{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
The term "privacy" means many things in different contexts. Different people, cultures, and nations have a wide variety of expectations about how much privacy a person is entitled to or what constitutes an invasion of privacy. Information or data privacy refers to the evolving relationship between technology and the legal right to, or public expectation of, privacy in the collection and sharing of data about one's self. Privacy concerns exist wherever uniquely identifiable data relating to a person or persons are collected and stored, in digital form or otherwise. In some cases these concerns refer to how data is collected, stored, and associated. In other cases the issue is who is given access to information. Other issues include whether an individual has any ownership rights to data about them, and/or the right to view, verify, and challenge that information.
This post does not intend to address the many definitions of privacy or the many technical means of protecting and invading one's privacy. There are already many posts addressing this aspect and brief search can turn up lots of answers for you.
This post is only intended to help the least technically savvy among us in maintaining some small amount of data security and privacy without getting very technical about things. It was derived from many diverse sources on basic privacy.
Note that I do NOT have a DONATE button anywhere.
I am not looking for donations.
If you feel that you should donate something, by all means,
send it to your favorite XDA developer and/or XDA itself!
And don't be shy about the
button for the many posters who were of help to you!
Recently, a friend handed me his phone and asked me to take a picture. “What’s the password?” I asked. “I don’t have one,” he said. I think I must have had a puzzled look on my face as, I suppose, I tend to grimace when someone I know tells me they’re choosing not to take one of the very simplest steps for privacy protection, allowing anyone to look through their phone with the greatest of ease, to see whichever messages, photos, and sensitive apps they please.
So, this post is for you, big guy with no password on your Galaxy/iPhone/Nexus/whatever, and for you, girl who stays signed into GMail on your boyfriend’s computer, and for you, person walking down the street having a loud conversation on your mobile phone about your recent doctor’s visit of that odd ailment you have. These are the really, really simple things you could be doing to keep casual intruders from invading your privacy.
1 Password protect your phone! It is one of the simplest things you can do to most devices (smartphones, tablets, etc.) with the least amount of effort. Many people tell me it is “annoying” to take the two seconds to type in a password each time before using the phone. Gimme a break, everyone!. Choosing not to password protect these devices is the digital equivalent of leaving your home or car unlocked. If you’re lucky, no one will take advantage of you. Or maybe the contents will be ravaged and your favorite speakers and/or secrets stolen. If you’re not paranoid enough, spend some time reading entries in Reddit, where many Internet users go to discuss issues of the heart. A good percentage of the entries start, “I know I shouldn't have, but I peeked at my gf’s phone and read her text messages, and…” Oh, and before you pick a password like "123456" or "password" do yourself a big favor and visit the Worst passwords of all time web page! No laughing allowed!
2 Turn on 2-step authentication in GMail (that is, if you use GMail, of course). The biggest conclusion you can derive from the epic hack of Wired’s Mat Honan is that it probably wouldn't have happened if he’d turned on “2-step verification” in GMail. This simple little step turns your device into a security fob — in order for your GMail account to be accessed from a new device, a person (you?) needs a code that’s sent to your phone. This means that even if someone gets your password somehow, they won’t be able to use it to sign into your account from a strange computer. (How it works - video) Google says that millions of people use this tool, and that “thousands more enroll each day.” Be one of those people! Yes, it can be annoying if your phone battery dies or if you’re traveling. Of course, you can temporarily turn it off when you’re going to be abroad or phone-less. Alternately, you can leave it permanently turned off, and increase your risk of getting epically hacked. Which do you like better?
3 Put a Google Alert on your name! This is an incredibly easy way to stay on top of what’s being said about you online. It takes less than a minute to do. Go here: http://www.google.com/alerts; anyone can do it easily. Google Alerts are email updates of the latest relevant Google results (web, news, etc.) based on your queries. Enter your name, and variations of your name, with quotation marks around it. Boom. You’re done. Now, that wasn't too tough, was it? I didn't think so. :-]
4 Sign out of your Facebook / Twitter / GMail / etc. account! Do it each time you are done with your emailing, social networking, tweeting, and other forms of general time-wasting. Not only will this reduce the amount of tracking of you as you surf the Web, this also prevents someone who later sits down at your computer from loading one of these up and getting snoopy. This becomes much more important when you’re using someone else’s or a public computer. Yes, people actually forget to do this, with terrible outcomes. Incidentally, if you have the Chrome browser on your PC and you use “incognito” (Ctrl Shift N) or Internet Explorer and you use “InPrivate” (Ctrl Shift P) you will automatically be logged out when you close the window, and no cookies or passwords will be stored. Pretty cool, right?
5 Don’t give out your email address, phone number, or zip code when asked. Hey, if some scary (or weird) looking dude in a bar asked for your phone number, you'd say no, wouldn't you? But when the person asking is a uniform-wearing employee at a local store, many people hand over their digits without hesitation. Stores often use this info to help profile you and your purchase. Yes, you can say no. If you feel badly about it, just pretend the employee is that scary looking dude!
6 Change Your Facebook settings to “Friends Only.” I really thought that by now, with the many Facebook privacy stories which have been published, everyone would have their accounts locked down and boarded up like a cheap Florida house before a hurricane. Not so. There are still lots and lots of people on Facebook who are as exposed on the internet as Katy Perry at that water park. Go to your Facebook privacy settings and make sure the “default privacy” setting isn't set to "public"! If it’s set to “Custom” make sure you know and understand any “Networks” you’re sharing with.
7 Use unique passwords for every site you go to. This sounds really difficult but - surprise - it is quite simple! Password managers come in many sizes and flavors these days. They will generate complex passwords and remember them for you. Protect yourself against phishing scams, online fraud, and malware. Many of these apps have versions you can use on your computer as well as on your tablet and phone. Some are free and some cost money. Your choice. Here, let me show you how simple it is to find a bunch of them: http://bit.ly/V4xehO! As I said, there are many - the one I use is this one here.
8 Clear your browser history and cookies on a regular basis. Do you remember the last time you did that? If you just shrugged, consider changing your browser settings so it is automatically cleared every session. Go to the “privacy” setting in your Browser’s “Options.” Tell it to “never remember your history.” This will reduce the amount you’re tracked online. Consider one of the several browser add-ons, like TACO, to further reduce tracking of your online behavior.
9 Read the posted privacy policy. Boring, isn't it? Every web site has one and likely for a good reason. Have you ever seen the XDA Privacy Policy? Yup, that's just what I thought!
In conclusion, here's one from the Wall Street Journal's Law Blog.
As I said, this is not a technical article but it may make you think if it does the job right.
Sixth Circuit: No Expectation of Privacy in Cell Phone GPS Data
Drug dealers, beware. Your pay-as-you-go phones probably have GPS. And, according to a federal appeals court in Cincinnati, police can track the signal they emit without a warrant.
The U.S. Court of Appeals for the Sixth Circuit ruled that the Drug Enforcement Administration committed no Fourth Amendment violation in using a drug runner’s cellphone data to track his whereabouts. The DEA obtained a court order to track Melvin Skinner’s phone, after finding his number in the course of an investigation of a large-scale drug trafficking operation.
The DEA didn’t know much about Mr. Skinner or what he looked like. They knew him as Big Foot, the drug mule, and they suspected he was communicating with the leader of the trafficking operation via a secret phone that had been registered under a false name. Agents used the GPS data from his throw-away phone to track him, and he was arrested in 2006 at a rest stop near Abilene, Texas, with a motorhome filled with more than 1,100 pounds of marijuana.
Mr. Skinner was convicted of drug trafficking and conspiracy to commit money laundering. On appeal, he argued that the data emitted from his cell phone couldn’t be used because the DEA failed to obtain a warrant for it, in violation of the Fourth Amendment.
The question in the case was whether Mr. Skinner had a reasonable expectation of privacy in the data his phone emitted. It’s a question that several courts are wrestling with. Federal law enforcement authorities, as in this case, say that investigators don’t need search warrants to gather such information.
Justice Department lawyers argued in a court brief that “a suspect’s presence in a publicly observable place is not information subject to Fourth Amendment protection.”
Judge John M. Rogers, writing for the majority, agreed:
There is no Fourth Amendment violation because Skinner did not have a reasonable expectation of privacy in the data given off by his voluntarily procured pay-as-you-go cell phone. If a tool used to transport contraband gives off a signal that can be tracked for location, certainly the police can track the signal. The law cannot be that a criminal is entitled to rely on the expected untrackability of his tools. Otherwise, dogs could not be used to track a fugitive if the fugitive did not know that the dog hounds had his scent. A getaway car could not be identified and followed based on the license plate number if the driver reasonably thought he had gotten away unseen. The recent nature of cell phone location technology does not change this. If it did, then technology would help criminals but not the police.
He was joined by Judge Eric L. Clay. Judge Bernice B. Donald, who concurred but disagreed with the majority’s Fourth Amendment reasoning, said the DEA couldn’t have figured out the identity of Mr. Skinner, the make and model of his vehicle or the route he would be driving without the GPS data from his phone.
“It is not accurate…to say that police in this case acquired only information that they could have otherwise seen with the naked eye,” she wrote. “While it is true that visual observation of Skinner was possible by any member of the public, the public would first have to know that it was Skinner they ought to observe.”
A lawyer for Mr. Skinner didn’t immediately respond to a request for comment.
Comments? Suggestions? Ideas? They are all welcome.
Flame wars (relating to privacy or otherwise) are not. :-]
[GUIDE] Some incredibly simple things to protect YOUR PRIVACY - Part 2
Cameras on smart phones, getting better with each generation of new devices, allow people to take pictures or videos on the go and transmit these images by e-mail or post them to the Web. With phone in hand, unexpected sightings of celebrities can be snared with a flick of the wrist (turning the celled into the 'snaparazzi'), as can chance encounters with pretty girls or gorgeous sunsets. Their impact can be great for both good and evil.
Not too long ago two men lit themselves on fire in protest. But only one of them is credited with starting a revolution.
The difference between the two? Mobile phones recorded Mohamed Bouazizi, a Tunisian fruit vendor, as he set himself ablaze in despair over his economic plight. Those videos kicked off the wave of 2011 Arab Spring demonstrations.
Abdesslem Trimech, the other man, fell into relative obscurity. (Source: The Mobile Wave: How Mobile Intelligence Will Change Everything by Michael Saylor)
Back in 2005, a retail fraud investigator for one of the larger chain stores said that while he was still unable to capture a usable image of a credit card from even the then newer camera phones, he has been able to grab readable images of all account and routing info from the personal checks customers have produced at the checkout. Check writers, he says, have a tendency to "lay out" their check books on the writing counter at the registers and keep them stationary enough to obtain a clear image of all the personal information printed on the check. He has also tested this theory with camera-equipped palm tops and has found that with the adjustable resolution he has been able to get a pretty clear picture, with zoom, from a reasonable distance away (3-5 feet). So at this point in time, as phone cameras get better and better, your credit card might still be secure but your personal check might not be.
So, what personal information does your mobile phone reveal about you? Do you know? Do you care?
It seems that many people are slowly becoming more aware of the pitfalls and the mobile-privacy concerns.
According to reports, 54% of cell phone users in the U.S. have decided not to install an app once they discovered how much of their personal information it would access. (The amount of sensitive info an app can access typically is indicated by the "permissions" the app requests, listed on its information page.)
Also, nearly one-third of mobile app users report uninstalling an app from their phone because they learned it was collecting personal information they didn't wish to share.
We need to first be aware and also be willing to actively take steps in order to protect our own privacy. Children of all ages need to be carefully taught as well.
Okay, but what about students? Do students have an expectation of privacy on their cell phones while at school?
The short answer to this in the U.S. is a qualified yes. Whether educators have the authority to search the contents of student cell phones depends on a lot of factors. The key issue in this is the standard of reasonableness. According to New Jersey v. T.L.O (1985) students are protected by the Fourth Amendment to the U.S. Constitution which protects citizens against unreasonable searches and seizures. In T.L.O., the Supreme Court goes on to say that the standard that law enforcement officers must reach to conduct a search (probable cause that a crime has been committed), is not required of educators. In general, the standard applied to school officials is whether the search is “justified at its inception and reasonable in scope.” (See When can educators search student cell phones)
What information should children be taught NEVER to reveal?
The suggestions depend on their age. Common 'wisdom' suggests the following:
Elementary School Kids should NEVER share (their own or another’s):
Age
Full Name
Address
Phone Number
Name of School
Password Information
Images (with possible exception depending on parental involvement)
Middle School Kids should NEVER share (their own or another’s):
Age
Full Name
Address
Phone Number
Name of School
Password Information (even to friends)
Most Images (At this age, kids get into social networking and will be sharing images via cell phones and digital cameras. Parents should focus on limiting the images their children share online)
High School Kids should NEVER share (their own or another’s):
Address
Phone Number
Password Information (even to friends)
Offensive or Sexually Suggestive Images or Messages
If you managed to get this far there must have been something that concerned you.
Congratulations! Learning more about privacy is the first step.
Here's one more little trick you might try since you spent all the time getting here. :highfive:
Want to have an unlisted phone but would not like to have to pay monthly for it? Ask your phone company to replace your last name with another name - your grandmother’s maiden name or something that you never use. This will cost a few dollars, but works very well. Many phone companies will do this for you. No monthly fees for having your number unlisted and as soon as you hear someone calling you Mr. {your grandmother’s maiden name}, you can either block the number or request to be put on the company’s Do Not Call List or <fill in the blank of your choice>. Note that Caller ID takes its information from the phone book, so you will be identified as Mr. {your grandmother’s maiden name} on Caller ID units of people you call unless you turn this feature off.
Another helpful addition to the listing (available in some areas) is: "(data line)", meaning that the phone number is connected to a fax or computer and not to a live person. Check with your local company if this option is available.
Some time ago, in a concerted effort, multiple ACLU affiliates filed a total of 381 Freedom of Information Act (FoIA) requests in 32 states, asking local law enforcement agencies to disclose how they are using mobile phone location data.
The FoIA request in North Carolina struck gold: a copy of an official Department of Justice flyer, dated August 2010 that explains exactly what data is retained by Verizon Wireless, T-Mobile, AT&T, Sprint, and Sprint division Nextel. There's an enhanced copy on the ACLU website.
The eye-openers:
All of the mobile phone companies keep details about the location of cell towers used by every phone, for a year or longer.
All of the mobile phone companies keep records about voice calls and text messages received and sent for a year or longer. Verizon stores the contents of every text message for three to five days. (The others don't keep the text.)
IP session information -- tying your phone to an IP address -- is kept for a year by Verizon and 60 days on Sprint and Nextel.
IP destination information -- which IP addresses you connected to -- is stored for 90 days at Verizon and 60 days on Sprint and Nextel.
The ACLU is gathering information on what steps local police have to go through in order to acquire that stored data: warrants, formal requests, emergencies, possibly even informal procedures. They're also trying to figure out how law enforcement agencies share the data and how long it is retained.
There doesn't appear to be any sort of uniform nationwide policy or widespread judicial precedent.
The ACLU is also looking at law enforcement requests to "identify all of the cell phones at a particular location" and "systems whereby law enforcement agents are notified whenever a cell phone comes within a specific geographic area."
If you have been concerned about privacy and location data being leaked sporadically on your iOS or Android or Windows Phone device it seems you have been looking at very, very small potatoes!
Comments? Suggestions? Ideas? They are all welcome.
Flame wars (relating to privacy or otherwise) are not. :-]
[ Another place holder ]
[GUIDE] Some Incredibly Simple Things To Protect Your Privacy!
If you find this thread helpful then do not forget to
Rate: *****
Submit thread as News Tip
If you find a particular post is helpful, please click on the Thanks button
If you are using XDA App or Tapatalk, long press on the post and select :good: Thanks
Thanks ny_limited - I just did all these!
Cheers
Tom
Szczepanik said:
If you find this thread helpful then do not forget to
Rate: *****
Submit thread as News Tip
If you find a particular post is helpful, please click on the Thanks button
If you are using XDA App or Tapatalk, long press on the post and select :good: Thanks
Thanks ny_limited - I just did all these!
Cheers
Tom
Click to expand...
Click to collapse
Appreciate the kind works, Tom, but.. This thread is for the non-technical ones among us. I suspect you are more technical than I am thus you hardly qualify to be here.
Thanks for the tips.
For extra protection, there's quite a few security apps on the market that will lock whatever information sensitive apps you want locked, usually with the same security options that your phone offers i.e. Password, PIN, pattern etc.
Just search "app lock" in the play store, for those interested.
--> dominating your screen from my t-mobile gs3, powered by: FreeGS3 R7 "Resurrection"
Complacency is one thing that most if not all internet/mobile/computing user have. I always advocate "Do not remember my password" while browsing from any form of medium to my friends. You never know when you will get compromised. Just leave your computer for a moment, your friend with malicious intent can extract all your private information with a simple and obtainable usb trick..
Even the thing most personal to me, my mobile phone, has no sites on "Log me in always" checked.
I hope websites would leave the box unchecked, as sites I visit always encourage user to have that option enabled. E.g. Ebay, Facebook..
Post # 2 has been updated just in case you need more reading material.
ny_limited said:
Post # 2 has been updated just in case you need more reading material.
Click to expand...
Click to collapse
like 1 better :good:
coohdeh said:
like 1 better :good:
Click to expand...
Click to collapse
Agreed. I guess I really didn't need the 3rd placeholder after all.
---
Spes in virtute est. (via XDA app)
This article is just over a year old but still makes good reading if you haven't seen it yet.
Few people would willingly carry around a device that tracks their movements, records their conversations, and keeps tabs on all the people they talk to. But, according to documents recently released by the American Civil Liberties Union, cell phone companies are doing all of that -- and may be passing the information on to law enforcement agencies.
"Retention Periods of Major Cellular Service Providers," an August 2010 document produced by the Department of Justice, outlines the types of information collected by various cell phone companies, as well as the amount of time that they retain it. On some levels, this is reassuring: Verizon (VZ) is the only company that holds on to text message content, and they erase it after 3-5 days. However, text message details -- the information about who you text with -- is retained for a minimum of a year, with some companies keeping it for up to seven years. In other words, that little back-and-forth you had with Bernie Madoff back in 2007 will be on the books until 2014.
Complete article is here
Click to expand...
Click to collapse
The privacy buck stops with the user
Yes, those terms of service are annoying. They're usually too complicated and too long, and users who want a certain mobile app will be inclined to click 'next' without actually reading the fine print, even if they're worried about what rights they're signing away. Still, "cellphone users need to take responsibility for their own data," maintains Steve Durbin, global VP of the Information Security Forum.
Click to expand...
Click to collapse
Cellphone and smartphone users have a love-hate relationship with mobile apps. While they love the functionality and enhanced user experience they bring to the table, clearly many hate the perceived privacy intrusions, suggests a newly released report from the Pew Internet & American Life Project.
More than half -- 54 percent -- of app users surveyed decided against installing a cellphone app when they discovered how much personal information they would need to share in order to use it. Thirty percent uninstalled an app that was already on their cellphone because they learned it was collecting personal information that they didn't wish to share.
Many cellphone users take additional steps to protect the personal data on their mobile devices, including backing up photos, contacts and other files -- tasks performed by 41 percent of those surveyed. Some 32 percent have cleared the browsing or search histories on their phone, and 19 percent have turned off the location-tracking feature due to privacy concerns.
Finally, 12 percent of cell owners say that another person has accessed their phone's contents in a way that made them feel that their privacy had been invaded.
The complete article was written by Erika Morphy and published in the E-Commerce Times in September.
i just know that you can monitor the keywords via google alerts
some useful information here. Thanks a lot!
More cell phone privacy notes
Police Searches of Cell Phones
You may have a legitimate expectation of privacy of the information stored in your cell phone, and so a search warrant may be needed before a police officer can look at your phone's data. However, an officer has the authority to search a cell phone when the search is "incident to an arrest." The search is deemed similar to an officer that searches a closed container on or near a person that he's arresting.
Traditional search warrant exceptions apply to the search of cell phones. Where the accessing of memory is a valid search incident to arrest, the court need not decide whether exigent circumstances also justify the officer's retrieval of the numbers from your cell phone. Police officers are not limited to search only for weapons or instruments of escape on the person being arrested. Rather, they may also, without any additional justification, look for evidence of the arrestee's crime on his person in order to preserve it for use at trial.
Illegally Intercepted Communications
Most people would think that public broadcasting of an illegally intercepted cell phone conversation would be illegal. Well, the US Supreme Court has found that (U.S.) the First Amendment allows an illegally intercepted cell phone conversation to be shared with others when the conversation involves matters of significant public interest. The lesson here is to be careful because technology has increased the chances that your cell phone conversations are being recorded and could be made public or used against you.
Cell Phone GPS Tracking
Although there are many advantages to cell phone GPS tracking, there are also privacy concerns. As most people carry their cell phone with them at all times, the ability is in place to track the exact movements of all individuals. Cell phone GPS could prove useful in saving lives during emergencies.
For these reasons the (U.S.) Federal Communications Commission (FCC) requires wireless network providers to give the cell phone GPS tracking location information for 911 calls that have been made from cell phones. This is known as E911. The law on E911 is fairly explicit. It allows carriers to provide tracking location information to third parties for E911 emergency calls only, however not under any other circumstances whatsoever without the consent of the cell phone owner. Recent court hearings have disallowed the requests of law enforcement agencies to obtain cell phone GPS tracking information from the cell phone companies for suspects in criminal investigations.
The complete article was written and published on Lawyers.com.
Instagram says it now has the right to sell your photos
Instagram said today that it has the perpetual right to sell users' photographs without payment or notification, a dramatic policy shift that quickly sparked a public outcry.
The new intellectual property policy, which takes effect on January 16, comes three months after Facebook completed its acquisition of the popular photo-sharing site. Unless Instagram users delete their accounts before the January deadline, they cannot opt out.
Under the new policy, Facebook claims the perpetual right to license all public Instagram photos to companies or any other organization, including for advertising purposes, which would effectively transform the Web site into the world's largest stock photo agency. One irked Twitter user quipped that "Instagram is now the new iStockPhoto, except they won't have to pay you anything to use your images."
"It's asking people to agree to unspecified future commercial use of their photos," says Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation. "That makes it challenging for someone to give informed consent to that deal."
The complete article is written by Declan McCullagh and published in c|net.
Thanks to FameWolf for the link!
Horrible Autoplay Video Ads Are Coming to Facebook
Facebook will unveil a new video ad product that will auto-play commercials upon arrival, executives told AdWeek's Jason del Ray. This most annoying addition, which will allow advertisers a chance to slap unsolicited videos all over the Facebook news feed, is expected to launch by April 2013, the sources say. And, to reiterate, yes, these will be the same variant of videos that pollute the ESPN.com homepage — the ones that start without you asking them to.
Facebook, which has been trying just about every kind of new ad it can this year, has not yet decided if these commercials will automatically play with or without sound. But in either case, you can bet they'll be a pain — and you can expect plenty of frustrated users. On the desktop version of Facebook, the vids will expand "out of the news feed into webpage real estate in both the left and right columns -- or rails -- of the screen," explains del Ray. Meaning: they will be everywhere. Also, for people who use a million tabs on older computers, imagine a ton of video playing over and over: slow-load city. Add a little audio in the mix and we can already see the confused masses looking for that one tab with the unwanted sound coming out of it. Oh, yeah, this is a really great idea, Facebook. As if you weren't full of those this week already.
The complete article is written by Rebecca Greenfield, published in The Atlatic Wire
ny_limited said:
Instagram said today that it has the perpetual right to sell users' photographs without payment or notification, a dramatic policy shift that quickly sparked a public outcry.
The new intellectual property policy, which takes effect on January 16, comes three months after Facebook completed its acquisition of the popular photo-sharing site. Unless Instagram users delete their accounts before the January deadline, they cannot opt out.
Under the new policy, Facebook claims the perpetual right to license all public Instagram photos to companies or any other organization, including for advertising purposes, which would effectively transform the Web site into the world's largest stock photo agency. One irked Twitter user quipped that "Instagram is now the new iStockPhoto, except they won't have to pay you anything to use your images."
"It's asking people to agree to unspecified future commercial use of their photos," says Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation. "That makes it challenging for someone to give informed consent to that deal."
The complete article is written by Declan McCullagh and published in c|net.
Thanks to FameWolf for the link!
Click to expand...
Click to collapse
Instagram has backed off the language in its new privacy and terms of service policies that set off a significant firestorm online. Instagram cofounder Kevin Systrom posted on the company’s blog under the title “Thank you, and we’re listening”. Whether you believe him or not you can read more about it at Forbes.
Happy New Year, everyone!
Enjoy the festivities!
Will see you all next year!
New 2013 CA laws affect online privacy, homeowners, schools
From protecting your online privacy to party buses, there are 750 new California (USA) laws taking effect in 2013.
The complete KABC-TV (Los Angeles) article of January 1, 2013 can be found here.
[USA] New laws keep employers out of worker social media accounts
Employers in Illinois and California cannot ask for usernames and passwords to the personal social media accounts of employees and job seekers under laws that took effect on Jan. 1.
Illinois Gov. Patrick Quinn in August signed legislation amending the State's 'Right to Privacy in the Workplace Act.'
California Gov. Jerry Brown signed legislation adding the prohibitions to the State's Labor Code in September.
The two states join Maryland, Michigan, New Jersey and Delaware in implementing such privacy laws.
Full ComputerWorld article: http://bit.ly/118L2tM
Hey XDAian...:laugh:
Get ready for few suggestions & discussion.
Based on some pretty interesting facts about "mobile in general", The smartphone segment has brought accessibility to millions around the world, at work and at home. Naturally, all the data in those devices, wirelessly accessible, becomes a gold mine for those with nefarious motives to exploit.
On the work front, smartphones are a huge contributor to productivity. At home, they provide meaningful and useful (and sometimes redundant) ways to stay in touch with friends and family. The more of these devices we buy, the bigger the opportunity is for criminals, because there are so many ways to get the data. We might lose a device, or its is stolen, we might download a bad application, or soon brush against an NFC tag or visit a bad web-page. The possibilities are so diverse compared to a PC or server farm hardwired to the internet.
With the tremendous growth of the smartphone market not expected to slow down anytime soon, people and organizations must be vigilant in guarding against breaches of their data and/or personal information. Even as organized hackers work on ways to score the high-value breach, they are working on high-volume, low-risk attacks against weaker targets as well.
In addition to some tips about securing mobile devices, the infographic has some interesting facts from 2011 in there as well, such as 855 breaches resulted in the theft of 174 million records.
We Need some Security Applications for preventing our valuable data (like Msgs, Contacts, Pin codes etc). Therefore, from my side this thread belong to all XDAians.
Please suggest the latest, finest Applications & few tremendous suggestion from all Devs, RC, RD & Members.
I like a Security based Application called LBE Privacy Guard to Prevent sending data through various applications installed at our Mobile.:good:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Some Great Ideas Received from Our XDA Members. Which are here follows:
As this OP thread may become too long so, for Batter view just press "Show Contents" for there suggestions.
A Very Big thanks to Android Police, Phone Arena & Android Authority for survey about malwares & security.
How to secure your Android phone and protect your data
All software has security vulnerabilities. It is a fact. You only need to look at the software updates that are issued by the big companies like Microsoft, Adobe, Apple and Google to see how prevalent is this security problem. Smartphones aren’t immune, not iPhones, not Windows Phones and not Android. But there are some simple things you can do that will drastically reduce your exposure and help secure your Android phone or tablet, as well as protect your data.
A recent report by Check Point, the firewall maker, estimated that €36+ million has been stolen from corporate and private bank accounts in Europe by a group running a campaign of attacks known as “Eurograbber”. The campaign infected victim’s mobile phones with a piece of malware which could intercept SMS messages. When the victim used their online banking the SMS authentication code sent to the phone was intercepted. This then allowed the attackers to access the victim’s account.
Securing your smartphone and protecting yourself against malware isn’t about stopping some annoying virus getting on your device, it is about protecting your money, data and privacy.
There are several different areas in which you can improve your phone’s security including physical access, malware protection and encryption.
Who has access to your phone?
RULE #1 – Never leave your phone laying around where uninvited guests can access it
Before looking at things like malware and data stealing apps, the simplest form of security is to limit physical access to your phone. There maybe lots of sophisticated remote attacks out there but if all I need to do is quickly pickup your phone and access your emails, PayPal, eBay or Amazon account while you pop off to get a coffee then all the security software in the world won’t do you any good.
RULE #2 – Use a lock screen
It is also essential that you use a lock screen. This stops everyone from small kids to determined snoopers from sneakily accessing your device. Modern Android versions have a whole gamut of lock screen options including pattern unlock, PIN numbers and password protection. To set these go to Settings and then tap Security. You can also customize how quickly the lock is automatically applied.
RULE #3 - Set a PIN to protect purchases on Google Play
It is also possible to set a PIN for purchases in Google Play. With the PIN any would-be trickster (or small child) won’t be able to buy content from Google’s app store. To set it, start the Google Play app, go to setting and then tap “Set or change PIN”. After the PIN is set, tap “Use PIN for purchases” to require the PIN before purchasing anything from the store.
RULE #4 – Install a phone location app or use a security app with an anti-theft component
Keeping your phone nearby and using a lock screen will thwart snoopers but the determined criminal will simply just walk away with your phone and try to extract the data later or simple wipe your phone and try and selling it. The first few hours after you phone has been taken are the most critical. To find your phone it is important to use a phone location service like Where’s My Droid or install a security app with an anti-theft option like avast! Mobile Security.
Malware
RULE #5 – Don’t install apps from dodgy third party sites, stick to places like Google Play or the Amazon appstore
Because Android is so popular, it is normal for it to become a malware target. Malware authors don’t waste their time writing malware for a phone operating system that no one is using. This means that there is lots of Android malware out there. But here is thing, how does Android malware spread? Unlike worms, which spread automatically over the network or viruses which tend to spread via USB flash drives etc., the majority of Android malware needs to be installed manually. There have been some exceptions but in general it is unsuspecting users that install the malware themselves onto their own phones.
The malware authors have lots of dirty tricks to try and fool potential victims into installing their malware. One very common approach is to offer a free version of a popular non-free app with the malware hidden inside the app. Greedy users who think they are getting a bargain because they have managed to save $0.69, but in fact are infecting their devices with malware. Over 99% of Android malware is spread via third party app sites. Don’t use them.
RULE #6 – Always read the reviews of apps before installing them
RULE #7 – Check the permissions the app needs. Games generally don’t need to send SMS messages etc
A small percentage of malware is spread via Google Play, but the apps in question normally only survive a few hours on the store before being removed. To avoid such rare cases it is always important to read the reviews of other users and always check the app permissions.
RULE #8 – Never follow links in unsolicited emails or text messages to install an app
If the malware authors can’t get you via a third party store or their apps are taken down from Google Play, they have one more trick, unsolicited emails and text messages asking you to install an app. In the “Eurograbber” campaign, what the attackers did was infect the victim’s PC with a piece a malware (something which is a lot easier than infecting an Android phone) and then via that malware they tricked the user into installing their “enhanced security” app on their phone. The PC malware monitored the victim’s Internet usage and when they went to an online banking site the malware pretended to be a warning from the bank telling them to install an app on their smartphone. It was all downhill from there for the poor victim.
RULE #9 – Use an anti-virus / anti-malware app
Even with diligence it is possible for malware to find its way on to your device. It is therefore important that you install an anti-virus / anti-malware app. This best antivirus apps for Android article will help you choose one, but if you don’t have time right now then go for Kaspersky Mobile Security (paid) or avast! Mobile Security (free)
Rooting
RULE #10 – Don’t root your phone unless you absolutely need to
Some of my colleagues here at Android Authority are very keen on rooting and I can understand why. The lure of custom ROMs and the ability to tweak different parts of the OS are all part of what makes Android great. But, Android was designed with a very particular security model which limits what an app can do. By rooting a device this security model breaks. Even the CyanogenMod team acknowledged that there are limited uses for root and none that warrant shipping the OS defaulted to unsecured. The problem is there are specific types of Android malware that circumvent Android’s security mechanisms by using the existing root access. With root access, the malware can access parts of Android that are supposed to be protected by the permissions system.
Encryption
RULE #11 - If your device has valuable data on it then use encryption
Since Android 3 it is possible to use full encryption on a phone or tablet. By encrypting your device all the data including your Google Accounts, application data, media and downloaded information etc. becomes inaccessible without the right password or PIN. Every time you boot the device you must enter the PIN or password to decrypt it. If your device has valuable data on it using this encryption is a must. NASA recently had an embarrassing episode where a laptop was taken that held personally identifiable information of “at least” 10,000 NASA employees and contractors. After the incident NASA decided that any devices that leave a NASA building need to use full disk encryption.
RULE #12 – Use a VPN on unsecured Wi-Fi connections
While on the subject of encryption it is worth remembering that if you are using a public unsecured Wi-Fi hot spot all of the data that is send using http:// (rather than https://) can be seen my any network snooper. In the past security researchers have shown how easy can be to steal passwords to the popular social networking sites just by using a laptop and waiting around near a public open hot spot. To avoid revealing your password and other data, don’t use open Wi-Fi hot spots or use a virtual private network (VPN) to secure your connection.
Conclusion
If you follow these twelve rules and remain vigilant you should never have any security troubles with malware, thieves, hackers or any small furry animals! OK, that last part isn’t true, but the rest is!
Source: Android policereserved for articles
Android malware perspective: only 0.5% comes from the Play Store
Are Android apps secure enough for us to let them handle our finances and personal information? Quite a few of them aren't, according to a recent research that analyzed how well various applications protect the user's sensitive data. The study was conducted by the Leibniz University of Hannover, Germany, in partnership with the Philipps University of Marburg, the researchers came up with a list of 41 Android apps that should use tighter security measures.
In particular, these apps were discovered to expose the user's data at risk while a device running Android 4.0 is communicating with a web server. What's even more worrying is that these insecure apps were among the most popular ones on Google Play, being downloaded between 39.5 million and 185 million times already. The names of the applications were not disclosed.
"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers wrote after conducting their study. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted." The contents of e-mails and instant messages could also be accessed.
But how could one use these apps' security flaws to their advantage? Simply put, if an Android smartphone or a tablet is connected to a vulnerable local area network, such as a Wi-Fi hotspot, an attacker could potentially crack the security protocols used by the apps and snoop on the data they exchange. Sure, the attacker will need to have a certain exploit monitoring the activity on the network, but obtaining access to such a tool isn't as hard as it may seem.
Scary stuff, we know, which is why there should be more awareness amongst developers about implementing proper security features within apps, as the researchers suggest. There are certain methods that can make security protocols tougher to crack, or the apps could simply be checked for vulnerabilities at the time they are being installed. In fact, Google is said to have ramped up security in Android 4.2, thus likely making the platform more resistant to hacks like the one described above. What measures have been taken, however, will be known with certainty in a few days – On October 29, to be more specific, which is when a new Android release is probably going to be unveiled.
For more in Deep: check out here: Click Here
Over 60% of Android malware steals your money via premium SMS, hides in fake forms of popular apps
Over 60% of Android malware steals your money via premium SMS, hides in fake forms of popular apps
Like any popular platform, Android has malware. Google’s mobile operating system is relatively new, however, so the problem is still taking form. In fact, it turns out that the larger majority of threats on Android come from a single malware family: Android.FakeInstaller, also known as OpFake, which generates revenue by silently sending expensive text messages in the background.
McAfee says that the malware family makes up more than 60 percent of Android samples the company processes. So now the question is: why is this malware so popular amongst cybercriminals?
The reason is simple: it’s extremely effective. Android users seem to fall for fake apps on a regular basis. Furthermore, since the whole of the malware appears to make money, it’s not surprising that those behind this one continue to keep it updated. McAfee agrees:
Malware authors appear to make lots of money with this type of fraud, so they are determined to continue improving their infrastructure, code, and techniques to try to avoid antivirus software. It’s an ongoing struggle, but we are constantly working to keep up with their advances.
This malware type has been in the news for months, mainly because there have been so many fake apps created, including for popular ones like Instagram and Skype. On top of that, those behind it seem to keep adding various types of functionality to avoid detection by antimalware solutions, including server-side polymorphism, obfuscation, antireversing techniques, and frequent recompilation.
How it works
Cybercriminals typically create fake versions of a given popular Android app to earn money from unsuspecting users. There have also been instances of the malware being bundled with a legitimate version of popular apps. The apps appear to be legitimate, including screenshots, descriptions, user reviews, videos, and so on. Users never get the app they want, but instead get a lot more than they bargained for.
The malware authors often set up fake websites advertising the fake version of the app. Many of these are shared on questionable websites, but many are also shared on fake Facebook and Twitter accounts that spam legitimate users on social networks.
Upon installation, the malware often displays a service agreement that tells the user that one or more SMS messages will be sent. The user is forced to click an Agree or Next button, but some versions send the messages before the victim even taps the button. There are often fake progress bars to keep the user further in the dark.
Either way, the devil is in the details. In the background, the malicious app sends expensive international text messages to earn its creators revenue. Some variants even connect to a Command & Control (C&C) server to send and retrieve data, as well as await further instructions.
Early versions of FakeInstaller were created only for Eastern European users, but malware developers have expanded their fraud to other countries by adding instructions to get the device’s Mobile Country Code and Mobile Network Code. Based on that information, the malware selects a corresponding premium-rate numbers.
How to protect yourself
The good news here is that since this malware family is so prevalent, it’s rather easy to avoid it: just don’t download fake apps. Android lets you download and install apps from anywhere, but unless you know what you’re doing, you shouldn’t be installing anything and everything you can on your phone or tablet.
If you want to significantly reduce your chance of getting malware such as this one, only install apps from the official Google Play store. That being said, malware has snuck into the store before, so it can happen again.
As a result, the way to protect yourself is the same as on any other platform: don’t click on questionable links and don’t download random apps. Always check to see if what you’re getting is legitimate and you should be fine.
Android’s malware problem is getting worse, and only users of the latest version are safe from harm
Earlier this year, we saw a report that said there was a 163% rise in the number of malware-infected Android devices in 2012. As shocking as that figure might be, we have a new report now that says the problem has blown up even further.
According to a recently published report[1] from networking vendor Juniper Networks, the number of mobile threats grew an astonishing 614% from March 2012 to March 2013. This equates to a grand total of 276,259 malicious samples, according to research done by the company's Mobile Threat Center or MTC.
What exactly constitutes such a large amount of mobile threats? It is said that the majority of these mobile threats — 77% of the total — come in the form of money-siphoning applications that either force users to send SMS messages to so-called premium-rate numbers or somehow manage to perform the sending of SMS messages all on their own.
They go virtually undetected as they are normally bundled with pirated apps and appear as normal applications. Typically, these malicious apps can net their creators an average profit of about $10 per user, according to Juniper Networks.
As it is currently the most popular mobile device platform in the world, it's easy to see why Android would be targeted with such malicious activities. But perhaps you're wondering, is there anything that can be done to combat this problem?
ndeed, there is. In Android 4.2 Jelly Bean, a new safety feature was introduced in order to stop wayward SMS messages dead in their tracks. But that in itself is a huge problem: Android 4.2, the latest version of the Google mobile operating system, is only available on a tiny fraction of all Android-powered devices out on the market. In fact, many of today's newer devices don't even ship with it. So the relevant safety features, as useful as they might be, becomes pretty much useless.
Even worse, the money-making malware mentioned above represents only one type of mobile threat on Android. Android spyware is also present, accounting for 19% of the total malicious samples collected in the above-mentioned research. These could potentially put a user's privacy at risk, collecting sensitive data and all kinds of information then relaying them to the spyware's creator.
Trojan apps have also been discovered to be part of the overall Android ecosystem. Although they form a very small part of the entire body of mobile threats on Android right now, it is possible for them to become more widespread in the future. If the fix really only lies in having the latest version of Android installed on a device, and the issue of fragmentation — not to mention the slow software updates from carriers and OEMs — persists, that's almost a certainty.
What do you think could be done to finally overcome these kinds of problems? Will it be the end of Android as we know it? Let us hear your thoughts in the comments.
Mobile malware getting out of control? Study claims 614% increase on year, Android accounts for 92% of total infections
A terrifying report was released two days ago by the Mobile Threat Center arm (MTC) of Juniper Networks – a manufacturer of network equipment with a hefty stake in enterprise security. According to Juniper, its MTC research facility is dedicated to 'around-the-clock mobile security and privacy research'. The MTC found mobile malware growing exponentially at an alarming rate – a 614% on year increase reaching a total of just about 280,000 malicious apps.
Read full article here
A major app vulnerability has been found which can be effect 99 percent of the Android smartphones on the planet.
A major app vulnerability has been found which can be effect 99 percent of the Android smartphones on the planet. The issue was unraveled by Bluebox security, which claimed to have found an ‘Android Master Key’ that could allow a hacker to turn any Android app into a malicious zombie.
This basically means that an app could allow hackers to capture data and control a device remotely, without the owner and the app developer knowing about it.
And the kicker is that, this is not a new vulnerability as Bluebox has discovered that it has existed since Android 1.6 Donut, which is four years old.
Jeff Forristal, CTO of Bluebox securities revealed that his company had found a way where in a hacker could possibly load an app with malware and still make it appear to be a legitimate file. This bit is important because verified apps are granted full access by default on the Android system.
However, on the bright side apps on the Google Play store are impervious to this problem, so if one sticks to downloading apps from the Play store then one is in the clear. That said, there are a number of third party app stores and users can even download APKs directly off the web and here’s where the danger lies as it is possible for users to download tampered apps.
This problem is accentuated more in countries like China where users like to use local app store over the Google Play store and many OEMs like Xiaomi don’t even bundle the Google Play store on the device by default.
Bluebox securities claims that it reported the problem to Google way back in February and the issue has already been resolved for the Galaxy S4 and currently Google is taking a look at the Nexus range of hardware.
Cryptographic bug in Android lets hackers create malicious apps with system access
Security researchers have found a bug in Android which allows them to create malicious Android apps which appear to be genuine with the correct digital signatures. In computing, digital signatures allow any piece of data, including an app, to be checked to see that it is genuine and actually comes from the author. Now, due to a bug in Android, it is possible to create a fake app and sign it so it looks like a real app from any author including Google, or others like Samsung, HTC and Sony.
Since the digital signatures of Google and handset manufacturers can be faked it is possible to create a low level system app which has absolute access to the device. These system apps, which have what is known as 'System UID access' can perform any function on the phone including modifying system-level software and system-level parameters.
If such an app is installed on an Android phone, the user would be completely vulnerable to a multitude of attacks including key-logging and password sniffing. The researchers at Bluebox Security informed Google about the flaw (Android security bug 8219321) back in February and are now planning to reveal details of the bug at an upcoming security conference.
More details -> here
Survey: Juniper Networks Whitepaper (Warning: PDF)
reserved.
Thanks for this thread buddy
Sent from my GT-N7100 using xda app-developers app
Tha TechnoCrat said:
Thanks for this thread buddy
Sent from my GT-N7100 using xda app-developers app
Click to expand...
Click to collapse
Great to see you here buddy. Actually I wanted to shift my whole thread here but MOD denied and ask me to carry on with new phase. So here I am.
Thank you Vikesh for creating this thread.
In my view
Everyday every hour and every minute hackers are coming up with new viruses and malware
Not only they can corrupt your phone but also steal confidential information like credit card number, password and other important data.So every Android user should spend some money on the anti viruses to save your confidential information and money of course.
Sent from my GT-I9103 using xda app-developers app
Major app vulnerability found, could effect 99 percent Android smartphones
A major app vulnerability has been found which can be effect 99 percent of the Android smartphones on the planet. The issue was unraveled by Bluebox security, which claimed to have found an ‘Android Master Key’ that could allow a hacker to turn any Android app into a malicious zombie.
Continue in post 3
Cryptographic bug in Android lets hackers create malicious apps with system access
Security researchers have found a bug in Android which allows them to create malicious Android apps which appear to be genuine with the correct digital signatures. In computing, digital signatures allow any piece of data, including an app, to be checked to see that it is genuine and actually comes from the author. Now, due to a bug in Android, it is possible to create a fake app and sign it so it looks like a real app from any author including Google, or others like Samsung, HTC and Sony.
continue in Post 3
Every GSM phone needs a SIM card, and you'd think such a ubiquitous standard would be immune to any hijack attempts. Evidently not, as Karsten Nohl of Security Research Labs -- who found a hole in GSM call encryption several years ago -- has uncovered a flaw that allows some SIM cards to be hacked with only a couple of text messages. By cloaking an SMS so it appears to have come from a carrier, Nohl said that in around a quarter of cases, he receives an error message back containing the necessary info to work out the SIM's digital key. With that knowledge, another text can be sent that opens it up so one can listen in on calls, send messages, make mobile purchases and steal all manner of data.
Apparently, this can all be done "in about two minutes, using a simple personal computer," but only affects SIMs running the older data encryption standard (DES). Cards with the newer Triple DES aren't affected; also, the other three quarters of SIMs with DES Nohl probed recognized his initial message as a fraud. There's no firm figure on how many SIMs are at risk, but Nohl estimates the number at up to 750 million. The GSM Association has been given some details of the exploit, which have been forwarded to carriers and SIM manufacturers that use DES. Nohl plans to spill the beans at the upcoming Black Hat meeting. If you're listening, fine folks at the NSA, tickets are still available.
Source-Tech Geek
"Thanks button is just to avoid "THANKS" posts in threads. Nothing more than that. Don't ask in signature or post for it and defeat the purpose why it was introduced"
Great info buddy. :good:
Thanks,
Disturbed™
Sent from my Disturbed™ Galaxy S4 using Tapatalk (VIP)
______________________________________________________
Wait for my time, U gonna pay for what U have done. - Disturbed™
Informative read. You also understand why the stores charge their Developer fees now. Not all third party sites host malware however. A lot of the buying community is ignorant (and understandably so) in detecting if malware has been applied. It's up to the community of ubiquitous OSs to report
JeffM123 said:
Informative read. You also understand why the stores charge their Developer fees now. Not all third party sites host malware however. A lot of the buying community is ignorant (and understandably so) in detecting if malware has been applied. It's up to the community of ubiquitous OSs to report
Click to expand...
Click to collapse
can provide more info for it?
Thanks,
Disturbed™
Sent from my Disturbed™ Galaxy S4 using Tapatalk (VIP)
______________________________________________________
Wait for my time, U gonna pay for what U have done. - Disturbed™
Malware using the Android Master Key intercepted in the wild, here's how to protect i
Malware using the Android Master Key intercepted in the wild, here's how to protect yourself
It was back at the beginning of the month when we first broke for you the news of a new, massive vulnerability, plaguing 99% of Android devices. First discovered by mobile security company Bluebox, the flaw was reported to Google back in February. Since then, Google has patched the Play Store and has provided its OEM partners with a patch for it.
Yet here we are again. And now it's official – the first detected malware taking advantage of the vulnerability has been intercepted by Symantec whilst running amok in China. The security giant reports that the code has been implanted in otherwise legit apps that help you find and appoint a meeting with a doctor. The source of the infected app? A third-party store, of course.
We won't get into the tech lingo, instead we'll just report that according to Symantec, the exploit grants said malicious code remote access to infected devices. This leaves the gates wide open, the company claims, for a wrongdoer to steal sensitive information such as your IMEI, phone number, and also send premium SMS messages and execute root commands.
Click here to know more
what is the best antivirus?
lolmann101 said:
what is the best antivirus?
Click to expand...
Click to collapse
For android, I may say your awareness is the best. First install the LBE Security Master. Let you know which application is gaining which privilege .
But if you want then you can check the first 1 to 4 posts. its in that.
How Google has been making Android a safer place since 2012
Last year in June, Google brought Android Jelly Bean 4.1 to the world. It was a wonderful day, too. It brought with it Project Butter, which spelled the end for lag for a lot of people. Android was running smoother and more complete than ever. Who’d have known that just a year later, we’d be introduced to Jelly Bean not for the second time, but for the third time. Android 4.3 was a mixed bag. Some people were disappointed that it wasn’t Key Lime Pie, but most were happy to see a plethora of improvements, some new features, and even more optimizations. One little footnote that most people have skimmed over so far, though, has been the added security.
It’s not news that malware stories are everywhere. Some of them are no big deal and some are completely ridiculous. Thanks to that, anti-virus companies have been cleaning up. People are more scared of malware on Android now than ever before and they’re flocking to anti-virus apps by the millions. It’s getting to the point where apps like Lookout are coming pre-installed on many devices when they’re shipped out. All because of some malware that, most of the time, is impossible to get unless you download apps from outside the approved channels.
Well, apparently Google is going to fix this problem themselves. JR Raphael over at Computer World has written up an excellent post about how Google is quietly keeping us safe. As it turns out, that little footnote that says that Android 4.3 contains security improvements probably shouldn’t have remained a footnote. It should’ve been printed on billboards and discussed everywhere.
You may have seen inklings of these security features already. We’ve covered one of them, the Android 4.3 Permission Manager, commonly known as Apps Ops. This nifty little feature lets you control what permissions your apps can use. It’s a lovely and powerful feature that’s baked right into Android 4.3. It’s still in beta right now, but eventually that’ll be a part of everyone’s Android experience.
So what other security enhancements does Google have in store for Android 4.3?
We are glad you asked. According to JR Raphael, Google has been working on these security features for years. We’ll do a quick breakdown.
Starting with Android 4.2, there was a feature called Verify Apps that was added. This scans phones both downloaded and side-loaded to make sure they didn’t contain malware or pose a threat.
Verify Apps was eventually made available to all devices from 2.3 onward. According to JR Raphael, that’s 95% of Android devices running currently.
This now works in tandem with another older feature, the app scanner in the Google Play Store that scans apps as they’re submitted to Google Play to make sure they aren’t malicious. This is why you can always download from Google Play without worries.
All of these features are currently on Android devices right now.
But wait, there’s more. In Android 4.3 specifically, they have added yet another security feature called SELinux. This stands for Security-Enhanced Linux and it essentially keeps the important parts of your phone safe. Most notably the operating system. So there is protection everywhere.
So we’ll add this up one more time. In the last two years, Google has implemented,
An app scanner in the Google Play Store that scans every single app uploaded and submitted. It rejects the bad apps and keeps the good ones.
A system on devices from Android 2.3 and up called Verify Apps that scans every app that gets installed on your device to make sure it’s not malicious. Keep in mind that if you download an app from the Google Play Store, it gets scanned twice.
Apps Ops –which is still in beta– that will let you control the individual permissions of any application you download and install. So if you don’t want, say, Facebook to see your location, you can prevent that from happening.
SELinux, a Linux security feature that protects the core operation system functionality.
Let’s not forget what you, the consumer can do to protect yourself,
Only download apps from known and trusted sources. These include the Play Store and the Amazon App Store, among others.
Use your common sense. In most cases, malware apps are easy to spot. If you download the free Angry Birds cheat app from GivingYouMalware.com, the end result is rather predictable.
So without an anti-virus app, there are 6 things that are protecting you from the big bad malware threats. That’s a whole lot more than most people realize and it’s an ever expanding project from Google to keep everyone safe from garbage applications. Now here’s the big question. Do you think it’s enough? Or should Google keep going?
@Disturbed™ buddy could you post that new KNOX feature here?
Sent from my GT-I9103 using xda app-developers app
Few words from Wikipedia:
Samsung Knox (trademarked Samsung KNOX) is an enterprise mobile security solution that addresses the needs of enterprise IT without invading its employees' privacy. The service, first released on the Samsung Galaxy S4 mobile device, provides security features that enable business and personal content to coexist on the same mobile device. Samsung Knox is an Android-based platform that uses container technology, among other features, to allow for separation of work and personal life on mobile devices.
Services
Samsung Knox provides enterprise security features that enable business and personal content to coexist on the same handset. The user presses an icon that switches from Personal to Work use with no delay or reboot wait time. Knox will be fully compatible with Android and Google and will provide full separation of work and personal data on mobile devices. Samsung claims that the Knox service "addresses all major security gaps in Android."
The Knox service is part of the company's Samsung for Enterprise (SAFE) offerings for smartphones and tablets. Samsung Knox’s primary competitor is Blackberry Balance, a service that separates personal and work data, but BlackBerry’s service does not include management of work space through containers in Active Directory and other features such as direct Office 365 and Exchange 2010, ActiveSync, iOS management, Single Sign-On, and complete customization for operability on Samsung device settings.
The service's name, Samsung Knox, is inspired by Fort Knox.
From Engadget:
Samsung's Knox security solution has tended to mostly garner headlines when the company's phones get approval from the likes of the US Defense Department, but it's now set to broaden its user base considerably. In addition to announcing that it's bolstering the offering with some help from Lookout, Samsung has also confirmed today that its opening the platform up to all consumers. That will give security-minded users an added layer of protection, with Knox letting you store personal data and run a set of pre-screened apps in a so-called container -- other apps can still be run outside the container, but with only limited access to your personal information. Naturally, you'll need a Samsung device to take advantage of it.
For more information : http://www.samsungknox.com.
Thanks: Wiki & Engadget
Almost 1,000 fraudulent apps published on Google Play in August alone
Almost 1,000 fraudulent apps published on Google Play in August alone
Yes, there are downsides to Google’s policy of letting anyone publish their apps on Google Play. Symantec has found that scammers published almost 1,000 fraudulent apps on Google Play in August alone, most of which were deleted within hours of posting on the store.
But even though Google was quick to delete the fraudulent Android apps, Symantec estimates that they were still downloaded more than 10,000 times. Symantec also says that one group is responsible for 97 percent of the fraudulent apps, which typically “include numerous links to various online adult-related sites, but one or two links actually lead to fraudulent sites that attempt to con people into paying a fee without properly signing them up for the paid service.”
Source:BGR.in
Hi, I am wondering to what extent Google has built into the android OS, ways of collecting data on the user, even when the user does not open a google account and uses only side loaded apps. ? Does anyone know the answer to this?
jaifora said:
Hi, I am wondering to what extent Google has built into the android OS, ways of collecting data on the user, even when the user does not open a google account and uses only side loaded apps. ? Does anyone know the answer to this?
Click to expand...
Click to collapse
Read this thread, even if it's about Xiaomi, on the 2nd page you will find your answer!
setmov said:
Read this thread, even if it's about Xiaomi, on the 2nd page you will find your answer!
Click to expand...
Click to collapse
I've read trough the second page and couldn't find what you're aiming at. So far as I can see it's only about xiaomi ROMs and their proprietary apps, that cause the security holes.
nerotNS said:
I've read trough the second page and couldn't find what you're aiming at. So far as I can see it's only about xiaomi ROMs and their proprietary apps, that cause the security holes.
Click to expand...
Click to collapse
What you were asking is actually just the same! Short answer: Google is in your phone at a API level, and there is no way to get rid of it!
setmov said:
What you were asking is actually just the same! Short answer: Google is in your phone at a API level, and there is no way to get rid of it!
Click to expand...
Click to collapse
It's not the same as the API itself is not the thing that sends the data. The apps that USE those APIs are the ones that route the data.
The apps on the thread
* AntHalService
* XiaomiServiceFramework
* Cleanmaster
* com.xiaomi.gamecenter.adk.service
* com.duokan.airkan.phone
Click to expand...
Click to collapse
None of them are Google apps. All of them are 3rd party. For example, my nexus 4 with stock Android doesn't have these apps, therefore no data is sent.
nerotNS said:
It's not the same as the API itself is not the thing that sends the data. The apps that USE those APIs are the ones that route the data.
The apps on the thread
None of them are Google apps. All of them are 3rd party.
Click to expand...
Click to collapse
An app has not to be Google proprietary. Android is!!! Are you aware of what info are sent out of your android phone without you will be able to intercept them? You are right, apps are sending info, as also Google per se are collecting info, all the time. Please, don't believe me, actually I'm suggesting you not to believe me, but sooner or later, you'll see! There is no firewall, root, or any other trick able to stop them or control them! The only way is to strip Android apart, and recreate a new API, but then, bye bye functionality!
setmov said:
An app has not to be Google proprietary. Android is!!! Are you aware of what info are sent out of your android phone without you will be able to intercept them? You are right, apps are sending info, as also Google per se are collecting info, all the time. Please, don't believe me, actually I'm suggesting you not to believe me, but sooner or later, you'll see! There is no firewall, root, or any other trick able to stop them or control them! The only way is to strip Android apart, and recreate a new API, but then, bye bye functionality!
Click to expand...
Click to collapse
Android is open source, if there were serious security exploits they would have already been found and patched out. If not by Google itself, then by 3rd party developers. It's true that Google collects data like your location, but ONLY if you allow it. Also, even if you're correct, disabling the internet will help anyone who's paranoid enough. Besides, the xiaomi thread deals in stuff a lot more serious (eg. money) than the misc data such as the % of time you spent playing a game. All in all, while it's possible to exploit Android and steal data from incautious users, Android as a system doesn't sell or give your key info (user, pass, card no etc.) to anyone.
nerotNS said:
Android is open source, if there were serious security exploits they would have already been found and patched out. If not by Google itself, then by 3rd party developers. It's true that Google collects data like your location, but ONLY if you allow it. Also, even if you're correct, disabling the internet will help anyone who's paranoid enough. Besides, the xiaomi thread deals in stuff a lot more serious (eg. money) than the misc data such as the % of time you spent playing a game. All in all, while it's possible to exploit Android and steal data from incautious users, Android as a system doesn't sell or give your key info (user, pass, card no etc.) to anyone.
Click to expand...
Click to collapse
That's right, we don't have to be afraid of Google to use our data like Xiaomi, but....here is what I know for sure:
(copied from Xiaomi thread)
The point is that is not important what OS you are using, or what is the phone manufacturer. All of them send your data to their "masters". Said that, let's take a look at google. The first time you boot your precious phone, and you connect to the net, Google will receive your IMEI, your phone number, your location (based on network or gps, depends) an all the data you have on your phone. Ok, I know, I know, they are the owners of the Android OS, and they can do whatever they want, and you will never know what they are doing if you have a stock rom, You will not know what they are doing as a power user with highly customized rom as well. Why? Well, because their API. To be clear, the API, also known as "application programming interface (API) specifies a software component in terms of its operations, their inputs and outputs and underlying types. Its main purpose is to define a set of functionalities that are independent of their respective implementation, allowing both definition and implementation to vary without compromising each other.(as per wikipedia)" in not always an "open source project" and the Android core platform API is not "open source" at all, even in the "AOSP" project. The point is that when you use an android platform, if you want it or not, Google receive your data. Let me go further....a month or so ago, Google has implemented their Gmail policy, and started a new monitoring program against pedophilia, and at my point of view, this is a good thing, but, you have to know what's going on. actually they scan every email in your inbox and to or from their Gmail service searching for clues. If they find something, then you're screwed, because they know who you are. Believe me, they know! But this is not the point, so, where they store all the infos on you, and your Gmail account, when they find nothing? Oh, of course on their servers in the US!!! Based on the Patriot Act, the "Agencies" do not need any kind of "court order" to take a peek inside your life. They can do whatever they want, and actually they are doing it. Google will never say NO, and it's obvious why. Based on what is above mentioned, all the US based companies do the same. Unfortunately, the most of the world use Android, even if the manufacturer is Chinese or Vietnamese or whatever else. If you strip Android apart because all of that and you want your privacy back, you will find an interesting thing, that your Android will no more work correctly, and you will find it unusable. This is exactly because the core functionalities that spy on us. We can discuss this as much as we want, but these are facts. To be completely sure that no one is spying on you, someone would have to rebuild the whole Android system, but without a lot of money and the right "crew" this will never happen. Same thing you can expect from Apple (no need to mention the leakage of their cloud system) or Microsoft. Xiaomi, also use services that need your personal data...cloud, sms, mms, whatever, and by buying their product you agreed with them. They will not stole your credit card, but their "agencies" will know who you are, and what you do. But, to be honest, they will do you nothing if you are a non-Chinese citizen. I have never seen Chinese Agencies doing something to the rest of the world, but I have seen US agencies doing bad things to their citizens and the rest of the world. So, let's be honest and admit it, as much as we talk about laws, no one is protected by them. If you are gonna buy a phone, you have to face the fact that you will be under surveillance and monitored. If you have the luck and you live in Switzerland, then you're ok, if not, well....face it, you are SOL. You have just to understand that no provider, manufacturer or OS developer will never solve this issue, because there is no interest.
About AOSP: (from their site!!!)
- First, the software gets built into a system image for a device, and put through various forms of certification, including government regulatory certification for the regions the phones will be deployed. It also goes through operator testing. -really? YES!
- Once the release is approved by the regulators and operators, the manufacturer begins mass producing devices, and we turn to releasing the source code. hmm....
- In some releases, core platform APIs will be ready far enough in advance that we can push the source code out for an early look in advance of the device's release; however in others, this isn't possible. - hahahaha, ask yourself why!!!
And this is just for start. This is not an app-related issue, we are talking about Android CORE! I love Android, I am using it actively and I am happy with it, it's just that sometimes I feel that this is not fair, but hey, who am I to told them what is or it's not fair? Is not a matter of OS, nor device. All have the same core functionality! NO PRIVACY for them! Accept it or not, these are facts.
I'll start with this:
First, the software gets built into a system image for a device, and put through various forms of certification, including government regulatory certification for the regions the phones will be deployed. It also goes through operator testing. Once the release is approved by the regulators and operators, the manufacturer begins mass producing devices.
Click to expand...
Click to collapse
Government regulatory certification means that the device being certified is built in compliance with the laws of a specific country. That includes building materials, but is mostly focused on radio frequencies. This is to ensure that you don't get a "wild" device with random frequencies (since it has various radios for ex. GSM, GPS, Wi-Fi etc.) which can disrupt the normal functionality of a GSM tower for example. It also ensures that the device is safe (that's what we need FCC for), in terms of radio waves radiation. Operator testing means that when the device is being sold via a carrier like Verizon, AT&T etc., it is compliant with their proprietary software (more commonly known as bloatware) as well as that the device will work properly on their frequency bands. This is the main reason OTAs for Carrier devices are usually quite late compared to the "stock" or OEM devices.
Now about that Gmail scanning service, it doesn't mean that they STORE the results of the scan, they could be read only, meaning that their bot goes over the contents, but doesn't save anything on their servers (this was an issue earlier, but due to lawsuits, Google had to stop saving data, and delete the data already saved).
Next, it's true that Google receives your IMEI, but only AFTER you log in to your Google account. And this is not that they can sell it to someone, but to help identify that particular device on your account for uses of Google services (for example the Google Play web interface; if you had two same device models on your account how would you know which is which?), and IMEI is easy to get and since it's unique it fits the purpose. Your location is used for the same purpose, and even that is not pinpointed exact location but approximate location (which serves the purpose, but isn't intrusive). There is also the use of services such as the Android Device Manager which is a good thing, since it helps find and lock lost/stolen devices. Again, for this you need a unique identifier, and location (in this case precise).
Also, depending on your country of residence they DO have to get at least a court order with reasons for the investigation in order to access your files.
Further down the road, an API can't do anything by itself, it's sort of something that enables an APP to do something. Now that's a big difference, because you can't say "That API sent my data". It' the app that USES the specific API that transmits the data to a 3rd party. That's two worlds apart, because an app we can easily block via a firewall or even delete it completely if we find the need to.
Finally, agencies such as the NSA, FBI, or any other state agency don't have much interest in an ordinary person. There just isn't much to find about a regular citizen, as they don't really care about your every day life (setting up private meetings, sending pics to each other etc.).
nerotNS said:
I'll start with this:
Government regulatory certification means that the device being certified is build and in compliance with the laws of the specific country. That includes building materials, but is mostly focused on radio frequencies. This is to ensure that you don't get a "wild" device with random frequencies (since it has various radios for ex. GSM, GPS, Wi-Fi etc.) which can disrupt the normal functionality of a GSM tower for example. It also ensures that the device is safe (that's what we need FCC for), in terms of radio waves radiation. Operator testing means that when the device is being sold via a carrier like Verizon, AT&T etc., it is compliant with their proprietary software (more commonly known as bloatware) as well as that the device will work properly on their frequency bands. This is the main reason OTAs for Carrier devices are usually quite late compared to the "stock" or OEM devices.
Now about that Gmail scanning service, it doesn't mean that they STORE the results of the scan, they could be read only, meaning that their bot goes over the contents, but doesn't save anything on their servers (this was an issue earlier, but due to lawsuits, Google had to stop saving data, and delete the data already saved).
Next, it's true that Google receives your IMEI, but only AFTER you log in to your Google account. And this is not that they can sell it to someone, but to help identify that particular device on your account for uses of Google services (for example the Google Play web interface; if you had two same device models on your account how would you know which is which?), and IMEI is easy to get and since it's unique it fits the purpose. Your location is used for the same purpose, and even that is not pinpointed exact location but approximate location (which serves the purpose, but isn't intrusive). There is also the use of services such as the Android Device Manager which is a good thing, since it helps find and lock lost/stolen devices. Again, for this you need a unique identifier, and location (in this case precise).
Also, depending on your country of residence they DO have to get at least a court order with reasons for the investigation in order to access your files.
Further down the road, an API can't do anything by itself, it's sort of something that enables an APP to do something. Now that's a big difference, because you can't say "That API sent my data". It' the app that USES the specific API that transmits the data to a 3rd party. That's two worlds apart, because an app we can easily block via a firewall or even delete it completely if we find the need to.
Finally, agencies such as the NSA, FBI, or any other state agency don't have much interest in an ordinary person. There just isn't much to find about a regular citizen, as they don't really care about your every day life (setting up private meetings, sending pics to each other etc.).
Click to expand...
Click to collapse
@nerotNS I am not going to make a discussion with you, on some points you are right, on others, you're very wrong! I would love to be like you!
So, between you, you seem to be saying that an android phone can definitely send info to Google via an app, but you disagree on whether there is anything built into the API which sends info to Google independently of any app which can be clearly seen in the OS. I am wondering if there is anyone who actually knows the answer to this, through being involved in the development of the OS, other than a Google employee who may not be free to tell the truth, if the answer would be unpopular. I wonder if a user can be free of their snooping simply by not opening an account or using any of their products, or whether the only solution is to wait for a truly independent developer to produce a stable, quality device?
QUOTE=nerotNS;56965212]I'll start with this:
Government regulatory certification means that the device being certified is built in compliance with the laws of a specific country. That includes building materials, but is mostly focused on radio frequencies. This is to ensure that you don't get a "wild" device with random frequencies (since it has various radios for ex. GSM, GPS, Wi-Fi etc.) which can disrupt the normal functionality of a GSM tower for example. It also ensures that the device is safe (that's what we need FCC for), in terms of radio waves radiation. Operator testing means that when the device is being sold via a carrier like Verizon, AT&T etc., it is compliant with their proprietary software (more commonly known as bloatware) as well as that the device will work properly on their frequency bands. This is the main reason OTAs for Carrier devices are usually quite late compared to the "stock" or OEM devices.
Now about that Gmail scanning service, it doesn't mean that they STORE the results of the scan, they could be read only, meaning that their bot goes over the contents, but doesn't save anything on their servers (this was an issue earlier, but due to lawsuits, Google had to stop saving data, and delete the data already saved).
Next, it's true that Google receives your IMEI, but only AFTER you log in to your Google account. And this is not that they can sell it to someone, but to help identify that particular device on your account for uses of Google services (for example the Google Play web interface; if you had two same device models on your account how would you know which is which?), and IMEI is easy to get and since it's unique it fits the purpose. Your location is used for the same purpose, and even that is not pinpointed exact location but approximate location (which serves the purpose, but isn't intrusive). There is also the use of services such as the Android Device Manager which is a good thing, since it helps find and lock lost/stolen devices. Again, for this you need a unique identifier, and location (in this case precise).
Also, depending on your country of residence they DO have to get at least a court order with reasons for the investigation in order to access your files.
Further down the road, an API can't do anything by itself, it's sort of something that enables an APP to do something. Now that's a big difference, because you can't say "That API sent my data". It' the app that USES the specific API that transmits the data to a 3rd party. That's two worlds apart, because an app we can easily block via a firewall or even delete it completely if we find the need to.
Finally, agencies such as the NSA, FBI, or any other state agency don't have much interest in an ordinary person. There just isn't much to find about a regular citizen, as they don't really care about your every day life (setting up private meetings, sending pics to each other etc.).[/QUOTE]
So, between you, you seem to be saying that an android phone can definitely send info to Google via an app, but you disagree on whether there is anything built into the API which sends info to Google independently of any app which can be clearly seen in the OS. I am wondering if there is anyone who actually knows the answer to this, through being involved in the development of the OS, other than a Google employee who may not be free to tell the truth, if the answer would be unpopular. I wonder if a user can be free of their snooping simply by not opening an account or using any of their products, or whether the only solution is to wait for a truly independent developer to produce a stable, quality device?
It's not about API, it's about what data apps can access and what is sent over the internet, and it actually goes much further than what most people think.
Use apps like Network Log or Network Connections and give Wire Shark a try, and track which IPs apps connect to.
You'll be surprised...
On my Samsung, after I had removed all the google spyware (erggghhh, I mean google apps) and about 150 stock apps, I saw that the kernel was connecting to some google related IPs and to google's DNS, eventhough I had set the phone to use Open DNS in the resolv.conf file, and that the android system was calling home (read "at google's central office in mountain view, California") everytime I connected (note that my phone had never been linked to any google account whatsoever).
Some of the IPs could easily be blocked by using a firewall script, but for some others and for the DNS leaks I had to patch some jars in /system/framework.
One thing is that it differs from phone to phone, I've checked on a Lenovo and there is much less of such unwanted connections.
Is it embedded in the AOSP code? Maybe, I don't use AOSP or CM based roms so I can't tell, but what I can tell is that it's funny to see people screaming about Xiamoi when it's the same elsewhere.
Anyway, if one wants to protect oneself it's possible albeit a bit involved.
First is first, root.
Second, use Xprivacy and a good firewall like AF+.
Then, make a script to block inbound and outbound disturbing IPs.
So, am I good to go now?
Not yet, let's get a step further...
You need now to decompile some of your system apps and some of your jars, and track lines refering to specific websites and DNS.
- Note that if you really are privacy concerned you should uninstall as many system apps as you can (only 11 left on my phone) and replace them with third part apps that are much easier to restrict and have less privileges. Forget about google spyware (erggghhh and sorry again, I mean google apps), facebook spyware-apk, what's app etc... -
That's it?
Still not, there's more!
Xprivacy is a fantastic tool, but due to android limitations it can't restrict ids for the android system.
Have tou ever heard of android.id, build.serial, ro.boot.serialno, ro.serialno etc.? And what about the serial_no and the mac in the efs folder? And the cpu info in proc? And the serial_number in sys?
- I'll deliberately stay vague on those matters, only people that know what they are doing should mess with that kind of stuff. -
Those are ids specific to your device and of course they identify you, that's what they are meant for!
An example, have a look at the wpa_supplicant.conf localised in data/misc/wifi. You'll see that it has your serial_number which means, and experts please correct me if I am wrong, that everytime you connect on the wifi your serial_number gets sent.
You want to change it manually?
Yeah sure, edit it directly from the file. Now start you wifi and check again the serial_number, you are back to the original value.:cyclops:
I'm not sure whether, if your firewall script is well done and if Xprivacy has been well configured (read "VERY restrictively configured"), those ids leaks or not, but since I like to have more than one protection layer I've edited all of them.
Some ids are easily changed using setpropex or an init script, some are harder and require boot.img editing, but I won't explain any further since as written above only people knowing what they do should play with that stuff.
If all of the above has been done I don't think that anyone can get much data from your phone, but I'm not a security expert and I'd like to hear what you guys think.
Note 1
Trust no one.
I found that apps I had created for testing purposes were requesting my serial, my MCC and my MNC upon installation, eventhough I hadn't given them access to that data neither in the code nor in the android manifest), and then I found that nearly all apps request the same.
Does it come from the IDEs (I have tried with two different brands and it was the same) or does it come from the android OS itself?
I have risen the issue here but nobody seemed interested and nobody blessed me with any relevant answer. Was it that they thought I was unworthy of their attention, or was it that they just didn't know? Or both? Who knows but once more I tell you, TRUST NOONE!!!!
Note 2
Someone said that the NSA and other agencies don't have much interest in a regular person which is true, but they nevertheless gather as much info as they can about as many people as they can, just in case.
In the 50's it was illegal to be a communist in the USA, if cell phones had existed at that time Mac Carthy would have found his job greatly eased.
During the Bush era it was either one was with him or one was against him and was dubbed a bad american (even if one wasn't a terrorist but simply agains Bush's policies), with Guantanamo around the corner if one was suspected of too much empathy with the arab victims.
What's next?
They decide what is subversive and what isn't, and maybe one day you could be subversive because you are against capitalism, or against globalisation, or sympathetic to the people that defend their land agains US invasions and US backed puppet governments.
Or because you rooted your phone?
Keep your eyes open and stay aware guys...
Well, you can always turn on Androids built in Device Encryption (if you don't mind slower r/w speeds). Combine that with a firewall and what you mentioned above and I think you're good.
unclefab said:
It's not about API, it's about what data apps can access and what is sent over the internet, and it actually goes much further than what most people think.
Use apps like Network Log or Network Connections and give Wire Shark a try, and track which IPs apps connect to.
You'll be surprised...
On my Samsung, after I had removed all the google spyware (erggghhh, I mean google apps) and about 150 stock apps, I saw that the kernel was connecting to some google related IPs and to google's DNS, eventhough I had set the phone to use Open DNS in the resolv.conf file, and that the android system was calling home (read "at google's central office in mountain view, California") everytime I connected (note that my phone had never been linked to any google account whatsoever).
Some of the IPs could easily be blocked by using a firewall script, but for some others and for the DNS leaks I had to patch some jars in /system/framework.
One thing is that it differs from phone to phone, I've checked on a Lenovo and there is much less of such unwanted connections.
Is it embedded in the AOSP code? Maybe, I don't use AOSP or CM based roms so I can't tell, but what I can tell is that it's funny to see people screaming about Xiamoi when it's the same elsewhere.
Anyway, if one wants to protect oneself it's possible albeit a bit involved.
First is first, root.
Second, use Xprivacy and a good firewall like AF+.
Then, make a script to block inbound and outbound disturbing IPs.
So, am I good to go now?
Not yet, let's get a step further...
You need now to decompile some of your system apps and some of your jars, and track lines refering to specific websites and DNS.
- Note that if you really are privacy concerned you should uninstall as many system apps as you can (only 11 left on my phone) and replace them with third part apps that are much easier to restrict and have less privileges. Forget about google spyware (erggghhh and sorry again, I mean google apps), facebook spyware-apk, what's app etc... -
That's it?
Still not, there's more!
Xprivacy is a fantastic tool, but due to android limitations it can't restrict ids for the android system.
Have tou ever heard of android.id, build.serial, ro.boot.serialno, ro.serialno etc.? And what about the serial_no and the mac in the efs folder? And the cpu info in proc? And the serial_number in sys?
- I'll deliberately stay vague on those matters, only people that know what they are doing should mess with that kind of stuff. -
Those are ids specific to your device and of course they identify you, that's what they are meant for!
An example, have a look at the wpa_supplicant.conf localised in data/misc/wifi. You'll see that it has your serial_number which means, and experts please correct me if I am wrong, that everytime you connect on the wifi your serial_number gets sent.
You want to change it manually?
Yeah sure, edit it directly from the file. Now start you wifi and check again the serial_number, you are back to the original value.:cyclops:
I'm not sure whether, if your firewall script is well done and if Xprivacy has been well configured (read "VERY restrictively configured"), those ids leaks or not, but since I like to have more than one protection layer I've edited all of them.
Some ids are easily changed using setpropex or an init script, some are harder and require boot.img editing, but I won't explain any further since as written above only people knowing what they do should play with that stuff.
If all of the above has been done I don't think that anyone can get much data from your phone, but I'm not a security expert and I'd like to hear what you guys think.
Note 1
Trust no one.
I found that apps I had created for testing purposes were requesting my serial, my MCC and my MNC upon installation, eventhough I hadn't given them access to that data neither in the code nor in the android manifest), and then I found that nearly all apps request the same.
Does it come from the IDEs (I have tried with two different brands and it was the same) or does it come from the android OS itself?
I have risen the issue here but nobody seemed interested and nobody blessed me with any relevant answer. Was it that they thought I was unworthy of their attention, or was it that they just didn't know? Or both? Who knows but once more I tell you, TRUST NOONE!!!!
Note 2
Someone said that the NSA and other agencies don't have much interest in a regular person which is true, but they nevertheless gather as much info as they can about as many people as they can, just in case.
In the 50's it was illegal to be a communist in the USA, if cell phones had existed at that time Mac Carthy would have found his job greatly eased.
During the Bush era it was either one was with him or one was against him and was dubbed a bad american (even if one wasn't a terrorist but simply agains Bush's policies), with Guantanamo around the corner if one was suspected of too much empathy with the arab victims.
What's next?
They decide what is subversive and what isn't, and maybe one day you could be subversive because you are against capitalism, or against globalisation, or sympathetic to the people that defend their land agains US invasions and US backed puppet governments.
Or because you rooted your phone?
Keep your eyes open and stay aware guys...
Click to expand...
Click to collapse
@unclefab - well said!!!
I completely agree with you. I have also tried to rise some awareness, but I keep seeing answers like "agencies don't have much interest in a regular person" and those are the first that are wrong (or are working for "someone")! Yes guys, when you first start your phone, and connect to the internet, in that very first moment, Google will receive your data, no matter what you did to restrict the leakage! You don't connect to internet? No problem, your operator will receive the same thing when you put their sim into your device! I am no developer, and I am not calling myself as such, but I know what I am talking from a security stand point! I am not a conspiracy theorist, and I will not tell you what I am doing for living, but definitely I know what I am talking about! Some times people are definitely dumb! Are you "people" aware that Google has a direct line (yes a "red phone" connect directly with the gov.?Are you aware what a little cookie can do? Are you aware why they use fake cell towers? Are you aware why they collect your data? Ads improvement? Service Improvement? Court orders? Really? Google isn't storing your data? Or Facebook even worse? Can't you really see what is going on? You can think I am an idiot, but as @unclefab said, trust no one! I am telling you this as a fairy tale, you can or can't believe me, but check for yourself and you'll see!
nerotNS said:
Well, you can always turn on Androids built in Device Encryption (if you don't mind slower r/w speeds). Combine that with a firewall and what you mentioned above and I think you're good.
Click to expand...
Click to collapse
No you're not good to go! Not if you're trying to avoid gov. agencies! And just to be fully clear, encryption will help you with the local thief, any gov. agency will break it in no time (at this time only Lollipop is causing issues to decrypt) !!! But hey, you have any right to believe otherwise!
Just a little off topic example....do you think this is the work of some hacker: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
"I completely agree with you. I have also tried to rise some awareness, but I keep seeing answers like "agencies don't have much interest in a regular person" and those are the first that are wrong (or are working for "someone")! "
Yeah, I've noticed the same, and they sometimes remain suspiciously silent on other subjects (like the questions I asked in my previous post or the issue I rose about illegitimate perms in home made apps), so I start to think the same than you.
Which means that we re back to the:
TRUST NOONE!
"when you first start your phone, and connect to the internet, in that very first moment, Google will receive your data, no matter what you did to restrict the leakage!"
True, that's why before to connect for the first time one should do the things I mentionned in post #12, plus some other settings that I will explain about in a soon to come tutorial on how to secure one's phone.
"You don't connect to internet? No problem, your operator will receive the same thing when you put their sim into your device!"
True again, but there's an easy way to bypass that.
First, don't give your real name when you buy a phone (sounds obvious but most people don't even think about it).
Second, don't give your real name when you buy a sim (same remark as above).
Third, with Xprivacy, AF+ Firewall, AppSettings, a firewall script, some init.d scripts etc. I don't think one's operator can get much in terms of private data out of the phone, apart from the sim imsi, the phone number and how many credits left there are.
To secure the internet connection use Tor, your operator will know that you use it but it won't know anything else.
It still knows who we are calling, for how long etc. when we use the phone functions and AFAIK there's no way to prevent that, except maybe by using those apps that encrypt communications (I can't comment on that since I don't use my phone to phone or to text, and anyway I don't believe in encryption, see below).
But then comes common sense and the TRUST NOONE concept, if you call mum for her birthday you can use your phone, if you want to make a sensitive call use a public phone.
"Are you "people" aware that Google has a direct line (yes a "red phone" connect directly with the gov.?"
Yep, the same applies to Microsoft and Skype, Facebook, Twitter, Apple etc.
It's true that they don't really care about us for now but still, they gather as much data as possible in case one day they need to chase people like you and me because of a new anti subversion law.
"And just to be fully clear, encryption will help you with the local thief, any gov. agency will break it in no time"
I agree with you, and I even think that encryption is dangerous cuz it gives people a false sense of security. I don't think there's any encryption that can resist a two storeys computer, and there probably are anyway backdoors everywhere regardless of what their devs claim.
The same applies to Linux, it has been compromised by the NSA since 2003.
Open source, the code can be reviewed blah blah, yeah, sure, and who reviews it?
Who has weeks to spend reading boring lines of code?
The schema is simple, as soon as you have an app, a website or an operating system, or whatever that becomes relatively popular, the men in black come knocking at your door.
Unless you have been clever enough to hide properly, but most of the time that's not the case (see how easily they caught silk road, how easily they trace anonymous hackers, the list goes endless).
You want another example?
After Snowden's revelation many so called secure emails have popped out here and there. I've tried quite a few and guess what?
You can't use most of them if you are on Tor with java script disabled. The funny thing being that you still can use gmail or yahoo without java script, interesting isn't it?
Now back to encryption, instead of using it once more one has to use one's common sense:
DO NOT store sensitive data in your phone, that's it.
If you have sensitive data keep it on an usb stick, or a hard disk, the idea is to have it on a support that is not web connected.
"do you think this is the work of some hacker: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance"
Hehehe, the only question is which men in black agency made it.
The US? China? Russia? The zionist? India?
unclefab said:
"I completely agree with you. I have also tried to rise some awareness, but I keep seeing answers like "agencies don't have much interest in a regular person" and those are the first that are wrong (or are working for "someone")! "
Yeah, I've noticed the same, and they sometimes remain suspiciously silent on other subjects (like the questions I asked in my previous post or the issue I rose about illegitimate perms in home made apps), so I start to think the same than you.
Which means that we re back to the:
TRUST NOONE!
"when you first start your phone, and connect to the internet, in that very first moment, Google will receive your data, no matter what you did to restrict the leakage!"
True, that's why before to connect for the first time one should do the things I mentionned in post #12, plus some other settings that I will explain about in a soon to come tutorial on how to secure one's phone.
"You don't connect to internet? No problem, your operator will receive the same thing when you put their sim into your device!"
True again, but there's an easy way to bypass that.
First, don't give your real name when you buy a phone (sounds obvious but most people don't even think about it).
Second, don't give your real name when you buy a sim (same remark as above).
Third, with Xprivacy, AF+ Firewall, AppSettings, a firewall script, some init.d scripts etc. I don't think one's operator can get much in terms of private data out of the phone, apart from the sim imsi, the phone number and how many credits left there are.
To secure the internet connection use Tor, your operator will know that you use it but it won't know anything else.
It still knows who we are calling, for how long etc. when we use the phone functions and AFAIK there's no way to prevent that, except maybe by using those apps that encrypt communications (I can't comment on that since I don't use my phone to phone or to text, and anyway I don't believe in encryption, see below).
But then comes common sense and the TRUST NOONE concept, if you call mum for her birthday you can use your phone, if you want to make a sensitive call use a public phone.
"Are you "people" aware that Google has a direct line (yes a "red phone" connect directly with the gov.?"
Yep, the same applies to Microsoft and Skype, Facebook, Twitter, Apple etc.
It's true that they don't really care about us for now but still, they gather as much data as possible in case one day they need to chase people like you and me because of a new anti subversion law.
"And just to be fully clear, encryption will help you with the local thief, any gov. agency will break it in no time"
I agree with you, and I even think that encryption is dangerous cuz it gives people a false sense of security. I don't think there's any encryption that can resist a two storeys computer, and there probably are anyway backdoors everywhere regardless of what their devs claim.
The same applies to Linux, it has been compromised by the NSA since 2003.
Open source, the code can be reviewed blah blah, yeah, sure, and who reviews it?
Who has weeks to spend reading boring lines of code?
The schema is simple, as soon as you have an app, a website or an operating system, or whatever that becomes relatively popular, the men in black come knocking at your door.
Unless you have been clever enough to hide properly, but most of the time that's not the case (see how easily they caught silk road, how easily they trace anonymous hackers, the list goes endless).
You want another example?
After Snowden's revelation many so called secure emails have popped out here and there. I've tried quite a few and guess what?
You can't use most of them if you are on Tor with java script disabled. The funny thing being that you still can use gmail or yahoo without java script, interesting isn't it?
Now back to encryption, instead of using it once more one has to use one's common sense:
DO NOT store sensitive data in your phone, that's it.
If you have sensitive data keep it on an usb stick, or a hard disk, the idea is to have it on a support that is not web connected.
"do you think this is the work of some hacker: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance"
Hehehe, the only question is which men in black agency made it.
The US? China? Russia? The zionist? India?
Click to expand...
Click to collapse
@unclefab finally someone with some common sense!!! BRAVO!!!!
I am really glad you have elaborated my post! Probably the most will not even see what we wrote here, but hey, someone maybe will be able to learn something new!
Again...BRAVO!!!!
unclefab said:
It's not about API, it's about what data apps can access and what is sent over the internet, and it actually goes much further than what most people think.
Use apps like Network Log or Network Connections and give Wire Shark a try, and track which IPs apps connect to.
You'll be surprised...
On my Samsung, after I had removed all the google spyware (erggghhh, I mean google apps) and about 150 stock apps, I saw that the kernel was connecting to some google related IPs and to google's DNS, eventhough I had set the phone to use Open DNS in the resolv.conf file, and that the android system was calling home (read "at google's central office in mountain view, California") everytime I connected (note that my phone had never been linked to any google account whatsoever).
Some of the IPs could easily be blocked by using a firewall script, but for some others and for the DNS leaks I had to patch some jars in /system/framework.
One thing is that it differs from phone to phone, I've checked on a Lenovo and there is much less of such unwanted connections.
Is it embedded in the AOSP code? Maybe, I don't use AOSP or CM based roms so I can't tell, but what I can tell is that it's funny to see people screaming about Xiamoi when it's the same elsewhere.
Anyway, if one wants to protect oneself it's possible albeit a bit involved.
First is first, root.
Second, use Xprivacy and a good firewall like AF+.
Then, make a script to block inbound and outbound disturbing IPs.
So, am I good to go now?
Not yet, let's get a step further...
You need now to decompile some of your system apps and some of your jars, and track lines refering to specific websites and DNS.
- Note that if you really are privacy concerned you should uninstall as many system apps as you can (only 11 left on my phone) and replace them with third part apps that are much easier to restrict and have less privileges. Forget about google spyware (erggghhh and sorry again, I mean google apps), facebook spyware-apk, what's app etc... -
That's it?
Still not, there's more!
Xprivacy is a fantastic tool, but due to android limitations it can't restrict ids for the android system.
Have tou ever heard of android.id, build.serial, ro.boot.serialno, ro.serialno etc.? And what about the serial_no and the mac in the efs folder? And the cpu info in proc? And the serial_number in sys?
- I'll deliberately stay vague on those matters, only people that know what they are doing should mess with that kind of stuff. -
Those are ids specific to your device and of course they identify you, that's what they are meant for!
An example, have a look at the wpa_supplicant.conf localised in data/misc/wifi. You'll see that it has your serial_number which means, and experts please correct me if I am wrong, that everytime you connect on the wifi your serial_number gets sent.
You want to change it manually?
Yeah sure, edit it directly from the file. Now start you wifi and check again the serial_number, you are back to the original value.:cyclops:
I'm not sure whether, if your firewall script is well done and if Xprivacy has been well configured (read "VERY restrictively configured"), those ids leaks or not, but since I like to have more than one protection layer I've edited all of them.
Some ids are easily changed using setpropex or an init script, some are harder and require boot.img editing, but I won't explain any further since as written above only people knowing what they do should play with that stuff.
If all of the above has been done I don't think that anyone can get much data from your phone, but I'm not a security expert and I'd like to hear what you guys think.
Note 1
Trust no one.
I found that apps I had created for testing purposes were requesting my serial, my MCC and my MNC upon installation, eventhough I hadn't given them access to that data neither in the code nor in the android manifest), and then I found that nearly all apps request the same.
Does it come from the IDEs (I have tried with two different brands and it was the same) or does it come from the android OS itself?
I have risen the issue here but nobody seemed interested and nobody blessed me with any relevant answer. Was it that they thought I was unworthy of their attention, or was it that they just didn't know? Or both? Who knows but once more I tell you, TRUST NOONE!!!!
Note 2
Someone said that the NSA and other agencies don't have much interest in a regular person which is true, but they nevertheless gather as much info as they can about as many people as they can, just in case.
In the 50's it was illegal to be a communist in the USA, if cell phones had existed at that time Mac Carthy would have found his job greatly eased.
During the Bush era it was either one was with him or one was against him and was dubbed a bad american (even if one wasn't a terrorist but simply agains Bush's policies), with Guantanamo around the corner if one was suspected of too much empathy with the arab victims.
What's next?
They decide what is subversive and what isn't, and maybe one day you could be subversive because you are against capitalism, or against globalisation, or sympathetic to the people that defend their land agains US invasions and US backed puppet governments.
Or because you rooted your phone?
Keep your eyes open and stay aware guys...
Click to expand...
Click to collapse
setmov said:
@unclefab - well said!!!
I completely agree with you. I have also tried to rise some awareness, but I keep seeing answers like "agencies don't have much interest in a regular person" and those are the first that are wrong (or are working for "someone")! Yes guys, when you first start your phone, and connect to the internet, in that very first moment, Google will receive your data, no matter what you did to restrict the leakage! You don't connect to internet? No problem, your operator will receive the same thing when you put their sim into your device! I am no developer, and I am not calling myself as such, but I know what I am talking from a security stand point! I am not a conspiracy theorist, and I will not tell you what I am doing for living, but definitely I know what I am talking about! Some times people are definitely dumb! Are you "people" aware that Google has a direct line (yes a "red phone" connect directly with the gov.?Are you aware what a little cookie can do? Are you aware why they use fake cell towers? Are you aware why they collect your data? Ads improvement? Service Improvement? Court orders? Really? Google isn't storing your data? Or Facebook even worse? Can't you really see what is going on? You can think I am an idiot, but as @unclefab said, trust no one! I am telling you this as a fairy tale, you can or can't believe me, but check for yourself and you'll see!
No you're not good to go! Not if you're trying to avoid gov. agencies! And just to be fully clear, encryption will help you with the local thief, any gov. agency will break it in no time (at this time only Lollipop is causing issues to decrypt) !!! But hey, you have any right to believe otherwise!
Just a little off topic example....do you think this is the work of some hacker: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
Click to expand...
Click to collapse
unclefab said:
"I completely agree with you. I have also tried to rise some awareness, but I keep seeing answers like "agencies don't have much interest in a regular person" and those are the first that are wrong (or are working for "someone")! "
Yeah, I've noticed the same, and they sometimes remain suspiciously silent on other subjects (like the questions I asked in my previous post or the issue I rose about illegitimate perms in home made apps), so I start to think the same than you.
Which means that we re back to the:
TRUST NOONE!
"when you first start your phone, and connect to the internet, in that very first moment, Google will receive your data, no matter what you did to restrict the leakage!"
True, that's why before to connect for the first time one should do the things I mentionned in post #12, plus some other settings that I will explain about in a soon to come tutorial on how to secure one's phone.
"You don't connect to internet? No problem, your operator will receive the same thing when you put their sim into your device!"
True again, but there's an easy way to bypass that.
First, don't give your real name when you buy a phone (sounds obvious but most people don't even think about it).
Second, don't give your real name when you buy a sim (same remark as above).
Third, with Xprivacy, AF+ Firewall, AppSettings, a firewall script, some init.d scripts etc. I don't think one's operator can get much in terms of private data out of the phone, apart from the sim imsi, the phone number and how many credits left there are.
To secure the internet connection use Tor, your operator will know that you use it but it won't know anything else.
It still knows who we are calling, for how long etc. when we use the phone functions and AFAIK there's no way to prevent that, except maybe by using those apps that encrypt communications (I can't comment on that since I don't use my phone to phone or to text, and anyway I don't believe in encryption, see below).
But then comes common sense and the TRUST NOONE concept, if you call mum for her birthday you can use your phone, if you want to make a sensitive call use a public phone.
"Are you "people" aware that Google has a direct line (yes a "red phone" connect directly with the gov.?"
Yep, the same applies to Microsoft and Skype, Facebook, Twitter, Apple etc.
It's true that they don't really care about us for now but still, they gather as much data as possible in case one day they need to chase people like you and me because of a new anti subversion law.
"And just to be fully clear, encryption will help you with the local thief, any gov. agency will break it in no time"
I agree with you, and I even think that encryption is dangerous cuz it gives people a false sense of security. I don't think there's any encryption that can resist a two storeys computer, and there probably are anyway backdoors everywhere regardless of what their devs claim.
The same applies to Linux, it has been compromised by the NSA since 2003.
Open source, the code can be reviewed blah blah, yeah, sure, and who reviews it?
Who has weeks to spend reading boring lines of code?
The schema is simple, as soon as you have an app, a website or an operating system, or whatever that becomes relatively popular, the men in black come knocking at your door.
Unless you have been clever enough to hide properly, but most of the time that's not the case (see how easily they caught silk road, how easily they trace anonymous hackers, the list goes endless).
You want another example?
After Snowden's revelation many so called secure emails have popped out here and there. I've tried quite a few and guess what?
You can't use most of them if you are on Tor with java script disabled. The funny thing being that you still can use gmail or yahoo without java script, interesting isn't it?
Now back to encryption, instead of using it once more one has to use one's common sense:
DO NOT store sensitive data in your phone, that's it.
If you have sensitive data keep it on an usb stick, or a hard disk, the idea is to have it on a support that is not web connected.
"do you think this is the work of some hacker: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance"
Hehehe, the only question is which men in black agency made it.
The US? China? Russia? The zionist? India?
Click to expand...
Click to collapse
You guys are way too paranoid. First off, if you're all into don't track us down, why are you using the Internet in the first place? Now for the technical part.
The kernel is trying to get the the DNS because guess what? DNS is needed for Internet connectivity. Android is a smartphone and many of its services rely on having an Internet connection. So it's rather normal that a system-level part is trying to establish a network connection. OEM kernels have more of this compared to AOSP because they use their proprietary services.
And sure, you can use 3rd party apps, but they too can contain tracking data, and prior to 4.4/5.0 core system apps were open source, and you still don't have to use gapps.
Next, you can't change hardware embedded data like serial numbers for a number of reasons, security being one of them. If it was that easy you could never track down stolen phones for example. Much like a motor engine serial number in a car. Same goes for IMEI. Then you spoke about the past. Things change over time, it's not the Cold War ETA anymore. Next yes, court orders. According to international law they DO NEED a court order to see your data. And even that is done only in high profile criminal cases. You can read quite a lot about privacy laws online.
Further, yes you ARE good to go. Androids built in encryption system is pretty tough. If your bootloader is locked down, you have no custom recovery, it ain't that easy to get to your data (excluding nexus devices, because of their development nature this can be relatively easily bypassed). Plus, they'd have to have physical access to your device.
They won't receive any of your "precious" data except your rough location and serial numbers as well as your IMEI that will be bound to your Google account. I've already explained why, plus it's for their statistics for example the number of active android devices, new Android device activations on a daily basis etc.
You say you don't use a real name when buying a phone? Well tell me then, what about ID cards? You fake them too when signing a contract? Buying a prepaid SIM card doesn't need a name anyway. And buying a phone? Same thing, unless bought on contract, in which case the ID card problem persists.
Calling encryption dangerous is ridiculous to say the least. And yes, even "two story computers" are gonna have a bad time cracking it. Ever heard of a 256-bit AES?
Finally saying that nobody reviews "boring source code" is ignorant if nothing else. There are tens of thousands of people PAID to do this. It's not a single guy doing it. Plus just because YOU find it boring, doesn't mean everybody else finds it boring too.
Conclusion: Yes, there are ways to compromise security and data. Yes you can block most of those ways. But this level of paranoia is ridiculous to say the least and sounds like something I'd see in a conspiracy TV commercial. Reading trough your posts here I half expected to see "The end is nigh. Hide your children!" kind of sentence. If you believe that we're all monitored, then throw your router trough the window, smash all your tech, and live in a candle lit room. But please don't spread unfounded fear on a public forum based purely on your assumptions, or on what you see on a TV.
Now setmov I'm speaking directly to you. Calling other people stupid because they don't agree with you is a direct violation of xda's rules. Please refrain from doing it again. Thanks in advance.
nerotNS said:
You guys are way too paranoid. First off, if you're all into don't track us down, why are you using the Internet in the first place? Now for the technical part.
The kernel is trying to get the the DNS because guess what? DNS is needed for Internet connectivity. Android is a smartphone and many of its services rely on having an Internet connection. So it's rather normal that a system-level part is trying to establish a network connection. OEM kernels have more of this compared to AOSP because they use their proprietary services.
And sure, you can use 3rd party apps, but they too can contain tracking data, and prior to 4.4/5.0 core system apps were open source, and you still don't have to use gapps.
Next, you can't change hardware embedded data like serial numbers for a number of reasons, security being one of them. If it was that easy you could never track down stolen phones for example. Much like a motor engine serial number in a car. Same goes for IMEI. Then you spoke about the past. Things change over time, it's not the Cold War ETA anymore. Next yes, court orders. According to international law they DO NEED a court order to see your data. And even that is done only in high profile criminal cases. You can read quite a lot about privacy laws online.
Further, yes you ARE good to go. Androids built in encryption system is pretty tough. If your bootloader is locked down, you have no custom recovery, it ain't that easy to get to your data (excluding nexus devices, because of their development nature this can be relatively easily bypassed). Plus, they'd have to have physical access to your device.
They won't receive any of your "precious" data except your rough location and serial numbers as well as your IMEI that will be bound to your Google account. I've already explained why, plus it's for their statistics for example the number of active android devices, new Android device activations on a daily basis etc.
You say you don't use a real name when buying a phone? Well tell me then, what about ID cards? You fake them too when signing a contract? Buying a prepaid SIM card doesn't need a name anyway. And buying a phone? Same thing, unless bought on contract, in which case the ID card problem persists.
Calling encryption dangerous is ridiculous to say the least. And yes, even "two story computers" are gonna have a bad time cracking it. Ever heard of a 256-bit AES?
Finally saying that nobody reviews "boring source code" is ignorant if nothing else. There are tens of thousands of people PAID to do this. It's not a single guy doing it. Plus just because YOU find it boring, doesn't mean everybody else finds it boring too.
Conclusion: Yes, there are ways to compromise security and data. Yes you can block most of those ways. But this level of paranoia is ridiculous to say the least and sounds like something I'd see in a conspiracy TV commercial. Reading trough your posts here I half expected to see "The end is nigh. Hide your children!" kind of sentence. If you believe that we're all monitored, then throw your router trough the window, smash all your tech, and live in a candle lit room. But please don't spread unfounded fear on a public forum based purely on your assumptions, or on what you see on a TV.
Now unclefab I'm speaking directly to you. Calling other people stupid because they don't agree with you is a direct violation of xda's rules. Please refrain from doing it again. Thanks in advance.
Click to expand...
Click to collapse
@nerotNS
- First thing, I've wrote "Some times people are definitely dumb!" not @unclefab! Please prove me that what I wrote is not right!
- Second, everything WE said is right! Why are you trying so hard prove it otherwise?
- Third, you can see what you have the ability to see! Maybe in your country the prosecutors, law enforcement agencies or else, need a court order, in the US they don't! You know why? Because of Patriot Act! Maybe you don't even know what this is, and you haven't seen the effect of it, but this doesn't mean it not exist!
- Fourth, you have your believes, and I have mine, so I will respect that and not try to change yours, and for me this discussion is over!
To the OP @jaifora, men, believe what you want, you have the right to!
Good luck
@neronS
"Things change over time, it's not the Cold War ETA anymore. Next yes, court orders. According to international law they DO NEED a court order to see your data. And even that is done only in high profile criminal cases. You can read quite a lot about privacy laws online. "
Saying that shows that you are either very young, or that you have never left your home town, or both.
It's not the cold war anymore, true, now it's the so called war on terror, the US allways need to have an ennemy (before that back in the 90's it was the war on narcotics, but you may have not heard about it).
International laws you said?
You think the States care about those laws?
Did they care about it when the UN said that the invasion in Iraq violates such international laws?
Have you heard about the Abou Ghaib jail? That was another nice example on how international laws are followed by the States.
Apart from that, have you heard about corrupted indian officials tracking indian facebook users that expose their scamms?
Have you heard about that indonesian atheist that got severely beaten up by an angry mob because he had declared on his facebook account that he doesn't believe in god, and that endded up in jail (the atheist, not the mob) for blasphemy?
Have you heard about that bangladeshi blogger that may be executed cuz he wrote on his blog that he's an atheist?
You want more examples?
Oh yeah, I almost forgot, the states, the country of freedom and democracy, the country where you need a court order.
What a joke!
Have you heard about all what the US did these last 200 years? And have you heard about what the US is currently doing in 2014?
I guess you didn't, hence your last reply...
But as for me I did, and that's why I can't trust such a country. That said, I can't trust the european, the chinese, the indian or the russian either, not to mention the middle eastern, as I already said I trust NOONE...
"They won't receive any of your "precious" data except your rough location and serial numbers as well as your IMEI that will be bound to your Google account."
Really?
What about permissions like access fine location (precise gps location), read sms, send sms without the user's knowledge, write sms, read bookmarks, write bookmarks, read contats, write contacts, read call log, write call log, read contact card, read user dictionary, get accounts on the device, perms that can be found in apps where such perms are not needed, you want more?
Have a look at all the data leakage when you connect to the internet, and you'll see that it's not only about a few digits...
"You say you don't use a real name when buying a phone? Well tell me then, what about ID cards? You fake them too when signing a contract? Buying a prepaid SIM card doesn't need a name anyway. And buying a phone? Same thing, unless bought on contract, in which case the ID card problem persists. "
You have just proved once more that you have never been away from home.
The vast majority of android users are people from emerging countries where one can buy a phone without giving one's name (so no need to fake anything) and the same applies for the sim.
Those people are not rich arrogant westerners, who think they know everything because mum and dad sent them to a good school, and they don't have any subscription cuz in most of those countries it doesn't exist or if it does it's very limited.Those people buy prepaid credits when they have money, that's it.
How many people in the States? 315 millions.
How many people in western Europe? About 300 millions.
Add Canada, 30, Australia, 20, how many is that?
India, 1.2 billion or even more.
China, 1.2 billion and counting.
Africa, nearly 1 billion.
Indonesia, 250 millions.
Maybe you should leave your hometown and travel a bit, the world doesn't end in the west's boundaries.
"Finally saying that nobody reviews "boring source code" is ignorant if nothing else. There are tens of thousands of people PAID to do this. It's not a single guy doing it. Plus just because YOU find it boring, doesn't mean everybody else finds it boring too. "
Do a search with "linux kernel nsa", you will learn a lot.
" don't spread unfounded fear on a public forum based purely on your assumptions, or on what you see on a TV. "
Well, I haven't seen it on the tv, I have seen it on the field and I know very well what human beings are capable of, which you obviously don't.
So please, don't spread unfounded reinsurance that everything goes fine, that google and the governments are ok, just because a guy talking on their behalf on the tv said they are.
Then, you can call me a conspirationist or whatever, I don't care, I didn't write those posts for people like you but for people that have their eyes open.
"Now unclefab I'm speaking directly to you. Calling other people stupid because they don't agree with you is a direct violation of xda's rules. Please refrain from doing it again. Thanks in advance"
Where did I call anyone "stupid?
You, on the contrary, said that:
"Finally saying that nobody reviews "boring source code" is ignorant if nothing else".
So son, instead of playing mister moderator maybe YOU should watch a bit your language.
Ah the kids of today...:silly:
unclefab said:
@neronS
"Things change over time, it's not the Cold War ETA anymore. Next yes, court orders. According to international law they DO NEED a court order to see your data. And even that is done only in high profile criminal cases. You can read quite a lot about privacy laws online. "
Saying that shows that you are either very young, or that you have never left your home town, or both.
It's not the cold war anymore, true, now it's the so called war on terror, the US allways need to have an ennemy (before that back in the 90's it was the war on narcotics, but you may have not heard about it).
International laws you said?
You think the States care about those laws?
Did they care about it when the UN said that the invasion in Iraq violates such international laws?
Have you heard about the Abou Ghaib jail? That was another nice example on how international laws are followed by the States.
Apart from that, have you heard about corrupted indian officials tracking indian facebook users that expose their scamms?
Have you heard about that indonesian atheist that got severely beaten up by an angry mob because he had declared on his facebook account that he doesn't believe in god, and that endded up in jail (the atheist, not the mob) for blasphemy?
Have you heard about that bangladeshi blogger that may be executed cuz he wrote on his blog that he's an atheist?
You want more examples?
Oh yeah, I almost forgot, the states, the country of freedom and democracy, the country where you need a court order.
What a joke!
Have you heard about all what the US did these last 200 years? And have you heard about what the US is currently doing in 2014?
I guess you didn't, hence your last reply...
But as for me I did, and that's why I can't trust such a country. That said, I can't trust the european, the chinese, the indian or the russian either, not to mention the middle eastern, as I already said I trust NOONE...
"They won't receive any of your "precious" data except your rough location and serial numbers as well as your IMEI that will be bound to your Google account."
Really?
What about permissions like access fine location (precise gps location), read sms, send sms without the user's knowledge, write sms, read bookmarks, write bookmarks, read contats, write contacts, read call log, write call log, read contact card, read user dictionary, get accounts on the device, perms that can be found in apps where such perms are not needed, you want more?
Have a look at all the data leakage when you connect to the internet, and you'll see that it's not only about a few digits...
"You say you don't use a real name when buying a phone? Well tell me then, what about ID cards? You fake them too when signing a contract? Buying a prepaid SIM card doesn't need a name anyway. And buying a phone? Same thing, unless bought on contract, in which case the ID card problem persists. "
You have just proved once more that you have never been away from home.
The vast majority of android users are people from emerging countries where one can buy a phone without giving one's name (so no need to fake anything) and the same applies for the sim.
Those people are not rich arrogant westerners, who think they know everything because mum and dad sent them to a good school, and they don't have any subscription cuz in most of those countries it doesn't exist or if it does it's very limited.Those people buy prepaid credits when they have money, that's it.
How many people in the States? 315 millions.
How many people in western Europe? About 300 millions.
Add Canada, 30, Australia, 20, how many is that?
India, 1.2 billion or even more.
China, 1.2 billion and counting.
Africa, nearly 1 billion.
Indonesia, 250 millions.
Maybe you should leave your hometown and travel a bit, the world doesn't end in the west's boundaries.
"Finally saying that nobody reviews "boring source code" is ignorant if nothing else. There are tens of thousands of people PAID to do this. It's not a single guy doing it. Plus just because YOU find it boring, doesn't mean everybody else finds it boring too. "
Do a search with "linux kernel nsa", you will learn a lot.
" don't spread unfounded fear on a public forum based purely on your assumptions, or on what you see on a TV. "
Well, I haven't seen it on the tv, I have seen it on the field and I know very well what human beings are capable of, which you obviously don't.
So please, don't spread unfounded reinsurance that everything goes fine, that google and the governments are ok, just because a guy talking on their behalf on the tv said they are.
Then, you can call me a conspirationist or whatever, I don't care, I didn't write those posts for people like you but for people that have their eyes open.
"Now unclefab I'm speaking directly to you. Calling other people stupid because they don't agree with you is a direct violation of xda's rules. Please refrain from doing it again. Thanks in advance"
Where did I call anyone "stupid?
You, on the contrary, said that:
"Finally saying that nobody reviews "boring source code" is ignorant if nothing else".
So son, instead of playing mister moderator maybe YOU should watch a bit your language.
Ah the kids of today...:silly:
Click to expand...
Click to collapse
setmov said:
@nerotNS
- First thing, I've wrote "Some times people are definitely dumb!" not @unclefab! Please prove me that what I wrote is not right!
- Second, everything WE said is right! Why are you trying so hard prove it otherwise?
- Third, you can see what you have the ability to see! Maybe in your country the prosecutors, law enforcement agencies or else, need a court order, in the US they don't! You know why? Because of Patriot Act! Maybe you don't even know what this is, and you haven't seen the effect of it, but this doesn't mean it not exist!
- Fourth, you have your believes, and I have mine, so I will respect that and not try to change yours, and for me this discussion is over!
To the OP @jaifora, men, believe what you want, you have the right to!
Good luck
Click to expand...
Click to collapse
I apologize for the mistype I didn't mean unclefab, I meant setmov with his "stupidity" remark.
As for you, I HAVE been around the world quite a lot more than you think. And in case you haven't noticed, I said that you need to give your name ONLY if on contract. I even said that using prepaid doesn't include this. And even according to the Patriot Act they still DO NEED at least a search warrant, otherwise it would be breaking the US Constitution. All the examples you gave above may be true, but you forgot to mention the fact that it was all placed PUBLICLY AND WILLINGLY. The aftermath is a completely unrelated thing. And yes, even though I am 18 I k of quite a lot of the matter as well as other things. Assuming something about someone based on age is immature to say the least. And finally you told me to search Linux kernel NSA. Mate, if you believe everything on Google, I hope you have anti alien cannons in your house. Also claiming that westerners are "rich and arrogant" is considered nationalism. Don't do it, it's bad. Plus everything I learned, I learned on my own. Not in a "good school". As setmov said, as far as I'm concerned the discussion is over, I don't want this to become a public fight. If you wish further talk, you can contact me in a PM.