Related
I don't know if this is just an advertising scheme of AVG Mobile Solutions through their Facebook page, but when the banning of banking connections (PayPal, online banking, etc.) on rooted devices is pushed through, DAMN IT WE'RE REALLY F*****!
Read more on AVG Blogs HERE
Definitively a marketing scheme... for the clueless...
"Google is blocking access to some services on rooted devices."
Well.. they did get that spot on..
narflynn619 said:
I don't know if this is just an advertising scheme of AVG Mobile Solutions through their Facebook page, but when the banning of banking connections (PayPal, online banking, etc.) on rooted devices is pushed through, DAMN IT WE'RE REALLY F*****!
Read more on AVG Blogs HERE
Click to expand...
Click to collapse
Don't worry, there is no way for a website to detect if you are rooted or not. There's also no reason for financial companies to do that - they would piss off users for zero gain in security.
Rooted devices are currently unsupported by Google due to requirements related to copyright protection.
Click to expand...
Click to collapse
Uh, what? Google has *only* shipped devices with root capability so far, what is this "unsupported" crap?
kllrnohj said:
Don't worry, there is no way for a website to detect if you are rooted or not. There's also no reason for financial companies to do that - they would piss off users for zero gain in security.
Uh, what? Google has *only* shipped devices with root capability so far, what is this "unsupported" crap?
Click to expand...
Click to collapse
I'm sure they're referring to video rentals from the new market being blocked for people on rooted devices.
Well the security increases a litle on non-rooted devices. Or so they claim.
On a rooted device you tend to screw around a litle more and install some infected software that might steal more info then what you know.
They so call wanna protect you against that by not allowing rooted devices.
But as the past already showed us you can aswell get infected apps from market if it passes google filters.
So this is just marketing for AVG. Besides i think AVG is more insane then a virus uninstalling it from your device is not always working perfect.
Also it would become possible to detect if a phone is rooted or not. If google adds a tag when you are using a rooted phone and allows android to send that tag to sites/apps and those sites/apps read those tags and according to them give access or not well then we are screwed.
I don't think they will push it that far thought with the block rooted access.
They just did it now in an attempt to block pirating of their new movie service.
I also remember Google saying once in an article that rooting isn't forbidden and they won't block it as it is just a way to tweak your phone.
It just voids your warranty
its always somethin isnt it..
Sorry if I sound dumb, but what exactly have Google blocked on rooted devices aside from video rentals?
Atomix86 said:
Sorry if I sound dumb, but what exactly have Google blocked on rooted devices aside from video rentals?
Click to expand...
Click to collapse
Well except the movies they havn't blocked rooted phones from anything else yet
For now i don't mind the block that much since i don't plan to view movies on my phone but i understand allot of other users that are pissed at this.
I mean my phone also has to Voodoo sound control app installed so yeah it needs root for that.
Things like this remind me of the phrase I say that "a phone is only as good as it is unrooted" in case one day our rooted phones are cut off from the world.
I am not, but if I had to guess I'd say: If Google decides to block more/too many services on rooted phones we are going to see an "root cloaking app" or something like that, pretending the phone was not rooted while it is.
On Topic, as a computer science student with focus on security: Yes, rooted phones are more vulnerable, because malicous apps could gain root from a stupid user or a dumb user install warez/cracks/stolen stuff with virii in them. Thinking about prices for most apps it's such a users own fault if his data is in trouble.
A bigger problem are the actual security holes in the system. I know from my old iPhone that those are the biggest problem. Especially if those can be triggered from a website, like the pdf or tiff exploit (the later still present on iPhone 3G as firmware is no longer updated).
Oh, on that note, I have a nice topic, but I think I should start a new one instead...
kllrnohj said:
Don't worry, there is no way for a website to detect if you are rooted or not. There's also no reason for financial companies to do that - they would piss off users for zero gain in security.
Uh, what? Google has *only* shipped devices with root capability so far, what is this "unsupported" crap?
Click to expand...
Click to collapse
Not really. From what I understand, to gain root in a device, you have to find a way to exploit it. There is no bonafide root access from Google. The Evo 4G, for example, the exploit was found in the Flash Lite app.
http://forum.xda-developers.com/showpost.php?p=15664846&postcount=3
im rooted
Root is nothing more than admin privileges. Look at your desk top is it "rooted" and do you think they will deny your money from and an admin account on your desktop? Take a deep breath and calm down.
root or not, security problem always occur
I don't know
JDenson77 said:
Root is nothing more than admin privileges. Look at your desk top is it "rooted" and do you think they will deny your money from and an admin account on your desktop? Take a deep breath and calm down.
Click to expand...
Click to collapse
i am rooted too.. and it's for the same reason i wouldn't like using a computer as a pathetic "user"..
Those 'Security Experts' are government agents that don't know sh#t about high tech rooted devices!
Better Security
I am running the MIUI ROM and I think the security features are much better than the non rooted ROM. It actually asked me if I wanted the XBMC app to intercept SMS's.
I don't know how many of you pay attention to security issues but I thought I would post a link to this Threatpost article.
http://threatpost.com/en_us/blogs/staggering-increase-android-malware-variants-trojan-apps-051612
It behooves one to pay attention to what you are installing and what permissions apps are requesting. I just ditched Evernote due to increased permissions, even though it is from what one might call a trusted source.
Edit: I have not finished perusing the F-Secure Mobile Threat Report, but so far it is a good read.
I've never once had a problem with any kind of malware or virus on my phone. Then again I'm careful and use common sense. Which goes a long way
Sent from my SGH-I777 using xda premium
Phalanx7621 said:
I've never once had a problem with any kind of malware or virus on my phone. Then again I'm careful and use common sense. Which goes a long way
Click to expand...
Click to collapse
Common sense does go a long way. With some of the posts I've seen on XDA, there seems to be a lack of that not-so-common attribute. Flashing without thinking, sideloading apps from unknown sources, etc.
Google appears to be reacting (albeit slowly) with Bouncer, trying to police Market/Play. I'm not sure if Amazon is doing anything similar for their app store. The big picture still looks rather grim. Will we be looking at large scale botnets this year? Hopefully not. The idea of Android botnets makes me a bit ill.
Unless malware can show up on the store, I don't see the issue here. It's a risk we've all known about since the day Android came out.
alpha-niner64 said:
Unless malware can show up on the store, I don't see the issue here. It's a risk we've all known about since the day Android came out.
Click to expand...
Click to collapse
Malware has shown up on the store. The issue is that Android is increasing its market share by leaps and bounds, black hats are writing more sophisticated malware, and more people are hacking their devices without a clue as to what they are doing. If you read the F-Secure Mobile Threat Report (linked in Threatpost), the number of detected malware APK's has grown tenfold over the last year.
Golly gosh.
Sent from my GT-I9100 using XDA
Phalanx7621 said:
I've never once had a problem with any kind of malware or virus on my phone. Then again I'm careful and use common sense. Which goes a long way
Sent from my SGH-I777 using xda premium
Click to expand...
Click to collapse
Exactly the same here
Windows has had malware threats for well over a decade and as it matured the OS was patched to deal with it. Android is more secure than Windows is, you not only have to download a malicious app you also have to install it before anything bad can happen.
Google will hopefully implement a more effective way of preventing malware from entering the Play Store but this may have the side effect of false positives on certain rooting/tweaking apps.
As pc are being replaced by tablets, its a juicy business for anti virus companies.
So i wouldn't trust any report from av companies...
It's usually pretty vague. Which app on android market?
As you get virus when you install warez games on pc, the same goes for android if you manually install an apk out of android market. Nothing new.
rchtk said:
As pc are being replaced by tablets, its a juicy business for anti virus companies.
So i wouldn't trust any report from av companies...
It's usually pretty vague. Which app on android market?
As you get virus when you install warez games on pc, the same goes for android if you manually install an apk out of android market. Nothing new.
Click to expand...
Click to collapse
I think you guys are missing the OP's point. You dont have to manually install an .apk.
A fake company called "MYOURNET" (touche for the name, rather ironic now) took a bunch of real apps from the market, injected them with malware and resubmitted them back onto the marketplace. The new malware could root your phone, steal your data, and keep a backdoor open for more goodies. Crazy ****.
http://androidcommunity.com/android-virus-served-up-by-user-myournet-20110302/
I admi i didn't open the pdf (pdf is now the number one virus vector ;-) but as far as i see it didn't mention reinjection in the market. Well.. pay attention to permissions..
Nothing else to do.
How to define a virus? That is the question..
Only install trusted editor from the market. Only install applications which provide ttheir source code and read it..
Easy answer for malware pike: piracy, period
This writer seems to think so.
http://www.theverge.com/2012/2/16/2801916/home-baked-roms-its-going-to-blow-up-sometime-soon
Actually he makes some valid points (and I use a Custom ROM myself).
Absolutely ZERO disrespect intended to the ROM developers here --- we should appreciate their very hard work and opening our devices up to so many other options and enhancing performance.
But after reading this article, what do people think about the safety of ROM flashing .... not in terms of bricking the device (we all know the risks), but in terms of:
A) Unintentionally opening the device up to exploits due to poor coding etc
B) A rogue developer intentionally exploiting to capture data for profit
Are you comfortable doing bank transactions on a rooted android device w/ custom ROM?
Interesting question
I have never even thought about what I do and don't do on my custom devices.
Forget the internet banking etc, there's also the entire gamit of email, social sites, work email etc etc
Just as well I trust you all!
This is definitely a concern......
Here in Korea though, the banking apps do not allow you to use them with a rooted device.....So each time, I have to unroot my device in order to do banking.
I do not know, however, if once I root again it would give the developer or hackers access to that data......
Something to think about as well though!
I realized: I never looked for an app that investigates security issues on a smart phone.
perhaps someone with knowledge in this field can give a few hints to usefull apps?
and yes, "I am with stupid too"
Motorola Defy+ with Quarx's CM9 nightlies and most of the time I still have no clue to what I am doing precisly.
But on the bright side: I do not use my phone for banking, there's nothing to "bank around"
Hmmm -- I had never considered that banks would block it -- have not tried yet. You make a good point about what remains on the device later -- at a minimum clearing browser history is a good idea -- but even that could be circumvented with a devious enough approach.
[email protected] said:
This is definitely a concern......
Here in Korea though, the banking apps do not allow you to use them with a rooted device.....So each time, I have to unroot my device in order to do banking.
I do not know, however, if once I root again it would give the developer or hackers access to that data......
Something to think about as well though!
Click to expand...
Click to collapse
I agree. From what I have seen most of the "advanced" posters here dismiss antivirus packages as a waste of time and money and they could well be right. Still I have not been able to find any real discussions on the risks the article I posted raised. It would be great if some of the more "expert" members here could offer their views.
I am loving my rooted G-Note with custom ROM ---- but I do not really have confidence in Android and its various hacks yet. Unfortunately the alternatives are rather poor.
gentle_giant said:
I realized: I never looked for an app that investigates security issues on a smart phone.
perhaps someone with knowledge in this field can give a few hints to usefull apps?
and yes, "I am with stupid too"
Motorola Defy+ with Quarx's CM9 nightlies and most of the time I still have no clue to what I am doing precisly.
But on the bright side: I do not use my phone for banking, there's nothing to "bank around"
Click to expand...
Click to collapse
I would say I agree and disagree with the article.
For me personally, when I decide to get all flash happy with my Android devices, I tend to not put any information regarding banking or credit cards. Logically, at least to me, the concerns sited in this article do occur to me. Then again, to be honest I do not put any of this information on my non jail broken company secured and encrypted I phone either. Call me paranoid.
Where I disagree with the article is in the insinuation that using a stock ROM with apps downloaded from let's say th he iTunes store is really much more secure. If a baked ROM can be pulling information behind your back, and somehow bypass security measures written into a banking app, why could not a fart app some momo downloads to be the life of the party do the same?
Flyer
I have been thinking about this ever since I've rooted my phone and flashed the first custom rom...
-and I still don't have a real answer.
Thats why I prefer stock ROM
finally its your (user) wish, weather to use custom rom or stock rom.
none of the developers are forcing to use their custom rom.
rom development is hobby,passion, and part-time for some of developers.
my few words.pls correct me if I'm wrong
Ever heard of pdroid? Droidwall?
reversegear said:
finally its your (user) wish, weather to use custom rom or stock rom.
none of the developers are forcing to use their custom rom.
rom development is hobby,passion, and part-time for some of developers.
my few words.pls correct me if I'm wrong
Click to expand...
Click to collapse
You are not wrong, but you are definitely off topic.
This is so one sided. You can say the same about any OpenSource program with small userbases. Take any little Linux Distri, any small OSS and you get to this problem quickly. Most of us can't review the source code properly so we have to rely on others. But at least you CAN rely on someone. You can't rely on anyone at closed source programs.
That's why you use Truecrypt for encrypting your hard drive and not Bitlocker, that's why you should use a Linux Distri and not Windows and that's why i use OpenSource ROMs and not the closed source StockRoms and even try to have as much OpenSource Apps on my Phone as possible.
Just my 2 cents.
He has the points and those are sorely his.
Calling other ROM flashers idiots is ridiculous and not very nice. In fact, based on what he typed, he seems to be an idiot himself.
Now to other Rom flashers, as long as then understand the risk of doing so, they entitle and fully responsible for their actions, no need to teach them.
Security issue? I drive a car to a bad area, get off, windows still lower, not even care to lock the car. That is my choice.
Now I'm going to the very nice, high educated area, I choose to lock the car, put the steering-wheel lock on. Again, it's my choice. Home wireless network, I choose to set the password or not, it's my decision. I understand the risk of not doing that. And if I choose not to do that, it doesn't make me an idiot.
Next, not all baked ROM are based on leaked official one. CyanogenMod team is well-known and they based on the Google source code, ASOP, not a leak one from vendors.
So, if ROM flashers realize what source they use, they're all set.
Writing a long article with just one-minded lopsided thinking like this is pretty lame.
an0nym0us_ said:
Ever heard of pdroid? Droidwall?
Click to expand...
Click to collapse
Pdroid: looks very promissing but you need to be a programmer and only for Gingerbread.
Droidwall: from what I understand from it it is a kind of fine-tuning of your data traffic. Pdroid goes much, much further and I would prefer it.
A real shame I'm not a developper/programmer and also very happy with my custom ICS ROM.....
On the bright side; I like tweaking but not social networking or any other more "dangerous stuff" Just like I'm used on my PC.
I've never bothered with a custom ROM, partly because I just realise that pretty much everything I could do with a custom ROM, I can do manually with a rooted phone. I don't like to install a package of software someone else thinks I should use, I prefer to pick and choose the stuff I want. Security concerns never really bothered me, I don't care too much about the security of my phone (I guess maybe some people would be annoyed at me if my contacts were stolen or something, but other than that there isn't really anything I care about on my phone). I never do online banking etc. on it, but that's just because that's something I do very rarely and only do when I'm at a computer anyway.
gentle_giant said:
Pdroid: looks very promissing but you need to be a programmer and only for Gingerbread.
Click to expand...
Click to collapse
You don't need to be a programmer. All you do is get your ROM zip, run the PDroid patcher on the ROM zip, it'll give you a patch zip, flash the patch zip in recovery, install PDroid from market. And I think there are unofficial ports to ICS possibly.
Doesn't stop me from flashing custom ROMs.
Oh well...?
Sent from the future.
I though the article itself was a bit sensationalistic but at the same time I think changing the ROM in a system (not to mention giving root permissions to apps) is a lot more potentially intrusive than downloading apps from Itunes or Gplay.
Anyway I like my custom ROM setup but I sort of feel like I am whistling in the dark at times. I think a lot depends on how sophisticated we are as users.
Case in point:
When I flashed my ROM for the first time, I freaked out seeing a bunch of Chinese names every time I made a call to certain numbers. The good thing about XDA is if you search you can find anything about ROM issues and in this case I learned that this was due to the developer using the contacts part from the leaked Chinese ICS and it had something to do with a "Phone locator service" that could be disabled. Ok so I disable and go back to whistling in the dark --- but I have not been able to learn what the phone locator service is in the first place or WHY i had Chinese names showing in my calls.
As a relative Noob I can follow instructions from most of the generally well written instructions on XDA and not get into trouble --- but (rhetorically) do I really understand the background issues and risks with some of these things?
What is this phone locator service anyway? Why the Chinese Names and Locations in the call indicators?
mcord11758 said:
Where I disagree with the article is in the insinuation that using a stock ROM with apps downloaded from let's say th he iTunes store is really much more secure. If a baked ROM can be pulling information behind your back, and somehow bypass security measures written into a banking app, why could not a fart app some momo downloads to be the life of the party do the same?
Flyer
Click to expand...
Click to collapse
Well you are right that we are all responsible for our own choices. I just think it is better for all that people can make as informed as choices as possible. That is why discussions like these can be good (even if the article was inflammatory).
To extend your analogy, maybe you think it is your choice to leave your car unprotected. But maybe your insurance company will disagree and try to teach you better? Maybe the police inform you to secure your car because you make more work for them when your car is stolen?
So as a car driver it is your choice, but many might argue that the community of car drivers needs to be educated on the risks of their behavior so that they can make more informed decisions. Then you benefit and the community benefits (keep insurance rates down, free up police resources etc.)
I hope I made sense
votinh said:
Now to other Rom flashers, as long as then understand the risk of doing so, they entitle and fully responsible for their actions, no need to teach them.
Security issue? I drive a car to a bad area, get off, windows still lower, not even care to lock the car. That is my choice.
Click to expand...
Click to collapse
I'd rather take the risk and enjoy life than sit on the sidelines. Considering that all smartphones have vulnerabilities, stock or no, I'll take my chances. I also have a bit of faith left in humanity in general and more so some in communities like XDA and Rootz where the general idea is clearly that these are places for everyone to contribute to everyone else, not to come in and scam.
Let's be real: if someone comes through here and drops something that ends up defrauding other for every person involved in coding the malicious item there are ten more capable devs who will have the motivation to take them to task in most unpleasant ways. I, for one, would not put my butt on the line by choosing a dev forum to release or market my malware.
Responsible Disclosure is a term often used in security, but what is it?
In essence, responsible disclosure is the process of making the vendor or OEM of the vulnerable software or system aware of the problem before disclosing details of the vulnerability to the public. The idea here is that the vendor will promptly solve the issue, and release a fix to users of the software, and accredit the finding of the issue to the researcher, who then discloses the vulnerability in full, now the software has been patched.
Responsible disclosure is named as such, as vendors feel it's the most responsible way to go about handling a security issue you have found. It's often the best strategy to try if you do find an issue - look for a security contact for the company, and give them a shout.
Unfortunately, some companies are rather poor at dealing with security issues, and either don't respond, or don't issue a patch or inform users of a mitigation strategy. Or in severe cases, might not even inform users of there being an issue whatsoever, and appear to ignore the vulnerability. Do bear in mind though when dealing with mobile devices that many carriers add significant delays to software releases (where on the desktop, a fix may be available the next day, the OEM might take a week or more to make a patch available on unbranded firmware, since devices and firmwares often must be approved by regulators before release, and carriers will then want further changes applied to these firmwares before their own testing).
Often if a vendor acts like this, the only solution is Full Disclosure, a process where the full details of the vulnerability are publicly released, in order to raise awareness of the vendor's insecurity and inaction (particularly if efforts were already made to contact them). Full disclosure permits the end user to be made aware of the extent and details of the security issue, and attempt to mitigate or resolve it themselves (for example, by removing an affected plugin, deleting an APK, or using a firewall to prevent access to a vulnerable service until a fix is produced).
If you are new to security, and are unsure, responsible disclosure is usually the best way forwards, but there are plenty of people around who can give good advise about this. This may well change, in light of recent practices by some companies pertaining to how they handle security vulnerabilities which are responsibly disclosed (see https://www.openrightsgroup.org/blog/2013/nsa-affects-responsible-disclosure)
Good writeup, thanks!
Is full disclosure really an effective way of handling things though? I can understand that the intention is to make the vulnerability so well known that vendor has no choice but to fix it, but during that lead time there's going to be a vulnerability going around that people could really capitalize on. I don't have figures, but I would imagine that even if a user-made solution is found, the number of people that would actually adopt it has got to be a tiny fraction of a percent. If you're going full-disclosure, aren't you essentially ensuring the worst-case scenario? Security through obscurity is weak, but isn't it still better to sit on your hands and just hope that the vendor will get around to fixing it eventually?
Grand Guignol said:
Good writeup, thanks!
Is full disclosure really an effective way of handling things though? I can understand that the intention is to make the vulnerability so well known that vendor has no choice but to fix it, but during that lead time there's going to be a vulnerability going around that people could really capitalize on. I don't have figures, but I would imagine that even if a user-made solution is found, the number of people that would actually adopt it has got to be a tiny fraction of a percent. If you're going full-disclosure, aren't you essentially ensuring the worst-case scenario? Security through obscurity is weak, but isn't it still better to sit on your hands and just hope that the vendor will get around to fixing it eventually?
Click to expand...
Click to collapse
True, but also depends on the type of vulnerability. Is not the same finding a vulnerability where you need physical access to the device (ie a way of unlocking without PIN) than finding a vulnerabilty that allows remote access to sensite data without user action. I suppose that some sort of waiting can be defined. Like waiting for a week for the first type of vulnerabity and 3 months for the other....just my 2 cents.
Great writeup BTW!
For the security enthusiasts here: The Full DIsclosure Mailing List has been reopened. ENJOY!
Talking about responsible disclosure, I have the following question for you guys:
I found a vulnerability that can be exploited to drain the battery of a device. I informed the application vendor and they reacted that they agree with my finding and will fix it soon. I send my vulnerability and PoC 24th of February and they responded 3 weeks after. Now I am waiting for the vulnerability to be fixed.
I found this bug when writing my thesis and I really want to include it in my paper which should be published on the 31th of May. Does that fit responsible disclosure? Should I send them an e-mail stating that I will publish the details at the end of May?
It can't hurt to let them know youre doing it.
Sent from my Xperia ZL using XDA Free mobile app
Is full disclosure really an effective way of handling things though?
rakoczy12 said:
Is full disclosure really an effective way of handling things though?
Click to expand...
Click to collapse
If the end result of the disclousre is that the users can protect themselves, then yes. As the OP pointed out:
pulser_g2 said:
Full disclosure permits the end user to be made aware of the extent and details of the security issue, and attempt to mitigate or resolve it themselves (for example, by removing an affected plugin, deleting an APK, or using a firewall to prevent access to a vulnerable service until a fix is produced).
Click to expand...
Click to collapse
How did I just now see this forum? Pulser I was talking to you about such an area for many many moons ago.
@pulser_g2
I have a question about posting things I find that script kiddies would love. Like today, I opened up an apk that was supposed to be an icon pack. Instead, it has @Stericson 's RootTools package in it and someone else's libpush work. So it starts out as a script kiddies dream, cause that's all it is. But it would be good for people to learn from.
When I came here, before I installed @DaveShaw 's power menu .cab, I first learned what a cab was, what it did, how it worked, and what all the little bits and pieces did inside of it. You just can never be too safe. Which is probably why I don't go jumping on a new ROM, or app someone just released. I'll mull it over and let some other people be the testers. How could I post something like without giving away how it works, but showing what's inside. So as to let people know to be careful? Teach them how to open it up, the different parts of an apk, how to read it and such. That's the kind of thing I was meaning way back when I was asking you about making this kind of area. But you had the same concerns as me. It not turning into a scriptkiddy funhouse.
Are we going to be able to disclose threats among ourselves? You can't make everyone wear a white hat. Lord knows we didn't all wear one back in compsci. I see it like teaching firemen how to put out a fire. Yea they are going to learn what makes a really big fire that's hard to stop. But if you don't teach them how to build the fire, just put it out, then they have to go through just that extra bit of effort to do bad.
Maybe some parts of this thread belongs here. http://forum.xda-developers.com/general/security/security-threat-middle-attack-umts-t3374626
It is Awesome
wow
hi,
I would really appreciate if someone could help answer these two questions for me :
1. I have to revert back to marshmallow from nougat, to use xprivacy with better compatibility. But the security patch of custom roms are not latest, mostly '16.
Is it something to look out for, security wise?
2. Are open source apps actually secure as compared to closed source ones? Yes their code is open but I heard they are more vulnerable to attacks. Please enlighten me.
Thanks.
1. newer version of os is better prepared against attacks, but marshmallow is good enough for NOW. in the future marshmallow will become not good enough.
2. it depends how well the app/code is maintained. open source means revealing more attack vectors to an malicious attacker, however it also means broader chance for the good guys to review code and find security holes and patch them before bad guys uses the security holes. more developer involved = better security generally. same principle goes to closed source code; more developers paid by the company who is responsible for the code generally means better security. thus it is not a matter of source being open or closed; it is a matter of how many active people are involved in maintaining the code and how much effort is made in keeping the code secure.
juniecho said:
1. newer version of os is better prepared against attacks, but marshmallow is good enough for NOW. in the future marshmallow will become not good enough.
2. it depends how well the app/code is maintained. open source means revealing more attack vectors to an malicious attacker, however it also means broader chance for the good guys to review code and find security holes and patch them before bad guys uses the security holes. more developer involved = better security generally. same principle goes to closed source code; more developers paid by the company who is responsible for the code generally means better security. thus it is not a matter of source being open or closed; it is a matter of how many active people are involved in maintaining the code and how much effort is made in keeping the code secure.
Click to expand...
Click to collapse
Thanks pal.
juniecho said:
1. newer version of os is better prepared against attacks, but marshmallow is good enough for NOW. in the future marshmallow will become not good enough.
2. it depends how well the app/code is maintained. open source means revealing more attack vectors to an malicious attacker, however it also means broader chance for the good guys to review code and find security holes and patch them before bad guys uses the security holes. more developer involved = better security generally. same principle goes to closed source code; more developers paid by the company who is responsible for the code generally means better security. thus it is not a matter of source being open or closed; it is a matter of how many active people are involved in maintaining the code and how much effort is made in keeping the code secure.
Click to expand...
Click to collapse
shadowbone said:
Thanks pal.
Click to expand...
Click to collapse
Just be careful of what u doing and always be update your latest security patch and android.
Sent from my Pixel 2 XL using Tapatalk
JohnMichaelCost said:
Just be careful of what u doing and always be update your latest security patch and android.
Click to expand...
Click to collapse
Thank you for your advice But thing is cm13 for my device has its last security patch from dec 2016. And lineage OS 14.1 has latest security patch, but lacks xposed stability, especially for xprivacy, the one I need the most( because I am on No Gapps). So, that's the confusion I have.
And I completely go along with your words of being careful with what I do with my device.
After moving into a NoGapps environment I mostly use open source apps except for 2 or 3 apps whose functionality are not found in any apps on FOSS. Yet those apps from play store themselves have google analytics and measurement services in them. For a privacy freak like me, it is intimidating, I guess.
To be honest open source apps are just as secure as closed Sourced apps. The reason being is very few people are looking at either for security exploits. As for the security updates that is a personal choice. I don't put much worth to them as they are exploits that have been around since the beginning and Google is just pushing patches so they appear to be worried about security. Kinda funny coming from a company that makes its money from collecting and using personal data
zelendel said:
To be honest open source apps are just as secure as closed Sourced apps. The reason being is very few people are looking at either for security exploits. As for the security updates that is a personal choice. I don't put much worth to them as they are exploits that have been around since the beginning and Google is just pushing patches so they appear to be worried about security. Kinda funny coming from a company that makes its money from collecting and using personal data
Click to expand...
Click to collapse
Ooo.... Interesting. I didn't look at it in that perspective (regarding google and its patches). :laugh:
shadowbone said:
Ooo.... Interesting. I didn't look at it in that perspective (regarding google and its patches). :laugh:
Click to expand...
Click to collapse
Sounds familiar "android vs ios" sorry i mean open vs closed sources, the cloesd sources is very hard part for security longntime to hacked & hard finding the source "pay developer just like Apple"
Android other hand is open source is very cool unlike "cloesd sources" is updated everyday and developer are fighting against hackers to does not hacked the source
I will not to worried. Look my screen shot.
JohnMichaelCost said:
Sounds familiar "android vs ios" sorry i mean open vs closed sources, the cloesd sources is very hard part for security longntime to hacked & hard finding the source "pay developer just like Apple"
Android other hand is open source is very cool unlike "cloesd sources" is updated everyday and developer are fighting against hackers to does not hacked the source
I will not to worried. Look my screen shot.
Click to expand...
Click to collapse
Um not its not. Android isnt open source. Only AOSP is open source and that comes preloaded on 0 devices. Everything else is closed sourced. Even Google uses closed sourced files for their devices.
Also no one is looking at open source apps. Developers dont care about open source apps. As there is no money to be made from open source apps.
As for your screen shots. They mean nothing really as any hack would bypass it as it would happen when you are using the device. A perfect example is a built in screen recorder that then loads the videos up into a server when the device is asleep (Xiaomi is known for doing this)
Mobile security really is a myth. If someone wants your info (they really dont. They couldnt care less as your personal info is worth less then nothing) they can get it from social media sites easy enough.
zelendel said:
Um not its not. Android isnt open source. Only AOSP is open source and that comes preloaded on 0 devices. Everything else is closed sourced. Even Google uses closed sourced files for their devices.
Also no one is looking at open source apps. Developers dont care about open source apps. As there is no money to be made from open source apps.
As for your screen shots. They mean nothing really as any hack would bypass it as it would happen when you are using the device. A perfect example is a built in screen recorder that then loads the videos up into a server when the device is asleep (Xiaomi is known for doing this)
Mobile security really is a myth. If someone wants your info (they really dont. They couldnt care less as your personal info is worth less then nothing) they can get it from social media sites easy enough.
Click to expand...
Click to collapse
you're right. Android security So really is nothing special in fact.
May i ask you about Xiaomi why they are doing this ? And google vs AOSP ?
JohnMichaelCost said:
you're right. Android security So really is nothing special in fact.
May i ask you about Xiaomi why they are doing this ? And google vs AOSP ?
Click to expand...
Click to collapse
They are required to by the Chinese government. I take it you don't know much about how they do things. Here is a fast run down. China requires all data from its citizens to be monitored and recorded. This is part of the reason for China's great firewall. When people buy devices made for China this is something that happens.
As for Google vs aosp. Think about it this way. Why would you buy a pixel device is you can get all the same features from aosp? No money to be made there so not good business. Yes Google pushes a lot to aosp. But it is getting less and less. Heck even the base aosp apps have not gotten any real updates in years. Google wants you to use their closed Sourced apps. Allo, duo, Gmail, contacts, phone etc. If it wasn't for 3rd party developers like the ones here aosp apps would still be bare bones.
I second your view zelendel. Although, I have to ask, not that I don't understand your valuable thoughts you posted before, but..
Now that more and more vulnerabilities are brought to light these days like the blueborne or KRACK, and google or devs here, for that matter, pushes security patches to fend against these vulnerabilities. Would you say extending privacy capabilities using root and xposed tools and some common sense while using apps , should suffice against threats of these sorts?
Edit : nvm. Got hold of the desired ROM with latest patch. Thanks for your input guys.
shadowbone said:
I second your view zelendel. Although, I have to ask, not that I don't understand your valuable thoughts you posted before, but..
Now that more and more vulnerabilities are brought to light these days like the blueborne or KRACK, and google or devs here, for that matter, pushes security patches to fend against these vulnerabilities. Would you say extending privacy capabilities using root and xposed tools and some common sense while using apps , should suffice against threats of these sorts?
Edit : nvm. Got hold of the desired ROM with latest patch. Thanks for your input guys.
Click to expand...
Click to collapse
Just not to be worried about hacking our phone. Developer of app/google/aosp/etc. here to save us from hackers in fact maybe.....
But as for root,CFW,etc they doesn't hooked even you have gapp.
But hacking WiFi WAP so... i don't worries, just i said earlier "be careful what you doing" remember that.
If you need very privacy like "donald trump" [emoji13] so vpn your phone install x private and cover with your camera, encryption your phone and always be updated your apps/security patch and android of course.
Sent from my Pixel XL using XDA-Developers Legacy app
shadowbone said:
I second your view zelendel. Although, I have to ask, not that I don't understand your valuable thoughts you posted before, but..
Now that more and more vulnerabilities are brought to light these days like the blueborne or KRACK, and google or devs here, for that matter, pushes security patches to fend against these vulnerabilities. Would you say extending privacy capabilities using root and xposed tools and some common sense while using apps , should suffice against threats of these sorts?
Edit : nvm. Got hold of the desired ROM with latest patch. Thanks for your input guys.
Click to expand...
Click to collapse
To be honest if I was really worried about security then root would be out of the question as it opens up doors that can be exploited. An example is a root binary that was found to work so it auto granted root to every app and removed the logs of it doing so.
The KRACK vulnerability is a whole other thing as patching a device is pointless if the router you are connecting to is not patched.
Just use common sense really. As long as Android pushes a lot of code open source there will always be issues like this that pop up. (its soo much easier to find exploits when you have access to all the code. And before you say it, no not as many people are looking for security threats as people think)
Thanks you guys for your valuable advice's. I'll make sure to keep a watch out. :good:
(might be this is off topic but i need your help guys)
Hi guys i need your help with my Old nexus 5 (stock never did ctf or rooted) and mtk phone as a same problem.
In google camera when I video mode it crash even open it please help me.
Nexus 5 and mtk phone are running both android 6.0 stock.
Any idea what happened ?
JohnMichaelCost said:
(might be this is off topic but i need your help guys)
Hi guys i need your help with my Old nexus 5 (stock never did ctf or rooted) and mtk phone as a same problem.
In google camera when I video mode it crash even open it please help me.
Nexus 5 and mtk phone are running both android 6.0 stock.
Any idea what happened ?
Click to expand...
Click to collapse
Have a take a look.
JohnMichaelCost said:
Have a take a look.
Click to expand...
Click to collapse
I'm not sure. Are you using official/stock build or some ported apk?
shadowbone said:
I'm not sure. Are you using official/inbuilt build or some ported apk?
Click to expand...
Click to collapse
Ok.. but thanks anyway is working again.....
i am officially build.
Sent from my Pixel XL using XDA-Developers Legacy app
JohnMichaelCost said:
Ok.. but thanks anyway is working again.....
i am officially build.
Sent from my Pixel XL using XDA-Developers Legacy app
Click to expand...
Click to collapse
You are Gonna have to run a logcat to find out. Chances are if you are not rooted or been messing around then it will be hard are.