[Q] modifying .apk - General Questions and Answers

I am not a developer, while I seem to have more knowledge than the daily user, I do not have the knowledge base to attempt the project that I am curious about. I work for a local tow company as an AAA tow truck driver. AAA has provided all its contract stations with an Android device that runs an app that is basically a native interface for a web based portal for dispatching the calls. To make a long story short, if I were to log into the web interface from my E4GT I can view the dispatched calls ok and the office seems to be able to track me ok, but the native app on the AAA device seems to be able to update statuses while the web interface doesn't seem to actually send the information. I got a hold of the native app apk file and it installed ok, however it asks for a user name that the web interface does not ask for. I assume that this is to prevent people (like me) from installing on devices that weren't approved by AAA. I was wondering if perhaps there was a way to modify the program to skip this step and allow me to move right in to the log in. If anyone can point me in the direction of someone who may be able to undertake this project for me, I know several people who would rather use their own devices than the AAA device which we are held financially responsible for if it ever is broken or lost. If I were able to run it on my device I could toss their device in a drawer where it will stay safe until I need to return it. Please help. I included the .apk file if anyone is interested in giving this a go.

The likelihood is that modifying this original app in any way would break the law.
AAA obviously paid for the app to be developed and they will own the rights to it.
I suspect that your request breaks the rules of XDA.

The app was downloaded for free with no copyright permissions agreed to at this location. (I tried to post a link but I guess I'm too new, I have it tho if you need evidence) therefore I would assume no laws were broken. That web page is the web based program and allows you to download the app without agreeing to anything.
Sent from my SPH-D710 using xda app-developers app

Mark1537 said:
The app was downloaded for free with no copyright permissions agreed to at this location. (I tried to post a link but I guess I'm too new, I have it tho if you need evidence) therefore I would assume no laws were broken. That web page is the web based program and allows you to download the app without agreeing to anything.
You can post a link by sticking it in as clear text, with no 'http://' if you really need to.
Just because you are able to download it for free doesn't mean there are no inherent copyright and licences - you will often find them as part of the installation procedure.

OK here's the link. d3me.ersace.com/d3me/htmls/index.jsp
The AAA servers have been having issues over the last couple days so the website seems to be down right now. It actually has been making it really tough because all our calls are being dispatched late and customers aren't happy. But there were no permissions on the installation either. It installed fast and asked for a user ID that I'm assuming belongs to someone in their tech dept. That's all.
After that it should go straight to the contract station and driver log in.
Sent from my SPH-D710 using xda app-developers app

The website is up again. Feel free to check it out. I've been trying to get a hold of someone from AAA to talk about getting me a log on, but I have no response. I can't see how they could object to me using software that they want me to use. I just don't want to risk the device that they are holding me responsible for. Aside from the fact that I don't want to carry multiple devices around. I don't want to break any laws, but there doesn't seem to be any restrictions on this particular app.
Sent from my SPH-D710 using xda app-developers app

Mark1537 said:
The website is up again. Feel free to check it out. I've been trying to get a hold of someone from AAA to talk about getting me a log on, but I have no response. I can't see how they could object to me using software that they want me to use. I just don't want to risk the device that they are holding me responsible for. Aside from the fact that I don't want to carry multiple devices around. I don't want to break any laws, but there doesn't seem to be any restrictions on this particular app.
The website seems to be back down again, at least as far as I can tell.

I just checked it this moment. And it's up.
Sent from my SPH-D710 using xda app-developers app

Mark1537 said:
I just checked it this moment. And it's up.
Yeah, just discovered that it's an https:// not an http:// link
By pressing ACCEPT, you agree not to use this application while operating a motor vehicle, and agree to the other limitations with respect to the use of this application as described in the accompanying materials.
That would be implicit to the software as well, so I would assume that the 'accompanying materials' probably includes their restrictions of use.
Regardless, I can't see you getting anywhere without the username and password. I reckon that social engineering is likely to be more successful than hacking the app, but I may be proved wrong.

I'm finally getting some response from AAA, it was a handbook given during the training for the software. I have read through it and am struggling to find anything regarding the licensing or copyright infringement. I don't deny the ethical gray area that I am standing in, I am just trying to make my working life easier. If I can accomplish the task through the proper means by acquiring a log in of my own I will do that, I was just wondering if the same results could be achieved through alternative means.
Sent from my SPH-D710 using xda app-developers app

Mark1537 said:
I'm finally getting some response from AAA, it was a handbook given during the training for the software. I have read through it and am struggling to find anything regarding the licensing or copyright infringement. I don't deny the ethical gray area that I am standing in, I am just trying to make my working life easier. If I can accomplish the task through the proper means by acquiring a log in of my own I will do that, I was just wondering if the same results could be achieved through alternative means.
Sent from my SPH-D710 using xda app-developers app
Hi, I know this is a little old but my station just upgraded to the tablets also, so I am in the same boat now and was wondering if you were able to get any further with this.

nope
bearclaw001 said:
Hi, I know this is a little old but my station just upgraded to the tablets also, so I am in the same boat now and was wondering if you were able to get any further with this.
Nobody was willing to help either here or at AAA; however, if you are a reliable driver that doesn't need to be tracked everywhere that you go, just make sure that your dispatch tells you when they send you a call and the web link will work. It will even track you if you leave it running. But there is no alert sound. So if dispatch just sends calls and doesn't tell you, it's no good. Luckily I have been able to just deal with it for now. I'm extra careful with their device, and hopefully nothing will happen. But the tablets...... that seems pricey.

Mark1537 said:
Nobody was willing to help either here or at AAA; however, if you are a reliable driver that doesn't need to be tracked everywhere that you go, just make sure that your dispatch tells you when they send you a call and the web link will work. It will even track you if you leave it running. But there is no alert sound. So if dispatch just sends calls and doesn't tell you, it's no good. Luckily I have been able to just deal with it for now. I'm extra careful with their device, and hopefully nothing will happen. But the tablets...... that seems pricey.
To say "Nobody was willing to help either here or..." is rather unfair. Nobody here would have any benefit from modifying the application to do what you wished, even if they did want to get involved in the legal gray area, and you can't exactly expect a developer to simply spend hours or days taking an app apart in the hope of modifying it when there is no real reason for them to do so.
Your best bet always was, and still is, to go back to AAA and ask them. If enough of the drivers start doing so they may consider allowing installation on a different device - although they may demand the device be sent to them first for the installation so they can pre-enter the required log-on information.

not an insult.
SimonTS said:
To say "Nobody was willing to help either here or..." is rather unfair. Nobody here would have any benefit from modifying the application to do what you wished, even if they did want to get involved in the legal gray area, and you can't exactly expect a developer to simply spend hours or days taking an app apart in the hope of modifying it when there is no real reason for them to do so.
Your best bet always was, and still is, to go back to AAA and ask them. If enough of the drivers start doing so they may consider allowing installation on a different device - although they may demand the device be sent to them first for the installation so they can pre-enter the required log-on information.
My post was not meant as an insult, just a statement of fact. I always acknowledged the legal gray area, and more than understand why nobody would get involved. I guess I was hoping somebody might point me in the right direction to accomplish the task on my own. I have since given up the task as I have stated already, and continue to utilize the various resources this site provides. I'm sorry you were offended, but once again, it was not an insult. Have a nice day.

simple
Guys, I know this is kinda a dead post but AAA locks the tablet to go to the one website only. That is, when you click on the "app" on the tablet, it is just opening the web page. It's your shop number, password, truck id and user id. No install needed.

If you install this on your own device (only some clubs allow "bring your own device") you need to enter the location url for your particular club, usually http://spp.aaa.com/d3me*** where the *'s are your club number. Then you have to have an application username which is simply a password that gives you access rights to install the application. You will never see this on a club owned device like a cell phone or tablet provided by the club you are contracted for because it is preinstalled. So as "simple" as stated that is all you need on a club device but if you are trying to install on your device (which likely runs much faster and better anyway) then you need a club that allows BYOD to get the application installer password. (And no I won't post the installer password!)

Related

{DEV} Remember the CIQ Apps Found In HTC Devices? There Is More And It Isn’t Pretty!!

Taken From XDA Portal
For the last few weeks, we have been intensely covering security and privacy issues that involve quite a few of the latest HTC devices (Sensation, EVO 3D, etc). It was discovered by XDA Recognized Developer TrevE that there are multiple apps and services that basically collect all sorts of information about our devices, their usage, and everything that is done on them to later on be sent to some Amazon cloud drive. HTC has come back a couple of times with official statements saying that the apps are indeed harmless and that the information collected is to basically help HTC and the carriers to improve their products and services to us. Moreover, they claimed that, at least, the HTC services can be opted out and they would stop collecting said information. Well, TrevE has been doing a lot of research as of lately and further proved that not only can these services not be turned off by regular means, but also has shown, by doing an experiment in a controlled environment, that the apps are inherently dangerous as they can be easily exploited by virtually any app that has android.permission.INTERNET enabled, which a ton of apps in the market currently do.
The kind of information that can be pulled from the device could be enough, potentially, to clone a device completely if the person receiving this knows how to do it. The app seems to allow the dump of virtually all stats and values by the device. Regardless of HTC’s motives to collect this information, the important part about this, and really the core of the issue, is that the information from these apps can be easily intercepted and sent anywhere to anyone. For the skeptics in the room, TrevE has put together a small demo app (proof of concept) that shows what could potentially happen when this is intercepted. He also has put together a Youtube video that shows exactly what is going on. It seems that the only real way to get rid of these services is by rooting the device and manually removing them, but there is no known way to remove them from an unrooted device.
HTC has been notified about the issue approximately 5 days ago and we are still waiting for a response, which they said they are working on. You will have to keep in mind that this is only the first app that TrevE is working on, and if you remember from previous articles, there are 5 of them. Long story short, you can expect one of these articles on XDA at least once a week for the next month or so.
Well, HTC, as you may see it, this is no longer about us wondering why you are getting our information, but it was discovered that whatever you are using to get it is simply not secure. For the sake of your customer’s privacy, we request that you take the proper measures and release any and all necessary patches to fix this for any and all devices being affected. This is about people’s data falling in the wrong hands, so please we ask that you take action on this soon.
HTCLogger allows any app that has access to android.permission.INTERNET on devices such as the evo3d to obtain full access to query sensitive info such as network/appusagestats/meid/esn/phone#/past 10 location broadcasts and last known locations/and more.
http://www.youtube.com/watch?v=YoTUkQ7SlNU&feature=player_embedded
You can find the original thread here. Also, you can check if you are vulnerable by using the app found in this thread.
Thanks TrevE for the tip!
More links regarding new findings!!..
http://infectedrom.com/showthread.php/559-Vunerability-1-Android-Security-Elevation
and here's an app to check if you are vulnerable...
http://forum.xda-developers.com/showpost.php?p=17612559&postcount=110
Does this help anyone?! LOL....I'm sure NOBODY likes BIG BROTHER WATCHING YOU!
lightninbug said:
Does this help anyone?! LOL....I'm sure NOBODY likes BIG BROTHER WATCHING YOU!
Well you kind of threw that out the door when you decided to buy an ANDROID device.. didn't ya ? LOL
so if you run something like cyanogen or miui am i right in thinking you would prob not be vulnerable, but custom sense based roms prob would be?
meegs said:
so if you run something like cyanogen or miui am i right in thinking you would prob not be vulnerable, but custom sense based roms prob would be?
That's basically what I'm thinking.. But who knows...For all we know the STOCK sms app is sending HTC all our texts...think of how many drug dealers/ or other illegal things people do that is uploaded to HTC....I foresee a NEW AGE IN CRIME STOPPING upon us...and the general public doesn't even know it.
About the big brother watching you.
Why do you think Android is free? Companies like HTC and Google want you to spend as much time as possible on the internet so you can see the ads that pay their bills. That's the whole idea behind Android, cheap access to the internet so you can use Google products and see their ads. HTC is probably doing something similar here. HTC has access to lots of user data via the phones that they sell. This is valuable data to data miners who can sell their products using this information.
Personally I don't have a problem with this. But if you do it makes sense to stop using the internet
Call me crazy but I quite frankly don't care much about them knowing what apps I run or where my wifi network is located or where my phone has been. I voluntarily share that kind of information with Google in return for making my life easier by allowing me to use services like Google Maps and Google Search. Now if I were a terrorist or someone running from law enforcement I could see how this would bother me a lot more.
Moreover, if this information actually helps HTC improve the user experience on my next device (similar to how it has helped Google improve their services), I'll personally send it to them in a .zip file. It is troubling though that they kind of just take these kinds of stats regardless of your consent.
Anyway, let me know when they start listening in on my phone calls and reading my text messages. Maybe then I'll care more. -_-
EDIT: I still really do appreciate TrevE taking time out of his day to do this research and share his findings with the community.
Guys, I think they're trying to say that HTC or Google is not gathering our info securely, and anyone with the knowledge can intercept our info from Google or HTC. Say the president uses an HTC Sensation, and a terrorist intercepts the president's info that is supposed to go to Google or HTC. Now that terrorist knows where the president is, etc. See how that's a problem? I sure don't want no crazed lunatic knowing where I'm at, worse, cloning my phone!
Sent from my HTC Sensation XE with Beats Audio using xda premium
brd912 said:
Guys, I think they're trying to say that HTC or Google is not gathering our info securely, and anyone with the knowledge can intercept our info from Google or HTC. Say the president uses an HTC Sensation, and a terrorist intercepts the president's info that is supposed to go to Google or HTC. Now that terrorist knows where the president is, etc. See how that's a problem? I sure don't want no crazed lunatic knowing where I'm at, worse, cloning my phone!
Sent from my HTC Sensation XE with Beats Audio using xda premium
just in case we wondered why the president still uses a crackberry
Another reason to use Cyanogenmod. Yipee!
Sent from my Sensation using Cyanogenmod
I'm running a stock T-Mobile version of Sense, rooted, and when I installed the app, it says connection refused. I looked for the app htclog.apk in /system/app and it's not there...

[SUGGESTION] Setting a Bounty on the bootloader.

As most of you would know, we have learned quite a bit about Defy bootloader during the last week.
We always thought that Motorola don't have a method to unlock production defys (defys shipped to end users). Well we have sufficient information now to prove that Motorola have a method, and that it converts production defys to engineering defys (Phones used by Motorola engineers to make ROMs and other stuff)
This is actually better than a simple unlocked boot-loader because eng defys have unlimited applications (because we have direct access to MOBO/CPU) like overclocking gpu, installing other OS like Ubuntu, Debian, WP7 etc. into NAND and a lot more.
So the problem here is that the tools required for ENG switch is only available to Motorola employees. Till now we have no further information on it. The tools are TI OMAP BOARD CONFIGURATION TOOL and a 16MB .bin file. Other significance of this method is that it might also unlock other phones with OMAP(3xxx/xxxx?) board. Also this method seems to be very stable.
So the good news is that this software is available for most Motorola repair centers. That means it would be easier to get a leak. Of course the highly paid Motorola engineers with 6-digit paychecks won't leak it but we should consider low level repair executives (they already leak sbfs and RSDlite).
So my suggestion is we start a bounty thread in XDA to tempt them.
If you have a solution and if you are concerned about anonymity, please PM me.
PS : There are lots of bounty threads in xda.
Hi,
Setting a Bounty would be cool, but is it legal?
Cause it is not like "I pay you a lot of money if you steal this software for me"
the|gamer said:
Hi,
Setting a Bounty would be cool, but is it legal?
Cause it is not like "I pay you a lot of money if you steal this software for me"
Hmm. It depends on which country you are from.
I'm quite on it. Minimum/maximum fee could be set (like US$2 min and 20 bucks max, or anything like this). And someone with access to Motorola's employees (I think the user racca works on a Moto distributor, but I'm not sure of it, I think he mentioned it in some thread a few months ago) could rush and "bribe" them. If people could be a bit more clear about which kind of employees should have access to this software, I could try and convince one of them (you know, people here in Brazil aren't that much into honesty, but are a lot into money) about heading us a leak from TI's software. I'll have to take my phone to MOTOAssist soon ("menu" and "back" keys' backlights are weaker than normal), so I'd have at least an actual reason to talk to an assist technician (assuming they have access to the board configuration tool).
Yet, since I'm no hacker (yet, I'm planning on getting a Nook Color - which community here in XDA seems to provide all you need to start your own ROM - and starting messing around with it) nor coder (know only a little about C programming), I would not try and mess around with TI's software, but only upload it somewhere and give you guys a link for it.
K3n bH1mur4 said:
I'm quite on it. Minimum/maximum fee could be set (like US$2 min and 20 bucks max, or anything like this).
We could even promote it with ads. The best way would be to set up our own website, maybe in Brazil (or with some webhost who would like to host this) where you could bribe your way out and then promote it with ads. There is a remote chance that XDA might not approve a bounty thread here (of illegal implications), but we could publish the website here and all other major forums (Chinese forums as well).
royale1223 said:
We could even promote it with ads. The best way would be to set up our own website, maybe in Brazil (or with some webhost who would like to host this) where you could bribe your way out and then promote it with ads. There is a remote chance that XDA might not approve a bounty thread here (of illegal implications), but we could publish the website here and all other major forums (Chinese forums as well).
Dunno, since it's illegal, it may not be the best option to promote it. Obviously, it's still not immoral, but we all know that morality and law often do not converge, so it may be better to go rogue, talking in private with motoassist technicians and stuff like that, because, even if we're just fighting for our rights, we're still using non-legal ways, and risking to be sued for it.
I don't think promoting a website is illegal. What's illegal is hosting an illegal one.
Promoting a website that promises cash for employees of a corporation who leak internal software used by that corp. might be considered illegal in most places. Fortunately (or not, I'll explain why), we have jurisprudence to embase of: on September 1st, last year, a judge here in Brazil condemned Moto to update a customer's Dext/CLIQ to Android 2.1 (Moto did not provide this update here in Brazil, even though it did in many countries) without voiding the warranty.
I know it's just one case, in just one country, and updating an android version is way different than providing unlocked bootloaders (or the tools for users to do so). And, yes, I agree with placing a bounty at the tool. Yet, if we get caught, Moto can still argue that we had other ways to pursue our rights, and we should have used the justice system to do so, if we believed we were that right. Yet, they're a multimillion-worthy company (even bigger after being purchased by Google), and we're a bunch of broke users, at most devs making a couple thousand dollars, and would have little chance against their lawyers. Last, but not least, employers who help us may get caught and fired because of us, and I sincerely want nobody (ok, maybe a few of the highest executives) to get fired just for me to get an unlocked BL.
So, my point is: let's make this a stealth action. Get a reason for your phone to be taken to Motoassist (no intentional bricking, please! You must flash an official SBF before taking it there! - at least if your phone is still under warranty), get to talk with one of their technicians, and mention - indifferently - that some guys are giving away big money for any Moto employee who leaks that TI OMAP software. Something like this: "hey, did you hear that crazy devs at this dev forum are paying the first moto technician to hand them some sort of software? Something OMAP-related, I don't know for sure. All I know is that the reward is some nice cash."
When the word spread, we could have an unlocked bootloader within a month.
Yet, we got a single issue to deal with: how to ensure the person who gives us the SW first will actually receive the cash? I've seen a few bounties here before, but they were all settled by XDA devs (so the bounty keeper could just donate the sum to that dev), never saw something like paying "outsiders".
One of my friends (Defy+ user) has a contact with a Motorola service guy. He says that that guy knows everything about Motorola software and he's with us because he himself uses custom ROMs and controls an entire service center. He's ready to take my device under warranty though it's rooted along every single hack/MOD for Defy installed
Will try contacting him
And let's post this in the forums of all other locked Motorola devices with OMAP 3xxx chips.
Sent from my MB525 using XDA App
swapnil360 said:
One of my friends (Defy+ user) has a contact with a Motorola service guy. He says that that guy knows everything about Motorola software and he's with us because he himself uses custom ROMs and controls an entire service center. He's ready to take my device under warranty though it's rooted along every single hack/MOD for Defy installed
Will try contacting him
And let's post this in the forums of all other locked Motorola devices with OMAP 3xxx chips.
Sent from my MB525 using XDA App
Talk with this guy. If he has access to a copy of TI's SW, and hands it to us, I'm pretty sure we could get him a nice reward. Not as high as if putting a bounty, but definitely enough to make the effort worth it.
I mean, supposing that this is actually gonna help unlock EVERY OMAP 3 (and possibly all OMAP-based phones) out there, and that this way the process is reversible (at least to me, it looks like no eFuse is being blown there, you know, assistance technicians can't just blow eFuses like that - taking the phone to the assistance under warranty shouldn't void it, and that's what a blown eFuse would do), loads of people would help. Imagine a single dollar from every OMAP 3 XDA user (take a look here for an INCOMPLETE list of OMAP 3 devices with ~30 ANDROID ONLY phones/tablets), that would make a lot of money.
this is good....and I think it will be best to not mention the location, identities, or any hint of similarities of the person source once you guys get contacts & manifests from that guy (source), so as not to compromise his profession.
he could be fired & worse can be sued by leaking private details.
best discuss it in private, after getting in touch w/ him...
just a thought of CAUTION...
hailmary said:
this is good....and I think it will be best to not mention the location, identities, or any hint of similarities of the person source once you guys get contacts & manifests from that guy (source), so as not to compromise his profession.
he could be fired & worse can be sued by leaking private details.
best discuss it in private, after getting in touch w/ him...
just a thought of CAUTION...
Yeah we would ensure him that.
I'll help u out....juzz tell me what to get from moto officials
hemil said:
I'll help u out....juzz tell me what to get from moto officials
do u know motorola mobility service center in mbai?
we only hav private shops with motos certificate...
i dont think they can help...
all they say is we'll send it to factory(?)
Sent from my MB525 using xda premium
@hemil Please pm me.
hemil said:
I'll help u out....juzz tell me what to get from moto officials
Hey buddy... just wait for my call today...
Sent from my MB525 using XDA App
Putting up ads offering money for violating the law may be a bit problematic. No website will be excited to host it. Another issue is that in the end someone will have to actually post it, someone in particular. And that one person will be in danger of being a subject of interest of various law enforcement agencies. You know, at the end of the day they always want someone to put the responsibility on, the culprit, a scapegoat. So you make heat and you put some particular person into it even before there is any result.
I would prefer to focus more on personal face to face private communications with the service guys. It's harder to prove and if something goes wrong (the guy records it etc.) our guy can always say he was just kidding, bullshitting, bigmouthing.
Anyway, if you are thinking about this seriously, here are few remarks.
don't offer the particular sum, it's not tactical; not even here should be mentioned any particular number; instead, let the service guy ask his price
if the first contact with a potential source is established, ask first for a proof; specify what the proof is supposed to be (a screenshot? a video recording of the software in action?)
figure out a way how to actually collect the money; people are willing to donate but they will not donate to anyone, only to someone trustworthy (but Epsylon will surely want to have nothing to do with everything even remotely questionable, let alone illegal); the "collector" will be under the lights, he may get attention of people we don't want to deal with
who actually will be allowed to donate? anyone? how to avoid an agent to donate and then simply track where the money is going?
figure out a way how to actually make a safe and smooth deal (money <-> software); will it be in person or electronically? how to verify we are given what we paid for? classical problem: no one of both parties is willing to make his move first, but we can't give away the money for a software we would start verifying not until the money is gone
figure out how to avoid being robbed (fake offers from people who would want to grab the money and run away) as well as being caught (fake offers from the dummy guy - LE agent); in both cases the correct proof might be given, though, but the intentions are wrong
For the particular mechanics of the exchange in person, one of numerous possible ways may go like this:
our guy comes with an intentionally bricked Defy repairable only with the software in question together with the ordinary USB cable (or without, if special USB cable is needed; in that case the cable must be part of the deal), and with an empty flash drive recognizable at the first sight; no money on him
our guy passes the flash drive and the Defy (and the USB cable, if no special cable is needed) to the "source" and watches closely
the source copies the software onto the flash drive, runs the software from the flash drive, connects the Defy via the cable provided and actually unbricks the phone (this must be more elaborated on; what if the software uses some libraries from the windows directories etc. which are not copied onto the flash drive? he may or may not have the installer, but just copying the installer isn't enough, he would have to copy the installer on the flash drive, then run the installer from it and install it back onto the flash drive and run it from there)
our guy gets the phone (and the cable) back, the source unplugs the flash drive and keeps it for now, our guy watches the flash drive is not connected to anything from now on
now the software is copied onto the flash drive and verified it's working, thus ordinary hand-to-hand exchange may proceed; our guy didn't bring the money to avoid being robbed, they both now may go grab the money or our guy may call his buddy with the money etc. (also needs to be heavily elaborated on)
Sensitive parts must be detailed in-depth, I am just indicating the outline, one of many possible. Still it's very far from perfect.
As you can see it's not that easy and there are many potential points of failure so this action may never really come to the practical realization.
What about a little bit different or alternative ways? Are there any? It would be useful to ask Epsylon what he would actually wish for the most - had he been able to wish for anything.
isn't it illegal to post copyrighted stuff and also its against forum rules..
i mean that if someone gets his hand on that super tool, then how can he shares it with us???
rishi2100 said:
> isn't it illegal to post copyrighted stuff and also its against forum rules..
> i mean that if someone gets his hand on that super tool, then how can he shares it with us???
huh !! think about moto when they actually ditch us with promises ? what's wrong if what we are screaming for last 1 year . and didn't get any updates ? huh think about that before u speak about illegal stuffs . if moto is doing all sorts of ways to keep us away from our rights . what we do undercover to get us right can no way be questioned when we have told thousands of times that we need updates .
moreover the authority can question us only and only when they are themselves self guilt free .... but instead they are pretending to be saint sitting behind the curtains and doing all sorts of locking stuff to deprive us of our rights
@jhonsmithx Let's not get ahead of ourselves. First of all lets concentrate on getting the source. Also I urge users to use a bit of social engineering to do that(using fb/g ). We'll put together a plan according to the situation after that. Also note that this is a pretty long shot. We might not get a source after all.
rishi2100 said:
> isn't it illegal to post copyrighted stuff and also its against forum rules..
> i mean that if someone gets his hand on that super tool, then how can he shares it with us???
I could think of at least 10 ways to share anonymously. Though I won't be posting them here.

[APP] Cerberus Hits 100,000 Users, Offers Free Lifetime Licenses For A Few Days!

A very Powerful Anti-Theft App
The app is always free to download and comes with a 1 week free trial, but a lifetime license is normally $4. I say normally because, as you have likely deduced from the title, the developer is offering free lifetime licenses in celebration of hitting 100,000 users.
To get the license, just download the app and register an account (it requires a username, password, and email address - nothing tricky), then fill out the form and hit Submit. The developers will take care of the rest. The promotion ends with the month (by GMT standards), so better move fast - you only have a few days left!
App: http://goo.gl/12Oye
Website: http://goo.gl/I58Ke
Source: Android Police
I've just reinstalled this. I tried it out back in the early days but was never too impressed. It has come a long way since then though.
The only issue I have with apps like this, including Lookout, is how much information is available to it. Not only does it require permissions to just about everything but if you wanted to (and have root), you can also grant it root access.
You place a lot of trust in the developers of apps like this that your information won't get misused in any way.
Only 2 more days until its over! Fill out the form now!
hey I filled out the form but didn't get anything in my email do I have to wait more or what?
Do you need to wait for a license to be activated? Filled out the form and haven't received an e-mail and the license status hasn't changed.
Really glad I saw this thread. Was looking for a good security app and I am really impressed by how well cerberus can control your phone.
Edit: sorry I need to slow down a bit. From the website:
> All licenses will be activated on March 1.
It says licenses will be activated March 1st. Read it before you post.
Sent from my PC36100 using XDA App
qccoles said:
> It says licenses will be activated March 1st. Read it before you post.
> Sent from my PC36100 using XDA App
Lol!
Posted with SwiftKeyX on my CM9 Motorola Photon!
I hopped on this. Was looking for a good standalone app that provided web based methods of access. Thanks. I shared this post on my facebook profile as well to get the word out. I know a couple of co-workers that could have used this including one who did actually lose their phone.
The browser interface is pretty awesome. Couldn't believe how accurate this app is. I'm glad that I finally decided to get on this at the right time!
Just curious if there were any other apps that offered the SMS control that this app does. It's probably the defining feature, since no data = no way to reach your phone. The SMS idea is honestly amazing.
However, I'm curious to see the battery hit (since I would assume it's constantly active). Battery's the main reason why I leave something like webkey off by default...
2hvy4grvty said:
> Just curious if there were any other apps that offered the SMS control that this app does. It's probably the defining feature, since no data = no way to reach your phone. The SMS idea is honestly amazing.
> However, I'm curious to see the battery hit (since I would assume it's constantly active). Battery's the main reason why I leave something like webkey off by default...
the developer claims there is no battery drain until you activate the app via web commands or sms commands, it's no different than any dormant app on your device. since Cerberus isn't broadcasting anything or doing anything until you tell it to, it's logical that there is no impact on CPU or battery.
i've been using it for a few days now and i can't say my battery drains any faster than usual.
as for another "find my device" app that takes sms commands, avast! mobile security does. i use it regularly for the lost device protection and firewall capabilities. if you don't have google voice, avast will also take care of blocking calls and sms for you too. i have only recently switched to Cerberus because of the free life time service and web interface, avast does not offer a web interface for finding your lost device yet. also, avast will run constantly, due to its more robust nature. you can install the theft aware portion of avast! and discard the main app though, putting it on par with Cerberus' offering.
really really thanks, I was just looking for something like this!
My free trial ended about 2 months ago and since I am 14 and parents don't trust a 14 year old with a credit card. I couldn't get the life time license but this might be my chance.
Thanks for this awesome offer. Really powerful app. Hope I don't have to use it...
Love this app! I had been using Mobile Defense beta for quite some time as it had a great web UI with options. But this has a lot more options. Personally, it didn't pinpoint my location as great, but that could just be my device (rooted Thunderbolt). Still, it was close and I'm sure with some extra work I'd be able to find my device if it were ever lost.
I like the extra options for rooted users. Mobile Defense had this. The ability to embed it in the ROM is very helpful.
This is feature rich and even without free license offer, I still purchased this because I appreciate all the work that the dev put into this! For that 14yo kid on here, you need to tell your parents to purchase this for you. Any smartphone nowadays is worth $$. My kids have lost phones before and for $4, it's better insurance than having to buy a new phone! So tell your parents this..."buy me the $4 app and keep my phone, that you bought, safe...or pay full/partial price if it gets lost or stolen." To me, as a parent who buys his kids' phones, this is a no-brainer. Not to mention the fact that as a worried parent, I can login and creep my kids' phones to see where they are. Yeah, I do that. Don't judge. When you have teenagers some day, you'll understand.
As far as gripes, the only one I have is that a better How-to/Help section could be way better. I like the Q/A type, but it's short on useful information such as exactly how to use the wipe features. Yes, these are no-brainers, but do I get a chance to cancel if I accidentally hit it? What's the process? Is it like the government nuke big red button? Once you hit, you can't undo? Maybe a better tutorial would be better. Also, exactly how do you use the SMS feature? I found a number embedded in the menu within the app, but the Help section on the website just mentions SMS commands. If I never looked at that number, how would I know how to use this function?
When you write how-to sections, you have to write it from the perspective that you're explaining to someone who has NO IDEA how to use this. If you know the app inside and out, and then create a how-to section, most likely you're going to leave a lot of information out.
Keep up the great work!!

[conspiracy theory] the government can tap phones even when on stand by....

Few days ago I was involved in a conversation where couple of people were sure that the government can tap our phones even when not in conversation but when they are actually in stand by on the table.
I tried to argue that when in stand by, android for example has very minimal processes going on, just enough to keep the time and realize when the power button is pressed or send notification.
The counter-argument was that there might be backdoors in the ROM for example which enables the authorities to get sound from the mic directly without the need of the OS as an interface.
I don't see how this can be done, but you as developers might want to provide some solid, technical arguments which would settle the discussion once and for all
I guess if you're really that worried about it, there's always airplane mode.
Sent from my HTC PH39100 using xda premium
Worried about monitoring using a google/facebook/twitter device?
Pull some foil off your hat, and wrap it around the phone. Problem solved.
Just do what Eric says "Do no Evil" and who cares if the gummint is watching you!
I'm not worried at all as should be obvious if you actually read my post :>
Fking1 said:
> I don't see how this can be done, but you as developers might want to provide some solid, technical arguments which would settle the discussion once and for all
Well, I'm no developer but if you are going to lurk deeper on backdoors, you'll soon find out that bigger corporations than Google have implemented backdoors in their systems.
Still, this doesn't tell you how it's done, but proves that it has been done and afaics it is no problem to do it again.
If I remember correctly some time ago Indian government tried to force BlackBerry to backdoor their devices for Indian market.
So judge it for yourself, but don't think that this is some Atlantis conspiracy but is actually happening all over the place..
B33zal said:
> Well, I'm no developer but if you are going to lurk deeper on backdoors, you'll soon find out that bigger corporations than Google have implemented backdoors in their systems.
Care to elaborate?
Also it will be enough if someone says why it's impossible to pull audio from the mic when the phone is on standby
In all actuality if the gumment wanted to monitor you they already are....
Fking1 said:
> Care to elaborate?
> Also it will be enough if someone says why it's impossible to pull audio from the mic when the phone is on standby
It's not impossible. Don't brick your head with such things. And why is that question anyway? Are you afraid that you can get caught?
If you are not doing anything against the law, after a while they would not even listen to you
chaki- said:
> It's not impossible. Don't brick your head with such things. And why is that question anyway? Are you afraid that you can get caught?
> If you are not doing anything against the law, after a while they would not even listen to you
well to be honest, i'm big time criminal in my country, so the answer to that question is critical to me :>
Fking1 said:
> I tried to argue that when in stand by, android for example has very minimal processes going on, just enough to keep the time and realize when the power button is pressed or send notification.
Just because a listening device is not always on doesn't mean it doesn't exist. A single push notification can activate a hidden app or feature, should a government have installed it.
Indeed, there are "lost phone" apps on the market that let you do similar things (though I'm not sure about listening in per se, more like gps, alarm sound, take photos).
so, it's technically possible?
Fking1 said:
> so, it's technically possible?
It is possible and google patented an ad technique that involved using the microphone to listen for background noises and words to produce better more personalised ad results but haven't implemented it yet.
Also you can remotely activate phone features as well as push data to a phone so yes it could be done but they would need at least an app installed on your phone to do so.
So unless you allow someone to install hidden apps on your phone there's no chance of it.
Dave
( http://www.google.com/producer/editions/CAownKXmAQ/bigfatuniverse )
Sent from my LG P920 using Tapatalk 2
Interesting.
What if the government forces Google, Apple and Rim to leave such backdoors accessible by them?
Android is open source but the kernel is not as far as i know?
Fking1 said:
> Interesting.
> What if the government forces Google, Apple and Rim to leave such backdoors accessible by them?
> Android is open source but the kernel is not as far as i know?
even if that's the case: just flash your own kernel like we all do.
i don't think there's something in android, because it's open source. someone would see that..
and the kernel problem is solved when you flash another one i guess
but those normal ppl out there.. the weird ones who doesn't flash their devices, they are ****ed then. xP
but are the kernels we flash open source? I guess even with custom ROM you use the default google kernel, since if it hasn't been open source in the first place, i don't think anyone has written it from scratch.
The more important question is, can something like this be hidden in the kernel, or it needs to run in the OS as normal, but hidden app?
Fking1 said:
> Care to elaborate?
NSAKEY. I'd post links but I can't.
B33zal said:
> NSAKEY. I'd post links but I can't.
NSAKEY?
post them stripped or PM me
Is it possible? Yes is it likely? No. At least in the US they would need to prove you were a threat to national security to get a judge to sign off on it.
The android kernel is open source completely.
As an example there is a root binary that grants root access without user prompt or notification of any kind. So while it can be done I would not worry about it much.
FEMA chip anyone?
Sent for a corner cell in Arkham
dmhdogpro said:
> In all actuality if the gumment wanted to monitor you they already are....
Bingo
I do not worry about my Government, if they want me they will come and get me (and I won't be able to stop them)
It is my fellow citizens who scare me the most.
B33zal said:
> Well, I'm no developer but if you are going to lurk deeper on backdoors, you'll soon find out that bigger corporations than Google have implemented backdoors in their systems.
That is true and some EULAs even suggest that there is no privacy on the data committed to the systems. Simple software we use daily (especially in the MS Windows world) is gathering info about what data you search, what you download, what kinda documents you type, etc. Even cloud storage services have a EULA that guarantees you no privacy (Box, Dropbox, Google drive, etc)
As for Android, I highly doubt the problem lies in the operating system, since it is open source and anyone can take a look at it.
Now if you want a conspiracy theory, then read on...
Have you guys noticed how many of the browsers in Play Store are from Chinese developers? Especially Dolphin, which many of you adore. Who can tell it isn't secretly sending your browsing habits to the Chinese government? How many people have been sniffing traffic to/from Dolphin (using tcpdump, for instance) to make sure it isn't doing other things?
Chrome (and Chromium) is another example: most people simply have to access their google accounts from these browsers. These browsers effectively send private user data to google. The question here is: how is google making use of such data and who is it sharing it with (for a profit or not)???
It's almost a paradox that in the information age we are more and more willing to have privacy but we have never shared so much of our personal lives with so many as we do now. Take, for instance, Facebook, Google+, Twitter,
I could go on and on... but I gotta do some wifi sniffing right now and some wardriving later.

Xposed/Xprivacy conflict (bug/security leak) with a popular game.

OK guys I'm new here (kinda) , I searched the forum, read etc and haven't come across any of the above mentioned issue.
Now my reason for not naming the above game is because I do not want other users to go doing anything they shouldn't.
I'm not sure if this is really really serious or its just a feature I didn't read in the App (xposed/xprivacy). Anyways I'll get to the point!
I recently found out I can access another users account (on a popular game) when xposed is installed and activated.
I tried it two times and it actually works (I didn't do anything to the account but I was curious).
Now my question is, could this be a bug in the game or something? I'm thinking this could be a real big issue if gotten in the wrong hands.
I will report it to the devs of the game but I want to know first etc.
Sent from my SGH-T999V using XDA Premium 4 mobile app
Best thing to do is follow industry standard and practice responsible disclosure. Generally a secure, private message notifying your discovery to the developers that have made the potential mistake is the first step to take.
If they don't respond kindly and promptly explaining how they're working to resolve the issue, then it would be best to inform them that you're going to be responsible in informing the app's distributors (play store?) to have them figure out if it's a serious problem enough to disable distribution until the bug is fixed.
If after that you've still not seen any honest progress in mitigating the vulnerability, call the press, those vultures love rotting flesh for the front page.
What is Responsible Disclosure? http://forum.xda-developers.com/showthread.php?t=2338337
Thanks dude! Will do as u suggested, however I posted in their forum asking them to contact me as I'm on my phone n isn't close to a pc n it's really hard to navigate their website on the phone.
Sent from my SGH-T999V using XDA Premium 4 mobile app
Understandable. If you can, see if their team has a direct contact anywhere on their site when you have a desktop to work with. Play Store usually has a contact link for app developers too. I'd like to think most software teams are at least responsible enough for reputation's sake and will give their due diligence depending on severity, but I've not a clue. Someone brings me a tip like this and I'd be all ears, but some of the projects I work with deal with a bit more sensitive data (unless this app you're talking about had in-app billing, which would make this much more serious. Legal implications for improper handling of consumer financial data can be quite serious unless you're on Wall Street.)
Well, it DOES have in-app purchase! I went ahead and checked out again, I realise it can (continually) access only one set account based on XPrivacy's "global fake account" settings, when I go manual and change uses random settings, it does not access that said account, from further test I realise accessing another players account has to do with the email address, because when I unchecked the other features it does not work (it takes me to a new game instead) I'm not sure how the devs of XPrivacy provide or create the "global fake account" but it has something to do with accessing the app, if someone is really determined n decides to modify/rewrite XPrivacy I believe it can be used to access anyone's account based on If u know who actually plays that game, easiest way is to just go on play store see who comment and find some way to get their email address!
Edit: I also emailed them with pictures of the users account and how I accessed it, I didn't mention XPrivacy as I was uncertain if I should. Do u think I should?
Btw I still don't get any reply and that was from about 12 hours ago.
Sent from my SGH-T999V using XDA Premium 4 mobile app
wow
geminixx said:
> Well, it DOES have in-app purchase! I went ahead and checked out again, I realise it can (continually) access only one set account based on XPrivacy's "global fake account" settings, when I go manual and change uses random settings, it does not access that said account, from further test I realise accessing another players account has to do with the email address, because when I unchecked the other features it does not work (it takes me to a new game instead) I'm not sure how the devs of XPrivacy provide or create the "global fake account" but it has something to do with accessing the app, if someone is really determined n decides to modify/rewrite XPrivacy I believe it can be used to access anyone's account based on If u know who actually plays that game, easiest way is to just go on play store see who comment and find some way to get their email address!
> Edit: I also emailed them with pictures of the users account and how I accessed it, I didn't mention XPrivacy as I was uncertain if I should. Do u think I should?
> Btw I still don't get any reply and that was from about 12 hours ago.
> Sent from my SGH-T999V using XDA Premium 4 mobile app
Awesome, it's great to see that there is always someone to test those boundaries, as it's people like myself that always take it for granted that, when someone says a game is safe we take it as "Gospel" so to speak, that it actually is. I found this thread a genuinely interesting read and I learned that not everything is as plain as the nose on my face...thanks guys!
geminixx said:
> Well, it DOES have in-app purchase! I went ahead and checked out again, I realise it can (continually) access only one set account based on XPrivacy's "global fake account" settings, when I go manual and change uses random settings, it does not access that said account, from further test I realise accessing another players account has to do with the email address, because when I unchecked the other features it does not work (it takes me to a new game instead) I'm not sure how the devs of XPrivacy provide or create the "global fake account" but it has something to do with accessing the app, if someone is really determined n decides to modify/rewrite XPrivacy I believe it can be used to access anyone's account based on If u know who actually plays that game, easiest way is to just go on play store see who comment and find some way to get their email address!
> Edit: I also emailed them with pictures of the users account and how I accessed it, I didn't mention XPrivacy as I was uncertain if I should. Do u think I should?
> Btw I still don't get any reply and that was from about 12 hours ago.
> Sent from my SGH-T999V using XDA Premium 4 mobile app
XPrivacy forces your 'phone' to report bunk settings, which XPrivacy also allows you to manually set. So if this is a vulnerability in this particular app, where the app developers are relying on what they previously thought was solid and unmanipulable data from the users' phone.... then there's certainly potential for abuse, and potential for this vulnerability to be fairly widespread. It seems like an honest mistake on the part of the game developers, because in most situations the data that XPrivacy allows to be manipulated is static and unique per phone/user. You very well may have opened up Pandora's box... Authentication to an app with purchasing power shouldn't rely solely on supposedly static strings within the Android system...
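The weakness described in the post above, a server that authenticates on an account string reported by the device, shown next to a server-verified alternative. This is an added example, not part of the original thread and not the game's or XPrivacy's code; the account data, the function names and the HMAC session-token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two player accounts keyed by e-mail address.
ACCOUNTS = {
    "alice@example.com": {"player_id": 1, "coins": 500},
    "bob@example.com": {"player_id": 2, "coins": 20},
}

# Secret held only by the game server (hypothetical; generated per run here).
SERVER_KEY = secrets.token_bytes(32)


def _mac(payload):
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(SERVER_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def login_by_reported_email(reported_email):
    """Weak pattern: trust whatever account e-mail the client reports.

    The value comes from the device, and a hooking framework can make the
    app report any address, so this is identification, not authentication.
    """
    return ACCOUNTS.get(reported_email)


def issue_session_token(email):
    """Issue a token once the server itself has verified account ownership.

    How ownership is verified (password, verified sign-in flow) is assumed
    and out of scope; expiry and revocation are omitted to keep this short.
    """
    if email not in ACCOUNTS:
        raise KeyError(email)
    payload = f"{email}|{secrets.token_hex(16)}"
    return f"{payload}|{_mac(payload)}"


def login_with_token(reported_email, token):
    """Hardened pattern: the reported e-mail is only a hint.

    The account is returned only when the token carries a valid server MAC
    and the e-mail bound into the token matches the one being requested.
    """
    if not isinstance(token, str):
        return None
    parts = token.rsplit("|", 2)
    if len(parts) != 3:
        return None
    email, nonce, tag = parts
    expected = _mac(f"{email}|{nonce}")
    # Constant-time comparison of the presented and recomputed MAC.
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return None
    if email != reported_email:
        return None
    return ACCOUNTS.get(email)


if __name__ == "__main__":
    # Bob's device reports Alice's address (as a spoofed account value would).
    print("weak check:", login_by_reported_email("alice@example.com"))
    bob_token = issue_session_token("bob@example.com")
    print("hardened, spoofed e-mail:", login_with_token("alice@example.com", bob_token))
    print("hardened, own account:", login_with_token("bob@example.com", bob_token))
```
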
Well either they don't take it seriously or they don't reach to my mail as yet cuz nobody replied to my email or my forum post, I'm thinking it's cuz I leave out the app I used to get the access, I dunno what else to do so imo just leave it... Or maybe email them one more time...
Sent from my SGH-T999V using XDA Premium 4 mobile app
Thanks flower! Always willing to help out! I do enjoy bug testing! Lol its my fave pass time!
Sent from my SGH-T999V using XDA Premium 4 mobile app
geminixx said:
> Thanks dude! Will do as u suggested, however I posted in their forum asking them to contact me as I'm on my phone n isn't close to a pc n it's really hard to navigate their website on the phone.
> Sent from my SGH-T999V using XDA Premium 4 mobile app
You are possibly violating CFAA (a felony) by continuing to access data on their servers. I would stop accessing their services/using the app, and alert them. If you have issues contacting them, I can act as an intermediary, most companies will respond to me.
jcase said:
> You are possibly violating CFAA (a felony) by continuing to access data on their servers. I would stop accessing their services/using the app, and alert them. If you have issues contacting them, I can act as an intermediary, most companies will respond to me.
They contact me on their forum, and what would they charge me for? I didn't do it deliberately. And I wouldn't give u any information cuz I don't know u anyways.
Sent from my SGH-T999V using XDA Premium 4 mobile app
geminixx said:
> They contact me on their forum, and what would they charge me for? I didn't give u any information didn't do it deliberately. And I would cuz I don't know u anyways.
> Sent from my SGH-T999V using XDA Premium 4 mobile app

> I recently found out I can access another users account (on a popular game) when xposed is installed and activated.
> I tried it two times and it actually works (I didn't do anything to the account but I was curious).

> intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer

Source: http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
jcase said:
> Source: http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
Thank u for your info mate but if you realise I POSTED ABOUT IT OUT OF CONCERN! I tested to see if it was INDEED what I suspected! If ur a Dev (I'm not but I know because I do a lot of beta testing) I'm sure u would know A LOT of people report false positives.
And HOW would I be able to explain in details as to how I was able to access it if it was done by mistake in the first place? That's what ur normally asked to do isn't it? Hmmmm
So me checking to make sure it wasn't isn't any violation as u call it. I'm not abusing anything...
Sent from my SGH-T999V using XDA Premium 4 mobile app
geminixx said:
> Thank u for your info mate but if you realise I POSTED ABOUT IT OUT OF CONCERN! I tested to see if it was INDEED what I suspected! If ur a Dev (I'm not but I know because I do a lot of beta testing) I'm sure u would know A LOT of people report false positives.
> And HOW would I be able to explain in details as to how I was able to access it if it was done by mistake in the first place? That's what ur normally asked to do isn't it? Hmmmm
> So me checking to make sure it wasn't isn't any violation as u call it. I'm not abusing anything...
> Sent from my SGH-T999V using XDA Premium 4 mobile app
Yes I am a developer, working in the mobile security field (hence being a moderator of this forum). Yes, it was a violation of CFAA. If the company wants to be vindictive, they certainly could get you charged for it (unlikely). Your post was (and is) fully welcome here, and exactly what we want to see. You possibly stepped too far the first time you accessed it, you certainly stepped too far the second time. If you do this or not, I personally don't care, I was merely offering you (accurate) advice.
K
Sent from my SGH-T999V using XDA Premium 4 mobile app
