So after starting this thread it has raised a stir. And I wanted to point out why the data that Google collects from Android devices is in my own opinion not at all "anonymous" although it is claimed to be.
The WSJ article fully explains. Please read it in full but I'm just going to cite a short passage here and embolden a few words:
...an HTC Android phone collected its location every few seconds and transmitted the data to Google at least several times an hour. It also transmitted the name, location and signal strength of any nearby Wi-Fi networks, as well as a unique phone identifier.
Apple does not collect the unique phone identifier in the data that they collect.
So Google is collecting location, unique ID, and if you sign into Google services they have your full account information and all within it. This means, via your phone ID that Google could very easily associate YOU PERSONALLY with the location data if they so choose. I know, they say they don't but it's one heck of a data mining marketer's dream to do it!
So I stop Android from phoning home.
I agree. I own both an iPhone and a Droid, but the difference is the unique identifier being sent from some Droid phones ... The real question is: what is this unique identifier that is being sent? Is it the IMEI or MAC address?
Looks like Google claims it's not the IMEI, according to this article: Google Responds To Smartphone Location Tracking Uproar, Says Android Is Opt-In
From the article:
Google explains that when a phone transmits data back to its servers some location data is actually assigned a unique identification number, but it says that this number is in no way associated with the device’s IMEI, the user’s name, or other information. In other words, they’d have a hard time associating a user with that data.
That makes me wonder, why must they create this "unique identification number" at the device level in the first place? If they simply want a unique value in their database for incoming data, it's much cheaper and easier to assign the value inside Google within their own databases as each new report comes in (RowID for example; you who do any database level programming know what I'm talking about) than to assign each device a "unique" identifier that is sent with other data each time. The fact the device is sending some sort of "unique" identifier is troubling. And it's the researchers that found the value sent is unique and could be used to identify a phone. So do I believe the researchers who first told us exactly what is being sent or Google, since Google didn't tell us exactly what was being sent till the researchers uncovered it? I suspect if anyone could overcome that "hard time associating", Google could, but that's my opinion. They know what method they used to create the supposedly unique value and they know how "unique" it is in relation to a specific device. In all my years of software engineering, I can't see how it would be so "hard" for Google to associate all the data they're pulling in with a specific device and person.
I'll just keep my device from phoning such data to Google and leave it at that. I'm also finding my battery life and GPS lock times have improved since stopping Android from phoning home.
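The difference between a device-sent identifier and a server-assigned row ID, as an added example that is not part of the original post and does not reflect any real collection schema. The tokens, coordinates and account record are all constructed; the two storage schemes are assumptions made to illustrate the argument.

```python
from collections import defaultdict

# Constructed location reports: (device_token, unix_time, lat, lon).
REPORTS = [
    ("tok-A", 1000, 35.10, -85.30),
    ("tok-B", 1005, 36.16, -86.78),
    ("tok-A", 1060, 35.11, -85.31),
    ("tok-A", 1120, 35.12, -85.32),
    ("tok-B", 1065, 36.17, -86.79),
]

# Constructed record from a separate signed-in request that happens to
# carry the same device token (assumption for the illustration).
ACCOUNT_EVENTS = [("tok-A", "user@example.com")]


def store_with_device_token(reports):
    """Scheme 1: keep the identifier the device sent with each report."""
    return [{"key": tok, "t": t, "pos": (lat, lon)}
            for tok, t, lat, lon in reports]


def store_with_server_rowid(reports):
    """Scheme 2: drop the device identifier; the server numbers each row."""
    return [{"key": rowid, "t": t, "pos": (lat, lon)}
            for rowid, (_tok, t, lat, lon) in enumerate(reports, start=1)]


def linkable_tracks(rows):
    """Group rows by stored key; any group with 2+ points is a movement track."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["key"]].append((row["t"], row["pos"]))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def attribute(tracks, account_events):
    """Join tracks to accounts wherever the same key shows up in both."""
    return {account: tracks[tok]
            for tok, account in account_events if tok in tracks}


if __name__ == "__main__":
    for name, store in (("device token", store_with_device_token),
                        ("server row ID", store_with_server_rowid)):
        tracks = linkable_tracks(store(REPORTS))
        print(name, "-> tracks:", len(tracks),
              "attributed:", list(attribute(tracks, ACCOUNT_EVENTS)))
```

With the device token kept, every report from one phone collapses into a single time-ordered track, and one identity-bearing record sharing that token names the whole track. With server-assigned row IDs there is nothing to group on.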
ROMs need to address this directly
Darnell_Chat_TN said:
So Google is collecting location, unique ID, and if you sign into Google services they have your full account information and all within it. This means, via your phone ID that Google could very easily associate YOU PERSONALLY with the location data if they so choose.
Thanks for starting this thread. This is definitely an issue that we should be concerned about. I wasn't aware that Google was collecting more data than Apple, and your above point is very worrying!
I've asked this on the previous thread too, but I'm keen to see if/how ROM developers can directly manipulate Android to remove this malicious transmission to Google. How can we pressure them to do so? Beyond that, Google themselves need to be held accountable for this,
It actually makes perfect sense; when you're collecting all of this data from random phones, you need a way to vet the quality of the data. If some joker starts having fun and injecting bogus data into the uploads, they can eventually identify which phone the bad data came from and remove it all from their database. If the data is purely anonymous, with no ID tag whatsoever, it's much more difficult to maintain the quality of the data.
highlandsun said:
It actually makes perfect sense; when you're collecting all of this data from random phones, you need a way to vet the quality of the data. If some joker starts having fun and injecting bogus data into the uploads, they can eventually identify which phone the bad data came from and remove it all from their database. If the data is purely anonymous, with no ID tag whatsoever, it's much more difficult to maintain the quality of the data.
So, is there a way of "injecting" bogus data deliberately by phones to degrade Google's database? I've also read a report from an NCSU research team creating an application called TISSA for turning off or deliberately feeding misleading info for apps that try to read and transmit personal data. It says with development, this app will be launched on the Android market. Can such methods be used to 'rein in' Google?
Sent from my HTC Incredible S
Of course there is. Just disable the phone-home connection while accumulating data in the cache (using iptables/DroidWall). Then edit the cache files, putting whatever you want in them, and then reenable the connection. The phone won't be able to send the data before you edit it, if you keep the connection locked down.
Sent from my TP2 using Tapatalk
Apple has banned certain hackers from their app store. I'm not trying to send any bogus data to Google, because that might be the tipping point for them to try and ban my device.
Interestingly enough, Steve Jobs himself has come out to proclaim Apple does not track anyone, but he claims Android does: Steve Jobs: Apple doesn't track anyone
Don't iPhones have IMEIs too? Apple have denied using it. So have Google. As far as Google services go, Apple have your info through their store. What's the difference?
deejaylobo said:
Don't iPhones have IMEIs too? Apple have denied using it. So have Google. As far as Google services go, Apple have your info through their store. What's the difference?
Read through the earlier posts for details.
Darnell_Chat_TN said:
Read through the earlier posts for details.
Yes, and despite Google denying using unique identifiers with their data you are of the opinion that they do. But, you believe that Apple does not use unique identifiers based on what? Them saying so?
Nexus SuperAosp
deejaylobo said:
Yes, and despite Google denying using unique identifiers with their data you are of the opinion that they do. But, you believe that Apple does not use unique identifiers based on what? Them saying so?
Nexus SuperAosp
Not based on them saying so at all. Please read in full the article that I've cited, which is the account of 3rd party researchers who looked into what the devices are actually sending. Read the article and view the video on that page as well. Both provide details into the research that was performed and the findings of that research.
Darnell_Chat_TN said:
Not based on them saying so at all. Please read in full the article that I've cited, which is the account of 3rd party researchers who looked into what the devices are actually sending. Read the article and view the video on that page as well. Both provide details into the research that was performed and the findings of that research.
Just a small update. Once again, Google deny using unique identifiers.
http://online.wsj.com/article/SB10001424052748703387904576279451001593760.html?mod=googlenews_wsj
I wonder what came of TISSA? I can't find any release information on it. Just the paper:
http://t.co/Rsuq4L2
Also TaintDroid code is still not widely available in custom kernels or as an add-on module, which is quite sad.
We all know the Android privacy and security are quite bad and all Google does is clean up after-the-fact.
Are there any new developments in this arena that users can deploy themselves?
thanks for this info and the iptables tip above. I think I'll add a log and check it after about a week. I'm real curious as to what info my device is sending out and how much.
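One way to review such a log, as an added example that is not part of the original posts. It assumes a rule along the lines of `iptables -A OUTPUT -j LOG --log-prefix "PHONEHOME: " --log-uid` was in place and that the kernel log was saved to a file; the prefix string and every sample line below are constructed.

```python
import re

LOG_PREFIX = "PHONEHOME: "   # assumed --log-prefix value
FIRST_APP_UID = 10000        # Android gives installed apps UIDs from 10000 up

# Constructed kernel log excerpt in the iptables LOG target's KEY=value format.
SAMPLE_LOG = """\
<4>[  101.120000] PHONEHOME: IN= OUT=rmnet0 SRC=10.20.30.40 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 UID=10045 GID=10045
<4>[  161.500000] PHONEHOME: IN= OUT=rmnet0 SRC=10.20.30.40 DST=203.0.113.10 LEN=1240 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=41000 DPT=443 WINDOW=65535 RES=0x00 ACK PSH URGP=0 UID=10045 GID=10045
<4>[  200.000000] PHONEHOME: IN= OUT=rmnet0 SRC=10.20.30.40 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=50123 DPT=123 LEN=56 UID=1000 GID=1000
<4>[  250.000000] PHONEHOME: IN= OUT=rmnet0 SRC=10.20.30.40 DST=198.51.100.99 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
<6>[  300.000000] wlan: connected
<4>[  400.000000] PHONEHOME: IN= OUT=rmnet0 SRC=10.20.30.40 DST=
<4>[ 3701.000000] PHONEHOME: IN= OUT=rmnet0 SRC=10.20.30.40 DST=203.0.113.10 LEN=980 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=41002 DPT=443 WINDOW=65535 RES=0x00 ACK PSH URGP=0 UID=10045 GID=10045
"""

TS_RE = re.compile(r"\[\s*(\d+\.\d+)\]")


def parse_line(line):
    """Return one logged packet as a dict, or None if the line is not ours
    or was truncated before the destination and length fields."""
    if LOG_PREFIX not in line:
        return None
    fields = {}
    for token in line.split(LOG_PREFIX, 1)[1].split():
        name, sep, value = token.partition("=")
        # Keep the first value per key: the IP header LEN precedes the UDP LEN.
        if sep and name not in fields:
            fields[name] = value
    if not fields.get("DST") or not fields.get("LEN", "").isdigit():
        return None
    ts = TS_RE.search(line)
    uid, dpt = fields.get("UID", ""), fields.get("DPT", "")
    return {
        "time": float(ts.group(1)) if ts else None,
        # UID is absent for packets not tied to a local socket owner.
        "uid": int(uid) if uid.isdigit() else None,
        "dst": fields["DST"],
        "dpt": int(dpt) if dpt.isdigit() else None,   # ICMP has no port
        "proto": fields.get("PROTO", "?"),
        "len": int(fields["LEN"]),
    }


def summarize(lines):
    """Aggregate packets per (uid, destination, port, protocol), largest first."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["uid"], pkt["dst"], pkt["dpt"], pkt["proto"])
        flow = flows.setdefault(key, {
            "uid": pkt["uid"], "dst": pkt["dst"], "dpt": pkt["dpt"],
            "proto": pkt["proto"], "packets": 0, "bytes": 0,
            "first": None, "last": None,
        })
        flow["packets"] += 1
        flow["bytes"] += pkt["len"]
        t = pkt["time"]
        if t is not None:
            flow["first"] = t if flow["first"] is None else min(flow["first"], t)
            flow["last"] = t if flow["last"] is None else max(flow["last"], t)
    return sorted(flows.values(), key=lambda f: f["bytes"], reverse=True)


def app_flows(rows):
    """Keep only flows owned by installed apps rather than system UIDs."""
    return [r for r in rows if r["uid"] is not None and r["uid"] >= FIRST_APP_UID]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines()):
        print(row)
```

The `first` and `last` values are seconds since boot, so a flow whose span covers most of the logging period with a steady packet count is the periodic reporting the thread is asking about.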
Hey XDAian...
Here I am back again for a few suggestions & discussion.
Based on some pretty interesting facts about "mobile in general", the smartphone segment has brought accessibility to millions around the world, at work and at home. Naturally, all the data in those devices, wirelessly accessible, becomes a gold mine for those with nefarious motives to exploit.
On the work front, smartphones are a huge contributor to productivity. At home, they provide meaningful and useful (and sometimes redundant) ways to stay in touch with friends and family. The more of these devices we buy, the bigger the opportunity is for criminals, because there are so many ways to get the data. We might lose a device, or it is stolen, we might download a bad application, or soon brush against an NFC tag or visit a bad web-page. The possibilities are so diverse compared to a PC or server farm hardwired to the internet.
With the tremendous growth of the smartphone market not expected to slow down anytime soon, people and organizations must be vigilant in guarding against breaches of their data and/or personal information. Even as organized hackers work on ways to score the high-value breach, they are working on high-volume, low-risk attacks against weaker targets as well.
In addition to some tips about securing mobile devices, the infographic has some interesting facts from 2011 in there as well, such as 855 breaches resulted in the theft of 174 million records.
We need some security applications for protecting our valuable data (like Msgs, Contacts, PIN codes etc). Therefore, from my side this thread belongs to all XDAians.
Please suggest the latest, finest applications & a few tremendous suggestions from all Devs, RC, RD & Members.
I like a security-based application called LBE Privacy Guard to prevent sending data through various applications installed on our mobile.
Some great ideas received from our XDA members, which follow here:
As this OP thread may become too long, for a better view just press "Show Contents" for their suggestions.
This One is provided by Our Great Sr.MOD Justin:
Personally, I place little emphasis on mobile security. Things like antivirus, password protectors etc. make sense if you store a lot of mission-critical, sensitive data on your phone, or frequent a lot of open hotspots, leave your Bluetooth on and 'visible' in public places, but otherwise just chew battery, CPU cycles and money.
I can appreciate the need for such things, in some instances (proper business users, etc.). I have little faith in an app to look after my security however, and would instead recommend a few lifestyle changes where possible, to improve your security:
1. Never use open, public WiFi. If you must, never use it for sites you log into, sites that control your money, or sites that contain other sensitive information. Doesn't take much for that guy outside McDonalds on his laptop to be sniffing packets.
2. Turn on Bluetooth and NFC only when you intend to use them. Not only do you save precious battery, you ensure that your close-range transmission technologies are only on when you need them, and not at other times. Also, set a unique Bluetooth passcode for your device, rather than the generic '0000'.
3. Never let your browser remember any passwords.
4. When setting passwords and PINs, never use a bank PIN, and always use 'leetspeak' for your passwords. For example, I would like my password for XDA to be 'firewood'. Rather than just typing it, try substituting letters for numbers, like this: F1r3W00d. Mix up your capital and lower-case letters, even substitute characters for letters or numbers. Do anything you can to ensure your passwords don't resemble anything from a dictionary!
I have no idea whether these steps have helped, but I haven't been the victim of online identity theft yet - even my passwords have never been compromised.
I think it's something we should always keep in mind, but never worry too much about. The risk is always there but it's a big, wide world.
This One is provided by Our Great buddy Adam77root:
Mobile security is getting more and more important nowadays. But the worst is that people don't know about and are not aware of the security issues that all pose a high threat to gadget users. There are plenty of ways for which stolen data can be used for and most of the people don't even think of themselves being impersonated by hackers.
Because of the design of the Android system it's very easy to write fully-featured malwares for this platform as the permissions are not handled on a low native (even kernel) level, but there are the Android permissions most of you are already aware of. A lot of users don't read through the permissions that the application they install asks for, making it easy to fool them.
Hackers usually give such application and package names that they are very similar to those of the inner Android system, so the users don't delete those apps after a little Google search.
Coding in Java is extremely easy, you don't even have to free memory, as the garbage collector does that for you. This opens this platform for the so-called script-kiddies who are wannabe 'hackers' and want to create the 'best malware ever'. They're dangerous as there are a lot of them. There are also a lot of prebuilt libraries for Java, which can be used for making for example network communication easy.
If such an application is installed on a system, it's easy to root the victim's device, opening a new way to compromise the OS. There are methods to root a great deal of devices (of course excluding some) and plant a rootkit on them for a longer stay. For example the app is then moved to the system partition where it cannot be deleted from.
Most of the modern malwares communicate through the internet with their author. If somebody uses a 2G/3G data connection and has no or limited data plan, it may cost high amount of money for the user. For example: Here, in Hungary, lot of teenagers use 0.facebook.com which allows them to browse Facebook without paying for it. Just imagine their parents when they get the bill because of a hacker.
I, personally, do not use any antiviruses on my phone. Even, I use only a free AVG on my Windows PC and nothing on my Linux box. Every system can be hacked and all AV-s can be bypassed. Sometimes I check the autorun apps to see if there isn't any suspicious.
To sum up: I advise you not to download/install any suspicious app on your phones and if you notice some strange network activity, do a deeper inspection on it and wipe your data (very important as most of the malwares are still installed there) or reflash your system if you want to make sure everything.
Here is few more points from our great RC Selva.simple.
Mobile security not only matters about protecting our data from phishing and virus attacks but also protecting it when v lose our device. Because a smartphone falling into wrong hands can cause so much trouble. So just wanna list down the following points in terms of mobile security
* When u buy a new smartphone, take a mobile-insurance along with it (at least for a year). We may sometimes not know its importance. But it matters a lot. It comes to around 3% of mobile cost. Keep your bills and insurance papers safely.
* For all important personal contents (Contacts, Pics, Videos, Docs, Messages) you store in smartphone, have a secondary backup in your system or hard disk. It comes in handy when ur phone is totally dead or lost. Take this backup at least once in two months. Lots of software available for this.
* Use personal lock apps like "Keep safe" to lock/hide your personal data.
* Use Mobile security apps like "Lookup" or "Avast". Even if not for its anti-virus feature, but must for its "Anti-theft" features. Apps that help in locating the device in case the mobile is stolen and kept on. Or when your sim card is replaced with a new sim, sending out an sms from the new sim to a pre-configured number.
* Apart from all these, an important feature is to destroy all your personal contents (complete Erase) in your mobile in case it is stolen. This will prevent our data falling in hands of wrong people. More than device, our data matters a lot.
I'm a personal victim of a stolen mobile phone, my Wave II. Since that was the time, i flashed a leaked Bada 2.0, no data was there in my mobile. So atleast i was happy with that. I had my mobile insurance which got me the 80% of money which led my way to Android world via Galaxy R.
Source of this amazing ad is Phone Arena.
"How to secure your Android phone and protect your data"
Just Go to this thread for the same ->How to secure your Android phone and protect your data
Download LBE Privacy Guard / master for mobile -> Click here for thread.
FOA, good thread (Y)
i know two apps which are good in security...
one is APPLOCK - https://play.google.com/store/apps/details?id=com.domobile.applock&feature=search_result
another AFARIA - my bro uses this on his note, its suggested by his company to maintain their mails and lot other office stuff store on the phone-
https://play.google.com/store/apps/details?id=com.Android.Afaria&feature=search_result
U brought to my attention the importance of security...
Till nw i was least bothered n never paid attention...
Bt thanks...
Sent from my GT-I9103 using Tapatalk 2
vipul12389mehta said:
U brought to my attention the importance of security...
Till nw i was least bothered n never paid attention...
Bt thanks...
Sent from my GT-I9103 using Tapatalk 2
security is important man!! how can you let others read your messages or your mails or even look at your gallery ???
security is must!!
chandrus1983 said:
FOA, good thread (Y)
i know two apps which are good in security...
one is APPLOCK - https://play.google.com/store/apps/details?id=com.domobile.applock&feature=search_result
another AFARIA - my bro uses this on his note, its suggested by his company to maintain their mails and lot other office stuff store on the phone-
https://play.google.com/store/apps/details?id=com.Android.Afaria&feature=search_result
Thanks buddy. U r like my bro.. Can u pls add few more lines abt these two application. I will add both of it in OP.
Sent from my GT-I9103 using xda premium
vipul12389mehta said:
U brought to my attention the importance of security...
Till nw i was least bothered n never paid attention...
Bt thanks...
Sent from my GT-I9103 using Tapatalk 2
Buddy if u will PM me then i will disclose u few points of applications.. bt security is highly recommended over android mobiles.
Sent from my GT-I9103 using xda premium
chandrus1983 said:
security is important man!! how can you let others read your messages or your mails or even look at your gallery ???
security is must!!
This is what i was telling in whole thread buddy. Security is as essential as security of ur bank account. If an unknown person is having ur personal data, it means u are in big trouble. So, for security point of view we must have knowledge abt the same.
Edit: that's why i asked from Devs/RC/RD to come ahead and provide us the right path of security.
Sent from my GT-I9103 using xda premium
kataria.vikesh said:
Thanks buddy. U r like my bro.. Can u pls add few more lines abt these two application. I will add both of it in OP.
Sent from my GT-I9103 using xda premium
Yes I will write when I get on pc, and ask more info about the afaria app from my brother.and update it.
From my Limited Edition SGR
Mobile security is getting more and more important nowadays. But the worst is that people don't know about and are not aware of the security issues that all pose a high threat to gadget users. There are plenty of ways for which stolen data can be used for and most of the people don't even think of themselves being impersonated by hackers.
Because of the design of the Android system it's very easy to write fully-featured malwares for this platform as the permissions are not handled on a low native (even kernel) level, but there are the Android permissions most of you are already aware of. A lot of users don't read through the permissions that the application they install asks for, making it easy to fool them.
Hackers usually give such application and package names that they are very similar to those of the inner Android system, so the users don't delete those apps after a little Google search.
Coding in Java is extremely easy, you don't even have to free memory, as the garbage collector does that for you. This opens this platform for the so-called script-kiddies who are wannabe 'hackers' and want to create the 'best malware ever'. They're dangerous as there are a lot of them. There are also a lot of prebuilt libraries for Java, which can be used for making for example network communication easy.
If such an application is installed on a system, it's easy to root the victim's device, opening a new way to compromise the OS. There are methods to root a great deal of devices (of course excluding some) and plant a rootkit on them for a longer stay. For example the app is then moved to the system partition where it cannot be deleted from.
Most of the modern malwares communicate through the internet with their author. If somebody uses a 2G/3G data connection and has no or limited data plan, it may cost high amount of money for the user. For example: Here, in Hungary, lot of teenagers use 0.facebook.com which allows them to browse Facebook without paying for it. Just imagine their parents when they get the bill because of a hacker.
I, personally, do not use any antiviruses on my phone. Even, I use only a free AVG on my Windows PC and nothing on my Linux box. Every system can be hacked and all AV-s can be bypassed. Sometimes I check the autorun apps to see if there isn't any suspicious.
To sum up: I advise you not to download/install any suspicious app on your phones and if you notice some strange network activity, do a deeper inspection on it and wipe your data (very important as most of the malwares are still installed there) or reflash your system if you want to make sure everything.
I never thought this but after reading this i am also thinking .....
Yep buddy you are correct, we need to think about this very seriously ....
Sent from my GT-I9103 using xda premium
mj.vikram said:
I never thought this but after reading this i am also thinking .....
Yep buddy you are correct, we need to think about this very seriously ....
Sent from my GT-I9103 using xda premium
Yup MJ buddy, I wasn't so much aware but when I saw that my installed applications is getting access to my device & sharing the data, I jst start searching the help.
Nice thread Vikesh, great idea.
Personally, I place little emphasis on mobile security. Things like antivirus, password protectors etc. make sense if you store a lot of mission-critical, sensitive data on your phone, or frequent a lot of open hotspots, leave your Bluetooth on and 'visible' in public places, but otherwise just chew battery, CPU cycles and money.
I can appreciate the need for such things, in some instances (proper business users, etc.). I have little faith in an app to look after my security however, and would instead recommend a few lifestyle changes where possible, to improve your security:
1. Never use open, public WiFi. If you must, never use it for sites you log into, sites that control your money, or sites that contain other sensitive information. Doesn't take much for that guy outside McDonalds on his laptop to be sniffing packets.
2. Turn on Bluetooth and NFC only when you intend to use them. Not only do you save precious battery, you ensure that your close-range transmission technologies are only on when you need them, and not at other times. Also, set a unique Bluetooth passcode for your device, rather than the generic '0000'.
3. Never let your browser remember any passwords.
4. When setting passwords and PINs, never use a bank PIN, and always use 'leetspeak' for your passwords. For example, I would like my password for XDA to be 'firewood'. Rather than just typing it, try substituting letters for numbers, like this: F1r3W00d. Mix up your capital and lower-case letters, even substitute characters for letters or numbers. Do anything you can to ensure your passwords don't resemble anything from a dictionary!
I have no idea whether these steps have helped, but I haven't been the victim of online identity theft yet - even my passwords have never been compromised.
I think it's something we should always keep in mind, but never worry too much about. The risk is always there but it's a big, wide world
juzz86 said:
. I have little faith in an app to look after my security however, and would instead recommend a few lifestyle changes where possible, to improve your security:
Happy to see u again juzz. Yes that's true, more than an app, we shud be more conscious in our lifestyle and trend towards using our smartphone. And Congrats that u r part of "DEVELOPER COMMITTEE".. Or is it u were already there in it and am i just noticing it now
juzz86 said:
Nice thread Vikesh, great idea.
I have no idea whether these steps have helped, but I haven't been the victim of online identity theft yet - even my passwords have never been compromised.
I think it's something we should always keep in mind, but never worry too much about. The risk is always there but it's a big, wide world
Thanks Buddy. Your suggestion is marvelous as always. But finest one is password setting in Alphanumeric ("Mix up your capital and lower-case letters, even substitute characters for letters or numbers"). I must add your suggestion & Adam one in OP. Thanks buddy.
You're welcome. Thank you both for the kind words always happy to catch up with my Royal friends!
chandrus1983 said:
Yes I will write when I get on pc, and ask more info about the afaria app from my brother.and update it.
From my Limited Edition SGR
AppLocker is a SW which lets you Lock ANYTHING n EVERYTHING in your phone,
you can lock Messages, Contacts, Mail, Gallery, etc etc, if you wish, you can lock all the apps, by just selecting LOCK ALL option, which is there in the App.
AFARIA is a device administrator, it is used by professionals whose mails and calendar events are strictly private/confidential,
my brother works for HP, he uses this app, and ofc it is recommended by the company,
he cannot access his mails and events, if this app is disable or enabled,
in his Galaxy Note he has installed it, and all the security options like swipe, number lock are disabled...
only Password is available, you can't set any other lock other than Password...
If you try to remove this app, all your mails, events and personal data will be deleted
APP Lock - https://play.google.com/store/apps/details?id=com.domobile.applock&feature=search_result
Afaria - https://play.google.com/store/apps/details?id=com.Android.Afaria&feature=search_result
Mobile security not only matters about protecting our data from phishing and virus attacks but also protecting it when v lose our device. Because a smartphone falling into wrong hands can cause so much trouble. So just wanna list down the following points in terms of mobile security
When u buy a new smartphone, take a mobile-insurance along with it (at least for a year). We may sometimes not know its importance. But it matters a lot. It comes to around 3% of mobile cost. Keep your bills and insurance papers safely.
For all important personal contents (Contacts, Pics, Videos, Docs, Messages) you store in smartphone, have a secondary backup in your system or hard disk. It comes in handy when ur phone is totally dead or lost. Take this backup at least once in two months. Lots of software available for this.
Use personal lock apps like "Keep safe" to lock/hide your personal data.
Use Mobile security apps like "Lookup" or "Avast". Even if not for its anti-virus feature, but must for its "Anti-theft" features. Apps that help in locating the device in case the mobile is stolen and kept on. Or when your sim card is replaced with a new sim, sending out an sms from the new sim to a pre-configured number.
Apart from all these, an important feature is to destroy all your personal contents (complete Erase) in your mobile in case it is stolen. This will prevent our data falling in hands of wrong people. More than device, our data matters a lot.
I'm a personal victim of a stolen mobile phone, my Wave II. Since that was the time, i flashed a leaked Bada 2.0, no data was there in my mobile. So atleast i was happy with that. I had my mobile insurance which got me the 80% of money which led my way to Android world via Galaxy R.
This seems so fine when our mods and RC buddies are giving their time for issues which we usually neglect. Thanks selva buddy. Added ur suggestion in OP.
Sent from my GT-I9103 using xda premium
FAQ
Below are a few questions which might help you to update FAQ in OP:
1) Can we change/control the permissions of an application in a rooted/non-rooted phone dynamically? Could there be any adverse effect if I do this?
2) Is there any encryption software which encrypts stored data/passwords (remembered passwords etc)? Is this required (or is Android's inherent encryption sufficient)?
3) What is the meaning of basic permissions in layman's terms?
4) If I trust application A and give it sensitive permissions and application B does not require major permissions; is it possible for application B to gain access to application A's data instead of direct access to system data? How dangerous is it and is there any example out there?
5) Any indication on the device (behaviour) through which I can find out if my device is hacked/leaking information etc?
6) Is Android more secure than Windows in normal usage terms? For example, is it more secure if I use a bank website on my Android phone instead of my anti-virus protected Windows machine or vice-versa?
ashvyas said:
below are few questions which might help you to update FAQ in OP :
Hey buddy. Nice suggestion. But we need answers to these questions first. So, I think we must find them. What do you say?
Okay, so, I summed up some 5 articles on this subject - in the hope of starting a discussion about device security. I hope you will find this interesting and meaningful and perhaps you will find out about some of the risks of using Android.
2 months ago Juniper Networks, one of the two biggest network equipment manufacturers, published a blog post (1) about intensive research their mobile threat department did on the Android market place.
In essence they analyzed over 1.7 million apps in Google Play, revealing frightening results and prompting a hard reality check for all of us.
One of the worrying findings is that a significant number of applications contain capabilities that could expose sensitive information to 3rd parties. For example, neither Apple nor Google requires apps to ask permission to access some forms of the device ID, or to send it to outsiders. A Wall Street Journal examination (2) of 101 popular Android (and iPhone) apps showed that 56 — that's half — of the apps tested transmitted the phone's unique device ID to other companies without users' awareness or consent. 47 apps — again, almost a half — transmitted the phone's location to other companies.
That means that the apps installed in your phone are 50% likely to clandestinely collect and sell information about you without your knowledge or your consent. For example, when you give permission to an app to see your location, most apps don't disclose if they will pass the location to ad companies.
Moving on to more severe Android vulnerabilities. Many applications perform functions not needed for the apps to work — and they do it under the radar! The lack of transparency about who is collecting information and how it is used is a big problem for us.
Juniper warns that some apps request permission to clandestinely initiate outgoing calls, send SMS messages and use a device camera. An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device. I am of course talking about the famous and infamous US Navy PlaceRaider (3).
Thankfully the Navy hasn't released this code but who knows if someone hadn't already jumped on the wagon and started making their own pocket sp?. CIO magazine (4) somewhat reassures us though, that the "highly curated nature of [smartphone] application stores makes it far less likely that such an app would "sneak through" and be available for download."
A summary by The Register (5) of the Juniper Networks audit reads that Juniper discovered that free applications are five times more likely to track user location and a whopping 314 percent more likely to access user address books than paid counterparts. 314%!!!
1 in 40 (2.64%) of free apps request permission to send text messages without notifying users, 5.53 per cent of free apps have permission to access the device camera and 6.4 per cent of free apps have permission to clandestinely initiate background calls. Who knows, someone might just be recording you right now, or submitting your photo to some covert database in Czech Republic — without you even knowing that your personal identity is being compromised.
Google, by the way, is the biggest data recipient — so says The Wall Street Journal. Its AdMob, AdSense, Analytics and DoubleClick units collected data from 40% of the apps they audited. Google's main mobile-ad network is AdMob, which lets advertisers target phone users by location, type of device and "demographic data," including gender or age group.
To quote The Register on the subject, the issue of mobile app privacy is not new. However Juniper's research is one of the most comprehensive looks at the state of privacy across the entire Google Android application ecosystem. Don't get me wrong. I love using Google's services and I appreciate the positive effect this company has had over how I live my life. However, with a shady reputation like Google's and with its troubling attitude towards privacy (Google Maps/Earth, Picasa's nonexistent privacy and the list goes on) I sincerely hope that after reading this you will at least think twice before installing any app.
Links: (please excuse my links I'm a new user and cannot post links)
(1) forums.juniper net/t5/Security-Mobility-Now/Exposing-Your-Personal-Information-There-s-An-App-for-That/ba-p/166058
(2) online.wsj com/article/SB10001424052748704694004576020083703574602.html
(3) technologyreview com/view/509116/best-of-2012-placeraider-the-military-smartphone-malware-designed-to-steal-your-life/
(4) cio com/article/718580/PlaceRaider_Shows_Why_Android_Phones_Are_a_Major_Security_Risk?page=2&taxonomyId=3067
(5) theregister co.uk/2012/11/01/android_app_privacy_audit/
____________________________________________________________________________________________
Now I am proposing a discussion. Starting with - do we have the possibility to monitor device activity on the phone? By monitoring device activity, such as outgoing SMSs and phone calls in the background, the camera functions and so on we can tell if our phone is being abused under the radar and against our consent. What do you think?
.
I am finding it sad and troubling but even more so ironic that nobody here cares about this stuff.
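As an added example (not part of the thread, and not code from Juniper or any tool named in it), the capability categories listed in the article summary above can be checked against the permission list that `aapt dump permissions app.apk` prints for an APK. The package names and the sample dump are constructed, and treating data categories as exposed only when the app also holds INTERNET is a simplifying assumption.

```python
import re

# Capabilities named in the post, mapped to the Android permissions that gate them.
# Assumption: READ_PHONE_STATE stands in for IMEI-type device IDs; ANDROID_ID needs
# no permission at all, so a manifest audit cannot see apps that read it.
CATEGORIES = {
    "device ID": {"android.permission.READ_PHONE_STATE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "address book": {"android.permission.READ_CONTACTS"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "send SMS": {"android.permission.SEND_SMS"},
    "place calls": {"android.permission.CALL_PHONE"},
}
INTERNET = "android.permission.INTERNET"
ACTIVE = {"send SMS", "place calls"}  # act on their own, no network needed

# aapt prints either  uses-permission: android.permission.X
#                 or  uses-permission: name='android.permission.X'
PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)")
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_dump(text):
    """Return {package: set of permissions} from concatenated aapt dumps."""
    apps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := PKG_RE.match(line)):
            current = apps.setdefault(m.group(1), set())
        elif (m := PERM_RE.match(line)) and current is not None:
            current.add(m.group(1))
    return apps

def audit(perms):
    """Heuristic: data categories count only when the app can also reach the network."""
    hits = {cat for cat, names in CATEGORIES.items() if names & perms}
    if INTERNET not in perms:
        hits &= ACTIVE
    return sorted(hits)

def report(text):
    """Return {package: flagged categories}, omitting apps with nothing flagged."""
    found = {pkg: audit(perms) for pkg, perms in parse_dump(text).items()}
    return {pkg: cats for pkg, cats in found.items() if cats}

# Constructed sample input (not taken from any real app).
SAMPLE = """\
package: name='com.example.flashlight' versionCode='1'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
package: com.example.notes
uses-permission: android.permission.READ_CONTACTS
package: com.example.wallpaper
uses-permission: android.permission.SEND_SMS
"""

if __name__ == "__main__":
    for pkg, cats in report(SAMPLE).items():
        print(f"{pkg}: {', '.join(cats)}")
```

A manifest audit like this shows what an app is able to do, not what it actually does at runtime, which is the gap the monitoring question in the post is about.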
Pdroid allows you to tailor your apps and what permissions your device actually allows on a per app basis. Requires some setup, and the GUI is nothing fancy.. but for those worried about permissions, it is quite ideal.
Edit : http://forum.xda-developers.com/showthread.php?t=1357056
Great project, be sure to thank the dev
Sent from my ADR6425LVW using Tapatalk 2
DontPushButtons said:
Pdroid allows you to tailor your apps and what permissions your device actually allows on a per app basis
Sounds good for a start, I'll look it up
pilau said:
Sounds good for a start, I'll look it up
Okay, so I looked it up, and Pdroid does look like a fantastic solution to control what apps have access to what information on your droid.
However, it doesn't cover monitoring hardware functions such as texts being sent, calls being placed etc. as described in the OP. Besides, it only works in Gingerbread as far as I could gather.
EDIT: looking at PDroid 2.0, it does exactly what I originally asked
pilau said:
Okay, so I looked it up, and Pdroid does look like a fantastic solution to control what apps have access to what information on your droid.
However, it doesn't cover monitoring hardware functions such as texts being sent, calls being placed etc. as described in the OP. Besides, it only works in Gingerbread as far as I could gather.
I actually first found out about it on an ics rom, so it's definitely not just gb. As for monitoring, no clue. Any sort of extra process logging would likely bog down resources or space eventually.
Sent from my ADR6425LVW using Tapatalk 2
DontPushButtons said:
Any sort of extra process logging would likely bog down resources or space eventually.
I definitely wouldn't know. This solution looks very complicated in first impression but on the Google play page it says 100% no performance effects.
Anyway, I looked up PDroid 2.0 here on XDA, which is the rightful successor of the original app. It does everything the original app does and also monitors many device activities! Here is the full list of features. I would add a working link but I'm still a n00b and I am restricted from doing so. Sigh....
forum.xda-developers com/showthread.php?t=1923576
PDroid 2.0 allows blocking access for any installed application to the following data separately:
Device ID (IMEI/MEID/ESN)
Subscriber ID (IMSI)
SIM serial (ICCID)
Phone and mailbox number
Incoming call number
Outgoing call number
GPS location
Network location
List of accounts (including your google e-mail address)
Account auth tokens
Contacts
Call logs
Calendar
SMS
MMS
Browser bookmarks and history
System logs
SIM info (operator, country)
Network info (operator, country)
IP Tables(until now only for Java process)
Android ID
Call Phone
Send SMS
Send MMS
Record Audio
Access Camera
Force online state (fake online state to permanent online)
Wifi Info
ICC Access (integrated circuit-card access, for reading/writing sms on ICC)
Switch network state (e.g. mobile network)
Switch Wifi State
Start on Boot (prevents that application gets the INTENT_BOOT_COMPLETE Broadcast)
I've always had the luxury of someone else integrating it into the Rom, then I just had to set it up through the app. It is time-consuming, but not very difficult at all. I say give it a shot and see if that's what you had in mind. Maybe the logging is less detrimental than I had previously thought.
I'm sure you could get your post count up by asking for some tips in that thread. Every forum on xda has at least one person that's EXCESSIVELY helpful, frequently more. So have a ball
Sent from my ADR6425LVW using Tapatalk 2
Is online shopping on Android phones actually safe? I am confused... any views on this?
That depends on what your security concerns are. For me, I think it is totally safe to buy things online with your phone. I would do just about anything but financial activities in this context. However, my answer is a bit loaded so now I need to explain that part a bit. Credit Cards have built in protections. If you check your statements and dispute all charges that you did not authorize, then shopping through your phone is completely safe. I have had tons of fraudulent activity on my credit cards and I haven't paid a single cent that wasn't my own charge. The catch here is that you run pretty much the same risk doing your shopping online through an ordinary computer. Granted, phones have terrible security. My real point here is that you should use your phone assuming you cannot trust it. In this case, I use my credit card fraud protection as my mitigation for an untrustable platform.
dipinv.2007 said:
Is online shopping on Android phones actually safe? I am confused... any views on this?
It is risky, indeed. Luckily, you can do something to protect your safety online. Android has a lot of flaws and it's vulnerable to malware and viruses - more vulnerable than your personal computer because it's an open system (in theory) with millions of unverified apps for download.
My recommendations:
[Remember, there's no 100% guarantee/solution, but it's better than doing nothing at all!]
Avoid using open WiFi hotspots (Starbucks, McDonalds, city hotspots, etc.) if it's not an URGENT purchase.
However, sometimes you find yourself in a situation where you need to purchase something right away. When connected to public networks (again, Starbucks, city hotspots, etc.) consider using a VPN service to encrypt your connection.
I don't want to start a war over which VPN provider is better, but PIA (Private Internet Access) is ultra cheap and reliable.
Why use a VPN? VPN connections, like L2TP IPsec PSK connections, can encrypt your data, securing your connection from sniffing (wireless network tapping/monitoring).
When shopping online use the shop's app rather than your Android browser. Using your browser can have catastrophic consequences. Your eyes can deceive you! Don't trust them.^ ^
When using your browser (Chrome, Android browser, etc.) always check your connection to the shop's sign-in page - if it's unsecured (http websites) leave the page! The same goes for links. Make sure to check the URL address! Again, don't rely on your eyes when using public hotspots. Why? In layman's terms: when you connect to the internet, your Android resolves IPs (URLs/websites) via DNS servers, which can be infected. If a hotspot is infected and you search for, let's say, PayPal you might actually get somewhere else! Relying on URLs when shopping via hotspots is a stupid idea! That's why, again, you should consider using a VPN, which encrypts your traffic + paid VPNs have a lower chance of getting infected since the folks working there regularly check their servers + most VPN providers use secure DNS servers, which override the hotspot's default DNS settings.
When downloading apps verify the company's name and make sure it's an original app! Avoid using user-made apps to access your eBay/Amazon account! Stay away from unknown & unverified, hence untrusted Android markets.
Antivirus/antimalware. Scan your phone frequently!
GOLDEN RULE: NOTHING IS BULLETPROOF!
I guess that's it for the average user. :cyclops:
The same applies for your personal computer.
Thanks guys !! great replies, sums it all up ...every one should follow this advice !! :good:
dipinv.2007 said:
Thanks guys !! great replies, sums it all up ...every one should follow this advice !! :good:
You're welcome. Have a good day/night/whatever! :silly:
Of course it is, just make sure you are using https://, which means a secure server that encrypts your data.
Of course it is, just make sure you install the official apps.
One question regarding the apps: are they using a safe connection to the server, or might there be a security problem?
I'm talking about the "big player apps" like Amazon, eBay, PayPal etc.
Good day!
I have a page for online privacy ( www.4yourprivacy.com) and want to add more information regarding smart phones and personal privacy and anonymity to that site.
Anyone who can offer insight to these questions as well as suggest additional questions I may not have thought of I will be most appreciative.
It is understood that using mobile networks data, tower triangulation can still provide coarse location information that is saved as part of your phone record. Assume that location services and GPS are disabled
1. Using cell data how much privacy is afforded by having an active VPN connection with regard to third party apps or with carrier provided SMS?
With no mobile data but using WiFi only with VPN.
2. Does VPN offer any actual privacy to the user of standard SMS messages? I realize that alternative means such as "Signal app" provide end-2-end privacy even without VPN.
3. Do some, all, most third party apps obtain and transmit the specific device ID such as phone number and IMEI etc back to a server some where? This is a technical/software question not related to developers privacy practice. Is this totally dependent upon permissions you can control per-app?
4. App tagging. I read that when a user downloads an app from PlayStore that app is tagged to your device to permit developers to monitor accounts for such things as billing etc to be able to disable apps where user either has not paid or has violated some TOS...also by Google to register it to your phone for updates etc.
But what about the same app obtained and manually installed as an APK file without going through PlayStore?
Any thoughts, links to authority or additional questions I failed to ask, please let me hear what you have to say. ( Yes this may appear on more than one forum! )
Again thanks in advance for any thoughts or info that you believe should make their way to a discussion about privacy and security when using a mobile device. ( Android in this case...will address iPhone elsewhere )
Paul
paulckruger said:
Good day!
I have a page for online privacy ( www.4yourprivacy.com) and want to add more information regarding smart phones and personal privacy and anonymity to that site.
...
Interesting... Just had a look at your site regarding privacy and anonymity with Webbkoll and got interesting results: https://webbkoll.dataskydd.net/en/results?url=http://www.4yourprivacy.com/
Do you agree that having Google and LinkedIn cookies already contradicts privacy etc.?
Well for starters there is no information on this page that Google does not already index. I am not concerned about the privacy of this web site simply because if the site itself is too "private" people searching for this kind of info won't be able to find me in Google...kinda defeats the purpose of such a site in the first place!
The actual "privacy" aspect is the responsibility of the user not this web site which by definition must be findable for people to access the information. The assumption should be that a first visit will be by someone already exposing their tracks online seeking info on how to avoid just that.
Second...not a response to my question!
But thanks.