Poor SSL Implementations Leave Many Android Apps Vulnerable - Android Software/Hacking General [Developers Only]

Originally Posted by timothy on Saturday October 20, @08:27AM
from the that's-why-they-buy-guns dept.
Trailrunner7 writes "There are thousands of apps in the Google Play mobile market that contain serious mistakes in the way that SSL/TLS is implemented, leaving them vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information. Researchers from a pair of German universities conducted a detailed analysis of thousands of Android apps and found that better than 15 percent of those apps had weak or bad SSL implementations. The researchers conducted a detailed study of 13,500 of the more popular free apps on Google Play, the official Android app store, looking at the SSL/TLS implementations in them and trying to determine how complete and effective those implementations are. What they found is that more than 1,000 of the apps have serious problems with their SSL implementations that make them vulnerable to MITM attacks, a common technique used by attackers to intercept wireless data traffic. In its research, the team was able to intercept sensitive user data from these apps, including credit card numbers, bank account information, PayPal credentials and social network credentials."
Reference http://yro.slashdot.org/story/12/10...mentations-leave-many-android-apps-vulnerable
I myself have implemented them for shopping apps (SSL for anything dealing with user details, payment, etc.). When you're communicating with an external service that requires (or where you want to use) encrypted connections and that service only offers SSL (this is probably 90% of the time) you need to use it. Now the catch here is that the standard SSL handlers available to you in Android provide an "ideal" setup, where servers and certs are exactly as they "should" be. The problem is unless you are paying ridiculous amounts for dedicated SSL services and high quality certs your setup will not be the "ideal", and you'll have to make exceptions by overriding code.
As an example, in the shopping system I set up there were two sets of certs, one set was signed [payment gateway] the other wasn't [user control panel]. I had to jump through a few hoops, and the app would be open for man-in-the-middle if set up right - but luckily all they'd get would be user login details, address and phone number - billing is all external and requires a separate authorization.
As spreading news about the issue would only help protect the privacy and crucial information of consumers,
all discussion regarding this issue is welcome; kindly try to focus on fixing this issue.
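The "exception by overriding code" described above usually means replacing Android's default certificate validation. The following is an added example, not code from this thread or from any of the linked studies: it puts the common insecure override (a trust manager that accepts every certificate, which is exactly what makes an app open to a man-in-the-middle) beside a hardened version for the same situation, where the control-panel server uses a self-signed certificate. Assumed names: the class `PanelTls`, the raw resource `R.raw.panel_ca` (the app's own copy of the server's certificate, bundled at build time; `R` is the app's generated resource class) and the URL passed to `openPanel`.

```java
import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name): two ways to reach a server whose
// certificate the platform's default handler rejects because it is self-signed.
public final class PanelTls {

    // INSECURE: the shortcut many apps take once the default handler throws.
    // Every certificate is accepted, so an attacker on the same Wi-Fi who
    // presents any certificate at all is indistinguishable from the real server.
    static SSLContext insecureContext() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        return ctx;
    }

    // HARDENED: a trust store that contains only the app's own copy of the
    // server certificate (R.raw.panel_ca is an assumed resource name). Chain
    // validation still runs, but the only trust anchor is this one certificate,
    // so a self-signed cert no longer needs a paid CA and an attacker's cert is
    // rejected. Hostname verification is left at the HttpsURLConnection default.
    static SSLContext pinnedContext(Context appContext) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        try (InputStream in = appContext.getResources().openRawResource(R.raw.panel_ca)) {
            ca = cf.generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                   // start empty: no system CAs in this store
        ks.setCertificateEntry("panel", ca);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Apply the pinned context to this one connection only (not via
    // HttpsURLConnection.setDefaultSSLSocketFactory), so connections to the
    // CA-signed payment gateway keep the platform's normal validation.
    static HttpsURLConnection openPanel(Context appContext, String urlString) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        conn.setSSLSocketFactory(pinnedContext(appContext).getSocketFactory());
        return conn;
    }
}
```

The two contexts differ in a single place, the trust managers handed to `SSLContext.init`, which is why the insecure variant is so easy to ship by accident: it compiles, it connects, and nothing in the app's behaviour reveals that validation is gone. A quick check when reviewing an app is to search for `X509TrustManager` implementations with empty `checkServerTrusted` bodies and for custom `HostnameVerifier` instances that return `true` unconditionally.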

Related

[Q] Security Threats to Smartphone Users are on the Rise

It's been a long time since I had a virus problem with my device,
but people just put it together: this article is 90% true.
Me personally, I'm using Android, but this OS is open source and I don't think Google forgot about security tools. If I'm going to be a victim of data theft, defensively I'll change to a different OS.
http://techpp.com/2011/07/04/why-security-threats-to-smartphone-users-are-on-the-rise/
*** Why Security Threats to Smartphone Users are on the Rise
Guest Post by Fergal Glynn.
It’s in the news more and more. The number of viruses, malware, and a number of other ‘virtual illnesses’ affecting smartphones has already caused billions of dollars in damage. In fact, a recent study by Juniper Networks estimates malware attacks on Android have increased by 400%. But why the sudden interest? They’re a better target, and here’s why:
Smartphones hold more information
Today, phones are a portable hub for all the information in our lives, including business and personal. This means, with one hit, a hacker could potentially gain all of your personal and financial information, in addition to gaining the information they need to penetrate a business infrastructure. With that, they simply need to set up a spear phishing attack, and the hackers can access a full range of sites, accounts, and systems.
Free Internet is not so Free
Is your favorite free WiFi spot really free? Or is it a fake network set up by someone with less than honorable intentions? Because many smartphones automatically connect to open networks (and save them for future use!), it makes them a prime target. Once someone malicious has gained access to your smartphone, they can gather all of your account details, passwords, personal information, financial details, and other informational gems you send through your phone.
No Security Software
Just like a car thief looking for unlocked doors and keys in the ignition, hackers will prey on the easiest targets they can find. Most of the time, this means smartphones. And why not? They often connect to open WiFi networks and usually don’t have any sort of security software installed. Therefore, once attackers gain access, there’s nothing stopping them.
Users Aren’t Aware of the Risks
Because many people who own smartphones think they’re immune to attacks, hackers can ‘live’ in a phone for months or even years without being detected. Imagine the sheer amount of information you share during the year. With that kind of information, banks, business sites, email accounts, personal identities, and all sorts of networks would be at risk. To make matters worse, any attempts by the attackers to gain additional information would be even harder to detect because they would be better able to disguise their phishing attempts.
More Opportunities For Attacks
Smartphones use the Web, SMS, email, voice, apps, and many other methods to communicate with other people and devices. This leaves them wide open to a number of different attacks and gives a determined hacker more options than he’d have with a regular computer. In fact, experts believe it’s even possible for hackers to use the device’s microphone to record voice communications and scan them for calls containing useful information such as those made to a bank or credit card company.
Real Life Threats
Because of their portability, smartphones are much easier to steal than laptops or other communication devices. To make matters worse, many users don’t lock or secure their phones, and even fewer use location services. This means, once a thief gets his hands on a phone, they can access everything, and the user can’t even wipe the phone clean to minimize the damage.
The best way to protect against mobile attacks is to be aware and prepared. To start, install security software, use secure connections, invest in locate and remote wipe services, use strong passwords, and minimize the amount of information you store or use on your smartphone. After all, the more ‘doors’ you close to attackers, the less likely you are to become their victim.
****
Our devices don't have as much security as we need. And almost all the apps that you install are reading your phone call identities; you can't be so specific with each app that you install and check them all. Is there any way to avoid such a disaster?

[Suggestions & Discussions] Why mobile security matters

Hey XDAian...:laugh:
Get ready for few suggestions & discussion.
Based on some pretty interesting facts about "mobile in general", the smartphone segment has brought accessibility to millions around the world, at work and at home. Naturally, all the data in those devices, wirelessly accessible, becomes a gold mine for those with nefarious motives to exploit.
On the work front, smartphones are a huge contributor to productivity. At home, they provide meaningful and useful (and sometimes redundant) ways to stay in touch with friends and family. The more of these devices we buy, the bigger the opportunity is for criminals, because there are so many ways to get the data. We might lose a device, or it is stolen, we might download a bad application, or soon brush against an NFC tag or visit a bad web-page. The possibilities are so diverse compared to a PC or server farm hardwired to the internet.
With the tremendous growth of the smartphone market not expected to slow down anytime soon, people and organizations must be vigilant in guarding against breaches of their data and/or personal information. Even as organized hackers work on ways to score the high-value breach, they are working on high-volume, low-risk attacks against weaker targets as well.
In addition to some tips about securing mobile devices, the infographic has some interesting facts from 2011 in there as well, such as 855 breaches resulted in the theft of 174 million records.
We need some security applications for protecting our valuable data (like Msgs, Contacts, PIN codes etc). Therefore, from my side this thread belongs to all XDAians.
Please suggest the latest, finest applications & a few tremendous suggestions from all Devs, RC, RD & Members.
I like a Security based Application called LBE Privacy Guard to Prevent sending data through various applications installed at our Mobile.:good:
Some great ideas received from our XDA members, which follow here:
As this OP thread may become too long, for a better view just press "Show Contents" for their suggestions.
A Very Big thanks to Android Police, Phone Arena & Android Authority for survey about malwares & security.
How to secure your Android phone and protect your data
All software has security vulnerabilities. It is a fact. You only need to look at the software updates that are issued by the big companies like Microsoft, Adobe, Apple and Google to see how prevalent this security problem is. Smartphones aren’t immune, not iPhones, not Windows Phones and not Android. But there are some simple things you can do that will drastically reduce your exposure and help secure your Android phone or tablet, as well as protect your data.
A recent report by Check Point, the firewall maker, estimated that €36+ million has been stolen from corporate and private bank accounts in Europe by a group running a campaign of attacks known as “Eurograbber”. The campaign infected victim’s mobile phones with a piece of malware which could intercept SMS messages. When the victim used their online banking the SMS authentication code sent to the phone was intercepted. This then allowed the attackers to access the victim’s account.
Securing your smartphone and protecting yourself against malware isn’t about stopping some annoying virus getting on your device, it is about protecting your money, data and privacy.
There are several different areas in which you can improve your phone’s security including physical access, malware protection and encryption.
Who has access to your phone?
RULE #1 – Never leave your phone lying around where uninvited guests can access it
Before looking at things like malware and data stealing apps, the simplest form of security is to limit physical access to your phone. There may be lots of sophisticated remote attacks out there but if all I need to do is quickly pick up your phone and access your emails, PayPal, eBay or Amazon account while you pop off to get a coffee then all the security software in the world won’t do you any good.
RULE #2 – Use a lock screen
It is also essential that you use a lock screen. This stops everyone from small kids to determined snoopers from sneakily accessing your device. Modern Android versions have a whole gamut of lock screen options including pattern unlock, PIN numbers and password protection. To set these go to Settings and then tap Security. You can also customize how quickly the lock is automatically applied.
RULE #3 - Set a PIN to protect purchases on Google Play
It is also possible to set a PIN for purchases in Google Play. With the PIN any would-be trickster (or small child) won’t be able to buy content from Google’s app store. To set it, start the Google Play app, go to Settings and then tap “Set or change PIN”. After the PIN is set, tap “Use PIN for purchases” to require the PIN before purchasing anything from the store.
RULE #4 – Install a phone location app or use a security app with an anti-theft component
Keeping your phone nearby and using a lock screen will thwart snoopers but the determined criminal will simply just walk away with your phone and try to extract the data later or simply wipe your phone and try to sell it. The first few hours after your phone has been taken are the most critical. To find your phone it is important to use a phone location service like Where’s My Droid or install a security app with an anti-theft option like avast! Mobile Security.
Malware
RULE #5 – Don’t install apps from dodgy third party sites, stick to places like Google Play or the Amazon appstore
Because Android is so popular, it is normal for it to become a malware target. Malware authors don’t waste their time writing malware for a phone operating system that no one is using. This means that there is lots of Android malware out there. But here is the thing: how does Android malware spread? Unlike worms, which spread automatically over the network, or viruses, which tend to spread via USB flash drives etc., the majority of Android malware needs to be installed manually. There have been some exceptions but in general it is unsuspecting users that install the malware themselves onto their own phones.
The malware authors have lots of dirty tricks to try and fool potential victims into installing their malware. One very common approach is to offer a free version of a popular non-free app with the malware hidden inside the app. Greedy users think they are getting a bargain because they have managed to save $0.69, but in fact they are infecting their devices with malware. Over 99% of Android malware is spread via third party app sites. Don’t use them.
RULE #6 – Always read the reviews of apps before installing them
RULE #7 – Check the permissions the app needs. Games generally don’t need to send SMS messages etc
A small percentage of malware is spread via Google Play, but the apps in question normally only survive a few hours on the store before being removed. To avoid such rare cases it is always important to read the reviews of other users and always check the app permissions.
RULE #8 – Never follow links in unsolicited emails or text messages to install an app
If the malware authors can’t get you via a third party store or their apps are taken down from Google Play, they have one more trick, unsolicited emails and text messages asking you to install an app. In the “Eurograbber” campaign, what the attackers did was infect the victim’s PC with a piece of malware (something which is a lot easier than infecting an Android phone) and then via that malware they tricked the user into installing their “enhanced security” app on their phone. The PC malware monitored the victim’s Internet usage and when they went to an online banking site the malware pretended to be a warning from the bank telling them to install an app on their smartphone. It was all downhill from there for the poor victim.
RULE #9 – Use an anti-virus / anti-malware app
Even with diligence it is possible for malware to find its way on to your device. It is therefore important that you install an anti-virus / anti-malware app. The “best antivirus apps for Android” article will help you choose one, but if you don’t have time right now then go for Kaspersky Mobile Security (paid) or avast! Mobile Security (free).
Rooting
RULE #10 – Don’t root your phone unless you absolutely need to
Some of my colleagues here at Android Authority are very keen on rooting and I can understand why. The lure of custom ROMs and the ability to tweak different parts of the OS are all part of what makes Android great. But, Android was designed with a very particular security model which limits what an app can do. By rooting a device this security model breaks. Even the CyanogenMod team acknowledged that there are limited uses for root and none that warrant shipping the OS defaulted to unsecured. The problem is there are specific types of Android malware that circumvent Android’s security mechanisms by using the existing root access. With root access, the malware can access parts of Android that are supposed to be protected by the permissions system.
Encryption
RULE #11 - If your device has valuable data on it then use encryption
Since Android 3 it is possible to use full encryption on a phone or tablet. By encrypting your device all the data including your Google Accounts, application data, media and downloaded information etc. becomes inaccessible without the right password or PIN. Every time you boot the device you must enter the PIN or password to decrypt it. If your device has valuable data on it using this encryption is a must. NASA recently had an embarrassing episode where a laptop was taken that held personally identifiable information of “at least” 10,000 NASA employees and contractors. After the incident NASA decided that any devices that leave a NASA building need to use full disk encryption.
RULE #12 – Use a VPN on unsecured Wi-Fi connections
While on the subject of encryption it is worth remembering that if you are using a public unsecured Wi-Fi hot spot all of the data that is sent using http:// (rather than https://) can be seen by any network snooper. In the past security researchers have shown how easy it can be to steal passwords to the popular social networking sites just by using a laptop and waiting around near a public open hot spot. To avoid revealing your password and other data, don’t use open Wi-Fi hot spots or use a virtual private network (VPN) to secure your connection.
Conclusion
If you follow these twelve rules and remain vigilant you should never have any security troubles with malware, thieves, hackers or any small furry animals! OK, that last part isn’t true, but the rest is!
Source: Android Police
reserved for articles
Android malware perspective: only 0.5% comes from the Play Store
Are Android apps secure enough for us to let them handle our finances and personal information? Quite a few of them aren't, according to recent research that analyzed how well various applications protect the user's sensitive data. The study was conducted by the Leibniz University of Hannover, Germany, in partnership with the Philipps University of Marburg, and the researchers came up with a list of 41 Android apps that should use tighter security measures.
In particular, these apps were discovered to put the user's data at risk while a device running Android 4.0 is communicating with a web server. What's even more worrying is that these insecure apps were among the most popular ones on Google Play, having been downloaded between 39.5 million and 185 million times already. The names of the applications were not disclosed.
"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers wrote after conducting their study. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted." The contents of e-mails and instant messages could also be accessed.
But how could one use these apps' security flaws to their advantage? Simply put, if an Android smartphone or a tablet is connected to a vulnerable local area network, such as a Wi-Fi hotspot, an attacker could potentially crack the security protocols used by the apps and snoop on the data they exchange. Sure, the attacker will need to have a certain exploit monitoring the activity on the network, but obtaining access to such a tool isn't as hard as it may seem.
Scary stuff, we know, which is why there should be more awareness amongst developers about implementing proper security features within apps, as the researchers suggest. There are certain methods that can make security protocols tougher to crack, or the apps could simply be checked for vulnerabilities at the time they are being installed. In fact, Google is said to have ramped up security in Android 4.2, thus likely making the platform more resistant to hacks like the one described above. What measures have been taken, however, will be known with certainty in a few days – On October 29, to be more specific, which is when a new Android release is probably going to be unveiled.
For more in depth: check out here: Click Here
Over 60% of Android malware steals your money via premium SMS, hides in fake forms of popular apps
Like any popular platform, Android has malware. Google’s mobile operating system is relatively new, however, so the problem is still taking form. In fact, it turns out that the larger majority of threats on Android come from a single malware family: Android.FakeInstaller, also known as OpFake, which generates revenue by silently sending expensive text messages in the background.
McAfee says that the malware family makes up more than 60 percent of Android samples the company processes. So now the question is: why is this malware so popular amongst cybercriminals?
The reason is simple: it’s extremely effective. Android users seem to fall for fake apps on a regular basis. Furthermore, since the whole of the malware appears to make money, it’s not surprising that those behind this one continue to keep it updated. McAfee agrees:
Malware authors appear to make lots of money with this type of fraud, so they are determined to continue improving their infrastructure, code, and techniques to try to avoid antivirus software. It’s an ongoing struggle, but we are constantly working to keep up with their advances.
This malware type has been in the news for months, mainly because there have been so many fake apps created, including for popular ones like Instagram and Skype. On top of that, those behind it seem to keep adding various types of functionality to avoid detection by antimalware solutions, including server-side polymorphism, obfuscation, antireversing techniques, and frequent recompilation.
How it works
Cybercriminals typically create fake versions of a given popular Android app to earn money from unsuspecting users. There have also been instances of the malware being bundled with a legitimate version of popular apps. The apps appear to be legitimate, including screenshots, descriptions, user reviews, videos, and so on. Users never get the app they want, but instead get a lot more than they bargained for.
The malware authors often set up fake websites advertising the fake version of the app. Many of these are shared on questionable websites, but many are also shared on fake Facebook and Twitter accounts that spam legitimate users on social networks.
Upon installation, the malware often displays a service agreement that tells the user that one or more SMS messages will be sent. The user is forced to click an Agree or Next button, but some versions send the messages before the victim even taps the button. There are often fake progress bars to keep the user further in the dark.
Either way, the devil is in the details. In the background, the malicious app sends expensive international text messages to earn its creators revenue. Some variants even connect to a Command & Control (C&C) server to send and retrieve data, as well as await further instructions.
Early versions of FakeInstaller were created only for Eastern European users, but malware developers have expanded their fraud to other countries by adding instructions to get the device’s Mobile Country Code and Mobile Network Code. Based on that information, the malware selects a corresponding premium-rate number.
How to protect yourself
The good news here is that since this malware family is so prevalent, it’s rather easy to avoid it: just don’t download fake apps. Android lets you download and install apps from anywhere, but unless you know what you’re doing, you shouldn’t be installing anything and everything you can on your phone or tablet.
If you want to significantly reduce your chance of getting malware such as this one, only install apps from the official Google Play store. That being said, malware has snuck into the store before, so it can happen again.
As a result, the way to protect yourself is the same as on any other platform: don’t click on questionable links and don’t download random apps. Always check to see if what you’re getting is legitimate and you should be fine.
Android’s malware problem is getting worse, and only users of the latest version are safe from harm
Earlier this year, we saw a report that said there was a 163% rise in the number of malware-infected Android devices in 2012. As shocking as that figure might be, we have a new report now that says the problem has blown up even further.
According to a recently published report[1] from networking vendor Juniper Networks, the number of mobile threats grew an astonishing 614% from March 2012 to March 2013. This equates to a grand total of 276,259 malicious samples, according to research done by the company's Mobile Threat Center or MTC.
What exactly constitutes such a large amount of mobile threats? It is said that the majority of these mobile threats — 77% of the total — come in the form of money-siphoning applications that either force users to send SMS messages to so-called premium-rate numbers or somehow manage to perform the sending of SMS messages all on their own.
They go virtually undetected as they are normally bundled with pirated apps and appear as normal applications. Typically, these malicious apps can net their creators an average profit of about $10 per user, according to Juniper Networks.
As it is currently the most popular mobile device platform in the world, it's easy to see why Android would be targeted with such malicious activities. But perhaps you're wondering, is there anything that can be done to combat this problem?
Indeed, there is. In Android 4.2 Jelly Bean, a new safety feature was introduced in order to stop wayward SMS messages dead in their tracks. But that in itself is a huge problem: Android 4.2, the latest version of the Google mobile operating system, is only available on a tiny fraction of all Android-powered devices out on the market. In fact, many of today's newer devices don't even ship with it. So the relevant safety features, as useful as they might be, become pretty much useless.
Even worse, the money-making malware mentioned above represents only one type of mobile threat on Android. Android spyware is also present, accounting for 19% of the total malicious samples collected in the above-mentioned research. These could potentially put a user's privacy at risk, collecting sensitive data and all kinds of information then relaying them to the spyware's creator.
Trojan apps have also been discovered to be part of the overall Android ecosystem. Although they form a very small part of the entire body of mobile threats on Android right now, it is possible for them to become more widespread in the future. If the fix really only lies in having the latest version of Android installed on a device, and the issue of fragmentation — not to mention the slow software updates from carriers and OEMs — persists, that's almost a certainty.
What do you think could be done to finally overcome these kinds of problems? Will it be the end of Android as we know it? Let us hear your thoughts in the comments.
Mobile malware getting out of control? Study claims 614% increase on year, Android accounts for 92% of total infections
A terrifying report was released two days ago by the Mobile Threat Center arm (MTC) of Juniper Networks – a manufacturer of network equipment with a hefty stake in enterprise security. According to Juniper, its MTC research facility is dedicated to 'around-the-clock mobile security and privacy research'. The MTC found mobile malware growing exponentially at an alarming rate – a 614% on year increase reaching a total of just about 280,000 malicious apps.
Read full article here
A major app vulnerability has been found which can affect 99 percent of the Android smartphones on the planet.
A major app vulnerability has been found which can affect 99 percent of the Android smartphones on the planet. The issue was unraveled by Bluebox security, which claimed to have found an ‘Android Master Key’ that could allow a hacker to turn any Android app into a malicious zombie.
This basically means that an app could allow hackers to capture data and control a device remotely, without the owner and the app developer knowing about it.
And the kicker is that, this is not a new vulnerability as Bluebox has discovered that it has existed since Android 1.6 Donut, which is four years old.
Jeff Forristal, CTO of Bluebox securities, revealed that his company had found a way wherein a hacker could possibly load an app with malware and still make it appear to be a legitimate file. This bit is important because verified apps are granted full access by default on the Android system.
However, on the bright side apps on the Google Play store are impervious to this problem, so if one sticks to downloading apps from the Play store then one is in the clear. That said, there are a number of third party app stores and users can even download APKs directly off the web and here’s where the danger lies as it is possible for users to download tampered apps.
This problem is accentuated more in countries like China where users like to use local app stores over the Google Play store and many OEMs like Xiaomi don’t even bundle the Google Play store on the device by default.
Bluebox securities claims that it reported the problem to Google way back in February and the issue has already been resolved for the Galaxy S4 and currently Google is taking a look at the Nexus range of hardware.
Cryptographic bug in Android lets hackers create malicious apps with system access
Security researchers have found a bug in Android which allows them to create malicious Android apps which appear to be genuine with the correct digital signatures. In computing, digital signatures allow any piece of data, including an app, to be checked to see that it is genuine and actually comes from the author. Now, due to a bug in Android, it is possible to create a fake app and sign it so it looks like a real app from any author including Google, or others like Samsung, HTC and Sony.
Since the digital signatures of Google and handset manufacturers can be faked it is possible to create a low level system app which has absolute access to the device. These system apps, which have what is known as 'System UID access' can perform any function on the phone including modifying system-level software and system-level parameters.
If such an app is installed on an Android phone, the user would be completely vulnerable to a multitude of attacks including key-logging and password sniffing. The researchers at Bluebox Security informed Google about the flaw (Android security bug 8219321) back in February and are now planning to reveal details of the bug at an upcoming security conference.
More details -> here
Survey: Juniper Networks Whitepaper (Warning: PDF)
reserved.
Thanks for this thread buddy
Sent from my GT-N7100 using xda app-developers app
Tha TechnoCrat said:
Thanks for this thread buddy
Sent from my GT-N7100 using xda app-developers app
Great to see you here buddy. Actually I wanted to shift my whole thread here but the MOD denied and asked me to carry on with a new phase. So here I am.
Thank you Vikesh for creating this thread.
In my view
Every day, every hour and every minute, hackers are coming up with new viruses and malware.
Not only can they corrupt your phone but they can also steal confidential information like credit card numbers, passwords and other important data. So every Android user should spend some money on anti-virus software to save their confidential information and money, of course.
Sent from my GT-I9103 using xda app-developers app
Major app vulnerability found, could affect 99 percent of Android smartphones
A major app vulnerability has been found which can affect 99 percent of the Android smartphones on the planet. The issue was unraveled by Bluebox Security, which claimed to have found an ‘Android Master Key’ that could allow a hacker to turn any Android app into a malicious zombie.
Continue in post 3
Cryptographic bug in Android lets hackers create malicious apps with system access
Security researchers have found a bug in Android which allows them to create malicious Android apps which appear to be genuine with the correct digital signatures. In computing, digital signatures allow any piece of data, including an app, to be checked to see that it is genuine and actually comes from the author. Now, due to a bug in Android, it is possible to create a fake app and sign it so it looks like a real app from any author including Google, or others like Samsung, HTC and Sony.
continue in Post 3
Every GSM phone needs a SIM card, and you'd think such a ubiquitous standard would be immune to any hijack attempts. Evidently not, as Karsten Nohl of Security Research Labs -- who found a hole in GSM call encryption several years ago -- has uncovered a flaw that allows some SIM cards to be hacked with only a couple of text messages. By cloaking an SMS so it appears to have come from a carrier, Nohl said that in around a quarter of cases, he receives an error message back containing the necessary info to work out the SIM's digital key. With that knowledge, another text can be sent that opens it up so one can listen in on calls, send messages, make mobile purchases and steal all manner of data.
Apparently, this can all be done "in about two minutes, using a simple personal computer," but only affects SIMs running the older data encryption standard (DES). Cards with the newer Triple DES aren't affected; also, the other three quarters of SIMs with DES Nohl probed recognized his initial message as a fraud. There's no firm figure on how many SIMs are at risk, but Nohl estimates the number at up to 750 million. The GSM Association has been given some details of the exploit, which have been forwarded to carriers and SIM manufacturers that use DES. Nohl plans to spill the beans at the upcoming Black Hat meeting. If you're listening, fine folks at the NSA, tickets are still available.
Source: Tech Geek
"Thanks button is just to avoid "THANKS" posts in threads. Nothing more than that. Don't ask in signature or post for it and defeat the purpose why it was introduced"
Great info buddy. :good:
Thanks,
Disturbed™
Sent from my Disturbed™ Galaxy S4 using Tapatalk (VIP)
______________________________________________________
Wait for my time, U gonna pay for what U have done. - Disturbed™
Informative read. You also understand why the stores charge their Developer fees now. Not all third party sites host malware however. A lot of the buying community is ignorant (and understandably so) in detecting if malware has been applied. It's up to the community of ubiquitous OSs to report
JeffM123 said:
Informative read. You also understand why the stores charge their Developer fees now. Not all third party sites host malware however. A lot of the buying community is ignorant (and understandably so) in detecting if malware has been applied. It's up to the community of ubiquitous OSs to report
Can you provide more info on it?
Thanks,
Disturbed™
Sent from my Disturbed™ Galaxy S4 using Tapatalk (VIP)
______________________________________________________
Wait for my time, U gonna pay for what U have done. - Disturbed™
Malware using the Android Master Key intercepted in the wild, here's how to protect yourself
It was back at the beginning of the month when we first broke for you the news of a new, massive vulnerability, plaguing 99% of Android devices. First discovered by mobile security company Bluebox, the flaw was reported to Google back in February. Since then, Google has patched the Play Store and has provided its OEM partners with a patch for it.
Yet here we are again. And now it's official – the first detected malware taking advantage of the vulnerability has been intercepted by Symantec whilst running amok in China. The security giant reports that the code has been implanted in otherwise legit apps that help you find and appoint a meeting with a doctor. The source of the infected app? A third-party store, of course.
We won't get into the tech lingo, instead we'll just report that according to Symantec, the exploit grants said malicious code remote access to infected devices. This leaves the gates wide open, the company claims, for a wrongdoer to steal sensitive information such as your IMEI, phone number, and also send premium SMS messages and execute root commands.
Click here to know more
what is the best antivirus?
lolmann101 said:
what is the best antivirus?
For Android, I may say your awareness is the best. First install LBE Security Master. It lets you know which application is gaining which privilege.
But if you want, then you can check the first 1 to 4 posts. It's in there.
How Google has been making Android a safer place since 2012
Last year in June, Google brought Android Jelly Bean 4.1 to the world. It was a wonderful day, too. It brought with it Project Butter, which spelled the end for lag for a lot of people. Android was running smoother and more complete than ever. Who’d have known that just a year later, we’d be introduced to Jelly Bean not for the second time, but for the third time. Android 4.3 was a mixed bag. Some people were disappointed that it wasn’t Key Lime Pie, but most were happy to see a plethora of improvements, some new features, and even more optimizations. One little footnote that most people have skimmed over so far, though, has been the added security.
It’s not news that malware stories are everywhere. Some of them are no big deal and some are completely ridiculous. Thanks to that, anti-virus companies have been cleaning up. People are more scared of malware on Android now than ever before and they’re flocking to anti-virus apps by the millions. It’s getting to the point where apps like Lookout are coming pre-installed on many devices when they’re shipped out. All because of some malware that, most of the time, is impossible to get unless you download apps from outside the approved channels.
Well, apparently Google is going to fix this problem themselves. JR Raphael over at Computer World has written up an excellent post about how Google is quietly keeping us safe. As it turns out, that little footnote that says that Android 4.3 contains security improvements probably shouldn’t have remained a footnote. It should’ve been printed on billboards and discussed everywhere.
You may have seen inklings of these security features already. We’ve covered one of them, the Android 4.3 Permission Manager, commonly known as App Ops. This nifty little feature lets you control what permissions your apps can use. It’s a lovely and powerful feature that’s baked right into Android 4.3. It’s still in beta right now, but eventually that’ll be a part of everyone’s Android experience.
So what other security enhancements does Google have in store for Android 4.3?
We are glad you asked. According to JR Raphael, Google has been working on these security features for years. We’ll do a quick breakdown.
Starting with Android 4.2, there was a feature called Verify Apps that was added. This scans phones both downloaded and side-loaded to make sure they didn’t contain malware or pose a threat.
Verify Apps was eventually made available to all devices from 2.3 onward. According to JR Raphael, that’s 95% of Android devices running currently.
This now works in tandem with another older feature, the app scanner in the Google Play Store that scans apps as they’re submitted to Google Play to make sure they aren’t malicious. This is why you can always download from Google Play without worries.
All of these features are currently on Android devices right now.
But wait, there’s more. In Android 4.3 specifically, they have added yet another security feature called SELinux. This stands for Security-Enhanced Linux and it essentially keeps the important parts of your phone safe. Most notably the operating system. So there is protection everywhere.
So we’ll add this up one more time. In the last two years, Google has implemented,
An app scanner in the Google Play Store that scans every single app uploaded and submitted. It rejects the bad apps and keeps the good ones.
A system on devices from Android 2.3 and up called Verify Apps that scans every app that gets installed on your device to make sure it’s not malicious. Keep in mind that if you download an app from the Google Play Store, it gets scanned twice.
App Ops (which is still in beta) that will let you control the individual permissions of any application you download and install. So if you don’t want, say, Facebook to see your location, you can prevent that from happening.
SELinux, a Linux security feature that protects the core operating system functionality.
Let’s not forget what you, the consumer can do to protect yourself,
Only download apps from known and trusted sources. These include the Play Store and the Amazon App Store, among others.
Use your common sense. In most cases, malware apps are easy to spot. If you download the free Angry Birds cheat app from GivingYouMalware.com, the end result is rather predictable.
So without an anti-virus app, there are 6 things that are protecting you from the big bad malware threats. That’s a whole lot more than most people realize and it’s an ever expanding project from Google to keep everyone safe from garbage applications. Now here’s the big question. Do you think it’s enough? Or should Google keep going?
@Disturbed™ buddy could you post that new KNOX feature here?
Sent from my GT-I9103 using xda app-developers app
Few words from Wikipedia:
Samsung Knox (trademarked Samsung KNOX) is an enterprise mobile security solution that addresses the needs of enterprise IT without invading its employees' privacy. The service, first released on the Samsung Galaxy S4 mobile device, provides security features that enable business and personal content to coexist on the same mobile device. Samsung Knox is an Android-based platform that uses container technology, among other features, to allow for separation of work and personal life on mobile devices.
Services
Samsung Knox provides enterprise security features that enable business and personal content to coexist on the same handset. The user presses an icon that switches from Personal to Work use with no delay or reboot wait time. Knox will be fully compatible with Android and Google and will provide full separation of work and personal data on mobile devices. Samsung claims that the Knox service "addresses all major security gaps in Android."
The Knox service is part of the company's Samsung for Enterprise (SAFE) offerings for smartphones and tablets. Samsung Knox’s primary competitor is Blackberry Balance, a service that separates personal and work data, but BlackBerry’s service does not include management of work space through containers in Active Directory and other features such as direct Office 365 and Exchange 2010, ActiveSync, iOS management, Single Sign-On, and complete customization for operability on Samsung device settings.
The service's name, Samsung Knox, is inspired by Fort Knox.
From Engadget:
Samsung's Knox security solution has tended to mostly garner headlines when the company's phones get approval from the likes of the US Defense Department, but it's now set to broaden its user base considerably. In addition to announcing that it's bolstering the offering with some help from Lookout, Samsung has also confirmed today that it's opening the platform up to all consumers. That will give security-minded users an added layer of protection, with Knox letting you store personal data and run a set of pre-screened apps in a so-called container -- other apps can still be run outside the container, but with only limited access to your personal information. Naturally, you'll need a Samsung device to take advantage of it.
For more information : http://www.samsungknox.com.
Thanks: Wiki & Engadget
Almost 1,000 fraudulent apps published on Google Play in August alone
Yes, there are downsides to Google’s policy of letting anyone publish their apps on Google Play. Symantec has found that scammers published almost 1,000 fraudulent apps on Google Play in August alone, most of which were deleted within hours of posting on the store.
But even though Google was quick to delete the fraudulent Android apps, Symantec estimates that they were still downloaded more than 10,000 times. Symantec also says that one group is responsible for 97 percent of the fraudulent apps, which typically “include numerous links to various online adult-related sites, but one or two links actually lead to fraudulent sites that attempt to con people into paying a fee without properly signing them up for the paid service.”
Source: BGR.in

{Official} Net neutrality for India! We will make TRAI aware of our rights.

This message is only for people who live or vote in India. If you are not such a person, please forward it to someone who is.
What is net neutrality?
The principle that all traffic on internet should be treated the same.
No site will be sped up.
No website will be slowed down (throttling).
----------
So what's happening now?
TRAI consultation paper (open to comments till April 24) is the first step in potentially allowing operators to discriminate internet traffic.
----------
How does this impact me?
1. Your internet bill could go up.
2. Apps you love may no longer work.
ISPs and Telcos could charge you more. When you buy a 1 Gb data pack, you can use it for anything you wish. Without neutrality, you could be forced to buy a Skype pack for Skype calls, a video pack to watch YouTube and dailymotion.
Or you could be charged a different rate for each service. 4p/10 KB if you are browsing, but 10p/10 KB for VoIP calls. That would be like your milkman telling you 30 Rs/L if you make tea, but 75 Rs/L if you make milkshake.
You could be denied service as well. Telcos could decide that WhatsApp or Viber is eating into their sms revenue and block them completely.
Or Airtel could block gaana, saavn, hungama, rdio etc and allow access only to wynk (owned by airtel)
----------
Hmm.. I want to know more.
Sure follow the links here:
Well written article: http://www.firstpost.com/politics/b...trai-trying-screw-internet-users-2193321.html
A video explanation: https://m.youtube.com/watch?v=_G-OagxdCws
Another cool video: https://m.youtube.com/watch?v=mfY1NKrzqi0
Another video: https://youtu.be/uQjkCziopLA
Take some Action: http://www.savetheinternet.in/
----------
OK. Got it. What can I do?
Let TRAI know that you hate this idea. Go to http://www.savetheinternet.in/ and follow the instructions to email TRAI letting them know of your displeasure.
----------
Anything else I can do?
Yes. Inform family and friends about net neutrality and TRAI's attempts to kill it (under pressure from telcos probably).
You can also protest on https://www.change.org/p/rsprasad-t...e-how-they-want-to-use-internet-netneutrality
Contact your mp today http://j.mp/MailMyMP if there is no net neutrality, we will have to pay to use WhatsApp, Facebook, hike, Google, YouTube, etc.
Hashtag revolution #NetNeutralityIndia , #SaveTheInternet , #wewantnetneutrality and #TRAIDontevenTry
---------
Why do we need net neutrality?
India is a developing country. If there is no net neutrality, we can't develop ourselves.
Poor people, instead of getting onto the internet, would stop using it completely as they won't be able to pay.
Answers to those 20 questions (thanks to savetheinternet.in)
To the Chairman, TRAI

Thank you for giving me this opportunity to share my views on the consultation paper published by TRAI on March 27, 2015 titled "Regulatory Framework For Over-the-Top (OTT) Services”. I am worried that this consultation paper makes sweeping assumptions about the Internet, and does not take a neutral and balanced view of the subject of Internet Licensing and Net Neutrality. Any public consultation must be approached in a neutral manner by the regulator, so that people can form an informed opinion.

I strongly support an open internet, for which I believe it is critical to uphold net neutrality and reject any moves towards licensing of Internet applications and Web services. I urge TRAI to commit to outlining measures to protect and advance net neutrality for all Indians. Net neutrality requires that the Internet be maintained as an open platform, on which network providers treat all content, applications and services equally, without discrimination. The TRAI must give importance to safeguarding the interests of our country’s citizens and the national objective of Digital India and Make In India, over claims made by some corporate interests.

I request that my response be published on the TRAI website alongside other comments filed, in line with past practice regarding public consultations. I urge that TRAI issue a specific response to user submissions after examining the concerns raised by them, and hold open house discussions across India, accessible to users and startups before making any recommendations.
Question 1: Is it too early to establish a regulatory framework for Internet/OTT services, since internet penetration is still evolving, access speeds are generally low and there is limited coverage of high-speed broadband in the country? Or, should some beginning be made now with a regulatory framework that could be adapted to changes in the future? Please comment with justifications.
No new regulatory framework in the telecom sector is required for Internet services and apps - and no such regulation should come into effect in future either.

This question incorrectly presumes that regulation of the Internet is absent and there is a need to create it. Additionally, the technical language of “Over-the-Top” applications used in the consultation paper fails to convey that it is truly referring to the online services and applications which make today’s Internet which we all use; Facebook, Ola, Zomato, Paytm, WhatsApp, Zoho and Skype etc. The Internet is already subject to existing law in India - any extra regulatory or licensing regime will only be detrimental to the customer and to Indian firms developing online services and apps.

Under the current regulatory framework, users can access the internet-based services and apps either for a low fee or for free where the application owners make money by selling advertisements based on user data. With additional regulations and licenses, it will make it expensive for these services to reach out to their customers eventually leading to higher prices and undesirable levels of advertising - which is against the public interest and counterproductive.

It appears that the telecom companies are shifting goalposts. Many telecom companies have earlier argued in the consultation paper floated by TRAI on mobile value added services (MVAS) that it was not necessary to regulate these value added services. They said MVAS are already governed by general laws under the Indian legal system and comply with the security interests as they operate on the networks of legitimate telecom license holders.

Internet platforms also are regulated and governed by general laws in addition to specialised laws such as the Information Technology Act, and the same treatment should be extended to them as well.

As TRAI said previously in its recommendations after consulting on MVAS regulation:

“The Authority preferred least intrusive and minimal regulatory framework and thus no separate category of licence for value added services is envisaged. After second round of consultations, the Authority is also not favoring registration of Value Added Service Providers (VASPs) or content aggregators under the “Other Service Provider (OSP)” category.”

“Content shall be subject to relevant content regulation and compliance of prevailing copyrights including digital management rights and other laws on the subject (para 3.12.2). The content is subjected to content regulation/ guidelines of Ministry of Information and Broadcasting, Information Technology Act, 2000, Cable Television Networks (Regulation) Act, 1995, Indian Copyright Act etc., as amended from time to time. The content regulation shall be as per law in force from time to time. There should be consistency in the treatment of content across all kinds of media including print, digital/multimedia to avoid any discrimination. (para 3.13.3)”
Imposing a licensing and regulation regime carry significant risks of destroying innovation. Launching new services and features will take more time and will make it difficult for new startups with low cash reserves to enter the market. It will basically ring the death knell for the country's fast-growing digital media sector.
Question 2: Should the Internet/OTT players offering communication services (voice, messaging and video call services through applications (resident either in the country or outside) be brought under the licensing regime? Please comment with justifications.
Firstly, there is no need for licensing of internet based communication service providers. To suggest such a move further points towards the TRAI consultation being tilted in favour of telecom operators.
Secondly, fundamentally both Internet-based communication services and non-communication services are the same. They sit on top of the network provided by telecom operators. And the spectrum that telecom operators utilise to offer this network on pipe is already licensed, hence there is no need for additional licensing.
This issue also needs to be looked at from another perspective. Many non-communication services on the Internet also offer real-time chat or video interaction features for the benefit of customers, which will be affected by bringing such services under a licensing regime.
The extent of innovation we have witnessed over the years has been greatly aided by the low cost of entry. Any form of regulation or licensing will increase the entry cost, thereby hindering innovation and equal opportunity to startups to establish themselves in the market. Behind every Zoho, WhatsApp and Skype there are numerous failures. Licensing will essentially increase the cost and likelihood of failure - and greatly discourage innovation.
Question 3: Is the growth of Internet/OTT impacting the traditional revenue stream of Telecom operators/Telecom operators? If so, is the increase in data revenues of the Telecom Operators sufficient to compensate for this impact? Please comment with reasons.
There is no evidence of data revenues cannibalizing revenues from voice or SMS. In fact, data usage is soaring and it is driving the demand for telecom networks.
The question fails to acknowledge that revenue from data services also fall under the traditional revenue streams category as per the Unified Access License Agreement
[http://www.dot.gov.in/access-services/introduction-unified-access-servicescellular-mobile-services]. So, to assume that data services are impacting the growth of “traditional revenue streams” is wrong.
Services such as Skype and WhatsApp have specific use cases. They are not, and should not be, considered as substitutes to voice calling or SMS. For instance, calls made using VoIP don’t have the same clarity that we have on voice calls. Moreover, services such as WhatsApp are used for real-time chatting as opposed to SMS. Voice and SMS have their own benefits and use cases, so do VoIP and internet messaging. Customers should be free to pick and choose among these.
There is still no concrete evidence suggesting that the decline in the revenues from messaging and voice calling is due to the growth of revenues from data services, and statements from experts and industry experts appear to in fact point to there being no cannibalization of revenues.
Gopal Vittal, CEO, Airtel
“There is still no evidence that suggests that there is cannibalization,” he said when asked about whether data is cannibalizing Airtel’s voice business. On internet messaging cannibalizing SMS revenues, he said: “At this point in time is very, very tiny. And so it is not really material as we look at it.”
[http://www.medianama.com/2015/02/22...tion-of-voice-airtel-india-ceo-gopal-vittal/]
Vittorio Colao, CEO, Vodafone
“Growth in India has accelerated again (October-December), driven by data” [http://computer.financialexpress.com/columns/india-high-on-3g/9462/]
The company’s India unit grew by 15%, going past its counterparts during the quarter ending December as customers used its data services. [http://articles.economictimes.india...ervice-revenue-vittorio-colao-vodafone-india]
Question 4: Should the Internet/OTT players pay for use of the Telecom Operators network over and above data charges paid by consumers? If yes, what pricing options can be adopted? Could such options include prices based on bandwidth consumption? Can prices be used as a means of product/service differentiation? Please comment with justifications.
Internet-based services and apps don’t pay telecom operators for using the network, and it should remain the same going forward. Forcing Internet-based services to pay extra for using a particular network negatively impacts consumers and harms the Indian digital ecosystem. As mentioned in the above answer, data revenues of Indian telecom operators are already on an upswing and are slated to increase rapidly over the next few years, hence the argument for creating a new revenue source is not justified.
Charging users extra for specific apps or services will overburden them, which in turn will lead to them not using the services at all. It is also akin to breaking up the Internet into pieces, which is fundamentally against what Net Neutrality stands for. Also, the Internet depends on interconnectivity and the users being able to have a seamless experience - differential pricing will destroy the very basic tenets of the Internet.
Question 5: Do you agree that imbalances exist in the regulatory environment in the operation of Internet/OTT players? If so, what should be the framework to address these issues? How can the prevailing laws and regulations be applied to Internet/OTT players (who operate in the virtual world) and compliance enforced? What could be the impact on the economy? Please comment with justifications.
There is no regulatory imbalance in the environment in which the internet services and applications operate. In fact, the phrase “regulatory imbalance” is incorrect here. Telecom operators hold licenses to spectrum, which is a public resource. Internet services and applications don’t have to acquire licenses. Moreover, there is a clear distinction between services provided by telecom operators and internet platforms, so no additional regulation is required.
Also, internet services and applications are already well-covered under the Information Technology Act, 2000 and Indian Penal Code, 1860. More importantly, internet services are intermediaries that allow a communication system for their users—and intermediaries cannot be held responsible for the acts of their users as per Section 79 of the IT Act, 2000. Our Supreme Court has recently ruled on this area in the Shreya Singhal versus Union of India case, holding that Internet content is protected by our Constitution’s right to free expression and setting out the acceptable limits for government regulation.
Question 6: How should the security concerns be addressed with regard to OTT players providing communication services? What security conditions such as maintaining data records, logs etc. need to be mandated for such OTT players? And, how can compliance with these conditions be ensured if the applications of such OTT players reside outside the country? Please comment with justifications.
The internet services and apps are well-covered under the existing laws and regulations. These include the Code of Criminal Procedure, Indian Telegraph Act, Indian Telegraph Rules, and the Information Technology Act and its different rules pertaining to intermediaries and interception. These different regulations allow the Indian government and law enforcement agencies to access the data stored by internet platforms when deemed legally necessary. Any additional regulations carry grave risk of breaching user privacy and would also require constitutional review - especially since the Government is still working on a proposed Privacy Bill.
The government and courts also have the power to block access to websites on the grounds of national security and public order. They have taken similar steps in the past, which has been widely reported by the media. The transparency reports periodically published by major internet companies suggest the Indian government routinely requests user data and blocking of user accounts. Between July 2014 and December 2014, Indian authorities made 5,473 requests for data, covering 7,281 user accounts, from Facebook, and the company had a compliance rate of 44.69%. Google had a compliance rate of 61% with respect to the requests made by different government agencies across India.
Question 7: How should the OTT players offering app services ensure security, safety and privacy of the consumer? How should they ensure protection of consumer interest? Please comment with justifications.
Although user privacy and security is of paramount importance, additional regulation carries the inherent risk of breaching user privacy which is not in the consumer’s interest. The Information Technology Act, 2000 already addresses the security concerns of the user. But more importantly, any criminal act committed using these platforms can be tried under the Indian Penal Code. So, there is no need to burden the internet platforms with additional regulations.
Also, it is worth noting that many telecom companies in India have not made information publicly available as to whether and how they comply with regulations that guarantee security, privacy and safety of the customer. TRAI’s current paper fails to articulate why the internet services and apps should be brought under similar regulations.
Question 8: In what manner can the proposals for a regulatory framework for OTTs in India draw from those of ETNO, referred to in para 4.23 or the best practices summarised in para 4.29? And, what practices should be proscribed by regulatory fiat? Please comment with justifications.
ETNO is similar to India’s COAI which makes it an industry lobby group. Understandably, the suggestions made by ETNO heavily favor the telecom companies and will be detrimental to customers if India refers to their suggestions.
ETNO’s stand have been widely criticized in the past. Europe’s own group of government regulators [Body of European Regulators for Electronic Communication (BEREC)]
http://berec.europa.eu/files/document_register_store/2012/11/BoR_(12)_120_BEREC_on_ITR.pdf ETNO’s proposals could jeopardize the “continued development of the open, dynamic and global platform that the Internet provides” which will “lead to an overall loss of welfare”. Additionally, the international free expression group Article 19 says ETNO’s proposal “would seriously undermine net neutrality.
According to Access Now, ETNO’s recommendations would have meant higher data charges for customers while, from an entrepreneur’s standpoint, they would limit their ability to reach out to a wider market. For a small but fast growing startup and digital media sector in India, this can potentially ring the death knell. ETNO’s suggestions on this subject have so far not been accepted by any government agency - including the regulators in their own host countries. It is therefore especially troubling that TRAI is choosing to make one of their proposals a pillar of this public consultation here in India.
Question 9: What are your views on net-neutrality in the Indian context? How should the various principles discussed in para 5.47 be dealt with? Please comment with justifications.
Net Neutrality, by definition, means no discrimination of traffic flowing on the internet with respect to speed, access and price. Chile and Brazil, which are developing countries just like India, have passed laws supporting net neutrality. This is in addition to government commitments to implement net neutrality legislation in the United States and European Union.
India has 1 billion people without internet access and it is imperative for our democracy to have an open and free internet where users are free to choose the services they want to access—instead of a telecom operator deciding what information they can access.
Internet apps and services are expected to contribute 5% to India’s GDP by 2020. That will only happen if entrepreneurs, big and small, have a level playing field that encourages innovation and non-preferential treatment—something that net neutrality ensures.
Assuming there is no net neutrality, only the big players will be able to strike deals with telcos while the smaller players remain inaccessible, which will go against the principles of net neutrality as listed below:
No blocking by TSPs and ISPs on specific forms of internet traffic, services and applications.
No slowing or “throttling” internet speeds by TSPs and ISPs on specific forms of internet traffic, services and applications.
No preferential treatment of services and platforms by TSPs and ISPs.
It is also worth noting that the proposed framework will give too much power in the hands of the telecom companies, which is not healthy for the ecosystem.
Question 10: What forms of discrimination or traffic management practices are reasonable and consistent with a pragmatic approach? What should or can be permitted? Please comment with justifications.
This question assumes that traffic discrimination is necessary and is a norm. Rather, traffic discrimination should be an exception as it is against the principles of net neutrality.
In such exceptional cases, telecom companies need to have the permission of TRAI or other competent government agency through public hearing to carry out “traffic management” to ensure transparency in the entire process. Further, it should be kept in mind that such steps shouldn’t interfere with the access, affordability and quality of the services.
More importantly, a report published jointly by BEREC and the European Commission (https://ec.europa.eu/digital-agenda.../Traffic Management Investigation BEREC_2.pdf) suggests that the propensity of the telecom operators to restrict access to internet services is high. The report noted that telecom operators were most inclined to block and throttle P2P services on mobile as well as fixed line networks. VoIP, on the other hand, was blocked mostly on telecom networks.
Keeping this in mind, TRAI needs to ensure that instances of discrimination of traffic should be few, far between and, above all, transparent.
Question 11: Should the TSPs be mandated to publish various traffic management techniques used for different OTT applications? Is this a sufficient condition to ensure transparency and a fair regulatory regime?
The question is based on the premise that publishing various traffic management techniques for Internet services will ensure a fair regulatory regime and therefore such discrimination is permissible. As I have repeatedly said in the above answers, discrimination of services will not bring about a fair regime for users.
Further, a recent study [http://bit.ly/1D7QEp9] in the UK has pointed out that merely publishing data on traffic management will not translate into a fair regime. The study found that most consumers did not understand traffic management or use it as a basis for switching operators. Those who did do so comprised a group perceived to be small or insignificant enough that most network operators did not seek to factor them into their product decisions, despite some consumers’ complaints about traffic management. In India where awareness and activism on issues of net neutrality is considerably less, it is unlikely to play the critical role that the Consultation Paper suggests.
Question 12: How should a conducive and balanced environment be created such that TSPs are able to invest in network infrastructure and CAPs are able to innovate and grow? Who should bear the network upgradation costs? Please comment with justifications.
The underlying assumption of the question suggests that currently there is an imbalance in the environment within which telecom operators and internet services operate. However, as I have pointed out in my previous answers, no such imbalance exists. Telecom firms and internet services have distinct functions. The former has to provide the infrastructure to access content and the latter has to provide the platforms for users to create content. As financial results of the telecom operators and analysis by various independent agencies have shown, revenues from data are soaring. So, it makes logical sense for the telecom operators to invest to upgrade and improve their network infrastructure.
On the contrary, I would argue that there is no incentive for the telecom firms to invest to upgrade their networks if they charge the CAP instead of charging the customer for data. They would seek to further increase their revenues coming from the CAPs, a move that will be disastrous for India's telecommunications industry.
Question 13: Should TSPs be allowed to implement non-price based discrimination of services? If so, under what circumstances are such practices acceptable? What restrictions, if any, need to be placed so that such measures are not abused? What measures should be adopted to ensure transparency to consumers? Please comment with justifications.
Discrimination of services in any form is detrimental for the growth of the telecom industry itself and there should be no circumstance for a telecom operator to do so. Given the diverse nature of the Internet, telecom operators should not be allowed to determine what type of service should get more priority. For example, a consumer in India probably relies on VoIP calls to keep in touch with people abroad, and if there is throttling of these services, it infringes on the user’s fundamental right of freedom of expression. An Internet service that a telecom operator thinks could lead to traffic congestion might be vital to consumers. Further, a telecom operator might use throttling to further a service promoted by them and induce consumers into using it, thereby eliminating choice.
Transparency alone will not bring about a fair regime for users, and it is crucial that TSPs be prohibited from discriminating between services.
Question 14: Is there a justification for allowing differential pricing for data access and OTT communication services? If so, what changes need to be brought about in the present tariff and regulatory framework for telecommunication services in the country? Please comment with justifications.
As I have argued in my previous answers, there should be no differential pricing for data access and internet services. Therefore, no change in the tariff and regulatory framework is required.
It is important to note that nearly one billion people still don't have internet access in India - which means telecom companies stand to gain substantially from their data services in the near future. Moreover, different pricing is tantamount to discrimination which goes against net neutrality.
As stated before, customers should be charged on the basis of volume of data used and not on the basis of the internet services they are accessing.
Question 15: Should OTT communication service players be treated as Bulk User of Telecom Services (BuTS)? How should the framework be structured to prevent any discrimination and protect stakeholder interest? Please comment with justification.
Treating OTT communication service players as Bulk User of Telecom Services again amounts to discrimination of data services and hence it should not be allowed. The question also further assumes that the stakeholders are only the telecom operators and not the consumers. If only the interests of the telecom operators are protected by treating services which compete with their traditional services differently rather than innovating themselves, it would lead to a situation of anti-competitiveness. Telecom companies have an interest in imposing their control over information and communication networks, but the price of that would mean stifling competition, increased barriers for innovation and business and eventually infringe on the fundamental rights of Indian citizens.
Question 16: What framework should be adopted to encourage India-specific OTT apps? Please comment with justifications.
A recent Deloitte report titled Technology, Media and Telecommunications India Predictions 2015 predicted that paid apps will generate over Rs 1500 crore revenues in 2015 (http://bit.ly/1alhH5S). Increased acceptance of paid apps can only be possible if there’s Network Neutrality. In fact, Deepinder Goyal, the founder and CEO of the highly successful app Zomato, recently commented: "Couldn’t have built Zomato if we had a competitor on something like Airtel Zero".
The moment an app developer/company is forced to tie-up with a telecom operator to ensure that users opt for it, an artificial prohibitive barrier will be created. All app developers and the companies behind them need to be provided an even playing field.
We also need more reports on the Indian app economy, to understand, firstly, how the adoption and usage of apps is changing and, secondly, to comprehend its impact on the Indian economy.
Question 17: If the OTT communication service players are to be licensed, should they be categorised as ASP or CSP? If so, what should be the framework? Please comment with justifications.
The question of categorising doesn’t even arise, because, as mentioned earlier, any extra regulations or licensing are going to be detrimental to the end user. Requiring licensing of online services and mobile apps under the current telecom framework in India will have enormous negative consequences. The impossibly onerous burdens imposed by such licensing would result in many such globally developed services and apps not being launched in India - and our own startup efforts to develop local versions of such apps being killed in their early stages. The net results would be decreased consumer benefit, a massive slowdown in innovation and reduced “Make in India” efforts due to the regulatory cost of doing business becoming very high.
Question 18: Is there a need to regulate subscription charges for OTT communication services? Please comment with justifications.
Subscription charges for such apps need to be allowed to evolve as it would in a pure market economy. The subscribers (buyers) would want to pay the lowest possible price, and the app developers/companies (sellers) would want to charge as much as possible, eventually leading to a fair price.
Subscription charges for such Internet-based services have remained, more or less, quite low in India, especially because the cost of switching from one service provider to another is also quite low: This competition will ensure that charges remain fair, without the need to regulate them, going forward as well. As noted in response to earlier questions, existing Indian law also applies to online services - which would include the Consumer Protection Act and other regulations meant to prevent cheating or other illegal pricing issues.
Question 19: What steps should be taken by the Government for regulation of non-communication OTT players? Please comment with justifications.
As mentioned earlier, irrespective of what an OTT app is used for (communication, online shopping, etc.), they’re all essentially Internet-based services, and hence there is no question of creating new regulatory measures.
Question 20: Are there any other issues that have a bearing on the subject discussed?
Here are the additional steps that I urge the TRAI to undertake in the interest of the public:
- Due to the absence of any formal regulations on net neutrality, TRAI should issue an order or regulation preventing network neutrality violations by telecom service providers. Some telecom companies have shown scant respect for the issues presently under consideration and despite its questionable legality have rolled out various services which violate network neutrality. Any delay in forming regulations or preventing them in the interim till the process is complete is only likely to consolidate their status. This is not only an affront to the Internet users in India but also to the regulatory powers of the TRAI.
- TRAI is requested to publish all the responses and counter responses to the consultation, including any other additional material, on its website.
- For better public involvement and awareness, open house debates should be held in major Indian cities after the consultation process is over.
In the US, there was a time when you had to pay for tethering. Imagine if it would happen in India.

[Free Wi-Fi Password] User Data Policy & User Agreement

Terms of User Data Policy & User Agreement
These terms and conditions (“User Terms”) apply to your visit and your use of our websites (the “Website”), the Service and the Application (as defined below), as well as to all information, recommendations and/or services provided to you on or through the Website, the Service, and the Application. By using our Services, accessing our Website or downloading the Application you hereby agree to be bound by these User Terms.
• PLEASE READ THESE USER TERMS CAREFULLY BEFORE DOWNLOADING OUR APPLICATION AND/OR ACCESSING OUR WEBSITE OR USING OUR SERVICE.
• If you reside in a jurisdiction that restricts or prohibits the use of the Service or Application, you may not use the Service or the Application.
• The Service, Application and Website are provided by Free WiFi Password (hereinafter referred to as “we” or “us”). We provide the ability to obtain Internet access services offered by third party Internet access providers, business owners or individuals (the “Access Provider”), which may be requested through the use of an application supplied by us and downloaded and installed by you on your single mobile device (smart phone) (the “Application”). All services provided by us to you through your use of the Application are hereafter referred to as the “Service”.
• By using the Application or the Service, you enter into a contract with us (the “Contract”). If you are under the age of 13 you must not use our Service or download the Application. Your legal guardian or parent must agree to these terms for themselves and on your behalf if you are between 13 and 18 years old (or the age in your jurisdiction at which you are considered to be a minor). You represent that if you are registering on behalf of a legal entity, that you are authorized by such entity to enter into, and bind the entity to, these User Terms and register for the Service and the Application.
• These User Terms are subject to amendment by us from time to time. The amended version will substitute the former one upon release without further notice to you and will be made available on the Website for your review. The version on the Website shall be the most current version of the terms and shall apply to your use of the Service, Website or Application. By continuing to use the Service, Website or Application following the new User Terms being made available, you give your consent to the amended User Terms and they shall be binding upon you. You shall immediately stop using the Service, Website and Application provided by us if you do not accept the revised User Terms.
1. Service Rules
How does the Service / Application work?
The Application allows you to send a request for Internet access service to us. The Application detects the router information and sends your access information request to our platform. The platform matches the request with the shared password data stored on our platform and provides you with encrypted information via the Application to facilitate your connection. The password data is shared by an authorized Access Provider. The Access Provider has sole and complete discretion to share, not to share, or to blacklist the sharing of the WiFi passwords.
We do not provide Internet access services, and we are not a telecommunications carrier. It is up to the Access Provider to obtain authorization to offer/share Internet access, which may be requested through the use of the Application and/or the Service. We only act as an intermediary between you and the Access Provider.
The Website, the Application and the Service may from time to time contain advertisements or links to content provided by us and any of our third party vendors and partners. You agree that you shall have no claim, whether against us or any of our affiliates, third party vendors or partners, in respect of any income, profit or any other benefit, economic or otherwise, in respect of such advertisement or links. We will not be responsible for any third party content or links to any third party sites on our Website or the Application.
You may use the Services / Application as one of the following:
(a) “User” means a person who has downloaded the Application and consented to the User Terms for the use or potential use of the Application or Service.
(b) “Registered User” means a person who has signed up, consented to the User Terms and is registered with us for the use or potential use of the Application or the Service.
Both Users and Registered Users must agree to these User Terms before using the Website, Application or Services. However, certain additional product features will be made available to Registered Users from time to time, which may not be available to non-registered Users.
Changes to the Service / Application
We reserve the right to unilaterally change, suspend, limit, terminate or cancel the Website, the Application and/or the Service, partly or wholly, at any time for any reason, including but not limited to violation or evidence of violation of the User Terms, and without any prior notice to you.
Your use of the Service / Application
The information, recommendations and/or services provided to you on or through the Website, the Service and the Application is for general information purposes only and does not constitute advice. We will attempt to keep the Website and the Application and its contents correct and up to date but we cannot guarantee and are not responsible for ensuring that the Website and/or Application are free of errors, defects, malware and viruses or that the content on the Website and/or Application are correct, up-to-date and accurate. We may from time to time, but are not obligated to, create or provide any support, corrections, updates, patches, bug fixes or enhancements to the Website, the Application and/or the Services.
Violations of these User Terms
We will have the right to investigate and prosecute violations of any of these User Terms to the fullest extent provided by law. We may involve and cooperate with law enforcement authorities in prosecuting users who violate these User Terms. You acknowledge that we have no obligation to monitor your access to or use of the Website, Service, Application or any in-app content or to review or edit any in-app content, but we have the right to do so for the purpose of operating the Website, the Application and Service, to ensure your compliance with these User Terms, or to comply with applicable law or the order or requirement of a court, administrative agency or other governmental body. We reserve the right, at any time and without prior notice, to remove or disable access to the Website, the Service or Application for or take legal action against you, if we, in our sole discretion, consider you to have committed an illegal act, be in violation of these User Terms or be acting in any way which is otherwise harmful to the Website, the Service or Application or other Users or Registered Users. In addition, we shall assist in the investigation into your activities upon request from any regulatory authority.
Ownership of the Services / Application
We possess the ownership of and the right to operate the Service. We will provide the Service in accordance with the User Terms and the corresponding rules and regulations issued by us.
2. Your Rights and Obligations
2.1 By using the Application or the Service, you further agree that you will:
(a) only use the Service or download the Application for your sole and personal use and will not resell it to a third party;
(b) not authorize any third party to use your account and will keep secure and confidential your account password or any identification we provide you which allows access to the Service and the Application;
(c) not assign or otherwise transfer your account to any other person or legal entity;
(d) not use an account that is subject to any rights of or belonging to a person other than you without appropriate authorization;
(e) not use the Service or Application:
(i) for unlawful purposes, including but not limited to sending or storing any unlawful material or for fraudulent purposes;
(ii) to send spam or otherwise duplicative or unsolicited messages in violation of applicable laws;
(iii) to send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material harmful to children or in any way which violates any third party’s privacy or other rights;
(iv) to send or store material containing software viruses, worms, Trojan horses, malware or other harmful computer code, files, scripts, agents or programs;
(v) to interfere with or disrupt the integrity or performance of the Website, the Application or Service or the data contained therein;
(vi) for any form of malicious intent;
(vii) to cause nuisance, annoyance or inconvenience;
(viii) to upload or download large files or other unfair uses that may cause impairment of the Service for other Users, Registered Users or the Access Provider;
(f) not impair the proper operation of the network;
(g) not try to harm the Service or Application in any way whatsoever;
(h) not copy or distribute the Application or other content without our prior written permission;
(i) provide us with whatever proof of identity we may reasonably request;
(j) only share an Internet access point or information relating to an Internet access point which you own or are authorized to share;
(k) be responsible for ensuring that any information provided by you in relation to any Internet access point, including access passwords, are kept updated, unless you have notified us in accordance with these User Terms of your wish to withdraw your consent to sharing information to access your Internet access point. If there is any change to such information, you shall notify us and update such information within a reasonable period of time;
(l) notify us in writing if you wish to withdraw your consent to sharing or providing information relating to an Internet access point through the Application. We will remove all information relating to the Internet access point provided by you from the Application within 60 days of receipt of such notification from you;
(m) be responsible for standard messaging charges when requesting the Service or joining any contest held by us by SMS (if available in your jurisdiction);
(n) not use the Service or Application with an incompatible or unauthorized device; and
(o) comply with all applicable laws of your home nation, the country, state and/or city in which you are present while using the Application or Service.
2.2 You must not attempt to gain unauthorized access to the Website, the Application or Service or its related systems or networks.
2.3 We may at our sole discretion cancel or delete your registered account if it has not been active for a reasonably long time.
3. Privacy Policy
Definition of personal data
You acknowledge that personal data is defined as data from which an individual (meaning a living or deceased natural individual and not including legal individuals such as incorporated bodies) can be identified. Examples of this may include: your official name, ID number, phone number, IP address and the email account you used to log in to Google Play.
For what purposes do we process your personal data?
When you visit our Website and/or use our Application, we may process technical data such as your IP-address, visited webpages, the internet browser you use, your previous/next visited websites and the duration of a visit/session to enable us to deliver the functionalities of the Website and our Application. In addition, in certain instances, the browser and/or the Application may prompt you for your geo-location to allow us to provide you with an enhanced experience. With this technical data, our administrators can manage the Website and the Application, for instance by resolving technical difficulties or improving the accessibility of certain parts of the Website and/or the Application. This way, we are better able to ensure that you can (continue to) find the information on the Website and/or the Application in a quick and simple manner.
When you visit our Website and/or use our Application, we will also collect and process your data, such as your IP-address, country, language, mobile number, IMEI, device ID, MAC-address, information about the manufacturer, model, and operating system of your mobile device, including your mobile device’s screen resolution, and access point information, including SSID and BSSID. We use this data to enable us to deliver the functionalities of the Application, resolve technical difficulties, and provide you with the correct and most up to date version of the Application and to improve the operation of the Application.
When you register as a Registered User, we will collect your country, language, password, mobile phone number, IP-address and MAC-address. We will use your contact details to send you a welcoming SMS to verify your phone number and password, to communicate with you in response to your inquiries, and to send you service-related announcements, for instance, if our Service is temporarily suspended for maintenance. We will use your registration information to create and manage your account. If you are required to SMS us to complete the registration, standard SMS charges may apply.
We may also use your contact details to send you general updates regarding our news, special offers and promotions with your prior consent. You may at all times opt-out of receiving these updates by emailing us at [email protected] or by following the steps to unsubscribe more fully described in any relevant email you receive from us.
We also use your personal data in an anonymised and aggregated form to closely monitor which features of the Service are used most, to analyze usage patterns and to determine where we should offer or focus our Service. We may share this anonymised information with third parties for industry analysis and statistics.
Referrals
If you choose to use our referral feature in the Application to tell a friend about our Service, you will be prompted to enter your friend’s email address or mobile phone number or log into your preferred social network. Please ensure that you have your friend’s express permission to disclose this personal data before providing it to us. If you elect to refer a friend, we will automatically populate a message for you to send to your friend inviting him or her to try the Service on your behalf, however the actual message will be sent via your mobile device or social network and you will be able to edit the final message before you send it. We do not store your friend’s data.
Disclosure of personal data
When you request for Internet access services via the Application, we do not provide your personal data to any Access Provider.
We may employ third party companies (including our affiliated companies) and individuals to facilitate or provide the Service on our behalf, to provide customer support, to backup, maintain and process data (including your personal data we collected), to host our job application form, to perform Website-related services (e.g., without limitation, maintenance services, database management, web analytics and improvement of the Website or Application’s features) or to assist us in analyzing how our Service is used. These third parties have access to your personal information only to perform these tasks on our behalf, are contractually bound not to disclose or use it for any other purpose, and are bound by legally enforceable obligations to provide to your personal information a standard of protection that is comparable to that under the Personal Data Protection Act (2012) of Singapore, as amended from time to time.
We will disclose your personal data to the extent that this is legally required, necessary for the establishment, exercise or defense of legal claims and legal process, or in the event of an emergency pertaining to your health and/or safety.
Your rights regarding personal data
As a User or Registered User, you have the right to access information regarding your personal account, including information that you’ve provided to us. You may at any time request correction or erasure of your personal data, and object to any processing of your personal data by emailing us at [email protected]. We will respond to your access and/or correction request within four weeks. You may also amend your personal details and withdraw any given consent using your account.
Security of personal data
We have taken appropriate technical and organizational security measures against loss or unlawful processing of your personal data. To this purpose, your personal data is securely stored within our database, and we use standard, industry-wide, commercially reasonable security practices as well as physical safeguards of the locations where data are stored. However, as effective as encryption technology is, no security system is impenetrable. We cannot guarantee the security of our database, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the Internet. Any transmission of information by you to us or to any third party is at your own risk.
4. Software Trademark
Any IPR involved in the Application, Services and Website (including that of our Connected Partners), signs and names of products and services shall be owned by us (or our Connected Partners as applicable). You are not allowed to display, use or otherwise deal with our (or our Connected Partners’) IPR or signs by any means or represent that you have the right to display, use or otherwise deal with such IPR or signs without our prior written consent. “IPR” shall mean any copyright, design rights (whether registered or unregistered), database rights, patents, utility models, trademarks, signs, logos, trade names, domain names and topography rights and any other intellectual property having a similar nature or equivalent effect anywhere in the world and any applications for or registrations of any of these rights.
5. Liability and Disclaimers
5.1 We shall in no circumstances be liable for:
(a) information or content transmitted over a WiFi hotspot by you or any User, Registered User or third party. Any information or content transmitted by you or other Users or Registered Users of the Application or third parties through the Application does not represent our view or policy;
(b) damages resulting from the use of (or the inability to use) electronic means of communication through the Website or the Application, including, but not limited to, damages resulting from failure or delay in delivery of electronic communications, interception or manipulation of electronic communications by third parties or computer programs, and the transmission of viruses;
(c) damages resulting from the use of (or inability to use) the Website or Application, including damages caused by malware, viruses or any incorrectness or incompleteness of the information on the Website or Application;
(d) any damages, loss or third party claims resulting from your sharing of or providing access to a WiFi hotspot;
(e) the quality of the Internet access services provided by the Access Provider or any acts, actions, behaviour, conduct, and/or negligence on the part of the Access Provider. Any complaints about the Internet access services provided by the Access Provider should therefore be submitted to the Access Provider;
(f) any server crash or network interruptions caused by any event of force majeure or any other circumstance outside of our control, including any data loss or other damage suffered by you;
(g) any data loss or other damage suffered by you during or in connection with any upgrade of the Services, Website or Application; and
(h) any costs incurred by you, including any charges for data, messaging and other wireless access services, associated with your use of the Application.
5.2 You hereby agree to compensate and indemnify us and any of our contracted partners and affiliates (our “Connected Partners”) for any claims, suits, requests, damages or losses, including reasonable attorney’s fees, from third parties resulting from your breach of this Agreement or resulting from information or content transmitted over a WiFi hotspot by you or any User, Registered User or third party, and hold us and our Connected Partners harmless for any claims, requests and suits against us or our Connected Partners.
5.3 You hereby acknowledge and agree that to the extent permitted by applicable law, we shall not be liable to you for any direct, indirect, accidental, special or follow-up losses, damages or risks caused by your use of or failure to use the Application and/or Services.
Your warranties, representations and undertakings
5.4 You shall be responsible for obtaining appropriate authorization from the owner of a WiFi hotspot when sharing such WiFi hotspot, including but not limited to the password and location of the WiFi hotspot, and for ensuring that all the information of any and all hotspots you share are secure. You hereby:
(a) warrant and undertake that you are either the owner of the WiFi hotspot or are appropriately and validly authorized by the owner of the WiFi hotspot to do so when sharing the details of such with us; and
(b) agree to indemnify us in respect of any loss or damage suffered by us in respect of a breach of this provision.
5.5 You hereby warrant, represent and undertake that any WiFi hotspot information obtained will be used by you strictly in compliance with any applicable laws. Any illegal action or breach of relevant law or rules is forbidden. We shall be exempted from any liability for any problems caused by the breach of this provision.
Exclusion of warranties
5.6 We do not provide the WiFi network connection or internet services and therefore we do not make any warranty or guarantee regarding the timeliness, security and accuracy of the Service, and you hereby agree that we shall have no liability to you in respect of or in connection with any communication failure.
5.7 To the extent permitted by applicable law, we do not give any warranties, representations or undertakings in respect of the Application, whether express or implied, or in decrees, including but not limited to problems related to merchantability, applicability, non-virus, negligence, or technological flaw, and any warranties and conditions, express or implied, as to ownership and non-infringement.
6. Miscellaneous
6.1 You should read these User Terms clearly before using the Service, Website and/or Application.
6.2 Any invalidation of any clause, partly or wholly, shall not affect the validity of other clauses herein.
6.3 These User Terms shall be governed by the laws of Singapore. Any dispute, claim or controversy arising out of or relating to these User Terms or the breach, termination, enforcement, interpretation or validity thereof or the use of the Website, the Service or the Application (collectively, “Disputes”) will be settled exclusively by the competent court in Singapore.
6.4 These User Terms, together with any of our policies notified to you from time to time, set out the entire agreement between you and us and you have not entered into these User Terms in reliance upon any promise or understanding which is not expressly set out in these User Terms.
6.5 These User Terms may be translated into non-English language versions. In the event of any inconsistency, conflict or uncertainty between this English language version and any non-English language version of these User Terms, this English language version shall prevail and apply.
6.6 Any failure or delay by either of us in exercising our rights under these User Terms shall not constitute a waiver of such right and shall not restrict the further exercise of that right or any other remedy.
6.7 These User Terms shall apply to your relationship with us and shall not confer any rights on any third party.
Free WiFi Password
Last updated, Nov 2016
Where's app

[WARNING] DNS + Root Cert is insecure!

First, a little rant about keweon, which is the most hypocritical security service I've ever seen:
[
The mentioned bet was with me. PM for details or public if you make me care enough.
> Copy-pasting all the elaborate posts from the Telegram sphere as I can't be bothered to spend much time on it.
I mostly agree with what's written there.
Seriously, I don't care about Thorsten (MrT69) personally or in any other way.
I am actually quite sick of this topic. Even mad that I have to deal with basic **** like that. These people managed to trigger a hermit into logging on to tracking-heavy XDA.
Why do I do this? It needs to be done.
I could have never imagined that such a blatant scam could gain enough traction that it regularly annoys me.
]
<<< A little bit of ranting about keweon >>>
"
Evidence and proof of concept that keweon Online Security is not as secure as claimed by its developer.
After a group of independent IT and cyber security specialists proved that keweon is not as secure as claimed by the developer, they confronted the developer with the results and reminded him of a bet. All keweon support groups on TG were then deleted by the developer personally, without further explanation, on the morning of February 4, 2019.
We all know by now that the way keweon DNS works is based on users using keweon's DNS and the keweon root certificate.
What has now been proven is exactly what keweon could do to its users, which Torsten vehemently denies, claiming "that's impossible" and "that doesn't work":
1. get users to use your DNS server.
2. get users to use your root certificate.
3. redirect a page, e.g. mybank.com, to one of the keweon servers (by changing the DNS record)
4. issue your own SSL certificate for the website; users have installed your Root-CA, so this is not "witchcraft"
5. read username/password from the connection (if 2FA is used, just wait until the user logs in and use the token again quickly as it is valid for 30 seconds).
We now have proof that this is possible without a doubt. In fact, this is a classic MITM attack, and anyone who denies that it is possible either has no idea (you shouldn't assume this from Torsten) or is trying to hide something from his users.
The developer of keweon has repeatedly asserted and insisted that a root certificate cannot intercept connections or collect data.
Quote from the keweon developer with his PayPal bet:
"Prove that to me. Give me any DNS and a root certificate and try to get my PayPal data.
I'll then even contact you when I sign up for PayPal. If you manage to get my PayPal data this way, you can log in and transfer 500 Euro to your account. I have made this offer very often and this is a serious offer from my side."
Unfortunately, the developer of keweon didn't contribute his part to the test as he so often promised, and of course he didn't log into PayPal via our provided DNS and root certificate.
The only reaction on his part was, apart from some insults, the deletion of all keweon groups on TG.
The security test of the keweon servers also revealed that under certain conditions connections are even redirected to keweon's own termination server and answered with 1x1 pixel gifs.
The fact is that the requests contain tracking IDs that can be easily managed from these servers.
So even Torsten's statement that the keweon SSL server only terminates requests with empty (0 byte) responses is wrong.
This again contradicts Torsten's own statement.
The point now is that the developer of keweon Online Security is actively trying to deny that it is possible for him to abuse the root certificate, although it has now been proven that it is actually possible for him to do exactly that with the keweon root certificate and its users.
Until the developer decides to disprove the accusations made against keweon Online Security or can prove that the accusations against him are unfounded, it is advisable for obvious reasons of security not to use keweon Online Security for the time being.
Anyone who is interested in repeating this test can do so at:
http://https-interception.info.tm/, where you will find a DNS and a root certificate, same as with keweon Online Security.
Furthermore there is a real-time log about recorded connections.
Everything else can be found there.
Please be careful not to use your correct email address or password for this test!
#keweon #test #bet #evidence #ProofOfConcept
"
<<< /rant >>>
<<< Explanation of some DNS and TLS/HTTPS basics for noobs >>>
DNS And Root Certificates - What You Need To Know
e8aebe8eb8b24035ae75260ca0ea80a7 / 20190205
Due to recent events we felt compelled to write an impromptu article on this matter. It's intended for all audiences so it will be kept simple - technical details may be posted later.
1. What Is DNS And Why Does It Concern You?
DNS stands for Domain Name System and you encounter it daily. Whenever your web browser or any other application connects to the internet, it will most likely do so using a domain. A domain is simply the address you type, e.g. duckduckgo.com. Your computer needs to know where this leads to and will ask a DNS resolver for help. It will return an IP like 176.34.155.23, the public network address you need to know to connect. This process is called a DNS lookup.
There are certain implications for both your privacy and your security as well as your liberty:
- Privacy
Since you ask the resolver for an IP for a domain name, it knows exactly which sites you're visiting and, thanks to the "Internet Of Things", often abbreviated as IoT, even which appliances you use at home.
- Security
You're trusting the resolver that the IP it returns is correct. There are certain checks to ensure it is, so under normal circumstances that is not a common source of issues. These checks can be undermined though, and that's why this article is important. If the IP is not correct, you can be fooled into connecting to malicious 3rd parties, even without ever noticing any difference. In this case, your privacy is in much greater danger because not only are the sites you visit tracked, but the contents as well. 3rd parties can see exactly what you're looking at, collect personal information you enter (such as passwords), and a lot more. Your whole identity can be taken over with ease.
- Liberty
Censorship is commonly enforced via DNS. It's not the most effective way to do so but it is extremely widespread. Even in western countries, it's routinely used by corporations and governments. They use the same methods as potential attackers; they will not return the correct IP when you ask. They could act as if the domain doesn't exist or direct you elsewhere entirely.
2. Ways DNS lookups can happen
2.1 3rd Party DNS Resolvers Hosted By Your ISP
Most people are using 3rd party resolvers hosted by their internet service provider. When you connect your modem, its resolver settings will be fetched automatically and you might never have to bother with it at all.
2.2 3rd Party DNS Resolver Of Your Choice
If you already knew what DNS means then you might have decided to use another DNS resolver of your choice. This might improve the situation since it makes it harder for your ISP to track you and you can avoid some forms of censorship. Both are still possible though, but the methods required are not as widely used.
2.3 Your Own (local) DNS Resolver
You can run your own and avoid some of the possible perils of using others'. If you're interested in more information drop us a line.
3. Root Certificates
3.1 What Is A Root Certificate?
Whenever you visit a website starting with https, you communicate with it using a certificate it sends. It enables your browser to encrypt the communication and ensures that nobody listening in can snoop. That's why everybody has been told to look out for the https (rather than http) when logging into websites. The certificate itself only verifies that it has been generated for a certain domain. There's more though:
That's where the root certificate comes in. Think of it as the next higher level that makes sure the levels below are correct. It verifies that the certificate sent to you has been authorized by a certificate authority. This authority ensures that the person creating the certificate is actually the real operator.
This is also referred to as the chain of trust. Your operating system includes a set of these root certificates by default so that the chain of trust can be guaranteed.
3.2 Abuse
We now know that:
- DNS resolvers send you an IP address when you send a domain name
- Certificates allow encrypting your communication and verify they have been generated for the domain you visit
- Root certificates verify that the certificate is legitimate and has been created by the real site operator
How can it be abused?
- A malicious DNS resolver can send you a wrong IP for the purpose of censorship as said before. They can also send you to a completely different site.
- This site can send you a fake certificate.
- A malicious root certificate can "verify" this fake certificate.
This site will look absolutely fine to you; it has https in the URL and, if you click it, it will say verified. All just like you learned, right? No!
It now receives all the communication you intended to send to the original. This bypasses the checks created to avoid it. You won't receive error messages, your browser won't complain.
All your data is compromised!
4. Conclusion
4.1 Risks
- Using a malicious DNS resolver can always compromise your privacy but your security will be unharmed as long as you look out for the https.
- Using a malicious DNS resolver and a malicious root certificate, your privacy and security are fully compromised.
4.2 Actions To Take
Do not ever install a 3rd party root certificate! There are very few exceptions why you would want to do so and none of them are applicable to general end users.
Do not fall for clever marketing that ensures "ad blocking", "military grade security", or something similar. There are methods of using DNS resolvers on their own to enhance your privacy but installing a 3rd party root certificate never makes sense. You are opening yourself up to extreme abuse.
5. Seeing It Live
5.1 WARNING
A friendly sysadmin provided a live demo so you can see for yourself in realtime. This is real.
DO NOT ENTER PRIVATE DATA!
REMOVE THE CERT AND DNS AFTERWARDS
If you do not know how to, don't install it in the first place. While we trust our friend you still wouldn't want to have the root certificate of a random and unknown 3rd party installed.
5.2 Live Demo
Here is the link: http://keweonbet.info.tm/
- Set the provided DNS resolver
- Install the provided root certificate
- Visit https://paypal.com and enter random login data
- Your data will show up on the website
6. Further Information
If you are interested in more technical details, let us know. If there is enough interest, we might write an article but, for now, the important part is sharing the basics so you can make an informed decision and not fall for marketing and straight up fraud. Feel free to suggest other topics that are important to you.
For more information/feedback/corrections visit our chat linked in the pinned post. (Search ID 0728e516cf2446e7b25af7622c26d8d + 5 in case you hid it.)
All content is licensed under CC BY-NC-SA 4.0. (Attribution-NonCommercial-ShareAlike 4.0 International https://creativecommons.org/licenses/by-nc-sa/4.0/)
For more information/feedback/corrections, just PM the poster here. He activated mail forwarding.
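The chain-of-trust abuse from sections 3.2 and 4.1 above, replayed offline in Go with the standard library's crypto/x509 (an added example, not code from the article, the poster, or keweon): two constructed in-memory roots each issue a certificate for the constructed host bank.example, and the verifier that rejects the rogue-issued certificate accepts it as soon as the rogue root is added to the trust store, while a public-key pin still tells the two apart. The root names, the host name and the validity window are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: acceptable in a demonstration, not in production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ca is a constructed, in-memory certificate authority; no real CA is involved.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRoot mints a self-signed CA; "legit" and "rogue" differ only in who holds the key.
func newRoot(name string) ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return ca{must(x509.ParseCertificate(der)), key}
}

// issueLeaf has issuer sign a server certificate for host; any trusted root can do this for any name.
func issueLeaf(issuer ca, host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key))
	return must(x509.ParseCertificate(der))
}

// chainVerifies does what a browser does: chain leaf to a trusted root and check it is valid for host.
func chainVerifies(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// spkiPin hashes the public key; a pin check ignores which roots the OS trust store contains.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// runScenario replays sections 3.2 and 4.1 for a constructed host: is the fake leaf accepted by a
// store holding only the legit root, is it accepted once the rogue root is installed, and does the
// pinned key of the real certificate match the fake one.
func runScenario(host string) (legitAccepts, rogueAccepts, pinMatches bool) {
	legit, rogue := newRoot("Constructed Legit Root"), newRoot("Constructed Rogue Root")
	realLeaf, fakeLeaf := issueLeaf(legit, host), issueLeaf(rogue, host)
	legitAccepts = chainVerifies(fakeLeaf, host, legit.cert)
	rogueAccepts = chainVerifies(fakeLeaf, host, legit.cert, rogue.cert)
	pinMatches = spkiPin(realLeaf) == spkiPin(fakeLeaf)
	return
}

func main() { fmt.Println(runScenario("bank.example")) } // false true false
```

The printed `false true false` is section 4.1 in one line: the same certificate is rejected until the extra root is trusted and accepted afterwards, and only the pin, which does not depend on the trust store, still flags it.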
I appreciate you taking the time to write this up.
After reading this, I'm a bit scared because yesterday I installed both the DNS and cert from keweon and since then I have logged into bank accounts and several important sites (apps and browser).
Is this really that bad? Is keweon creator really capable of stealing users data just by using a custom dns and cert?
2 yrs later the same s**t again?
I'm honored by the fact that you try to fight against keweon. It seems you are someone from the advertising industry, and this statement is almost the same as when you started the big ****storm against me 2 yrs ago.
Did you ever talk about the 46 Root Certificates within Windows which are responsible for sharing Ransomware, Malware, Spyware and other crap? No.
Did you ever talk about all the Apps which are using hidden root certificates to spy on user data? No.
Did you ever talk about custom ROMs which contain hidden Root Certificates? No.
But you are still fighting against me? What would ever happen if I shut down keweon?
keweonDNS is cleaning up the internet from various threats and of course advertising. Blocking this causes HTTPS errors. To suppress these errors I have developed this Root Certificate. At the moment everything is still just for testing and when I launch the "real Infrastructure" there will definitely be a different Root Certificate.
You can use the DNS even without the certificate. Where is the problem? It's not a need or a must to use it, but then Adblock detection is possible and a lot of other things. All addresses outside are working via HTTPS and the only reason for this certificate is to prevent HTTPS errors caused by Adblocking. I was asking you for a better idea - no answer. Even various data protection agreed with me that this is a good idea to protect against data collection.
I'm 100% sure you are someone from the advertising industry because until today you are only talking about common things that "might" happen or that "can" happen or "possibilities". In the meantime a lot of companies are using keweonDNS, and there are some big Companies, and this will definitely show that you have no idea about HTTPS and how it works.
I repeat again. Using keweonDNS is cleaning up the internet in an incredible way. If you want to have everything faster or if you want to suppress the upcoming HTTPS errors caused by Adblocking YOU CAN USE the Certificate. It's not a MUST HAVE. But if you ever have a better idea to fight against data collection and privacy violation without a certificate then any idea is welcome. That's the reason why it's still a TEST SYSTEM.
This certificate suppresses all Adblock detections and data collections. Why don't you talk about this? Why do you only talk about this is possible and that is possible? Why don't you write about the actual facts? Why don't you write about the things which are possible with the certificate?
In the meantime there are worldwide 32 million users who are using keweonDNS. Do you honestly think I didn't expect someone to try a ****storm against me or keweon? keweonDNS is a war declaration against Google, Facebook, Microsoft, Yahoo and the entire worldwide ads industry and you are talking about evil things that "might" happen? But hey, it's OK for me.
I still offer to you - if you have a better idea let's do it together. I'm open to any idea or help. If you still want to fight against me then this shows me you support Google, data collection and privacy violation.
