their credit/phone/ssn/email etc., not for the benefit or convenience of app writers. It's like the whining from Swype about how they really needed accurate imeis or whatever so they could count unique installs. And dear Google wants everything they can get, now in one convenient location, so and only so they can serve you the right ads, and you can trust that they will never decide to more directly realize the huge shareholder value locked up there, and that they will never be cracked.
Privacy and security are like a gun: you don't need them until you *really* need them.
Click to expand...
Click to collapse
Scared your mom/wife/girlfriend sees an add for fleshlight while playing angry birds? Seriously this is a joke, 99% of developers dont give a rats ass about your bank account, email, pvt sexts. All we want is to deliver an application that would benefit the the community, and warnings like these would be the reason ppl move to other platforms because it spreads the idea that Android is an unsecure platform. So what if it logs which sites you visit? Firefox is one of the software applications that brought OSS software into the mainstream. It has been long established as more secure than IE. If it wasnt for software like this, we would not have had an open platform for our devices, making them much more affordable
Magnumutz said:
Why would anyone use Firefox anyways?
It's slower than the default browser and it STILL doesn't support FLASH!
Click to expand...
Click to collapse
+1 both Firefox and this Aurora are horrible browsers. Firefox team needs to get their **** together. Opera is just SO MUCH better. fast, easy, pretty much all options, hardware acc., flash, , and not once it slowed down or crashed on me.
firefox is supporting HTML5 (without h.264 because of licence) and flash is just added, it's still buggy because of AURORA. Aurora is very buggy as you noticed, lets think why? Oh, yes, it's just an alpha relase not even beta. I'm usin firefox beta in my mba 11" and old school 19" pc and both uses sync (which is amazing) I'm also giving feedback all the time with reports, logs and surveys. In mobile I was using dolphin but I can see posibilities.
Firefox is coming with steady steps. Everyone knows ff, and also chrome. Chrome just relased v.17 for pcs and macs. but still no mobile (except ICS beta) (also chrome is a google product and gathers your datas so many times more than firefox) I want to say people could remember time gaps between 3.5 and 3.6 and 4.0 of firefox and you see, now they are relasing new versions on few months which is very good (because now you don't need to wait new features for 5 months or you don't need to install minefield etc.)
About permissions, yes new permissions could be dangerous but hey, these permissions for give you something new like sync, flash plugin or new features. Mozilla is trustworhty and helpful. They are bringing Free Internet Space for years and you can't say they are spying us. there is versions for qr droid, with/without some permissions, maybe firefox can do samething for paranoids.
Also yes I'm supporting and defending firefox but no, I'm not a fanboy, at least I'm still using dolphin for manything and also safari.
Magnumutz said:
Why would anyone use Firefox anyways?
It's slower than the default browser and it STILL doesn't support FLASH!
Click to expand...
Click to collapse
The alpha supports flash and is huge improvement over official and beta that is currently on market
Sent from my Nexus S using xda premium
I use "spyware permissions" in a pretty loose sense of "permissions which are not clearly essential to the core functionality of the app". I agree that Mozilla is trustworthy, moreso because you can read the source. But the browser is the most internet-facing and thus most dangerous app, most likely to be cracked, most likely to have access to lots of personal info, so needs to receive the closest privacy /security scrutiny.
Unlike the Facebook crowd, I look at my info as my property, and ask not why I should not share my info with the world at large, but why should I, what benefit do I receive in exchange for giving away what someone else can monetize (the whole Facebook/Google business model) and which may do me real harm if for example app writers Ivan Ivanovich and his friend Bala Babangida turn out to be not such nice guys, and use my info to send me spam texts or clean out my bank account.
Case in point: Google+ app just added "record audio", but the app doesn't have any audio capability, you can't record and post a sound. I remembered that some years back Google wanted to be able to record audio on laptops, "purely for analytical purposes". That didn't fly back then. I uninstalled Google+.
cashmundy said:
I use "spyware permissions" in a pretty loose sense of "permissions which are not clearly essential to the core functionality of the app". I agree that Mozilla is trustworthy, moreso because you can read the source. But the browser is the most internet-facing and thus most dangerous app, most likely to be cracked, most likely to have access to lots of personal info, so needs to receive the closest privacy /security scrutiny.
Unlike the Facebook crowd, I look at my info as my property, and ask not why I should not share my info with the world at large, but why should I, what benefit do I receive in exchange for giving away what someone else can monetize (the whole Facebook/Google business model) and which may do me real harm if for example app writers Ivan Ivanovich and his friend Bala Babangida turn out to be not such nice guys, and use my info to send me spam texts or clean out my bank account.
Case in point: Google+ app just added "record audio", but the app doesn't have any audio capability, you can't record and post a sound. I remembered that some years back Google wanted to be able to record audio on laptops, "purely for analytical purposes". That didn't fly back then. I uninstalled Google+.
Click to expand...
Click to collapse
Best you can do is contact the developers and ask them about the permissions included. If Ivan Ivanovich & Bala Babangida say their notepad is not able to work without your bank account then ok, let's warn all the other people.
Probably you won't have any reply from google but most of the developers (or app writers, as you prefer) are just glad to answer via email since they're not allowed to reply in the android market.
Instead, the actual scenario is more and more devs who get their clean apps targeted as malware and users who get paranoid by reading too many reckless comments.
In general, devs are not wolfs and users are not sheeps... otherwise there were no open sources (eg Mozilla), no android, no xda-developers!

[Q] javascript / browser security advice.

Hey guys, I'm currently using a HTC sensation with the default browser.
The other day a website I was on redirected me to an untrustworthy site which then (via javascript) started an automatic download (virus) I quickly killed my connection and deleted the partial download.
So on my PC I run Google chrome with a "click to play" plugin to avoid rogue javascripts, I am looking for something similar for my phone.
I know chrome is available for my phone however it does not support flash player which is a requirement, I am aware my current browser has a "on demand" option for plugins but I have tested it and it doesn't work.
I tried opera today and couldn't get along with it.
Could anyone tell me the best way to control what gets downloaded from websites on my phone.
Thankyou in advance for any helpful replies. D
I mean, maybe I have been amiss, but I was under the longstanding impression that hijacks, viruses, and all such malware really didn't effect Linux systems. Like, at all.
Well I don't know much about these operating systems but an executable that downloads itself is not something I want on my phone, regardless of its capabilities.
It was an android application package I do not know if its able to extract itself or if it relies on the user to click on it in the download section, don't know what it installs but I'd rather not find out.

[HACK] Flash on Any Website in IE10 Metro Browser [WIN 8 & WIN RT]

Dear all,
As we all know Windows RT/8's IE Metro browser has limited flash support based on a whitelist. However a lot of sites are not (yet) whitelisted and hence do not work as desired. So I did some digging in the whitelist mechanism and found a way to hack it.
Be sure to follow the following steps in respective order:
Open Desktop IE10 type ALT --> Tools --> Compatibility View settings. Now UNCHECK the last checkmark which says: "Download updated compatibility list from Microsoft". If you have done this, you will be able to locally change the whitelist without getting overridden.
WARNING: If this checkbox is checked IE will override your custom whitelist back to default on each rebout, so be sure to uncheck it..
The whitelist is named "iecompatdata.xml" and is located in this path (copy + paste in File Explorer or IE10)
Code:
%HOMEPATH%\AppData\Local\Microsoft\Internet Explorer\IECompatData\
(Alternatively open File Explorer and search in C:\ for "iecompatdata")
As suggested by danchar4, you can open and edit this file directly with Notepad by pressing WIN + R and type:
Code:
notepad "%HOMEPATH%\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml"
All whitelisted flash enabled websites are located in this file inbetween the following tags:
Code:
<Flash>
[...]
<domain>zumiez.com</domain>
<domain>zynga.com</domain>
</Flash>
To add a website to the whitelist, all you do is add your desired website inside these tags as follows:
Code:
<domain>YOURDESIREDDOMAIN.COM</domain>
Add as many websites as you desire...
Now we are almost done, one last task is to delete browsing histroy. Open IE10 Metro and click WIN+I (to open settings) --> Internet Options —> Delete browsing history
And you are all set and done. Flash is now enabled in IE10 Metro for the websites you have added to the whitelist!
Of course as with any hack, attempt only at your own risk. I am not responsible in case faulty behaviour occurs... That said, it should be fine
Kind regards,
Marvin
Trouble shooting + faq
TROUBLE SHOOTING + FAQ
I tried to do these steps but it does not work on www.website.com...
Click to expand...
Click to collapse
If the flash content is embedded as an iframe, be sure to also add the domain of the source of the flash content. E.g. be sure to also add the website where the iframe links to to the whitelisted sources, this is what will eventually determine whether flash will be activated or not for this website.
Does this method work for www.website.com?
Click to expand...
Click to collapse
If 'website.com' uses a standard flash plugin (e.g. if you can view the flash content on a normal desktop with just the standard adobe flash player plugin) it will work with this method. All this method does is activating the built in flash plugin for any website you have added to the whitelist.
I can not find the file "iecompatdata.xml"
Click to expand...
Click to collapse
If you can't find this file be sure to enable "show hidden files", this folder will show up now. Alternatively you can find it by searching C:\ for the query "iecompatdata", the file will now show up.
I have added www.website.com to the whitelist, but it does not work!
Click to expand...
Click to collapse
Be sure to delete your browsing history and refresh the page. If it does not work now, please be sure to check if you have added the website correctly (e.g. within <domain> tags).
After I have rebooted my computer, I have lost my custom whitelist!
Click to expand...
Click to collapse
Make sure you have UNCHECKED the last checkmark in "Compatibility View settings" which says: "Download updated compatibility list from Microsoft". If you have done this, you will be able to locally change the whitelist without IE overriding it automatically.
Marvin_S said:
After more thorough testing, I found that a domain with a wildcard will not work i.e.
Code:
<domain>*.com</domain>
Does not allow flash to work on all .com sites... so this solution is out of the window, unless somebody knows if a wildcard in this list is supplied differently. I could not find anything in the documentation regarding the use of wildcards in this list, so most likely its not supported.
Alternatively, we could create some kind of "community" maintained whitelist, where anybody can just add any website and we will then point IE10 to download a whitelist from this community maintained source (instead of from Microsoft).
Click to expand...
Click to collapse
Thanks so much for this work. I remember u from ur past work on wp7/7.5 on here. Thanks again. I almost called MS lite to return my surface because of this stupidity. Are they like apple or what? Trying to decide what u can do and what u can't is a v.stupid idea and whoever decided this at MS should be fired. If I wanted a prison garden, I'd buy an iPad.
---------- Post added at 12:43 PM ---------- Previous post was at 12:34 PM ----------
Now if I can find an easy way to block the ads ill be really happy. These ads are so invading. I didn't realize how much firefox with adblock was until I had to us IE for the last 3 days. quite annoying as it makes content loading so slow.
xirsteon said:
Thanks so much for this work. I remember u from ur past work on wp7/7.5 on here. Thanks again. I almost called MS lite to return my surface because of this stupidity. Are they like apple or what? Trying to decide what u can do and what u can't is a v.stupid idea and whoever decided this at MS should be fired. If I wanted a prison garden, I'd buy an iPad.
---------- Post added at 12:43 PM ---------- Previous post was at 12:34 PM ----------
Now if I can find an easy way to block the ads ill be really happy. These ads are so invading. I didn't realize how much firefox with adblock was until I had to us IE for the last 3 days. quite annoying as it makes content loading so slow.
Click to expand...
Click to collapse
Your welcome. Glad it was helpful, yes I have been less active due to obligations at the univerisity. If we find a better solution we will let you know.
Some kind of adblocker is also integrated in Internet Explorer. Go to Manage add-ons and then to Tracking Protection. Now download a couple of adblock lists. It is not as good as chrome/ff, but it gets the job done for the most part!
And take some time to get used to your new machine, its a beautiful device and only yet people are starting to explore it and develop for it. It will for sure be a highly demanded device and will most likely reach a lot of developer/hacker interest.
xirsteon said:
Are they like apple or what? Trying to decide what u can do and what u can't is a v.stupid idea and whoever decided this at MS should be fired. If I wanted a prison garden, I'd buy an iPad
Click to expand...
Click to collapse
The restriction against other browsers is equally disturbing.
See here: http://news.cnet.com/8301-1001_3-57431236-92/microsoft-bans-firefox-on-arm-based-windows-mozilla-says/
Even Google, who loves to push their own brand name through Chrome, saw the wisdom of allowing the customer freedom.
Lets not forget what, in large part, created Android's success - people jumped ship from Apple because they saw Android as an OS that allowed the consumer as much or as little customization as you want - you want it simple - they present a good out of box experience - you want something more, you can make changes.
We don't need two walled gardens.
Eh, that's just the restriction against third-party desktop apps. Mozilla even acknowledges that they could build a Windows Store app, and in fact they're apparently doing that (http://news.cnet.com/8301-30685_3-57376421-264/coming-in-2012-firefox-for-windows-8s-metro/)... just for some reason they're doing it only for x86. Since Store apps, even for RT, are allowed to use native C/C++ and the compiler supports building them for ARM, I'm really not sure why they don't just recompile it for RT. Yeah, their JavaScript JIT would need to be changed, but they already have a JIT for ARM don't they? That's equally relevant for Firefox on RT in the Desktop or in "Metro" anyhow, so it would be a stupid thing to complain about. In any case, they could just fall back to interpreted JS.
Installed Chrome Browser
GoodDayToDie said:
Eh, that's just the restriction against third-party desktop apps. Mozilla even acknowledges that they could build a Windows Store app, and in fact they're apparently doing that (http://news.cnet.com/8301-30685_3-57376421-264/coming-in-2012-firefox-for-windows-8s-metro/)... just for some reason they're doing it only for x86. Since Store apps, even for RT, are allowed to use native C/C++ and the compiler supports building them for ARM, I'm really not sure why they don't just recompile it for RT. Yeah, their JavaScript JIT would need to be changed, but they already have a JIT for ARM don't they? That's equally relevant for Firefox on RT in the Desktop or in "Metro" anyhow, so it would be a stupid thing to complain about. In any case, they could just fall back to interpreted JS.
Click to expand...
Click to collapse
I am not sure if this adds anything to the discussion. I don't own a Windows RT machine, but I was in Office Depot the other day looking at their devices. They had a Samsung ATIV Smart PC on display. So, I messed around with if for a while. I had read that other browsers were forbidden on the RT. I thought, I wonder if Google Chrome will run? So I installed it off the internet and it worked.
My question is this: Is it just the MS RT the locks itself down? Why did the Samsung allow me to D/L and install Chrome?
davehries said:
My question is this: Is it just the MS RT the locks itself down? Why did the Samsung allow me to D/L and install Chrome?
Click to expand...
Click to collapse
the software restrictions should be the same, the other limitation is that you can't just download x86 software and install it on the RT because x86 doesn't run on ARM processors, are you absolutely certain you were on an ATIV tab running Windows RT or just a samsung tablet running Windows 8 with an x86 processor? If it was already possible to install chrome on Windows RT it'd be all over the internet.
davehries said:
I am not sure if this adds anything to the discussion. I don't own a Windows RT machine, but I was in Office Depot the other day looking at their devices. They had a Samsung ATIV Smart PC on display. So, I messed around with if for a while. I had read that other browsers were forbidden on the RT. I thought, I wonder if Google Chrome will run? So I installed it off the internet and it worked.
My question is this: Is it just the MS RT the locks itself down? Why did the Samsung allow me to D/L and install Chrome?
Click to expand...
Click to collapse
it's the samsung smart PC running on x86 hardware? (clovertrail or i5) if it is, then it's running full windows 8 and you can install any legacy apps (like chrome/ff) to your hearts content.
not to go off topic too much, but as to the earlier comment about freedom and choice being the reason android gained so much marketshare so fast. it has more to do with the combination of cheap handsets and carrier penetration, at a time when the iphone was locked to one network in the US and blackberry was slowly falling out of the consumer mindshare. yes, people like us who frequent xda might have moved to it because of the openness of the platform, but the mainstream market really doesn't care about that.
Guys, we are wandering too far off topic. I appreciate the discussion, but please let it be (somehow) related to ways of enabling flash on IE10 on Win RT and 8. The limitations of Windows RT are better to be discussed in appropriate threads
Did anybody do an experiment with this compatibility list? Or tried to deactivate it in its entire? A systems admin or IT pro might no some more details on this?
Marvin_S said:
Guys, we are wandering too far off topic. I appreciate the discussion, but please let it be (somehow) related to ways of enabling flash on IE10 on Win RT and 8. The limitations of Windows RT are better to be discussed in appropriate threads
Did anybody do an experiment with this compatibility list? Or tried to deactivate it in its entire? A systems admin or IT pro might no some more details on this?
Click to expand...
Click to collapse
I added several websites and it worked fine. I'm a bit bummed as I think MS will find a way to over write the xml file in a masquerade windows update. As far as deactivation is concerned, I thought about making a backup of the xml file, and completely deleting the original to see if it works at all. What do u think?
xirsteon said:
I added several websites and it worked fine. I'm a bit bummed as I think MS will find a way to over write the xml file in a masquerade windows update. As far as deactivation is concerned, I thought about making a backup of the xml file, and completely deleting the original to see if it works at all. What do u think?
Click to expand...
Click to collapse
It might work, but I assume it will just deactivate compatibility view in its entire and hence disable flash for all sites. But its worth the try Let me know if it works!
Marvin_S said:
It might work, but I assume it will just deactivate compatibility view in its entire and hence disable flash for all sites. But its worth the try Let me know if it works!
Click to expand...
Click to collapse
Well I created a local account to test this. Backup the file and deleted the original. All the blacklisted sites didn't work. So its not 100% possible yet but I bet there's a reg option or even a security policy (secpol.msc) that will turn this check off completely. Perhaps a bit of poke around will yield some insights. I looked in secpol and didn't find anything. So that leaves the registry up for grabs unless they're pulling that wp hidden / reg lock down thing.
xirsteon said:
Well I created a local account to test this. Backup the file and deleted the original. All the blacklisted sites didn't work. So its not 100% possible yet but I bet there's a reg option or even a security policy (secpol.msc) that will turn this check off completely. Perhaps a bit of poke around will yield some insights. I looked in secpol and didn't find anything. So that leaves the registry up for grabs unless they're pulling that wp hidden / reg lock down thing.
Click to expand...
Click to collapse
i bet its hidden, since if you want to add a developer website to test flash on you will have to create a reg key in a non existing folder in the ie registry settings called FLASH, so I guess thats the hidden folder. But I wonder if it is possible to somehow trace these folders. I personally dont know anything about the entire mechanism behind the comapibility view. I just discovered it by accident by figuring out where the whitelist was located. So far it seems that it does not take wildcards for domains and also shutting down the list in its entire does not seem to work. We can try to add a 'blank' domain but I doubt it will work.
Doesn't work for me
I am doing just as instructed. I do not know why it doesn't for me. I tried movie2k.to and myp2p, ibliz. None of them work
Marvin_S said:
It might work, but I assume it will just deactivate compatibility view in its entire and hence disable flash for all sites. But its worth the try Let me know if it works!
Click to expand...
Click to collapse
More likely is that it will download the default list, or the current list. I don't really see compatibility view as an issue. What you are getting is the ability to use the major Flash-enabled sites without any of the ad sites, built-in as opposed to using third-party solutions.
mechmouni said:
I am doing just as instructed. I do not know why it doesn't for me. I tried movie2k.to and myp2p, ibliz. None of them work
Click to expand...
Click to collapse
Make sure you follow each step correctly. It has been tested and confirmed working by lots of people, on both Windows RT and Windows 8. Make sure you delete browsing history.
Marvin_S said:
Alternatively, we could create some kind of "community" maintained whitelist, where anybody can just add any website and we will then point IE10 to download a whitelist from this community maintained source (instead of from Microsoft).
Click to expand...
Click to collapse
Here you can add sites: http://minecraft.digiex.org/flash/
And here is the list itself: http://minecraft.digiex.org/flash/iecompatviewlist.xml
Working with Nuduaa on a auto downloader script to autoupdate it every now and then on the surface.
jessenic said:
Here you can add sites: http://minecraft.digiex.org/flash/
And here is the list itself: http://minecraft.digiex.org/flash/iecompatviewlist.xml
Working with Nuduaa on a auto downloader script to autoupdate it every now and then on the surface.
Click to expand...
Click to collapse
Awesome! Now I just have to wait for MS to ship me a damn Surface
If it is done (and there is some automation) I will add it to the first post!
Thank you for maintaining the list. This is great guys... good work!
Does anybody know if Windows RT allows the creation of custom extensions?
help
I am following the steps yet I can't find the place in c drive as described on my surface.

Can anyone recomend a trusworthy secure browser for android?

Hi,
So I trust the AOSP browser but it's not the greatest security wise, It only updates vulnerabilities with the system update which manufacturers don't always do .
Chrome is updating regularly but I don't like the fact that it's googles, so lets say that I don't trust it.
Firefox sounds great but it crashes on my system (different thread).
there is also some UA browser from china but as far as i understand it has problems both in security and in trustworthiness (it constantly sends your info to some server).
Umm I remember encountering some more but they were all basically forks of those primary three .
anyone knows anything?
thank you.
I would suggest Private Browser by Keepsolid Inc. It may be a branch of one of your aforementioned browsers, but it works. I dunno, it receives constant updates, and it protects everything you do from what I have experienced. Try it out...
Link: https://play.google.com/store/apps/details?id=com.keepsolid.privatebrowser
Sent from my LGE VS425PP using XDA Labs
thank you!
I may have forgot to add the word "free".
A free browser.
anyway, I checked it out and I'm not sure, it looks like a chrome version. am i wrong?
I'll admit, I'm a bit wary since this looks like a small company/unknown product. not much talk about them.
oy-ster said:
thank you!
I may have forgot to add the word "free".
A free browser.
anyway, I checked it out and I'm not sure, it looks like a chrome version. am i wrong?
I'll admit, I'm a bit wary since this looks like a small company/unknown product. not much talk about them.
Click to expand...
Click to collapse
Well, I haven't used it. You might try using a low end private browser. Just search "Free Private Browser" in play store... You should get some results
thx
Puffin Browser or Dolphin Browser. I used to use Dolphin but it got buggy. I don't know how it is now, but I've heard they added Flash support. Puffin browser has Flash support and renders sites well. It also has gaming controls and a touchpad mouse control.
Firefox has the additional benefit that the uBlock Origin extension works. The Chrome version only works with desktop, not mobile
FanboyStudios said:
Puffin Browser or Dolphin Browser. I used to use Dolphin but it got buggy. I don't know how it is now, but I've heard they added Flash support. Puffin browser has Flash support and renders sites well. It also has gaming controls and a touchpad mouse control.
Click to expand...
Click to collapse
thx for the response. am i to understand correctly that puffin browser direct all of your traffic through its servers?
also, do you have any particular reason to trust Dolphin or is it just general experience? (I vaguely remember the company was spying after user urls, or something similar, some years back ).
oy-ster said:
thx for the response. am i to understand correctly that puffin browser direct all of your traffic through its servers?
also, do you have any particular reason to trust Dolphin or is it just general experience? (I vaguely remember the company was spying after user urls, or something similar, some years back ).
Click to expand...
Click to collapse
I don't know if Puffin directs traffic through it servers, but I do know that Opera Mini does.
Opera Mini is also a good browser. I'm on Tracfone (on my main phone) and I get 1200mb per year. Divided up, its 100mb per month. To add data it cost about $33.33 per gig. It's highly overpriced.
As for Dolphin, back a few years ago I was looking for a browser that would render desktop sites like on a desktop. Dolphin did better than Firefox for me at the time so I used it. It also had some add-ons that I used as well and the features were nice.
Chrome was to slow and buggy to use, Firefox was a little slow, and I didn't like Opera (not talking about the mini version which I liked). Opera got rid of bookmarks (which I more frequently used) and just overall kind of sucked.
If you're wanting privacy, you're best to stay away from using Tor ( the government recently developed a new system for tracking Tor users). I wouldn't recommend proxies either (as some are malicious and want to snoop). Use a VPN instead, there's many to choose from and some may be more private than others. Some are free and some don't require an app to use (as they use android's built-in VPN settings). Be sure to do your research first.
FanboyStudios said:
I don't know if Puffin directs traffic through it servers, but I do know that Opera Mini does.
Opera Mini is also a good browser. I'm on Tracfone (on my main phone) and I get 1200mb per year. Divided up, its 100mb per month. To add data it cost about $33.33 per gig. It's highly overpriced.
As for Dolphin, back a few years ago I was looking for a browser that would render desktop sites like on a desktop. Dolphin did better than Firefox for me at the time so I used it. It also had some add-ons that I used as well and the features were nice.
Chrome was to slow and buggy to use, Firefox was a little slow, and I didn't like Opera (not talking about the mini version which I liked). Opera got rid of bookmarks (which I more frequently used) and just overall kind of sucked.
If you're wanting privacy, you're best to stay away from using Tor ( the government recently developed a new system for tracking Tor users). I wouldn't recommend proxies either (as some are malicious and want to snoop). Use a VPN instead, there's many to choose from and some may be more private than others. Some are free and some don't require an app to use (as they use android's built-in VPN settings). Be sure to do your research first.
Click to expand...
Click to collapse
Thank you, that is an interesting info.
In terms of privacy, don't you worry about Operas handling of your information?
About TOR I don't know if I wanted to use it but I am a little interested in the subject, what recent government technique are you referring to? I did a google search but I'm not sure what is new...
And you right, I do want privacy, but involving a third party like a VPN... Unless I'm on a public wifi... how smart is that? I thought about the old fashioned device-trusty browser-my router/provider antena -my isp- the requested website model...
Anyway at the moment I need a secure browser.
oh and thx.
Nathan2 said:
Firefox has the additional benefit that the uBlock Origin extension works. The Chrome version only works with desktop, not mobile
Click to expand...
Click to collapse
yeah I wanted them, but unfortunately it always crashes on me.
oy-ster said:
Thank you, that is an interesting info.
In terms of privacy, don't you worry about Operas handling of your information?
About TOR I don't know if I wanted to use it but I am a little interested in the subject, what recent government technique are you referring to? I did a google search but I'm not sure what is new...
And you right, I do want privacy, but involving a third party like a VPN... Unless I'm on a public wifi... how smart is that? I thought about the old fashioned device-trusty browser-my router/provider antena -my isp- the requested website model...
Anyway at the moment I need a secure browser.
oh and thx.
Click to expand...
Click to collapse
I don't worry much about Opera Mini. It's really my only option for Tracfone, since the data is so expensive. Basically I can make 100mb last more like 1gb. However some sites break, and any video I watch I watch usually in 144p.
As for Tor, it can be exploited in a number of ways. One being malicious nodes. Another is by your mouse movements. https://www.hackread.com/tracking-tor-users-with-mouse-movements/
If you really want privacy, the best way to get it is to go completely off grid. Otherwise just abandon using sites that require sign in or accounts, cookies, plugins or other scripts, and use a VPN from a public place on a computer with an amnesic operating system like Tails.
Ok, cool, thank you.
At the moment I don't need to worry about data usage (wifi), but if ever the need arises, I'll keep your idea in mind.
As for the privacy issue, well, I think I'll stave off for a while with my disappearance from the world, at least until I'll learn to properly hunt for the most dangerous game...
But yeah, I get your point.
Anyway, thanks man, , and if anyone else has any more suggestions for secure trusted browsers, that would be great.

Always Force Desktop Website Version

Is there a way to go past the website's UA checks and always load their desktop versions instead of mobile? Asking because I already set in the preferences of all my phone browsers to always load the full desktop version and still, many websites somehow know I'm using a mobile device and force the mobile version.
Anyone found solution for Dolphin or Boat browsers? I've read about "about:debug" and "about:useragent" showing extra UA menu elements which in my case does nothing (android 6). I was also unable to find an user agent switching app that could always force Desktop parameters to the websites.
Even if there's no immefiate solution, I would like to know the principle websites choose which version to load irrespective to browser settings. Is it network/data/service provider settings, or specific browser/resolution signature? Thanks a lot for any ideas.
Menergy said:
Is there a way to go past the website's UA checks and always load their desktop versions instead of mobile? Asking because I already set in the preferences of all my phone browsers to always load the full desktop version and still, many websites somehow know I'm using a mobile device and force the mobile version.
Anyone found solution for Dolphin or Boat browsers? I've read about "about:debug" and "about:useragent" showing extra UA menu elements which in my case does nothing (android 6). I was also unable to find an user agent switching app that could always force Desktop parameters to the websites.
Even if there's no immefiate solution, I would like to know the principle websites choose which version to load irrespective to browser settings. Is it network/data/service provider settings, or specific browser/resolution signature? Thanks a lot for any ideas.
Click to expand...
Click to collapse
If the problem is website's UA check, often you can choose an AdWay or something similar, on my phone i'm surprised to see as "auto check" some pop up, check and box.
But for what never stop working, that's need update every day...
There isn't much you can do in this case.
Sometimes in some browsers you've an option with whitelist or other but I do believe they can be related to the mobile display or desktop of a particular site.
Maybe there is an add-on xposed or plugin that I don't know
My problem is that some websites force the mobile version no matter what, as well as lack on services that I need in there, and you couldn't circumvent that in any way.
Yesterday I had to verify an email address and tried with all the browsers I have on my phone (like 5 different). They were all set to display the desktop version and all were forced into the mobile. But on the mobile you couldn't verify the link, probably on purpose (security if on mobile device), and I would not have access to laptop/desktop browser by the evening. The same is with many other features/missing services on forced mobile websites so I want to find a way to have full functionality when on the go.
Does AdWay have options for influencing data the browser notifies to the websites? Anything similar to Mozilla-code based Random Agent Spoofer browser add-on where you can basically force the browser to inject any incorrect data and prevent other data leaking while browsing? Any special cookie mechanisms inherent to mobile browsers only?
Alternatively, can I access browser settings with something like about:config/debug or else? Dolphin, Boat, others? I am sure the browser notifies the correct desktop user agent, there's something else, probably very simple, that tells websites the connection is from a portable device...
Menergy said:
My problem is that some websites force the mobile version no matter what, as well as lack on services that I need in there, and you couldn't circumvent that in any way.
Yesterday I had to verify an email address and tried with all the browsers I have on my phone (like 5 different). They were all set to display the desktop version and all were forced into the mobile. But on the mobile you couldn't verify the link, probably on purpose (security if on mobile device), and I would not have access to laptop/desktop browser by the evening. The same is with many other features/missing services on forced mobile websites so I want to find a way to have full functionality when on the go.
Does AdWay have options for influencing data the browser notifies to the websites? Anything similar to Mozilla-code based Random Agent Spoofer browser add-on where you can basically force the browser to inject any incorrect data and prevent other data leaking while browsing? Any special cookie mechanisms inherent to mobile browsers only?
Alternatively, can I access browser settings with something like about:config/debug or else? Dolphin, Boat, others? I am sure the browser notifies the correct desktop user agent, there's something else, probably very simple, that tells websites the connection is from a portable device...
Click to expand...
Click to collapse
I use "user agent switcher" for chrome and it always works. It requires root though.
Can you provide an example of a website that refuses to show the desktop version?
And additionally, your build.prop contains your device's information. The browser might be transmitting that information to the website.
Thank you, the build.prop info was very helpful. I am not rooted yet as I've got my new phone just less than a month ago so still exploring, but can't really find the file, even among the hidden files on the internal memory. I will explore more and see how it goes.
I am in the UK so for example one of the websites that always loads the limited mobile instead of desktop version is the one of my service provider, EE, ee. co. uk (apologies for the intervals, I'm otherwise not allowed to post it). This mobile version is too basic and 60% of what you could do on a desktop version is cut. I've been on Three Mobile and sometimes I could get their full website working, sometimes not. Other websites are let's say bbc. co. uk and other media/news/bank websites that know, no matter browser settings, you are accessing them from a portable device.
Unfortunately I do not trust Google and any of their products so avoid voluntarily and (un)intentionally handing any personal data over to them. I would have used Mozilla for Android if it was close to the functionality Boat and Dolphin browsers provide. I even contacted the Dolphin team having previously assisted them but have got no feedback whatsoever. There must be a way for editing these unusual browser settings, but as pointed out above, I suspect it has something to do will submitting device ID info from within system folders. Thus probably only browser developers could tell us how the problem could be circumvented (and hopefully at least for now, with no root).
Or the developers of addons such as the Random Agent Spoofer or the user agent switchers.
Menergy said:
Thank you, the build.prop info was very helpful. I am not rooted yet as I've got my new phone just less than a month ago so still exploring, but can't really find the file, even among the hidden files on the internal memory. I will explore more and see how it goes.
I am in the UK so for example one of the websites that always loads the limited mobile instead of desktop version is the one of my service provider, EE, ee. co. uk (apologies for the intervals, I'm otherwise not allowed to post it). This mobile version is too basic and 60% of what you could do on a desktop version is cut. I've been on Three Mobile and sometimes I could get their full website working, sometimes not. Other websites are let's say bbc. co. uk and other media/news/bank websites that know, no matter browser settings, you are accessing them from a portable device.
Unfortunately I do not trust Google and any of their products so avoid voluntarily and (un)intentionally handing any personal data over to them. I would have used Mozilla for Android if it was close to the functionality Boat and Dolphin browsers provide. I even contacted the Dolphin team having previously assisted them but have got no feedback whatsoever. There must be a way for editing these unusual browser settings, but as pointed out above, I suspect it has something to do will submitting device ID info from within system folders. Thus probably only browser developers could tell us how the problem could be circumvented (and hopefully at least for now, with no root).
Or the developers of addons such as the Random Agent Spoofer or the user agent switchers.
Click to expand...
Click to collapse
The build.prop is a text file which should be located in system/ folder. And you usually can't view the contents of that folder without root, so that's why you haven't been able to find it.
I visited ee.co.uk using chrome, and I was able to switch between the mobile and desktop version of the site without any issues, even without using the UA changing app. All I did was select "request desktop site" from the side menu.
I tried using CM's stock browser though, and just like you experienced, the same website refused to load in desktop mode. I even went as far as changing the UA in its settings menu and even that didn't work.
So all that you wrote in the last two paragraphs have been confirmed.
Right now, it's either chrome or root until the devs fix/properly implement their UA changing feature.
I was testing other browsers the whole morning here and finally reluctantly tried Firefox. Somehow its Android version never impressed me or was too buggy for me when tested before. Probably because just before going for it I tried Pale Moon and have seen that I can readily edit just about everything via about:config. The Pale Moon's UI settings menu was however completely missing (probably a bug), along with no other controls, so I had to skip it.
So I am glad to report that using Firefox's "Request desktop website" option I finally was able to load desktop versions of websites that were forcing me to always have their mobile one instead. This means that Firefix for now becomes my main browser. As suggested by you, I tried first with Chrome but with no success (using its internal user agent options). There were a few Chrome user agent switchers in the market but although some of them did not explicitly require root, upon starting them they did so I had to uninstall them.
My question yet remains, what exactly tells websites not to load full version, even if browser's user agent reports the correct values. I will leave this to me as I go deeper into this. Glad to have got what I wanted
Thanks a lot for all your help.
Just to add for all having my problem and using Firefox for Android.
By default Firefox will always load the mobile website version and every time you will need to tick "Request desktop site" if you dislike it. As I do, there is an addon called "Desktop by Default" that will always keep the tick on for you. You may instead try creating a new string called "general.useragent.override" adding a desktop OS signature but it won't work (tested by me) for exactly the same websites I had issues with above, so do use the addon instead. It will however work for all other websites that don't have issues with Desktop mode on other browsers.
There is another string that I disabled also called general.useragent.site_specific_overrides.
Tweaking with the Chrome for Android settings seems to require root so Firefox in my case is a God bless. I hope this is helpful to all others with my issue...

Categories

Resources