The latest Camera360 update demands a strange and dangerous permission - "Change WiFi State". This is defined as follows:
"Allows the app to connect to and disconnect from Wi-Fi access points, and to make changes to configured Wi-Fi networks."
The apps already has internet access. But change WiFi state means it can not only turn your WiFi on and off, but it can add or delete to your access points, and read/change other information like encrypted passwords.
I emailed the developer (in China) and they just keep emailing me back asking what version I am using. He obviously doesn't want to answer the question!
I've noticed this "permission creep" in many other apps. The latest Firefox Android app wants access to global system setting, address book, and accounts. The latest YouTube app can take pictures and videos without your knowledge.
There are a few apps that I no longer update. I also use DroidWall to block cameras and other apps from internet access.
Stay Away from Camera360!
I use droidwall as well, actually extensively. I block everything but the necessities.
Sent from my LG-P999 using xda app-developers app
Thanks for the heads up.
Sent from my LG-P999 using xda premium
Now that look at it, some of the permissions that Camera360's Chinese developers want are pretty scary:
https://play.google.com/store/apps/details?id=vStudio.Android.Camera360
Here are the most dangerous as of today:
NETWORK COMMUNICATION
FULL INTERNET ACCESS
Allows the app to create network sockets.
YOUR PERSONAL INFORMATION
READ SENSITIVE LOG DATA
Allows the app to read from the system's various log files. This allows it to discover general information about what you are doing with the tablet, potentially including personal or private information. Allows the app to read from the system's various log files. This allows it to discover general information about what you are doing with the phone, potentially including personal or private information.
PHONE CALLS
READ PHONE STATE AND IDENTITY
Allows the app to access the phone features of the device. An app with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.
SYSTEM TOOLS
RETRIEVE RUNNING APPS
Allows the app to retrieve information about currently and recently running tasks. Malicious apps may discover private information about other apps.
CHANGE WI-FI STATE
Allows the app to connect to and disconnect from Wi-Fi access points, and to make changes to configured Wi-Fi networks.
Camera 360 Browser Popups!
The Chinese developers that made Camera 360 removed the draconian permissions. But now, it has a more evil behavior. When you start your phone, Camera 360 starts a background process that displays popup ads on some websites with the default Android browser!
Thread on it here:
http://forum.xda-developers.com/showthread.php?p=33130018
Uninstall Camera 360 and watch your phone and your browser run faster!
Uninstalled :good:
Shouldn't this thread be a sticky, and, posted somewhere owners of all different models of phones will see?
Also, surely there must be some kind of app which lets you install apps without actually granting them those permissions? Some kind of permission stripper?
I'm not sure of any apps that control permissions directly but the is one called DroidWall which can block apps from communication over WiFi and/or your mobile network. Needs superuser/root access.
Sent from my LG-P999 using xda app-developers app
Pdroid, need to make a patch for ROM of choice, but it works like a charm!
Sent from my Nexus 7 using xda premium
Bob Tums said:
I'm not sure of any apps that control permissions directly but the is one called DroidWall which can block apps from communication over WiFi and/or your mobile network. Needs superuser/root access.
Click to expand...
Click to collapse
I have DroidWall, and Camera360 is blocked internet access. But it is still able to hook into the Android browser and show popups.
Not sure how that happens. You can try downloading AdAway from the market and see if that gets red of it.
Sent from my LG-P999 using xda app-developers app
Related
DroidWall in the marketplace allows full WiFi access to all apps.
Is it possible to code an application for Android (perhaps with root access) that can:
- deny all outbound data access per app basis
- specify the rules (ip-range/port-range) per app basis
Like a real alternative to a desktop software firewall?
Way too many apps are leaking all sorts of information (in plain text!) from the user account database to the Internet.
The android security makes me really scared to use the platform for anything requiring security. The privacy/security model is basically a swiss cheese that can be poked through by almost any app that just asks for certain rights at install time.
I'm hoping a firewall would be able to limit this issue, no?
I don't know about the other stuff you mentioned, but my version of DroidWall has a block/allow option for wifi and 3g, separately. It's the latest version from the market place, 1.4.2
Thanks, I just checked it out and it seems DroidWall indeed has a Wifi side blocking by app basis as well. I'm still testing though.
Ah, just tried it. Force closes on Galaxy S (rooted). Sigh.
LBE Privacy Guard v2 is available, check http://forum.xda-developers.com/showthread.php?p=18948472#post18948472 for more information.
----------
First, my apologize for poor engish
Please allow me to introduce LBE Privacy Guard, a small app wrote by myself. This app enhances Android permission system and protects your privacy.
LBE Privacy Guard works just like Windows UAC, it intercept vital actions (like send SMS, call phones) and requests to access sensitive data(SMS conversation, contacts, phone location, IMEI, IMSI, etc) from apps, then prompt for your confirmation. Unless explicit permit, such actions and request will be rejected.
LBE Privacy Guard also has a low-level firewall, supports per-app control like droidwall, but not require netfilter/iptables so it works on pre-froyo devices and faster than droidwall because it doesn't filter packets.
So why I wrote this app? Because android permission system sucks, it's very hard for average user to understand the meaning of each permission, there is also no way to track the behavior of installed app and no way to control the permission of installed app(except uninstallation).
I hope my app could bring dynamic permission control and real-time track for installed apps. So you can figure out which app is stealing your privacy and block it before your privacy stolen.
Requirements
**NEEDS ROOT**
Works on Android 2.0 and above.
Tested on various devices and firmwares, but not tested on Android 3.0 and 3.1 devices.
Current Features
1. Block unwanted send SMS / call phone operation
2. Block unwanted access to phone location, contacts, SMS/MMS conversation database, IMEI/IMSI/ICCID/phone number.
3. Integrated low-level firewall, no netfilter/iptables required, works on pre-froyo devices
Market Link
https://market.android.com/details?id=com.lbe.security
Contact us
For any questions, feel free to send mail to [email protected], any comments are welcomed.
You can also check our website at http://www.lbesec.com (Chinese only)
Screenshots
Good application, Thank you
im gonna give this a look. will report back if any issues
Been waiting for an app that watches local permissions.
Can you tell me what exactly is "low-level firewall." How can it filter network traffic if it does not make use of iptables?
Looks promising. Will give it a test ride for a few days.
Sent from my Legend using XDA App
good app
Sent from my Desire HD using XDA App
crashed after a reboot. will re-install and do another test run later as it would not start the security service when i rebooted my phone.
This is great app... works very well on 2.3.4. Thanks for this wonderful app...
from my desire using xda
traumatism said:
crashed after a reboot. will re-install and do another test run later as it would not start the security service when i rebooted my phone.
Click to expand...
Click to collapse
hi traumatism, i would appreciate if you could tell me your phone model, and the ROM you are using.
It looks like LBE Privacy Guard has some problems to obtain ROOT privilege during auto start process.
Installing now, this looks interesting. I'll report any issues tomorrow.
Thank you.
edit: absolutely no issues, this app is awesome!
I was looking for something like this for the longest time... especially since my kernel doesn't support iptables. Installing now.
I am gob smacked, this application is brilliant!
Had it installed for around 2 hours now, no issues at all, works perfectly fine after reboot, doesn't appear to slow down phone or have any performance impact.
This should be included in Android by default!
Running it on HTC Inspire 4G with CM7.0.3
Great app. my first impression is good. looks like you've did a good job .. Thx happy
First look is great. Thank you. It is exactly what I am looking for
asicman said:
Been waiting for an app that watches local permissions.
Can you tell me what exactly is "low-level firewall." How can it filter network traffic if it does not make use of iptables?
Click to expand...
Click to collapse
The "low-level firewall" does not filter packets, instead it removes network related supplemental groups of certain process. Without such supplemental groups, socket syscall will fail with EPERM, so the application will not be able to access network.
This solution neither require netfilter kernel module / iptables binaries, nor filter packets, it's faster. but it can't distinguish 3G and WIFI connections.
I love this idea! I haven't updated "att Mark the Spot" in months because they requested access to everything. The first thing was trust my root apps, sms, gmail & voice apps, then I blocked my phone ID from ALL apps. (would've been nice to have a "reject all" option there.) My question is, are there any legitimate reasons for an app to request my IMEI? Are there any potential negatives to blocking my IMEI from ALL apps?
Edit: I also experienced the force close on reboot, but LBE started right back up on its own. Atrix 4.1.83
eoc, are you planning to release the source code?
Hi guys,
I am a little confused by this app. Can it allow me to stop the imei sending to my carrier when I connect to the network? They are trying to reduce the amount of data included in my plan if im not using an phone!
n3man said:
Hi guys,
I am a little confused by this app. Can it allow me to stop the imei sending to my carrier when I connect to the network? They are trying to reduce the amount of data included in my plan if im not using an phone!
Click to expand...
Click to collapse
No., It will only block apps and not the communication between your device and the carrier which is impossible on GSM networks.
Is anybody experiencing problems with blocked apps? Like fc or anything similar.
Sent from my LeeDroid Desire HD using laggy Tapatalk
So i am just wondering, there are so much different apps for android on the market, and most of them has a lot of access to phone's functions. Now for example i am always logged in to Gmail, and theoretically can a random app scan and copy my gmail's data and send it trough internet? Really curious..
Kblavkalash said:
Now for example i am always logged in to Gmail, and theoretically can a random app scan and copy my gmail's data and send it trough internet? Really curious..
Click to expand...
Click to collapse
This question is not really an issue of Android security this is a question about general security. Can an app look at your gmail app directly and copy data and send it out...not exactly no, an app can't forcibly connect itself to another app to scan data.
However...
That question is actually not relevant because such a task is unnecessary for malicious apps. Lets say you install a malicious app that wants to copy your gmail data. What it will do is not watch the app itself but it will watch the network packets being sent to and from the app, logging and tracking those.
This is not the only way to get the data though because any data saved on your sdcard is accessible from an app if you give it permission to do so.
The MOST important thing to look at when installing an app is the permissions the app is requesting when it installs. This can be confusing as well because some apps will request full internet access because they need it but this can also be used by a malicious app to steal your data.
The important thing to do is research. The more you learn about the app the better off you are.
-------
Just to clarify, this applies to all apps of any kind on any platform including but not limited to Android, iPhones, Blackberry, Windows Phone, WebOS, Windows PC, Mac OSX, Linux or etc. - ALWAYS learn as much as you can and are comfortable with before installing anything...if you are not comfortable with a particular app or learning more about it then don't install it. That is not to say it may be malicous, it is just to say it could be a bad idea for other reasons. (for example, if it is a developer tool or a configuration tool that you don't understand or haven't researched enough to understand...then you could potentially damage your device with something that is a legitimate tool)
Kblavkalash said:
So i am just wondering, there are so much different apps for android on the market, and most of them has a lot of access to phone's functions. Now for example i am always logged in to Gmail, and theoretically can a random app scan and copy my gmail's data and send it trough internet? Really curious..
Click to expand...
Click to collapse
edit
MichaelTunnell said:
This question is not really an issue of Android security this is a question about general security. Can an app look at your gmail app directly and copy data and send it out...not exactly no, an app can't forcibly connect itself to another app to scan data.
However...
That question is actually not relevant because such a task is unnecessary for malicious apps. Lets say you install a malicious app that wants to copy your gmail data. What it will do is not watch the app itself but it will watch the network packets being sent to and from the app, logging and tracking those.
This is not the only way to get the data though because any data saved on your sdcard is accessible from an app if you give it permission to do so.
The MOST important thing to look at when installing an app is the permissions the app is requesting when it installs. This can be confusing as well because some apps will request full internet access because they need it but this can also be used by a malicious app to steal your data.
The important thing to do is research. The more you learn about the app the better off you are.
-------
Just to clarify, this applies to all apps of any kind on any platform including but not limited to Android, iPhones, Blackberry, Windows Phone, WebOS, Windows PC, Mac OSX, Linux or etc. - ALWAYS learn as much as you can and are comfortable with before installing anything...if you are not comfortable with a particular app or learning more about it then don't install it. That is not to say it may be malicous, it is just to say it could be a bad idea for other reasons. (for example, if it is a developer tool or a configuration tool that you don't understand or haven't researched enough to understand...then you could potentially damage your device with something that is a legitimate tool)
Click to expand...
Click to collapse
Good answer, you are right!, but you say do a research before installing, but it's not really possible unless you are a programmer and checking whole code The best rated apps still have many different permission requirement and i have no idea what they are doing.
For example app can request a new password change for example on paypal and steal packets which come to my gmail about new password.^^
Security Apps
Hi,
in my eyes the best way is to use programs like PDroid. You cann adjist the rights of every App regarding send SMS for example.
LBE Privacy Guard may be also an Option. (runs not on my Device - SGS+)
(i use Pdroid 2.0)
you should also read the comments in the store, and the needed rights from the app before install. The best Apps to trust are open source apps.
Kblavkalash said:
Good answer, you are right!, but you say do a research before installing, but it's not really possible unless you are a programmer and checking whole code The best rated apps still have many different permission requirement and i have no idea what they are doing.
For example app can request a new password change for example on paypal and steal packets which come to my gmail about new password.^^
Click to expand...
Click to collapse
Research generally involves a Google search...
Editor's Choice in the market are safe bets, you know, the blue icon.
But then there are the millions of other apps, and frankly, I tend to toe the app name plus xda for instance, Google will show you xda threads about the app, if the posts are normal, you can be sure it's not malicious.
Stuff like that...
Also, fake market comments are really easy to spot and are a dead giveaway
Sent from my GT-I9000 using xda premium
1)I have rooted the Android phone. Xperia Tipo.
2)Installed the Root explorer, Permissions Denied, Droidwall, Startup Manager, Adfree, Busybox, Titanium Backup.
3)I was planning to use the Comodo Mobile Security (including antivirus and a live monitoring firewall)
Do I need to remove anything from the previously installed set of apps? Because even if I have droidwall, It only blocks applications as a whole. I cannot stop the apps from doing specific spying like- phonebook photo, access. etc.
The ****ty google has lot of apps that keep logged in. I tried to block one service from startup, and youtube stopped working.
I dont want to permanently block them. I only want these apps to login and access only when I need.
What should I do?
I know I asked two or more questions in one topic, despite of the title. But, hope someone tells me.
Dude I can understand what you want because I also hate such google apps running in background so do the following
Go to (settings<apps<all)and find the app you want "for example" take YouTube select it and click "Disable"
(before tat click force stop to save RAM) The app will be freezed and will not run until you again go and enable it...
PS:The disabled app will be in the dead bottom in (settings<apps<all) you can go there and "Enable" it again when you really need to use the app.
HIT THANKS IF I HELPED YOU:thumbup:
Sent from my
xperia tipo rooted
using xda app-developers app
Yup...he's right dude....
Try Anti Theft Mobile Security
Try out Mobisecurity.net
It not only tracks location of lost mobile but also lock mobile remotely, send SIM change alert along with switched SIM number, wipe personal data when fallen into wrong hands.
Using XPRIVACY*****won't be adding any more stuff to this guide for a while. will continue this when i have enough free time*******
XPRIVACY is undoubtedly the best privacy app out there. Its because of the options it supports almost all the android versions.
But it is not as easy to understand as App Ops or Pdroid privacy guard. Thats why inspite of my many attempts to use it, i gave up after few hours or days and switched back to App Ops.
It has come along way from when i made those attempts, it has become more user friendly and interactive but so many options which is its biggest plus point, also makes it hard for new users to switch from other privacy app to XPRIVACY.
I recently made a small guide about HOW TO USE APP OPS MORE EFFECTIVELY.
So the next obvious step was GUIDE on XPRIVACY. i have been putting it off from many days but now no more will add more videos whenever i can but its about time i that i finally get started with it.
I hope this guide will help my fellow XDA members to make the required switch or to introduce them to the world of XPRIVACY
Installation instruction, minimum requirements and other usefull stuff can be found at the official thread of XPRIVACY
What this Guide is ABOUT???
>This guide is for NOOB users, so that they can understand how to use XPRIVACY. Also as i ahven't purchased the PRO version yet this huide will only cover functions of FREE version. I will be buying the PRO version soon and then it will cover use of PRO features as well
>I will try to explain different restriction using different apps.
>Examples will be video of the app with and without those restrictions and the effect that those restriction will have on that app
>NOTE 1 - this is not full blown guide and it is just to get you started. However it can turn into full blown guide depending on the inputs from various users and also after a certain time as i get better in using this app.
>Note 2: Differnet categories are explained using different app. Most of the times category name will be used as heading as you can see in 3rd point, but at some places where permissions like location, contacts , clipboard etc are explained i will use these words only as these words will result in easier understanding.
> More and more videos will be added as i find the appropriate app and a way to demonstrate the use of a particular permission using that app.
LETS STARTYoutube playlist link
1) Faking or restriction location
I am pretty sure this is going to be very useful to many people for playing location based games or to become mayor of certain place in foursquare and i am sure you can think of using it in many other apps.
Please note that you cannot fake location for some apps like google maps and facebook. these are the only two apps that i know of. you cannot fake location for these two apps but you can restrict it.
Also as you can see in the video you will be able to fake location in foursquare but when you will try to access google maps view from inside Foursqaure app you will get no location. But still you can check in and get suggestion from foursquare based on your fake location. default fake location is CHRISTMAS ISLAND. but you can change it through XPRIVACY(which is covered in the video).
2) Blocking access to the different accounts configured in your device
For this i have used Chrome beta as you can see in the video that blocking the account permissions will result in chrome not seeing the different google accounts that are present on my device. Thus i am unable to sign in chrome beta to sync my bookmarks and other stuff.
You can use this to block access from those app which try to gain access to the different accounts configured in your device.
Note: if you block access to 9gag, Ifunny etc apps like these for which you sign in using your configured google account. You wont be able to sign in those apps as these apps won't be able to see the configured account.
Although if a you sign in using username or email id which you use only for that particular app. You can block restrict this permission as it will have no negative effect on that app behaviour
3) Xprivacy Category - View Browser
For explaining what this permission does i have used DIGG app. This permission will restrict app from opening external links. or more precisely hyperlinks from withing app. If this permission is restricted you will be displayed warning from xprivacy when you try to open any link from withing the app(shown in the video).
4) More Videos to come soon..........
More videos to be added whenever i can find time and based on users input. I am also a beginner when it comes to XPRIVACY so be patient with me and if you have any ideas to make this thread better please do share it with us.
Once you have enough understanding to use Xprivacy on daily basis you can head over to XPRIVACY thread and post you advanced question there.
Currently i have some personal stuff to take care of so updating this thread is on hold. Will update it with more videos as soon as i can. I have made the videos just need to edit them and upload.
Reserved
reserved
Other Useful threads by Me
[GUIDE] Using Apps Ops (or Privacy Guard) 4 blocking wakelocks & saving battery
[App] Samachar - Indian News app and more
thanks
thanks for this helpful tutorial.
can u please tell me if I could use xprivacy to block adds on apps , cheers
drreality said:
thanks for this helpful tutorial.
can u please tell me if I could use xprivacy to block adds on apps , cheers
Click to expand...
Click to collapse
You can block internet permission. That will block ads but that can also make app useless if it needs internet to function.
Why don't you use adaway or adblock pro to block ads?
I know this is a dumb question but I've been using Xprivacy for a few years now and I never could figure out what the two boxes to the right of the application names are for. I believe one is for restrict and one is for allow? If someone could let me know which each of those boxes means it would be much appreciated.
Good question. The two-column system is a later addition to xprivacy and many of the newbie tutorials don't cover it.
Let's take a simple example like location.
For starters, let's say the second column is unchecked. This is the easiest situation to understand. Then what happens depends on the first column.
The first column -- if it's checked then xprivacy will always deny access to location and will instead feed the app fake information as set up in the xprivacy settings.
If however the first column is unchecked then the app will be able to get to your actual location.
This is what you want with an app where the answer to "can it use this permission?" is always the same (either "always" or "never"). Second column unchecked, first column choice telling the app yes or no.
The second column controls the pop-ups that you see with xprivacy. If the second column is checked then you'll get a pop-up asking whether to allow the app the permission or not (whether or not the first column is checked).
There are four choices -- "allow", "deny", "don't know", and "oops I timed out".
"oops I timed out" will give the app whatever the answer in the first column is. You can tell what the first column is because the app says "Timeout will: allow/deny" depending on whether the first column is unchecked/checked.
If you click "allow" in the pop-up then xprivacy unchecks the second column in its settings, unchecks the first, and gives the app access to your true location. The popup will then not appear again unless you recheck the second column in the xprivacy settings.
If you click "deny" then xprivacy unchecks the second column, checks the first column and feeds the app fake location. Again you'll not see the popup again.
If you click "Don't know" then I *think* xprivacy denies access (whether or not the first column is unchecked) and leaves the second column checked, so it will ask again the next time.
How did I find this out? Well I didn't read it from a FAQ! I just downloaded xprivacy yesterday and I found it incredibly difficult to work out from scratch. In the end I just downloaded an app which prints out your gps location and nothing else, and I just experimented with it. The above is a report on my conclusions. I hope it helps other people because it is the post which I wish I could have read this time yesterday.
Note that other permissions might work slightly differently. For example it is not really possible to feed an app fake internet information, as this would require carrying around a fake internet on your phone. You can get a quick idea about what data can be faked by looking at the xprivacy settings. For example, you can fake your phone number and your MAC address. But as I've said you can't fake your internet and you can't fake your storage either -- which is quite a good idea because if you pretend to let an app write to your SD card and then pretend to let it read it and it can't find what it just wrote, this is bound to lead to trouble, probably more trouble than if you'd just denied it access in the first place.
Nice tutorial
@yannick.12
Many many thanks for you're well explained tutorial.
This is was definitley needed because is still (incredibly) very hard to find out some good guide out there, expecially for the "second column" options, as you mentioned.
Thank you, again my friend :good:
I got also another question (if someone knonw the answer) about the "shared rules". I mean, if I download the rules for some app, from the XPrivacy server, it's supposed to be the settings that someone has configure, ok. But what if I send my rules and, later in time, I download it again for that app? I got my rules (the rules that I uploaded before) or I got the " common" rules setted shared by the XPrivacy?
Sent from my Xperia E4g using XDA-Developers mobile app
Is it possible for xPrivacy to allow app's permission? I'm using a phone that runs android 5.1.1 and some apps just don't ask for permissions which makes it impossible for me to access storages. It will only respond that app has no permission to write over storages which makes the app not functional.
rUx_Gaming said:
Is it possible for xPrivacy to allow app's permission? I'm using a phone that runs android 5.1.1 and some apps just don't ask for permissions which makes it impossible for me to access storages. It will only respond that app has no permission to write over storages which makes the app not functional.
Click to expand...
Click to collapse
Won't work like that.... And that issue is still there.. Even with pie... App's developer fault..
Sent from my Redmi Note 5 Pro using Tapatalk
Kapiljhajhria said:
Won't work like that.... And that issue is still there.. Even with pie... App's developer fault..
Sent from my Redmi Note 5 Pro using Tapatalk
Click to expand...
Click to collapse
Thanks for info. Is there any possible workaround for this other than contacting the devs to fix storage permission issue?
rUx_Gaming said:
Thanks for info. Is there any possible workaround for this other than contacting the devs to fix storage permission issue?
Click to expand...
Click to collapse
No, give permission manually from app info
Sent from my Redmi Note 5 Pro using Tapatalk
Kapiljhajhria said:
No, give permission manually from app info
Sent from my Redmi Note 5 Pro using Tapatalk
Click to expand...
Click to collapse
I guess there'snothing I can do other than look for an alternative app, android 5.1.1 won't let you edit app permission.
rUx_Gaming said:
I guess there'snothing I can do other than look for an alternative app, android 5.1.1 won't let you edit app permission.
Click to expand...
Click to collapse
I mean give app permission from app's info. I think u can do that... Dont remember 5.1.1 interface now but it should be possible
Sent from my Redmi Note 5 Pro using Tapatalk
Kapiljhajhria said:
I mean give app permission from app's info. I think u can do that... Dont remember 5.1.1 interface now but it should be possible
Sent from my Redmi Note 5 Pro using Tapatalk
Click to expand...
Click to collapse
My phone doesn't seem so. Here's how it looks like in the app settings.