Hello I am an entrepreneur and I am trying to determine technical feasibility of an application idea. If this is viable, I am willing to hire developers.
Please let me know if this is feasible.
The basic idea is an app that blocks users from opening other apps for a specific time period. for example, you open an app, determine the time frame that you do not want to allow yourself to be on facebook. save the information. then if you try to access the facebook android app, you will get a notification from the other app that says you cannot access the app turning the specified time period.
I'm aware of the sandbox structure but I want to know if permissions can be altered so that the information entered in one app can block facebook usage for a set time.
I greatly appreciate this.
Luke B
I am not familiar with Android per se, but am pretty familiar with several comparable app sandboxing schemes.
Sandboxing is specifically used to prevent this kind of thing. If you go low-level (break\mod the operating system), you can go around it.
Low-level techniques are not "mainstream" and will not work for a consumer app, as most users will not be willing to run in a custom configuration required for this to work.
sorry bro me not familr
Executive Summary
The future is here, and ahead of schedule. Come join us, the weather's nice.
This blog post describes the installation and configuration of a prototype of a secure, full-featured, Android telecommunications device with full Tor support, individual application firewalling, true cell network baseband isolation, and optional ZRTP encrypted voice and video support (ZRTP does run over UDP which is not yet possible to send over Tor, but we are able to send SIP account login and call setup over Tor independently).
Aside from a handful of binary blobs to manage the device firmware and graphics acceleration, the entire system can be assembled (and recompiled) using only FOSS components. However, as an added bonus, we will describe how to handle the Google Play store as well, to mitigate the two infamous Google Play Backdoors.
Introduction
Android is the most popular mobile platform in the world, with a wide variety of applications, including many applications that aid in communications security, censorship circumvention, and activist organization. Moreover, the core of the Android platform is Open Source, auditable, and modifiable by anyone.
Unfortunately though, mobile devices in general and Android devices in particular have not been designed with privacy in mind. In fact, they've seemingly been designed with nearly the opposite goal: to make it easy for third parties, telecommunications companies, sophisticated state-sized adversaries, and even random hackers to extract all manner of personal information from the user. This includes the full content of personal communications with business partners and loved ones. Worse still, by default, the user is given very little in the way of control or even informed consent about what information is being collected and how.
This post aims to address this, but we must first admit we stand on the shoulders of giants. Organizations like Cyanogen, F-Droid, the Guardian Project, and many others have done a great deal of work to try to improve this situation by restoring control of Android devices to the user, and to ensure the integrity of our personal communications. However, all of these projects have shortcomings and often leave gaps in what they provide and protect. Even in cases where proper security and privacy features exist, they typically require extensive configuration to use safely, securely, and correctly.
This blog post enumerates and documents these gaps, describes workarounds for serious shortcomings, and provides suggestions for future work.
It is also meant to serve as a HOWTO to walk interested, technically capable people through the end-to-end installation and configuration of a prototype of a secure and private Android device, where access to the network is restricted to an approved list of applications, and all traffic is routed through the Tor network.
It is our hope that this work can be replicated and eventually fully automated, given a good UI, and rolled into a single ROM or ROM addon package for ease of use. Ultimately, there is no reason why this system could not become a full fledged off the shelf product, given proper hardware support and good UI for the more technical bits.
Click to expand...
Click to collapse
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
Pretty much what Guardian ROM is doing. I look forward to all the new builds
Truth. Transparency. Technology
The versatile Internet and the overall web has changed the way we live and work over the previous decade or something like that. Going virtual means more than simply assembling data. Today, it means being a dynamic operators, one who is in steady and continuous cooperation with others online and on the go. Progressively, the capacity to take your web-life out and about is the standard. Portable applications are pretty much as basic as the standard PC and tablet applications -- Kingroot
Regular more android clients are rooting their gadgets, giving them the capacity to evacuate transporter introduced bloatware, tweak client interfaces, switch bearers and introduce custom applications. In straightforward terms, "rooting your android" implies introducing a "SU" application that gives you the "root" authorizations to your gadget. "Super User" status gives you lifted consents and can adjust pretty much any piece of your android's working framework. There are such a large number of applications that permit you to root your android gadgets.
On the off chance that you are hoping to attest more prominent control over your root android gadgets, one of the most ideal methods for doing as such is to introduce and application that permits you to root your gadget. A root android can give you extensive ability as you participate in your everyday life on the web. There are numerous such android root applications, so it is vital to fare thee well in selecting the one that you at last choose Kingroot to download.
To be sure, new apps seem to be appearing all the ideal opportunity for pretty much everything. Huge numbers of them can be entirely valuable in the event that you recognize what's in store before you download them. Rooting your gadget gives you finish control over your android working framework and fills your heart with joy to-day undertakings a considerable measure less demanding to deal with more speed, more battery life and access to the most recent android programming upgrades and applications.
You ought to never feel overpowered by the numerous choices you see before you when searching for simply the privilege application. We have the arrangement! Instead of investigating every one of them actually, engineers have assembled the most recent and most prominent android rooting applications on a continuous premise.
You don't need to be a geek to root your android gadget. Some time ago just the most learned and actually refined individuals could deal with this sort of innovation. It is presently all so easy to use that anybody can deal with, select, and download the application of their decision. Also, this should be possible without having a specific specialized information and without taking up a lot of your time. Luckily, it is not that difficult to do any of these things these days.
In case you're excessively occupied on the other hand, to root your own particular android gadgets and need spare a few valuable time, attempt a remote android rooting administration. In one brisk online session, they'll tune up and root any of your android gadgets. This is an important administration for occupied android proprietors on the go.
Many root apps don't work properly with KingUser since they are written for either SuperUser or SuperSU.
Before I begin, I'm not here to flame tbe devs as I would love this app if these issues weren't present and do hope this problem is resolved as a result of bringing it to the attention of the community and hopefully this app's devs.
This application has serious vulnerabilities, some of which should be quite easily patched yet have not been for months to a year or so of them having been made public by a reputable security researcher working for Zimperium.
Login information via the browser is not utilizing a secure form of encryption for both web.airdroid.com or when accessing via local IP despite their SSL cert being valid for *.airdroid.com. The key for the DES encryption being used to hash the password and e-mail being hardcoded into the application despite having a POC for an attack on their users is inexcusable and shows a blatant disregard for their application's level of access as well as their user's safety and security.
My finding (as a security noob) has also deeply disturbed me following no response to bug reports or email contact. While attempting to check out their Windows desktop client, my antivirus discovered the installer attempting to download a variant of adware which monitored the user's activities and provides monetary incentives to developers which include it within their programs and applications. I do understand that if something is free, the product is you. However, I am a paying customer of this service as I'm sure many who use xda would be in an effort to support development of software and applications we enjoy. This adware was ran through and confirmed with VirusTotal and certainly is not a false positive. This desktop client also does not use SSL for communication.
Due to discovering these problems, I immediately discontinued use (the same day I renewed my yearly subscription). However, I was unable to remove the application from my phone without a full factory reset even after both application updates and upgrading android versions. With it set as a device administrator, it's access must first be revoked before uninstalling. However, across multiple devices and versions of android, attempting to remove it from device administrators causes a crash of the android settings app.
I had planned to do a POC for what I feel is an extremely likely scenario based off both public vulnerabilities as well as what I had discovered myself, but I have been far too busy with a few other projects as well as work to complete it yet. I had just stumbled across this section of the xda forums while looking for something else and hoped to get a response from the devs of this app.
I would love to be able to utilize an app with this functionality. However, there needs to be far more focus on security in its design before I would ever feel comfortable utilizing it again.
In theory, it would be entirely possible for an unstable, technically inclined person at a local coffee shop (or other public location with unsecured an wireless network) to hijack a user's login information with minimal skill level required then giving them full, unadulterated access to the application's functions such as forcing gps or camera on to track or watch someone without their consent as all connections aren't even requiring the user to accept the incoming connection on their phone to perform these actions. That is not a farfetched scenario and presents a possible threat to someone's physical safety.
Link to said researcher's findings can be found on his blog by searching Zimperium airdroid multiple vulnerabilities as I just created this account for this post and can not yet post outside links.
Thanks a lot for all this information. I really appreciate it.
Why hasn't this been addressed yet?
I remember reading this a while ago, realizing that it is a serious issue, and just how little the devs care about security on their app.
This is mainly because most end-users don't dive this deep into an app, and don't fully comprehend the severity of such vulnerabilities until it is too late.
We should make a bigger fuss about these things!
I've always been very careful with RAT-type apps and so I was when checking out AirDroid. I've uninstalled it after 30 minutes of using, just because I didn't like the fact, there's a chance some undesirable person could start spying on me. As I read this thread, I'm realising how right I was that time.
Hello all! I'm sure most of you are familiar with Google Play Services, the base of Google's Android framework and the brains behind all the Google things you do on your phone. Less of you, however, might also know that Play Services is notorious for being a beast of an application that no one truly knows the function of.
Below here is a rough explanation of Play Services from what I know about it. You can skip this if you already know and move on to the bread and butter of this post.
Play Services is proprietary software, meaning that its source code is not available to the public. All of Google's apps are proprietary like this as well. While developers like Chainfire have legitimate reasons to close off their app source code so others don't steal it, and so does Google, it is extra worrying from a company that makes a profit off of collecting userdata. Many people, including me, do not trust Google with our data, so we try to avoid their products as much as possible.
I thought that it would be nice to create a megathread of sorts with various users' suggestions on how to subvert the constant surveillance of Play Services, while also attempting to maintain the useful functionality of it. Below are some of the primary methods that I have thought of, and that I and some others have tried:
LineageOS/CyanogenMod Privacy Guard - If you are using LineageOS or any derivative thereof, you can go to Privacy Guard and deny certain permissions from Play Services. I and another user have denied permissions from Play Services without side effects, but your mileage may vary. @javelinanddart said on Reddit that Privacy Guard does indeed block permissions from Play Services and other system apps, so rest assured that Privacy Guard actually does something rather than being a placebo.
XPrivacyLua - This is an Xposed module that feeds false data to apps rather than blocking it entirely. I haven't tried this method myself, but the XDA post I linked above reports that XPrivacyLua works, even in tandem with Privacy Guard.
microG - microG is an open-source alternative to Play Services. It emulates many key functions of Play Services - push notifications, location services, etc - without the data collection running alongside such functionality. To clarify, this is a full replacement for Play Services, so you would flash a microG package instead of a GApps package. There are lots of bugs, though, even admitted by the developer. If you want to learn more, I suggest you visit the XDA thread for it, or view the implementation progress for various pieces of functionality.
There is nothing else that I know of, so if anybody knows of another viable method or can provide their own experiences with the above ones, your contributions would be appreciated by me and the rest of the privacy community.
Thanks for thread.
My only reason to use custom ROM is because they are GApps-free. In nearly every other aspect stock ROMs are better. Phones without good custom ROM I simply setup without Google account and install f-droid and yalp stores.
Another idea:
Imagine: Google is not as evil as we think: there are many privacy related settings in your Google account. You can login with a web browser and try through all these settings - and hope.
Device is a Samsung i9305 with RR-N-v5.8.5-final, Magisk v16.0, XPosed, XPrivacyLua, microG (via NanoDroid). No genuine Google services; Google Play Store is the one and only Google application installed.
I hope it suits into this thread (thanks very much for creating it!), and I'd like to share my settings. Please refer to the screenshots; I think it's self-explaining where they where taken from.
Actually no restrictions to microG, only to Play Store.
Remarks: µG has no restrictions in the firewall (AFWall+ Donation Beta); Play Store only granted internet access via WiFi and VPN. Just for completeness; running a RaspberryPi in the home network with Pi-Hole installed and acting as the DNS-server in the network. Unless using the home network i.e. using a foreign WiFi network or mobile data, ALWAYS establishing my own secure VPN to my RaspberryPi (with PiVPN installed) via OpenVPN and again the Pi acting as the DNS-server. If interested in further details please refer to this thread.
Thanks for this.
I was considering asking for a forum section here devoted to privacy, but it doesn't seem like a popular subject here. (After all, most of the people who have already picked the most snoopery OS in the world could be assumed to be not particularly worried about privacy. ? )
I come from a different motivation: the hope that by using a somewhat hackable OS, one can theoretically modify it in ways to achieve one's objectives, including privacy. But the last few years have made it rather clear that the Big G is working determinedly to foil such efforts.
Lately that seems to take the form of pushing more and more essential services into the Gplay frameworks, and deprecating perfectly working things like GCM in favor of intertwining it with Firebase, which may saddle us with that analytics data vacuum in order to get another essential service, push notifications.
Re: revoking permissions from Gplay frameworks, I feel like Google's determination to get their hands on data by hook or by crook (eg their ignoring of user preferences to disable various radios and enabling them in the background anyway, to track location and such) means they will quite possibly circumvent these preferences at some point as well.
As I mentioned in another thread I've experienced various problems in the past when I tried to aggressively restrict perms on the Gplay services using CM/LOS Privacy Guard, but perhaps some of that came from choosing interactive restriction prompts rather than blanket revoking. I do know that so many essential services are tied-into the Gplay frameworks these days that blocking tons of perms will inevitably cause breakage of some things depending how you use your device.
Jrhotrod said:
...
There is nothing else that I know of, so if anybody knows of another viable method or can provide their own experiences with the above ones, your contributions would be appreciated by me and the rest of the privacy community.
Click to expand...
Click to collapse
Due to your request above, please allow me to draw your attention to two threads by me. In these threads I tried about one and a half year ago to initially capture but also to update how I believe to have enhanced the battery duration, privacy and security of my GT-i9305 and how I went for a GApps-free device with microG.
Over the time until today, some of the described implementations, applications and measures became absolete or were replaced by others (e.g. using NanoDroid - or Nanomod as it was called in the beginning, since it has come out). Some changes occured due to the step from Marshmellow to Nougat or the non-availabilty of the official Xposed framework for Nougat in the very beginning. However, over all the time I've tried to maintain both threads updated and amended but currently not to much occuring on that frontline, probably because I've received a privacy status on our devices that obviously satisfies me in my personal opinion.
Oswald Boelcke said:
Due to your request above, please allow me to draw your attention to two threads by me. In these threads I tried about one and a half year ago to initially capture but also to update how I believe to have enhanced the battery duration, privacy and security of my GT-i9305 and how I went for a GApps-free device with microG.
Over the time until today, some of the described implementations, applications and measures became absolete or were replaced by others (e.g. using NanoDroid - or Nanomod as it was called in the beginning, since it has come out). Some changes occured due to the step from Marshmellow to Nougat or the non-availabilty of the official Xposed framework for Nougat in the very beginning. However, over all the time I've tried to maintain both threads updated and amended but currently not to much occuring on that frontline, probably because I've received a privacy status on our devices that obviously satisfies me in my personal opinion.
Click to expand...
Click to collapse
Wow, this is really great! Very high-quality thread.
Will add to OP later today
I apologise for the double post (original in my thread here) but I guess it also suits in this thread.
Found the below quoted post by @jawz101 in the XPrivacyLua thread here. Pretty interesting, and therefore I like to share:
Looking around on Data Transparency Lab website http://datatransparencylab.org/ - they fund grants for research in privacy stuff.
...I found an app called AntMonitor, an academic research project that does a MITM SSL cert + local VPN to look at sensitive traffic - even that which is encrypted. https://play.google.com/store/apps/d...it2.anteatermo
Anyways, it shows some apps trying to send my gps coordinates even though it doesn't have Android permission. Like, my coordinates are actually attempting to be sent encrypted to a destination. XPrivacyLUA doesn't trigger so I can only assume they grab my coordinates in a way that circumvents the traditional Android permission model.
To test, just try the app and open a few apps. I think it's apps with the Facebook graph API that is maybe doing it.
If you like ANTMonitor another app that does an SSL cert+ VPN is Lumen Privacy Monitor- a project by Berkely, but it doesn't seem to detect raw coordinates like ANTMonitor does.
Click to expand...
Click to collapse
However, I suggest to also follow the discussion/conversation between jawz101 and M66B, which has developed after this post.
Oswald Boelcke said:
Found the below quoted post by @jawz101 in the XPrivacyLua thread here. Pretty interesting, and therefore I like to share:
However, I suggest to also follow the discussion/conversation between jawz101 and M66B, which has developed after this post.
Click to expand...
Click to collapse
This is certainly an important discovery, thanks for the news.
Now for the sidenote that's 10x longer than the main comment. ?
One of the key issues I have with the various "privacy tools" is trying to figure out whether or not I trust all these entities that produce these diagnostic things to not be a solution worse than the problem when it comes to possessing and safeguarding my sensitive personal data.
It's getting to the point where I'm no longer enamored of giving *anyone* access to such stuff if I can help it, no matter *who* they are.
Even if they're not lying about their intentions and their commitment to security/privacy, there are still matters like carelessness/incompetence and targeted attacks to worry about.
@Exabyter: You're statement and expressed concerns are abolutely correct. Nothing to add except that I wouldn't limit it to "privacy tools" but especially include all applications that require root (and get it granted by the user) or all Magisk and Xposed modules. The latter should definitely concern.
My personal decision:
I'm not willing to trust anybody from the very beginning but I'm willing to trust single persons, groups or agencies. I've developed my own, private criteria, to which I stick but I've also admit the final decision isn't always based on rationality but also a lot on my feeling (in my stomage).
I don't held any confidential data on my device but privacy related ones, and I don't use my device for any kind of banking, shopping or payments.
I consider to use tools, modules and applications if their functionality rests within my defined specifications for the use of my device. Then I go for "the shopping tour" while I try to look into the details of the tools under closer examination, which includes where is it from, who's the developer etc.
I'll continue with the measures already described in one of my threads.
Oswald - I think we have largely similar stances on such things. In my case I will sometimes sway towards the pragmatic over the pedantic when the pedantic involves so many inconveniences that the tech becomes more of a burden than a help to me.
For example, I really don't like the idea of 3rd-parties keeping data pertaining to my daily geographic movements, but I also use several tools and services that by their nature rely on location data which could in some cases end up in the hands of parties I'd rather didn't have access to it. So I have to regularly weigh the apparent cost/benefit of such services and there are certainly some of them which have a high enough value to me that I willingly lower my default "protection level" in order to keep the other benefits of such tools/services.
Certainly microG is an important tool in that toolchest as it has a major disruptive impact on some of the most common ways Google and other parties snoop on users. But some of its imperfections also threaten to keep me from my ultimate goal of carrying a single phone which performs all the tasks I need to accomplish with it without undermining my privacy in a major way. (And ultimately, my freedom and agency as a citizen in a nominally and allegedly "free and democratic society", which is the actual "big picture" problem with privacy incursions in general IMHO)
I have spent several years now, with varying degrees of effort and success, trying to come up with a hardware/software solution to this problem, and I've never reached a point where I'm fully satisfied with the results. The fact that I am still carrying several mobile devices with me everyday is proof enough that I haven't achieved my objective in this regard and it gets tiring. As does all the time spent on venues such as XDA, researching, discussing and keeping-up with all the relevant issues, not to mention the large amount of time spent tinkering with HW/SW in order to keep all the special measures working. (And after we finally get things working more or less the way we want, we are faced with the particularly customized hardware wearing out, becoming unsupported, 3rd-party ROM and other compatible and necessary software being abandoned/deprecated, and so on and so forth.)
Truth to tell I'm a bit bitter about the amount of time/energy I have to spend to achieve something which should have been part of the mobile platforms in the first place. The current de-facto mobile platform duopoly certainly doesn't help matters.
---------- Post added at 03:39 PM ---------- Previous post was at 02:57 PM ----------
Now that I've gotten that philosophical rant out of the way ? ...
So as far as technical specifics:
microG of course is a big help as it either neuters or removes many troublesome anti-privacy vectors. For example, at the present time it does not support Firebase Analytics at all, which means (as far as I can tell) any app that expects to get telemetry on users via Firebase Analytics will not get anything if the app user's device is Gapps-free and using microG instead. (It remains to be seen if adding Firebase Cloud Messaging capability to microG will negate this presumed benefit. Cynics like myself are inclined to think one of Google's key objectives in deprecating Google Cloud Messaging and rolling push notification frameworks into Firebase instead was specifically to undermine the ability of users to avoid/circumvent Firebase Analytics)
XprivacyLUA looks interesting and is on my list to test. I found its predecessor Xprivacy to be an extremely tedious and labor-intensive option so I never seriously pursued it after my initial testing.
There are various tools I find handy to help get a sense of how dangerous certain apps may be to privacy. Here are a few:
AppBrain Ad Detector
https://play.google.com/store/apps/details?id=com.appspot.swisscodemonkeys.detector
Addons Detector
https://play.google.com/store/apps/details?id=com.denper.addonsdetector
Checkey (also on f-droid)
https://play.google.com/store/apps/details?id=info.guardianproject.checkey
Applications Info (also on f-droid)
https://play.google.com/store/apps/details?id=com.majeur.applicationsinfo
Permission Friendly Apps
https://play.google.com/store/apps/details?id=org.androidsoft.app.permission