I came across this article while surfing the internet. I wanted to share this with you guys, and see what your feelings were on this.
"Mobile Device Security and Android File Disclosure
Back in November, Thomas Cannon brought to light an issue within the Android operating system. Specifically, he found that it was possible to obtain the contents of files on an Android device by simply persuading its owner to visit a web site under attacker control. The issue only garners a 3.5 CVSS score, but yet it’s still fairly serious.
Thomas reported this issue responsibly to Google and they took it seriously. However, since then they have come back with a ridiculous remediation plan. Granted, its probably not entirely Google’s fault, but the overall situation looks very bleak for Android.
The problem is that Google stated that a fix will be available as part of an update to the upcoming Android 2.3. While that, in itself, may not be totally ridiculous, the reality of the situation is that Google is only one party involved in Android. There are two other groups, namely OEMs and Carriers, that must also do their part in getting the fix to users. Although Android devices are becoming increasingly functional, the security posture remains abysmal.
The security posture for desktop applications has improved vastly with all of the sand-boxing, automatic updates, and various other exploit mitigation technologies. Meanwhile, Android includes almost none of existing security protections. In fact, mobile users are being left out in the cold, unable to get a patch for a trivially exploitable cross-zone issue. For that matter, they can’t even control whether their device’s browser automatically downloads files or not.
This situation is not news, rather it is a sad fact. It is totally unfair for end users to be left out to fend for themselves. After all, they are paying a small fortune for these devices and the service to be able to use them. Hopefully the vendors involved will wake up before a network worm outbreak occurs.
Originally, Thomas disclosed the details of his bug on his blog. Later, he removed some details to help protect users. I believe that responsible disclosure is a two-way street that requires responsibility on both sides. Since Google, OEMs, and carriers all continue to act irresponsibly, it is necessary bring more attention to this issue and the situation as a whole.
I spent a little time and managed to recreate the issue with nothing more than HTML and JavaScript. As of today, I have released a Metasploit module to take advantage of the flaw. It is available in the latest copy of our Framework product, or you can view the source via the link to our Redmine project tracker above.
Before I go deeper into the consequence of this bug, I want to point out that Thomas outlined several workarounds for this vulnerability in his blog.
Now, take a deep breath give some thanks to the fact that, under Android, most every process runs under a separate, confined, unix-style user account. This design feature partially mitigates this issue, lowering confidentiality impact to “Partial” and bringing the CVSS score from 5 to 3.5. That said, an attacker can still gain access to some pretty interesting stuff.
For starters, an attacker can steal any world-readable file. In my tests it was possible to get potentially sensitive information from the within the “proc” file system. This type of information could include kernel versions, addresses, or configuration that can be used enhance further attacks.
Also, you can snarf any files that are used by the browser itself. This includes bookmarks, history, and likely more. This kind of information could potentially be embarrassing or possibly even give an attacker access to any saved passwords or session cookies you might have stored.
Perhaps the easiest win though, is that you can grab anything off of the SD card. You might ask, “Anything?! What about the user separation?” Well, because the SD card has been formatted with the “vfat” (aka “fat32”) file system, there is no concept of ownership. All files are owned by the same user id since the file system itself cannot encapsulate who created which file. As Thomas said, files in the SD card that have predictable names are ripe for the picking. This includes pictures and movies. These may in fact be some of the most private data on your device.
In conclusion, I hope that the Android security debacle will get resolved as soon as possible. If Google, OEMs, and carriers can’t work it out, perhaps another party will step in to maintain the operating system. I believe this could be very similar to the way various Linux distributions operate today. If the situation is not resolved, I fear the Android device pool could become a seething cesspool of malicious code..."
Here is the address
http://blog.metasploit.com/2011/01/mobile-device-security-and-android-file.html
Sent from my PC36100 using XDA App
Shocking. Thanks for the info.
Nice find. You are right that oems and manufactures need to stay on top to mantain security. Hopefully meaningful post like this will make users aware of the possible dangers of the internet, data, and phone usage
Sent from my ADR6300 using Tapatalk
Ouch. Wish Android updates were like iOS..
Android is open, one of the main assumptions is that there is no single company, which controls it. I could create my own phone with Android, sell it to people and give them no support at all - Google can't do anything about it.
There is only one solution to this problem: people have to choose their phones wisely. People look at phone specs, at CPU, RAM, camera, but they ignore future support and openess. Recently Motorola has stated they will lock bootloaders in their future phones. People will go for these phones anyway and then they will complain they can't do anything with some horrible bugs, they will complain about Android and Google, but they should complain about Motorola and themselves. While Nexus S owners will have same bugs fixed by both Google and community.
Choose your phones wisely.
SD with vfat...good catch. Horrible bug while many users trying to move their apps to SD. And maybe 80-90% of the apps in the market require modify SD card perm? Horrible. Verizon SGS is screwed since that phone have little internal and lots of external SD.
I'm so glad you guys came across this thread, and it didn't get lost in all the other threads. I hope some of the devs see it. Can a fix be implemented at the Rom or kernal level?
Sent from my PC36100 using XDA App
Introduction
I have not seen much talk about security in XDA, and not at all on Neo Section.
SO here's just one informative link talking about using and developing apps and security risks involved
http://www.technologyreview.com/computing/25921/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, get your credit card info(should you do such things on phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app only to have risks. Most people use Windows so they should know that it is OP systems bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM. That's just idiotic security system, for it is the only thing beside encrypting shut off phone on 3.0 and 4.0. So that means Android on it's own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and it's Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Exporer has root access, that means it has root access to whole Android. To remove unnecessary risks, this app's root access should be limited to only most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is Apparmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is obvious vulnerability, but it is at least known one. Let's look at possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On market it does not list permission to "Unique Device ID"(IMEI for GSM and MEID; ESN for CDMA) for free nor for paid version.
That means the author of BB has left the code from free version in paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the add and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's a latent code, with no benefit to user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on net and also where you are physically. GPS is just one way to find you, police for example have scanners to locate your devices physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risks of your home being marked as the next dungeon to be looted by some raiders, I mean criminals(or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by trojan/hacker is random. Yet the threat would not exist without apps having so flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos ". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in aquarium or hamsters in cage( "Look at that dork!", "You're one ugly m...f...er","ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?" "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by hacker on background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Devide ID
4. Cell Tower Name.
That's a lot of needless permissions for flashlight, these are there just to track you the app user and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux have such security holes then why do you want your Android have them?! You don't want, that's the point and these apps would not be so popular if people would really know and care about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
The most important thing is to read the permissions before installing.
If you had read the article I linked. Those permissions don't matter anything really if stuff developers use doesn't reveal what it does, or developer itself doesn't disclose what the app does.
We can safely say that those permissions asked are just to make ordinary users of Android think that all is under their control.
I use Privacy Blocker app and it keeps finding app permissions that are not listed. Even that app doesn't find those permissions which Cyanogenmod permission manager shows. And I've sanitized all my apps, still I find my phone connecting to some odd servers while using certain paid and seemingly legit apps. I even found shapshots from front camera made by some app... and I am checking all permissions I can, even for those not listed.
What seems harmless but could reveal your IP address and potentially other data about you is... advertisements used by apps.
Ads can be far more than just a little annoyance that slows your device. Any file, picture loaded from some location in internet can be used to locate you.
I had a problem of getting phone call bills for calls lasting 10 to 20 secs that I never made after using a slew of market apps, flashlights, fun stuff, etc.
I paid two months for such calls trying to find out which app did it and still don't know which one it was. Skype(phone app has fake IP of Holland but actual connection goes to Moscow... oh come one what is this? Why such hiding? Like anyone would trust their phone's Skype connection stream through Moscow... no thank you! Then wonder still if the phone gets so slow and Skype call quality is so bad even over wifi while Windows Skype does just fine?), Brighest flashlight, some photo editors, and slew of other garbage I've already forgotten about cause I don't use any of it anymore.
First post updated
How about the new 4.3 update..in includes some security and privacy control..will this thing prevent you had mentioned?
Is there any way to reactivate this post? maybe start working on a security enhanced android ROM? I'm agree, Security does matter!
Okay, so, I summed up some 5 articles on this subject - in the hope of starting a discussion about device security. I hope you will find this interesting and meaningful and perhaps you will find out about some of the risks of using Android.
2 months ago Juniper Networks, one of the two biggest network equipment manufactures, published a blog post (1) about an intensive research their mobile threat department had on the Android market place.
In essence they analyzed over 1.7 million apps in Google Play, revealing frightening results and prompting a hard reality check for all of us.
One of the worrying findings is that a significant number of applications contain capabilities that could expose sensitive information to 3rd parties. For example, neither Apple nor Google requires apps to ask permission to access some forms of the device ID, or to send it to outsiders. A Wall Street Journal examination (2) of 101 popular Android (and iPhone) apps found that showed that 56 — that's half — of the apps tested transmitted the phone's unique device ID to other companies without users' awareness or consent. 47 apps — again, almost a half — transmitted the phone's location to other companies.
That means that the apps installed in your phone are 50% likely to clandestinely collect and sell information about you without your knowledge nor your consent. For example when you give permission to an app to see your location, most apps don't disclose if they will pass the location to ad companies.
Moving on to more severe Android vulnerabilities. Many applications perform functions not needed for the apps to work — and they do it under the radar! The lack of transparency about who is collecting information and how it is used is a big problem for us.
Juniper warns, that some apps request permission to clandestinely initiate outgoing calls, send SMS messages and use a device camera. An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device. I am of course talking about the famous and infamous US Navy PlaceRaider (3).
Thankfully the Navy hasn't released this code but who knows if someone hadn't already jumped on the wagon and started making their own pocket sp?. CIO magazine (4) somewhat reassures us though, that the "highly curated nature of [smartphone] application stores makes it far less likely that such an app would "sneak through" and be available for download."
A summary by The Register (5) of the Juniper Networks audit reads that Juniper discovered that free applications are five times more likely to track user location and a whopping 314 percent more likely to access user address books than paid counterparts. 314%!!!
1 in 40 (2.64%) of free apps request permission to send text messages without notifying users, 5.53 per cent of free apps have permission to access the device camera and 6.4 per cent of free apps have permission to clandestinely initiate background calls. Who knows, someone might just be recording you right now, or submitting your photo to some covert database in Czech Republic — without you even knowing that your personal identity is being compromised.
Google, by the way, is the biggest data recipient — so says The Wall Street Journal. Its AdMob, AdSense, Analytics and DoubleClick units collected data from 40% of the apps they audited. Google's main mobile-ad network is AdMob, which lets advertisers target phone users by location, type of device and "demographic data," including gender or age group.
To quote the The Register on the subjec, the issue of mobile app privacy is not new. However Juniper's research is one of the most comprehensive looks at the state of privacy across the entire Google Android application ecosystem. Don't get me wrong. I love using Google's services and I appreciate the positive effect this company has had over how I live my life. However, with a shady reputation like Google's and with it's troubling attitude towards privacy (Google Maps/Earth, Picasa's nonexistent privacy and the list goes on) I sincerely hope that after reading this you will at least think twice before installing any app.
Links: (please excuse my links I'm a new user and cannot post links)
(1) forums.juniper net/t5/Security-Mobility-Now/Exposing-Your-Personal-Information-There-s-An-App-for-That/ba-p/166058
(2) online.wsj com/article/SB10001424052748704694004576020083703574602.html
(3) technologyreview com/view/509116/best-of-2012-placeraider-the-military-smartphone-malware-designed-to-steal-your-life/
(4) cio com/article/718580/PlaceRaider_Shows_Why_Android_Phones_Are_a_Major_Security_Risk?page=2&taxonomyId=3067
(5) theregister co.uk/2012/11/01/android_app_privacy_audit/
____________________________________________________________________________________________
Now I am proposing a discussion. Starting with - do we have the possibility to monitor device activity on the phone? By monitoring device activity, such as outgoing SMSs and phone calls in the background, the camera functions and so on we can tell if our phone is being abused under the radar and against our consent. What do you think?
.
I am finding it sad and troubling but even more so ironic that nobody here cares about this stuff.
Pdroid allows you to tailor your apps and what permissions your device actually allows on a per app basis. Requires some setup, and the GUI is nothing fancy.. but for those worried about permissions, it is quite ideal.
Edit : http://forum.xda-developers.com/showthread.php?t=1357056
Great project, be sure to thank the dev
Sent from my ADR6425LVW using Tapatalk 2
DontPushButtons said:
Pdroid allows you to tailor your apps and what permissions your device actually allows on a per app basis
Click to expand...
Click to collapse
Sounds good for a start, I'll look it up
pilau said:
Sounds good for a start, I'll look it up
Click to expand...
Click to collapse
Okay, so I looked it up, and Pdroid does look like a fantastic solution to control what apps have access to what information on your droid.
However, it doesn't cover monitoring hardware functions such as texts being sent, calls being placed etc. as described in the OP. Besides, it only works in Gingerbread as far as I could gather.
EDIT: looking at PDroid 2.0, it does exactly what I originally asked
pilau said:
Okay, so I looked it up, and Pdroid does look like a fantastic solution a control what apps have access to what information on you droid.
However, it doesn't cover monitoring hardware functions such as texts being sent, calls being placed etc. as described in the OP. Besides, it only works in Gingerbread as far as I could gather.
Click to expand...
Click to collapse
I actually first found out about it on an ics rom, so it's definitely not just gb. As for monitoring, no clue. Any sort of extra process logging would likely bog down resources or space eventually.
Sent from my ADR6425LVW using Tapatalk 2
DontPushButtons said:
Any sort of extra process logging would likely bog down resources or space eventually.
Click to expand...
Click to collapse
I definitely wouldn't know. This solution looks very complicated in first impression but on the Google play page it says 100% no performance effects.
Anyway, I looked up PDroid 2.0 here on XDA, which is the rightful successor of the original app. It does everything the original app does and also monitors many device activities! Here is the full list of features. I would add a working link but I'm still a n00b and I am restricted from doing so. Sigh....
forum.xda-developers com/showthread.php?t=1923576
PDroid 2.0 allows blocking access for any installed application to the following data separately:
Device ID (IMEI/MEID/ESN)
Subscriber ID (IMSI)
SIM serial (ICCID)
Phone and mailbox number
Incoming call number
Outgoing call number
GPS location
Network location
List of accounts (including your google e-mail address)
Account auth tokens
Contacts
Call logs
Calendar
SMS
MMS
Browser bookmarks and history
System logs
SIM info (operator, country)
Network info (operator, country)
IP Tables(until now only for Java process)
Android ID
Call Phone
Send SMS
Send MMS
Record Audio
Access Camera
Force online state (fake online state to permanent online)
Wifi Info
ICC Access (integrated circuit-card access, for reading/writing sms on ICC)
Switch network state (e.g. mobile network)
Switch Wifi State
Start on Boot (prevents that application gets the INTENT_BOOT_COMPLETE Broadcast)
I've always had the luxury of someone else integrating it into the Rom, then I just had to set it up through the app. It is time-consuming, but not very difficult at all. I say give it a shot and see if that's what you had in mind. Maybe the logging is less detrimental than I had previously thought.
I'm sure you could get your post count up by asking for some tips in that thread. Every forum on xda has at least one person that's EXCESSIVELY helpful, frequently more. So have a ball
Sent from my ADR6425LVW using Tapatalk 2
Pronounced "say candy", the goal of SecAndy is to come up with as secure and private of an OS as possible. So as not to reinvent the wheel, we'll base this initiative on our open source code of choice (Android or maybe other developers' choice).
I am not a developer myself but I can without a doubt, because of former professional experiences, organize a project and gather the right people together as a community in order to make sure that project sees the light of day after it has acquired a life of its own if needed, which I think we will agree is something that this kind of project requires because of the scrutiny it will quickly attract.
I am officially calling upon this post all interested developers that could help us fork Android or other open source OS.
Let's get a kickstarter funded and let the party begin. I will update you later today on the advancement of such.
This thread welcomes constructive ideas and developer participation, but here are beginning requirements we'll need to fulfill eventually to privatize and secure android :
- default browser allowing custom search engines such as https://ixquick.com or duckduckgo
- default system search pointing to those custom engines for online component
- control of gps at firmware level to allow full disability
- peer to peer file exchange (think BitTorrent sync) with 1024 to 2048 bit encryption
- implementation of secure sms and mms exchange (think textsecure)
- implementation of encrypted voice channels (think redphone or SIP with end-to-end encryption)
- root vpn for all online access
- systemwide warning of insecure solutions (example : wanting to use gmail or regular email)
- PGP transparent email solution
- Tor option for root vpn (subject to mitm attacks but more on that later)
- peerguardian type auto-updated database to identify suspicious IP address ranges
- systematic in-out firewall control auto updated with peerguardian database and community based rules database
- hardened malware protection and app permissions with automatic permission audit based on application type
- full device encryption and lockup (in case of unauthorized user)
- full remote wipe out and bricking with auto IMEI reporting (in case of theft, might have to be amended because of attack vector)
- full remote location capability with real time tracking (that one might have to be scratched, high security risk because of attack vector)
This obviously doesn't cover all the bases but would be a good start... I know a lot of these options can be implemented with a mismatch of apps and custom Roms but having it all at an OS level AOKP style would greatly help in building an android by the people for the people community that could eventually loosen the stranglehold of less than transparent corporations.
60 views in 24 hours and not one comment. Obviously I'm approaching this the wrong way. More news at 11.
e-motion said:
60 views in 24 hours and not one comment. Obviously I'm approaching this the wrong way. More news at 11.
Click to expand...
Click to collapse
I don't want to be insulting, but no programming work has been done on your part, and you're just asking for people to dive in this project to get managed by someone they never heard of. It's not really surprising no one has commented yet.
I understand what you're saying but any comment, even if only just to show interest in such a project, will be key to drive developers to it.
I might not have started any development but I have clear understanding of how to design secure solutions. I can't go into details of why that is, however you can clearly see with my 2nd post that some research has been done. If I wanted a solution for me alone, I could just go on with my own little pudding of custom ROM and security apps.
However, because of the recent news events that SHOULD have awaken this population, I thought now might finally be the right time to try to get such a project off the ground. But without anyone even showing any interest, why would any developer be drawn to it ? If people would rather focus more on content consumerism than on what might happen under an umbrella of spooks that they're paying for with their taxes, then they have learned nothing from history and deserve what's coming to them, simple as that.
This is NOT a development thread in case you haven't noticed, so telling me I haven't developed anything yet is not even relevant.
In case anyone cares, this will be moved shortly in the t-mobile Note 2 Android development thread as a Touchwiz proof of concept ROM. Little steps, little steps...
Sent from my SGH-T889 using Tapatalk 2
mobile sec
While I am not a developer I would be interested in this project. I've been thinking about this a bit lately given recent events. I think a useful privacy preserving security related app and phone combo might have these features:
-some way to separate the baseband processor (radio) from the OS. It seems most phones share memory with the radio and this fact can and has been exploited. Own the bb processor and you own the phone. Perhaps a 3g dongle plugged into an android phone in host mode would work. Some of these usb "data only" radios can be unlocked for voice too. I believe a rooted phone with IP tables/firewall running would be much more secure than a conventional mobile phone.
-an anonymising network for connecting to servers/peers. I think the i2p network is well suited for this purpose. Rather than connect to services that are not designed with your anonymity/privacy in mind, connect to hidden/darknet servers that make it extremely difficult to ascertain your real IP and location. Perhaps an i2p router running on your home computer relaying i2p traffic while also maintaining a long lived encrypted connection to your mobile in order to "push" data to it. In this way the user benefits from the anonymising network, contributes to the network, but doesn't have the battery drain of relaying packets from the phone (if this is even possible).
-end-to-end encryption. Perhaps OTR messaging for texting and perhaps openPGP for transferring binary files as I don't believe file transfer in OTR is available at this time.
-an app that uses the above network that is capable of sending/receiving encrypted text, audio, video, gps location etc and does not leak any personal information that you don't want leaked. XMPP might be a good choice (with perhaps out-of-band binary transfers for efficiency). Giving your unique identifier to another person that is using the same app would allow you to communicate with them while not revealing your phone number, imei, imsi, etc. There would be some latency in the communication especially with binary transfers but I would gladly accept that for the added security.
anyway, just wanted to add this to the conversation and hope to see this project take shape as we definitely need more security enabled os's and apps.
Freeware isnt something you really find much in the Android community.
You hear the term thrown around quite a bit, but even alot of what is termed as freeware, actually isnt.
The Lion's Share of Android apps are not Freeware at all, and the Vast majority of the so-called 'freeware' apps that are available for us to download & use daily are not truly freeware at all
I would like to draft a set of guidelines for what would ideally become a certification standard for the ethical creation & development of free apps
Apps adhering to this standard could be classified under this genre of apps, and even bear a symbol within the app, overlaid on its logo, showing users it belongs and mentioned in the app's description, showing users how it was developed, and stating that it adheres to the guidelines and fulfills the requirements of the new standard.
I would also like to compile a list of any existing apps which already meet these criteria
and all Apps filling these requirements will fall under the realm of this Guild.
Please feel free to offer your own ideas & input as to what you feel would be best for the end user, and any rules or criteria you feel are relevant to forming a framework of guidelines & prerequisites needed for apps to be called under this name, and be brought under the umbrella of this guild.
Please feel free to offer suggestions for the certification & class name and/or Guild name as well
this is all preliminary work, and I'm looking for anyone interested in helping to build this community and standard & promote its use.
There could be 2 classes of apps, Freeware & Benefit-Ware
Or there could just be one set of rules for each, stating "IF.. such and such, THEN... such and such"
If you are an App User, please mention anything you find annoying, bothersome, or troublesome.
If you are an App Developer who knows about or is displeased with the ethics and developments of certain apps which gives other apps and developers bad names, please mention anything you can that might assist us in reigning in the cowboys of the App Wild West.
Also, if somethings are simply & 100% "Not Possible" because of the Android OS, these would be issues the Guild will work to make Individual Device Manufacturers as well as the Android team at Google aware of
So, it could start something like this:
- An app should not contain ads nor promotions which cannot be closed or disabled
- An app should not contain any full-screen ads nor any ads which limit or effect user interaction with the app
- An app should not give reminders which pop up and ask the user for money, ratings, or to download additional apps
- All requests for financial support, ratings, and downloading of additional apps should be contained in the 'About' Section of the Apps Settings
- All apps which produce sound of any sort must include its Volume Controls, including in-app Mute
- All apps with services which wish to run at start up must include their own settings option to enable or disable "Start when Android Starts"
- An app must not Auto-start unless the User has specifically selected it to, nor shall it be kept running if it has not been manually Launched by a User since the last Boot time.
- An app must allow users to manually select the installation directory upon installation
- An app must have its own internal Uninstall button in the "About" Menu Settings
- An app must install 'portably', that is, without adding data to the internal phone storage
- All apps which save data must have a User-Selectable Save Location which can be used to replace the App Default Save Location
- All Apps must Uninstall completely and leave no folder behind, asking users whether or not to uninstall specific items which might contain important user data
I hope other people can add to this list
thanks
I would like to stress that this isnt a knock on any existing programs, nor do I expect anyone to change what they are doing who isn't willing to.
If you hate the idea of this, please continue doing what you are doing.
This is for people who want to join or participate because these are the apps they would prefer to use, or make.
thanks
Others may include:
- An app must ask users whether or not the user wants to add a shortcut to the users default Home screen, regardless of the user's own phone settings. Perhaps an "Allow Shortcut" selection for Shortcuts which are going to be added
- An app must ONLY install shortcuts to the program currently being installed, and can in no way add shortcuts to the Home screen, the apps drawer, or the installation directory, to any other program nor any website at all.
- An app may include a single, small, unobtrusive "Donate/Beer" button on a menu bar with other menu buttons, but to be at the far right or farthest/last menu item available on the menu
- An app must not include permissions for anything other than the express intent & use of the app for its specified purpose.
- No app may, at any time, access a users personal information unless the app has direct interaction with such information as directly related to a service it is providing as a primary function of the app - And even then, the apps access to information must not be sent online nor over the internet unless specified as such due to it being a primary function of the app - and if & when personal information is sent online, the owner of the server must have a secure server which is not accessed by himself or his employees, but in which information is automatically transferred by software to and from the end users needed locations, and to no other place shall the information be passed - Nor shall it be kept on the server while not being sent or received to/from the users locations, without the users express consent, as an additional option.
- A "Primary Function" is defined as a Function which is the main or only reason a user installs or interacts with the site, and will be the main focus of the apps description
- Secondary Functions are not allowed to gain internet access, nor have any interaction with any online server or service, nor be granted any access to personal information nor any stored data outside the apps own install directory, etc.
- Apps must, in a written disclaimer provided in the "About" section of the apps own settings, give specific details as to the apps permissions and justify with specific reasons and technical details why each function requires each form of permission, and exactly how the app will use each permission, including server specifications & information-handling specifics, where applicable.
- Apps qualifying for inclusion in the Guild will clearly label themselves in one of 3 categories exclusively - Freeware, Benefitware, or Trialware.
- Apps labelled as Free, or containing the word "Free" must 1.) be 100% ad-free, 2.) not be a Trial, 3.) be fully functional, & 4.) not bother users for payments, ratings, etc.
- Apps labelled as "Benefitware" may include 1.) ads adhering to the guidelines for the inclusion of ads, 2.) requests for financial assistance in accordance with the guidelines for requests of Financial Assistance, 3.) Added Functionality which is above and beyond the scope of the original, feature-rich, fully-functional program, & 4.) Other items which are primarily of benefit to the developer, but which adhere to the guidelines of Enjoyable, Unfettered User Interaction
- Apps labeled clearly as "Trialware" may 1.) Limit the functionality of the apps Primary Functions, 2.) Must have a fully-functioning trial period of no less than 30 days, 3.) Must not be limited in any way during the Evaluation Period (e.g. no "20-character", "2-page", "3-time" limitations, or the such), & 4.) after the Trial Period, the app will be completely 100% uninstallable, and a re-install of the app on a specific device will begin a new 30-day evaluation (Users will not be treated like criminals nor presumed Guilty of Fraudulent use before proven otherwise).
- Other apps will not gain classification, certification, or inclusion in the Guild, and may refer to themselves in anyway they care to, but may broadly be referred to as "junkware" if they are found to not conform to the Principles, Guidelines & Statutes set forth and adhered to by the Guild & its Members & Affiliates
-
Also:
- An app must have an option to turn off Automatic updates, and may not self-check for updates otherwise.
- All Settings a User sets must be permanent and may not be reset nor shall those permission requests for updates, etc, be altered or changed nor be made to reappear, nor require the user to specify the same setting more than once.
- No app shall ever contact its servers for anything other than a user-launched request for the specific function required by the user at the time of the request.
- No app nor server nor company shall in any way interact with its apps or servers in anyway other than to execute the exact function called for by the user according to the UI meaning and implicit intent of the action
-
I have checked almost all the setting of it..But couldn't find the prior results..What are the other alternatives of it?
MarkanthonyDonald said:
I have checked almost all the setting of it..But couldn't find the prior results..What are the other alternatives of it?
Click to expand...
Click to collapse
Hi, markanthonydonald. welcome to the forum, I see this is your first day registered, and your first post no less.
That's right, all the prior results are belong to the settings of it t almost at all from the prior r results, but dont stop trying your point o of that the alternatives are to us, and thats the most bases of it. ll
-
I like the idea of this, and from what youre saying and a few apps I use would fall into this category just fine IF certain things were moved into the 'about' option. How or why a dev would change their current, 100% working fine app, to modify this I dont know.
robneymcplum said:
I like the idea of this, and from what youre saying and a few apps I use would fall into this category just fine IF certain things were moved into the 'about' option. How or why a dev would change their current, 100% working fine app, to modify this I dont know.
Click to expand...
Click to collapse
Great Idea!
- An App must have a complete Version History contained in the About Menu Settings, or a Menu Item Devoted to Version History, with Detailed explanations as to why the changes were added, and if they are only to fix a bug with device x, why is it recommended to install it if you arent using that device
- Each App Update should be available as a complete App Stand-Alone APK installer, or installable from the Play Store Directly. No App should require Updates, nor provide updates for which there is no Standalone APK or an updated Google Play Installation.
alot of devs set up their apps just good enough to get on Google play, without getting kicked off, and then after you install it, they update the app with functions & behaviors that would get it kicked from the Play Store.
great work catching that one, thanks
-
robneymcplum said:
I like the idea of this, and from what youre saying and a few apps I use would fall into this category just fine
Click to expand...
Click to collapse
If you know of any solid apps that you believe fall into this category, or easily could, please post them here
We need a list of example apps that we feel embody the spirit of honesty, transparency, user-centric programming & packaging, and which are either made in the spirit of true freeware, or made in the spirit of goodwill, and have either Benefitware or Trialware which adheres to consumer-oriented needs & interests
The following behaviors DO NOT qualify for inclusion in the Guild:
- Any app which appears desperate to flash things in front of your face, particularly things which flash or change scenes or color rapidly, change in a single frame, or less than a 1 second cross-dissolve, and which are overly animated, bothersome, annoying, or which may lead to epileptic reactions, which cannot be permanently closed or disabled for the duration of the session.
- Any app which appears to desperately or urgently present users with matters of no immediate significance or importance to the user. This includes the pestering need for ratings, requests for financial assistance, downloading of the developers other apps or partner apps, offers to visit the Play store or any other external website, etc..
- Any Benefit-ware app with any full-screen advertisement at all, from Internal or external sources used to promote the sales, use, or downloading of its own other products & services or those of an external company
- Any Benefitware which does not allow you to close a bar-style advertisement with a clear, easily-accessed, and adequately-sized close button
- Any Benefitware which re-opens an ad which has been closed within the same 24-hour period, or since reboot.
- Any Trialware which limits functionality of its products to a state inconsistent with the primary function of the app
- Any Trialware which does not allow a minimum 30-day trial period
- Any Trialware which limits the functions within its trial period in any way
- Any Trialware which doesnt openly allow a re-installation of a Trial package on fresh uninstall/reinstall
A user is to be given as much time as is required for him/her to fully evaluate the product. Often times a user may begin a 30-day trial period, only to never have the time to use it, including having no time to even look through it the day it was installed
Furthermore, All apps containing promotions of their own products are to be classified as Benefitware, and not Freeware, even if there are no ads from external advertising companies.
Feel free to add to this list, or to add an app you believe warrants inclusion for its programming efforts, ethics, & merits
-
A similar Evaluation Period problem arises when users are given a 30-time evaluation. As one "Evaluation" day is simply a 24-hour period since the app was launched.
Launching the app by accident, or launching the app and immediately closing it, removes evaluation days from your trial, days in which no evaluating took place.
Even if we give each launch a time-specific interval where an app which is running for 10 or 15 minutes is considered "Evaluated" for one day, it doesnt take into account that launching the app then closing it where it sits opened in the background still takes away your evaluation days, or opening it, then answering the door or going to grab a sandwich also takes from your evaluation period
We could find other solutions to this problem, but one of the primary characteristics for an app or developer to be included in the Guild is to treat the user as if they were a guest in an actual store, and not a criminal pirate on a baby-killing spree, meaning:
- No app or developer should treat a user like a criminal, nor assume he is engaging or will engage in criminal activity, nor accuse him of such activities, nor behave in a manner which displays mistrust or accusations of users
- An app & developer must leave it to fate, heaven, and the common goodwill of mankind to have its requests & guidelines (such as for trials, etc) met, and can in no way behave in a manner which is inconsistent with good will
- All agreements made will be made in Good Faith with the community at large
you wont walk into a department store and be tackled by the security guards and forced to pay for something you didnt even try on, simply because you touched in on the rack, or be banned from the store for life until you do pay for it.. simply because the paranoid psychotic lunatic in charge of the store thinks everybody who walks into his store is a dirt-poor crack-head criminal out to steal his supremely precious goods
-
Also:
- An app is not to be created for the sole intention of Data Collection or Information Gathering, and apps which appear to do so will be blacklisted
- An app is not to be developed or created for the primary purpose of spreading advertising spam, shady promotions, other sites & services, etc, and any app found to be out of balance with respect to this criteria will be blacklisted
- Any app found to be in breech of any of the guidelines shall be blacklisted. Concerned Members could write a letter to the developer instructing them on the things they could change for inclusion in the Guild, if they so choose
- No app shall include advertisements or links of/to any shady or malicious programs or websites, including phishing sites, spoof sites, porn sites, or any site which executes malicious code or scripts, or which is deemed as an unhealthy website, program, or service by the world-wide community of web experts as a whole
- Any app or developer found in severe breech of the spirit of the Guild will be banned for life. Severe offenses include things such as falsifying information, deception, betrayal, lying, perpetuating viruses/malware or web-based attacks, hacks or intrusions, or stealing private information & personal data; the gathering of personal data for uses unspecific to the service or which willfully compromise the security & privacy of users; or if an app or developer is found to be using the information & data of users in a way which destroys the Integrity & Trustworthiness of the app & developer, and undermines, corrupts, corrodes, or destroys the Trust & Faith the community has put in the app & developer
-
chinarabbit said:
If you know of any solid apps that you believe fall into this category, or easily could, please post them here
Click to expand...
Click to collapse
I use zeam launcher, that definetely qualifies.
robneymcplum said:
I use zeam launcher, that definetely qualifies.
Click to expand...
Click to collapse
Cool, thanks
It seems its not under development anymore.
Perhaps a goal of the Organization can be to encourage, promote, or reward excellence in Programming as well..
It may help to motivate devs who've grown disassociated or whos apps may not be getting the attention they deserve.
I currently use Lightning Launcher, and I would definitely say it qualifies as well. It has the most features of any launcher I've tested, and one of the smallest foot prints as well.. its fast and minimalistic, and completely free, and never bothers you about anything.. it has more features than you'd expect from any high-priced app.. if it has additional paid options I dont even know, as the app is extremely feature rich and has all the functions you could ever want, and many more you havent even thought up yet
These kinds of apps make using Android Phones worthwhile
-
Other important requirements -
- Any App wherein the user enters personal, private, or sensitive information, which has the ability to sync Across Devices & Computers through Web-based Servers, shall:
- Provide a switch to turn off all syncing options & functions
- Provide an adequately useful method for SD Card Storage export which is not dependent on the software which was used to create it
- Be fully functional, practical & useful, as per the intent for use of the primary function of the app, in an offline state.
- No app shall automatically start Services such as GPS, Wi-Fi, etc, without offering a user Prompt for acceptance of such actions
- All apps which turn on services like GPS, Wi-Fi, Bluetooth, etc, shall contain a settings option to permanently disable turning on of any such external services
- All information Sent or Received through online servers or web services shall be secure & inaccessible by the host, in the following ways:
- The information & data sent by users shall enter the server and leave the server, and not be kept on the server except for the brief moment during transfer, without being subject to any sort of copy mechanism, nor filter, nor scan, nor shall accessing the content in any way while the information is passing through the server be allowed
- Information & Data uploaded to storage servers for later access by users shall be encrypted by the server administrators with 128-bit encryption, and be stored thus encrypted until it is Retrieved from the server by the user or users granted password access by the owner of the information.
- Server administrators & owners are forbidden from accessing any user information on their servers, and must encrypt the files & user data in such a way that its available only to the user, and otherwise remains in a software-encrypted state upon the server, inaccessible by server admins & owners
- Servers shall be vigilantly maintained and frequently tested for security
- If a server is used for "cloud" storage by the user, the User Data shall be backed-up in an Encrypted state, and frequently tested for data integrity
- Servers which are not secure and which do not encrypt user files & data files, or which do not design themselves to be secure from admin access of data and other third-party viewers, shall be known as "Public Servers", and a Warning Prompt shall appear on the device or computer each time the Server is accessed and data is sent or received (there shall be no method for disabling this prompt). The Warning Message shall clearly state the user is accessing a "Public Server" (capitalized) and that any data sent or received is freely viewable to third-parties, and server owners & administrators shall include themselves as third-party viewers
- First Party users & viewers (hereafter referred to as the "Owner") are designated as both the Device & User which uploaded the data to the server for storage
- Second Party users & viewers are defined specifically as both the Device & User which downloads or accesses the data which was previously stored, and who has been given password-protected permission by the Owner (First Party)
-Third Party is broadly inclusive of any organization, company, or individual who has access or potential access to the Owner's Data. Third Party also includes Devices, Computers, Servers, & Software which handles, accesses or views (or has the potential to do so), in an unencrypted state (not 128-bit or higher), any data or information belonging to or uploaded by the First Party / Owner, with the exception of Software or an Algorithm accessing the data for the sole purpose of automated Encryption to 128-bit level, or decryption from 128-bit, which does not copy, record, send or store any user-sent/received data at all, and which no other software or entity views, has access to, or monitors, records, sends, or retrieves in any way whatsoever
- "Encrypt" (also Encryption, Encrypted, Encrypting, etc) is defined as 128-bit automated, unmonitored software / algorithm encryption processed by a program without oversight or monitoring by any other software, algorithm, or entity,and which has no other function other than Encryption
- To Qualify for Inclusion in the Guild, Server owners must open up their server modules, processes and other relevant information to review by the Guild or one of its member affiliates for inspection, review, & certification. Server Owners must also provide sworn affidavits stating the integrity and security of the data, and how the data is used, who has access, how information is processed, transferred, encrypted, etc. and submit said Affidavits to the Guild before being removed from the Guild Security Blacklist.
-
I think we've already narrowed the list of qualifying software to less than what's available for Windows Phone
-
A qualifying app must also have the ability to retain full functionality after an Android OS reinstall.. meaning a portable install or an install which can use existing files found in File System Root/data/data without errors when reinstalling the app
No developer shall make any requests for donations or monetary compensation of any kind, who has included in his app any form of advertising or which has been given any permissions pertaining to user data & usage information
No App shall require specific permissions for advertisements or promotions.
No in-app advertisement shall require any special permissions or access whatsoever.
No advertisement or information gathering function shall piggyback on other functions requiring access or permissions, nor shall any advertisement or information gathering function utilize access or permissions granted to the app for its core, non-advertising, non-data collecting, non-marketing functions