app idea: block communicatioon to service, servers by installing into /system/app - Security Discussion

Where to put this thread?
It may be an app idea as I am no developer.
This is regarding info gathering by certain companies, e.g. Google with its Password saving.
The question is:
Is there an app which blocks all access to certain servers, services, etc. just by being put onto the phone?
To be more specific:
When a custom ROM is created this app is put into /system/app. It will be installed when the ROM is installed. After installation but before the phone is initialized on the first boot this app blocks all access to servers, services, which are intendet to gather information or data such as Googles password saving without the need of doing something by the user.
The thing is: The blocking is done before the first initialisation so an inexperienced user cannot give info to Google. Or by human error.

Related

Real Android firewall - doable? Does it exist?

DroidWall in the marketplace allows full WiFi access to all apps.
Is it possible to code an application for Android (perhaps with root access) that can:
- deny all outbound data access per app basis
- specify the rules (ip-range/port-range) per app basis
Like a real alternative to a desktop software firewall?
Way too many apps are leaking all sorts of information (in plain text!) from the user account database to the Internet.
The android security makes me really scared to use the platform for anything requiring security. The privacy/security model is basically a swiss cheese that can be poked through by almost any app that just asks for certain rights at install time.
I'm hoping a firewall would be able to limit this issue, no?
I don't know about the other stuff you mentioned, but my version of DroidWall has a block/allow option for wifi and 3g, separately. It's the latest version from the market place, 1.4.2
Thanks, I just checked it out and it seems DroidWall indeed has a Wifi side blocking by app basis as well. I'm still testing though.
Ah, just tried it. Force closes on Galaxy S (rooted). Sigh.

Question about android security

So i am just wondering, there are so much different apps for android on the market, and most of them has a lot of access to phone's functions. Now for example i am always logged in to Gmail, and theoretically can a random app scan and copy my gmail's data and send it trough internet? Really curious..
Kblavkalash said:
Now for example i am always logged in to Gmail, and theoretically can a random app scan and copy my gmail's data and send it trough internet? Really curious..
Click to expand...
Click to collapse
This question is not really an issue of Android security this is a question about general security. Can an app look at your gmail app directly and copy data and send it out...not exactly no, an app can't forcibly connect itself to another app to scan data.
However...
That question is actually not relevant because such a task is unnecessary for malicious apps. Lets say you install a malicious app that wants to copy your gmail data. What it will do is not watch the app itself but it will watch the network packets being sent to and from the app, logging and tracking those.
This is not the only way to get the data though because any data saved on your sdcard is accessible from an app if you give it permission to do so.
The MOST important thing to look at when installing an app is the permissions the app is requesting when it installs. This can be confusing as well because some apps will request full internet access because they need it but this can also be used by a malicious app to steal your data.
The important thing to do is research. The more you learn about the app the better off you are.
-------
Just to clarify, this applies to all apps of any kind on any platform including but not limited to Android, iPhones, Blackberry, Windows Phone, WebOS, Windows PC, Mac OSX, Linux or etc. - ALWAYS learn as much as you can and are comfortable with before installing anything...if you are not comfortable with a particular app or learning more about it then don't install it. That is not to say it may be malicous, it is just to say it could be a bad idea for other reasons. (for example, if it is a developer tool or a configuration tool that you don't understand or haven't researched enough to understand...then you could potentially damage your device with something that is a legitimate tool)
Kblavkalash said:
So i am just wondering, there are so much different apps for android on the market, and most of them has a lot of access to phone's functions. Now for example i am always logged in to Gmail, and theoretically can a random app scan and copy my gmail's data and send it trough internet? Really curious..
Click to expand...
Click to collapse
edit
MichaelTunnell said:
This question is not really an issue of Android security this is a question about general security. Can an app look at your gmail app directly and copy data and send it out...not exactly no, an app can't forcibly connect itself to another app to scan data.
However...
That question is actually not relevant because such a task is unnecessary for malicious apps. Lets say you install a malicious app that wants to copy your gmail data. What it will do is not watch the app itself but it will watch the network packets being sent to and from the app, logging and tracking those.
This is not the only way to get the data though because any data saved on your sdcard is accessible from an app if you give it permission to do so.
The MOST important thing to look at when installing an app is the permissions the app is requesting when it installs. This can be confusing as well because some apps will request full internet access because they need it but this can also be used by a malicious app to steal your data.
The important thing to do is research. The more you learn about the app the better off you are.
-------
Just to clarify, this applies to all apps of any kind on any platform including but not limited to Android, iPhones, Blackberry, Windows Phone, WebOS, Windows PC, Mac OSX, Linux or etc. - ALWAYS learn as much as you can and are comfortable with before installing anything...if you are not comfortable with a particular app or learning more about it then don't install it. That is not to say it may be malicous, it is just to say it could be a bad idea for other reasons. (for example, if it is a developer tool or a configuration tool that you don't understand or haven't researched enough to understand...then you could potentially damage your device with something that is a legitimate tool)
Click to expand...
Click to collapse
Good answer, you are right!, but you say do a research before installing, but it's not really possible unless you are a programmer and checking whole code The best rated apps still have many different permission requirement and i have no idea what they are doing.
For example app can request a new password change for example on paypal and steal packets which come to my gmail about new password.^^
Security Apps
Hi,
in my eyes the best way is to use programs like PDroid. You cann adjist the rights of every App regarding send SMS for example.
LBE Privacy Guard may be also an Option. (runs not on my Device - SGS+)
(i use Pdroid 2.0)
you should also read the comments in the store, and the needed rights from the app before install. The best Apps to trust are open source apps.
Kblavkalash said:
Good answer, you are right!, but you say do a research before installing, but it's not really possible unless you are a programmer and checking whole code The best rated apps still have many different permission requirement and i have no idea what they are doing.
For example app can request a new password change for example on paypal and steal packets which come to my gmail about new password.^^
Click to expand...
Click to collapse
Research generally involves a Google search...
Editor's Choice in the market are safe bets, you know, the blue icon.
But then there are the millions of other apps, and frankly, I tend to toe the app name plus xda for instance, Google will show you xda threads about the app, if the posts are normal, you can be sure it's not malicious.
Stuff like that...
Also, fake market comments are really easy to spot and are a dead giveaway
Sent from my GT-I9000 using xda premium

App uid sharing is a security risk.

Most things that restrict actions in Android use the applications uuid to identity it.
UUID is an immutable representation of a 128-bit universally unique identifier (UUID).
However recently I installed firefox and firefox beta..
Both share the same uuid..
And when I installed firefox beta. It gained all the rights and permissions and internet access that firefox had..
Both applications are installed on my device both run separately
But I cannot secure one with out the other getting the same security access.
If you look at system files many of them have the same uuid
That is a huge security issue with Android..
Is there a way to assign a new uuid to a application
Even if you have to rebuild the apk?
(Almost everything I have is open-source so I can build it from scratch if required)
In android, apps can share the UUID by declaring it in the manifest:
android:sharedUserId
The name of a Linux user ID that will be shared with other applications. By default, Android assigns each application its own unique user ID. However, if this attribute is set to the same value for two or more applications, they will all share the same ID — provided that they are also signed by the same certificate. Application with the same user ID can access each other's data and, if desired, run in the same process.
So if you just resign the APK with a different certificate (you can quickly generate one) they won't share the same ID anymore (because you don't have the mozilla certificate)
And FYI, it is not a security issue. In fact, it is an added security measure. Because apps that need to communicate with each other can share the same memory space and filesystem. The security is based on the signature of the app. So it is as strong as your ability to not leak the certificate
h4oxer said:
And FYI, it is not a security issue. In fact, it is an added security measure. Because apps that need to communicate with each other can share the same memory space and filesystem. The security is based on the signature of the app. So it is as strong as your ability to not leak the certificate
Click to expand...
Click to collapse
Except that many apps can be installed under the same id number.
If they where given a completely unique number for every app installed then I would agree
But that is not the case.
Multiple apps with the same id is just bad security
It's like giving two different people the same identification because they share an office.
I will look into resigning some apks and see what I can find.
Thank you for the info.
nutpants said:
Except that many apps can be installed under the same id number.
If they where given a completely unique number for every app installed then I would agree
But that is not the case.
Multiple apps with the same id is just bad security
It's like giving two different people the same identification because they share an office.
I will look into resigning some apks and see what I can find.
Thank you for the info.
Click to expand...
Click to collapse
Signatures have nothing to do with uid. If you have the same app with a different signature, you will simply not be able to install them together. Uid has to do with app's internal name like com.xxx. Apps with the same internal name will always have the same uid (like firefox stable and beta) and different apps will always have different uid, except for some system apps that come from os makers, which is true for many, if not all os. A third party app will never have any of the system app uid. So, there is no security issue at all.
ukanth talked about the android:sharedUserId attribute.
Android's documentation says that apps have to be signed by the same certificate.
Having the same package name (or a similar one) is not mandatory to share the same UID (example: dev tools & fused location).
Firefox and firefox beta..
Two similar apps
Same uid last time I installed both..
So a unscrupulous developer could create a separate app with separate functions with the same uid and if you installed it where would you be?
And god knows that no one ever has an issue with developers creating unscrupulous apps that try to get data from your device.
nutpants said:
So a unscrupulous developer could create a separate app with separate functions with the same uid and if you installed it where would you be?
Click to expand...
Click to collapse
He could only do that if both apps were his, and if both apps were his, he doesn't gain access to anything that he didn't already have access to.
nutpants said:
Firefox and firefox beta..
Two similar apps
Same uid last time I installed both..
So a unscrupulous developer could create a separate app with separate functions with the same uid and if you installed it where would you be?
And god knows that no one ever has an issue with developers creating unscrupulous apps that try to get data from your device.
Click to expand...
Click to collapse
Your scenario is impossible. Firefox can only obtain permission from another firefox and both must be made by the same developer. And Firefox cannot get permissions from apps made by others.
optimumpro said:
Your scenario is impossible. Firefox can only obtain permission from another firefox and both must be made by the same developer. And Firefox cannot get permissions from apps made by others.
Click to expand...
Click to collapse
Firefox is an example.
But a similar situation could come from any developer.
Develop one good popular app
And one data mining, soul stripping life stealing app with the same uid and maybe even a hidden icon..
Personally I give apps only the access the need. Not what they ask for.
With marshmallow everyone can restrict information
But you can not when two apps share the same uid.
For example Firefox stable had no serious privacy holes
Firefox beta could. It's beta.
Two apps one uid..
Bad idea..
nutpants said:
Firefox is an example.
But a similar situation could come from any developer.
Develop one good popular app
And one data mining, soul stripping life stealing app with the same uid and maybe even a hidden icon..
Personally I give apps only the access the need. Not what they ask for.
With marshmallow everyone can restrict information
But you can not when two apps share the same uid.
For example Firefox stable had no serious privacy holes
Firefox beta could. It's beta.
Two apps one uid..
Bad idea..
Click to expand...
Click to collapse
"Develop one good popular app. And one data mining, soul stripping life stealing app with the same uid and maybe even a hidden icon."
But that doesn't make any sense. If there is another (bad) app by the same developer with the same com.name, it will install only on top of the good one and it will be a totally different app. By the way, beta firefox shouldn't have the same uid as stable (unless they, as a big developer, have a special arrangements with Google, so that their certificate is preinstalled, but you don't really think that firefox would need another app to steal your data, they can do it anyway). Also, what's the point of having both firefox beta and stable? It is bad for system. Firefox is known to stay in the background after you exit it, unless you literally kill it with a specially configured back button. So, now, you have 2 web browsers in the background.
optimumpro said:
"Develop one good popular app. And one data mining, soul stripping life stealing app with the same uid and maybe even a hidden icon."
But that doesn't make any sense. If there is another (bad) app by the same developer with the same com.name, it will install only on top of the good one and it will be a totally different app. By the way, beta firefox shouldn't have the same uid as stable (unless they, as a big developer, have a special arrangements with Google, so that their certificate is preinstalled, but you don't really think that firefox would need another app to steal your data, they can do it anyway). Also, what's the point of having both firefox beta and stable? It is bad for system. Firefox is known to stay in the background after you exit it, unless you literally kill it with a specially configured back button. So, now, you have 2 web browsers in the background.
Click to expand...
Click to collapse
Check out Firefox and firefox beta..
Different names, different app.Same developer, Same uuid
Both together on your device at the same time.
Unless there is something wrong with my nexus
You can get both from Google play and see for yourself.
Which means that any developer could do it.
The next question would be how secure is the app signing method. Can it be duplicated? Coerced ? Or just commandeered by the fbi on the off chance some one committed a crime that could support terrorism.
Uuid sharing bad idea.
How does Android assign the uuid to each app?
And yes I test beta apps to see if they have fixed bugs that are present in stable
I support open source every chance I can.
nutpants said:
Check out Firefox and firefox beta..
Different names, different app.Same developer, Same uuid
Both together on your device at the same time.
Unless there is something wrong with my nexus
You can get both from Google play and see for yourself.
Which means that any developer could do it.
The next question would be how secure is the app signing method. Can it be duplicated? Coerced ? Or just commandeered by the fbi on the off chance some one committed a crime that could support terrorism.
Uuid sharing bad idea.
How does Android assign the uuid to each app?
And yes I test beta apps to see if they have fixed bugs that are present in stable
I support open source every chance I can.
Click to expand...
Click to collapse
Signing process cannot be replicated. However, if you use Google services (including Googleplay), then it is possible to have Google sign a modified application to take over your phone, but this could be defeated completely by removing google services and google services framework and using roms and apps that you have compiled by yourself. Moreover, before compiling, you will have to re-generate all build keys (test key, platform key and media key). In this case, the only way to take control over your phone would be over the air through the operator's sim card and if that fails, then through the king of all - baseband/modem...
nutpants said:
Check out Firefox and firefox beta..
Different names, different app.Same developer, Same uuid
Both together on your device at the same time.
Unless there is something wrong with my nexus
You can get both from Google play and see for yourself.
Which means that any developer could do it.
The next question would be how secure is the app signing method. Can it be duplicated? Coerced ? Or just commandeered by the fbi on the off chance some one committed a crime that could support terrorism.
Uuid sharing bad idea.
How does Android assign the uuid to each app?
And yes I test beta apps to see if they have fixed bugs that are present in stable
I support open source every chance I can.
Click to expand...
Click to collapse
Just to clear the record: previously I said that signatures make no difference to uid. This was not entirely correct.
Signatures identify a unique developer. Package name/internal app name identify a unique application. The only way an app can get a shared uid is if it has the same signature, i.e., made by the same developer. In other words, an app cannot have a shared uid with an app by another developer.
Now, security: apps using a shared uid share data/database with each other; they also share the same permissions. This creates no additional security threat.
Your example of a dev creating a good app and then adding a bad/data stealing app that would have the same permissions as the good one. This absolutely makes no sense, as data stealing features could be easily implemented in the good app. In addition, the bad app cannot have higher level permissions than the good one.
If you, however, don't want to have shared uid for 3rd party apps, there is an easy way do that: all you need is to sign any third party app with your own signature, which will prompt android to assign a different uid.
optimumpro said:
If you, however, don't want to have shared uid for 3rd party apps, there is an easy way do that: all you need is to sign any third party app with your own signature, which will prompt android to assign a different uid.
Click to expand...
Click to collapse
So if I sign firefox beta, it will automatically have a different uuid,
What happens is I also sign the original Firefox also?
Will that cause the uuids to again be the same or will they both be different?
Can a apk be signed from an Android device?
Is there any other way to change how Android assigns uuids to apps?
(Ie force Android to assign new uuids to every app, extract the rom and change the uuids on the apks so every apk have a truly unique id (which I would expect form something called universal unique id)
Why would anyone ever want a uuid to be shared with another app (Even system apps)?
Thanks for the info btw..
nutpants said:
So if I sign firefox beta, it will automatically have a different uuid,
What happens is I also sign the original Firefox also?
Will that cause the uuids to again be the same or will they both be different?
Can a apk be signed from an Android device?
Is there any other way to change how Android assigns uuids to apps?
(Ie force Android to assign new uuids to every app, extract the rom and change the uuids on the apks so every apk have a truly unique id (which I would expect form something called universal unique id)
Why would anyone ever want a uuid to be shared with another app (Even system apps)?
Thanks for the info btw..
Click to expand...
Click to collapse
In order to have a shared uid, both apps must have that permission in their manifests. Having this benefits performance and minimizes space on the device. Since android apps run in a sandbox/virtual machine, you can imagine the slowdown if you have system apps with unique uids.
You shouldn't sign the other firefox with the same key , as you will defeat your purpose.
I am not aware of a procedure to sign the app on the device, however, you can search xda. You can certainly sign the app on linux or windows. You can also generate multiple keys for signing.

Need Help: BEEN Infected by MALWARE Lenovo tab model a5500-hv android version 4.4.2

model number : lenovo a5500-hv
android version: 4.4.2
baseband version: a5500-hv.v34, 2014/05/08 22:28
kernel version: 3.4.67
build number: a5500hv_a442_000_011_140508_row
As shared in subject, my tab ANDROID is infected by malware where multiple issues have starting lately
a) Constant popup message stating" Unfortunately, com.system.update has stopped"
b) Constant popup message stating" Unfortunately, org.snow.down.update has stopped"
c) Constant popup displaying to INSTALL application" com.android.keyguard"
d) Automatic checking (on) in Settings> Security> Allow installation of apps from unknown sources, despite my regular check off( its gets reactivated again). Device Administrators viewed are Android Device Manager (ticked), Daemon Service( twice listed- unchecked).
e) Installed Malwarebytes Anti-malware, upon scanning detected these 11 malwares, which it is unable to delete ( Norton is unable to detect those even). Any open app which I try to use after some seconds are abruptly closed.
Malware name- Path
Android/ Backdoor.Triada.c - /system/priv-app/higher.apk ( File linked to be uninstalled- AppManage)
Android/ Backdoor.Triada.js - /system/priv-app/BCTService.apk ( File linked to be uninstalled- bcct_service)
Android/ Trojan.Rootnik.I - /system/priv-app/Bseting.apk ( File linked to be uninstalled- com.android.sync)
Android/ Trojan.SMSSend.ge - /system/app/com.android.token.apk ( File linked to be uninstalled- com.android.taken)
Android/ Trojan.OveeAd.F - /system/priv-app/com.mws.tqy.vsdp.apk ( File linked to be uninstalled- com.system.update)
Android/ Backdoor.Triada.J - /system/priv-app/com_android_goglemap_services.apk ( File linked to be uninstalled- GoogleMapService)
Android/Trojan.Dropper.Shedun.dc - /system/priv-app/parlmast.apk ( File linked to be uninstalled- GuardService)
Android/Trojan.Dropper.Agent.MJ - /system/priv-apk/Sooner.apk ( File linked to be uninstalled- PhoneService)
Android/Trojan.OveeAd.J - /system/priv-apk/com.tsr.eny.hyu.apk ( File linked to be uninstalled- system.bin)
Android/Trojan.Guerrilla.Q - /system/priv-apk/NAT.apk ( File linked to be uninstalled- SysTool)
Android/Trojan.Triada.m - /system/priv-apk/com.glb.filemanager.apk ( File linked to be uninstalled- UPDATE)
PS: If I try to connect to Internet, app icons are downloaded and auto open displaying porn images.
Please assist to REMOVE the MALWARE INFECTION. Tried FACTORY DATA RESET from Settings, but no help. Tab not rooted.
Solution
Last night i got some pesky malwares. For now i think i removed them. Get Avast and see what it can find. After that try to remove the files from file explorer and the most important thing - go to Settings-Security-Device Administrators. From there remove everything and now from Avast you should be able to remove the infected apps. Hope i helped
Tried cm's stubborn Trojan remover from play store and it did the trick- as in disabled the infected processes but at end took my mail ID with followup request if raised to get the device cleaned from malware. Cross checked from Malwarebytes and kaspersky, and looks seemingly clean with no active culprits. Though not checked with WiFi or data connection through sim.
Sent from my A0001 using XDA-Developers mobile app
Ashish1+1 said:
Tried cm's stubborn Trojan remover from play store and it did the trick- as in disabled the infected processes but at end took my mail ID with followup request if raised to get the device cleaned from malware. Cross checked from Malwarebytes and kaspersky, and looks seemingly clean with no active culprits. Though not checked with WiFi or data connection through sim.
Sent from my A0001 using XDA-Developers mobile app
Click to expand...
Click to collapse
Did it root your phone first? Else I can't see how it would be able to get to those apps installed as system. If so, if it was me, I'd unroot my phone at the very least & uninstall the CM apps since they do not have a good reputation so far as data snooping goes and excessive app permissions etc goes.
eg (from The Capitol Forum)
The apps require extensive access to the devices on which they run, and they are able to harvest a great deal of data about users’ interests, demographics and location. Cheetah Mobile’s business model is not significantly different from the way in which some major American tech companies such as Facebook monetise their free products. However, Cheetah Mobile is different from American tech companies in that its headquarters are located in China and its data servers are primarily located there as well, and its main business partners are major Chinese tech firms. The Chinese government, according to sources, accesses its companies’ data for internal security, economic competitiveness or other purposes. Cheetah Mobile, and similar companies, represents a major point of entry for China to access American app marketplaces and their users to gather information. However, U.S. government officials in national security and intelligence agencies are highly aware of surveillance and hacking both inside and outside China, presumably coming from actors affiliated with the Chinese state.
Click to expand...
Click to collapse
see the alteco report (about investment risks but they ran tests on other apps that didn't do anything, what battery savers don't help!!! :silly: )
https://drive.google.com/file/d/0B_zW4GWDn5wpVDBiLUpDcE9IS0E/view
Now I haven't used the app you quote but if it didn't root your phone then it can't have removed the malware and they are likely up to their old tricks ie the app doesn't really work, they have just been blocked or something. (Ask yourself why aren't there other apps from well known companies that can remove trojans in system on play store?) ANd with their dodgy reputation for ads, & selling user data if it did root your phone you may only be slightly better off!!?? But at least it should only be your user data they are gathering and not your bank account number to try and get ya money like the malware guys!
Anyhow happy for you if you really are free of malware and don't forget to change all your passwords for all accounts, your routers etc else you could be reinfected by the time you read this!
I would reflash the stock ROM to be sure (backup ALL your pics, txts address, whatsapp etc etc)
I would also be interested to know how the app worked, if you can explain it. Did it say it would ROOT your phone? (there is nothing in their write up to say it will, Google would not allow an app that can root on play store, as far as I know) Do you have an app that can read what system apps are installed, like Link2sd? Does that show any of the malicious apk?
Thanks, No I did not root my phone but judging by the way removal came (easy) I too was bit surprised with outcome. No sooner I decided to remove the cm app Trojans and malware again became evident meaning it was just being suppressed in a way not removed and now again came back (when removed).
Sent from my A0001 using XDA-Developers mobile app
Ashish1+1 said:
Thanks, No I did not root my phone but judging by the way removal came (easy) I too was bit surprised with outcome. No sooner I decided to remove the cm app Trojans and malware again became evident meaning it was just being suppressed in a way not removed and now again came back (when removed).
Sent from my A0001 using XDA-Developers mobile app
Click to expand...
Click to collapse
Sorry to hear this. However I think it is possible that the CM app did its job as those malicious apps have probably already rooted your phone, so CM may have just used that root access without informing you, though whether or not other apps like CM app can still use that root, I'm not sure, it depends if its been left "on". I did watch a video on youtube for CM Stubborn Trojan app and the guy had to root his phone first. (You could try some/several of the root checker apps, if you want to know). So lets assume the CM app worked properly and removed trojan as it could get root without giving you a root request notification.
It's entirely possible that your reinfection is from your external SD card or via some other means eg. your router has had some ports opened or some other means. (Sorry I should have said reset router when I said change router password [do this for all routers you use & update firmware & ensure remote access is off (ref. dirty cow) while you are about it too!]
So I would reinstall CM Stubborn Trojan (lets assume it removes malware as it has root, even if it just blocks them it helps us) so you can then reflash official stock ROM for your country (& update to newest version if available), you must flash the FULL stock ROM so all partitions are reflashed. partial stock or custom ROM will not do this & potentially leave you open to reinfection! Reflash the FULL STOCK ROM is the only way to "easily" be sure you have cleaned the malware from your phone. NOTE: just doing a factory reset will NOT remove the malicious apps if they are in operating system folders, this only works for malicious apps in user data areas! Then you must make sure all possible ways you can be reinfected eg via sync, external SD cards or storage, your PC, router etc are cleaned/blocked/reset/updated
If you are not getting updates for your ROM you might want to consider installing a custom ROM (AFTER you have flashed the stock ROM!) from a reliable & trustworthy source, if available for your model, so that you get security patch updates. But you need to research and consider the risks of things like bricks, security etc for yourself first.
Hope this helps you clean your phone
Sometimes, it's times, it's the firmware itself that is infected
IronRoo said:
Did it root your phone first? Else I can't see how it would be able to get to those apps installed as system. If so, if it was me, I'd unroot my phone at the very least & uninstall the CM apps since they do not have a good reputation so far as data snooping goes and excessive app permissions etc goes.
eg (from The Capitol Forum)
see the alteco report (about investment risks but they ran tests on other apps that didn't do anything, what battery savers don't help!!! :silly: )
https://drive.google.com/file/d/0B_zW4GWDn5wpVDBiLUpDcE9IS0E/view
Now I haven't used the app you quote but if it didn't root your phone then it can't have removed the malware and they are likely up to their old tricks ie the app doesn't really work, they have just been blocked or something. (Ask yourself why aren't there other apps from well known companies that can remove trojans in system on play store?) ANd with their dodgy reputation for ads, & selling user data if it did root your phone you may only be slightly better off!!?? But at least it should only be your user data they are gathering and not your bank account number to try and get ya money like the malware guys!
Anyhow happy for you if you really are free of malware and don't forget to change all your passwords for all accounts, your routers etc else you could be reinfected by the time you read this!
I would reflash the stock ROM to be sure (backup ALL your pics, txts address, whatsapp etc etc)
I would also be interested to know how the app worked, if you can explain it. Did it say it would ROOT your phone? (there is nothing in their write up to say it will, Google would not allow an app that can root on play store, as far as I know) Do you have an app that can read what system apps are installed, like Link2sd? Does that show any of the malicious apk?
Click to expand...
Click to collapse
In my case, I have a similar issue - however, it's an infected SYSTEM file - which Malwarebytes spotted (but is unable to remove), and is NOT related to the KingRoot dodgy file. It's actually two different Trojans - both in /system/priv-app (settings.apk and smsservices.apk) - the first is the more problematical. (It's problematical because it's a critical system file/app/service - killing it without a replacement is NOT an option.) How the heck do you replace such a critical system file when it got itself hijacked?
In this case, I would agree with just a complete factory reset or ROM reflash. Like it is simply too much of an issue to try removing and recovering everything. Especially, once it's deep within your system....
Josh Ross said:
In this case, I would agree with just a complete factory reset or ROM reflash. Like it is simply too much of an issue to try removing and recovering everything. Especially, once it's deep within your system....
Click to expand...
Click to collapse
This was what I did finally, I went to service centre and spent bucks. They reloaded the firmware I suppose ( not flashing it) and instantaneously it was as good as new. I think, malware was itself part of original installation like uc browser- it was there. It just activated after some time or may be I clicked on some advertisement while running app and then the hell happened.
Any ways, its working fine, added an adblocker, restricted usage to few apps and keeping my fingers crossed for future.
Sent from my A0001 using XDA-Developers Legacy app
Yeah, the bloatware that you get with some phones nowadays is unbearable. If there is an option, go with a rooted phone, custom ROM, some couple custom solutions for protection and you will be good to go. And they work better than defaults most of the time. Good luck! Hopefully, we will only be hearing good news from you
PGHammer said:
In my case, I have a similar issue - however, it's an infected SYSTEM file - which Malwarebytes spotted (but is unable to remove), and is NOT related to the KingRoot dodgy file. It's actually two different Trojans - both in /system/priv-app (settings.apk and smsservices.apk) - the first is the more problematical. (It's problematical because it's a critical system file/app/service - killing it without a replacement is NOT an option.) How the heck do you replace such a critical system file when it got itself hijacked?
Click to expand...
Click to collapse
I'd reflash stock.

Securing/controlling OnePlus 8 with OOS 11.0.88.IN21BA

I am a brand new owner of a OP 8. First thing I did was flash it to OOS 11, then installed Magisk. The phone is now up and running and rooted.
I am coming from a galaxy S5 that I have owned and used for more than 7 years, and for most of that time it has been running Lineage OS. I am used to the control that Lineage gives me, and I would expect that I could exercise the same degree of control with a rooted OOS.
But, this appears to not be true.
On the S5, I had 3C System Tuner Pro which is now an obsolete app, so I have replaced it with the current variant; 3C All-In-One toolbox. This package should allow me to control which apps start at boot, but it seems I cannot turn any of the apps off; when I uncheck them, the app fails to actually remove them from the startup list.
Also, I expect the 3C tool to allow me to uninstall pretty much any app, but there are a lot of google apps that I just can't remove.
I also use greenify (the paid version) and mostly it seems to be working OK, except that I cannot seem to access system apps from it, which makes it very hard for me to shut down things that I don't want running.
I also use afwall (the paid version) and it seems to work as expected. Which is good.
My focus is security and privacy, and my mantra is: "on android, the app that is not running is the app that is not spying". Thus, I want everything that is not needed to satisfy my purposes to not be running, and I only want apps running when *I* say that they can run.
Now, my S5 was running Lineage 17.1 which is android 9. I did not update it past that. And now I am running android 11, and I note that there is a lot of new hardware-based validation in android 11. So possibly I can't remove some things without disabling this validation (which I would prefer not to do). But even if I can't remove, I can disable (which, fortunately, I AM able to do). But I should be able to remove things from the startup list so they don't get started automatically at boot time. Right now, the way it works is they all start, then greenify shuts them down (and that isn't always completely reliable). I need more to make this phone genuinely secure and private.
So.
Does anyone here know how I could gain the capability to remove apps (including system apps) from the startup list and have it stick? Does anyone know what I need to do to get greenify to recognize system apps so I can shut them down when they are not needed, or failing that, can anyone steer me to a different app than greenify that will do that?
Perhaps I would gain by adding the xposed framework? I have not used it in a very long time (since I move to lineage) and I recall it being a bit of a pain.
I suppose I could move to Lineage from OOS, but I would prefer to not do that because of the camera software. This device seems to have a fine camera and not a lot of bloatware, so I would much prefer to stay with OOS for as long as the device is supported by the manufacturer.
But I do insist on being able to completely control it, and disabling apps that I can't stop from running is a much bigger hammer than I would like to use; some of those apps I might actually want to use from time to time.
OK, after some work I have successfully taken full control of the OnePlus 8 and have been able to configure startups as I want them. I installed xposed through Magisk.
I also installed the latest greenify (3.7.8) and afwall, and have those set up too. Since I did purchase greenify, I am able to greenify system apps as well. So, generally, I have full control over the device.
But there remains a problem.
I have disabled wifi and data connections in settings for all apps that I don't want to have accessing a network. I have also blocked those apps in afwall. And yet, my pihole DNS server that services my LAN shows me some of my apps are trying to call home, even when their capability to talk on the internet is denied.
Specifically, greenify is denied network access and is firewalled off, yet there is an attempt to connect to oasisfeng.com.
Also, I use an old version of ES File Explorer (from before it was sold and turned into something very like malware) and it is allowed LAN access but denied any access beyond the LAN...and I see it trying to call its old home domain (estrongs.com).
Similarly, I use an old version of UB Reader (later versions again approach malware status), and it is completely denied network access. But, I see a connection to mobisystems.com.
This clearly indicates that there is a proxy in use somewhere in the system, that is allowing these guys past my blocks. I am using adaway to block these specific domains, but it would be far better to just block that proxy.
However, I don't know where the proxy is and what it is called. Can someone here tell me?
If not, it will be trial and error, which is painful because functionality will break when I turn something off to see if this is it.
jiml8 said:
OK, after some work I have successfully taken full control of the OnePlus 8 and have been able to configure startups as I want them. I installed xposed through Magisk.
I also installed the latest greenify (3.7.8) and afwall, and have those set up too. Since I did purchase greenify, I am able to greenify system apps as well. So, generally, I have full control over the device.
But there remains a problem.
I have disabled wifi and data connections in settings for all apps that I don't want to have accessing a network. I have also blocked those apps in afwall. And yet, my pihole DNS server that services my LAN shows me some of my apps are trying to call home, even when their capability to talk on the internet is denied.
Specifically, greenify is denied network access and is firewalled off, yet there is an attempt to connect to oasisfeng.com.
Also, I use an old version of ES File Explorer (from before it was sold and turned into something very like malware) and it is allowed LAN access but denied any access beyond the LAN...and I see it trying to call its old home domain (estrongs.com).
Similarly, I use an old version of UB Reader (later versions again approach malware status), and it is completely denied network access. But, I see a connection to mobisystems.com.
This clearly indicates that there is a proxy in use somewhere in the system, that is allowing these guys past my blocks. I am using adaway to block these specific domains, but it would be far better to just block that proxy.
However, I don't know where the proxy is and what it is called. Can someone here tell me?
If not, it will be trial and error, which is painful because functionality will break when I turn something off to see if this is it.
Click to expand...
Click to collapse
If you are concerned about security, you should stay away from Xposed.
First of all, Xposed requires disabling Selinux, otherwise, it won't work. So during the installation, your Selinux status is turned to 'permissive'. That, coupled with the fact that almost every custom rom sets 'ro.secure to Zero', exposes your System partition to third party apps. So, basically, anything can exploit your phone.
Second, Greenify, with all due respect to its great developer, is not needed anymore, since Android 10, because now we have builtin sleep mode that does the same thing as Greenify.
Third, even if Xposed didn't require disabling Selinux, it is still an exploit that creates a back door to your system.
optimumpro said:
If you are concerned about security, you should stay away from Xposed.
First of all, Xposed requires disabling Selinux, otherwise, it won't work. So during the installation, your Selinux status is turned to 'permissive'. That, coupled with the fact that almost every custom rom sets 'ro.secure to Zero', exposes your System partition to third party apps. So, basically, anything can exploit your phone.
Second, Greenify, with all due respect to its great developer, is not needed anymore, since Android 10, because now we have builtin sleep mode that does the same thing as Greenify.
Third, even if Xposed didn't require disabling Selinux, it is still an exploit that creates a back door to your system.
Click to expand...
Click to collapse
Device security is only one aspect of security, and I handle that mostly through device configuration and usage policy anyway.
Overall security involves many other factors, which include maintaining full privacy and control over all data that gets out of the device and goes...elsewhere. To maintain this level of privacy requires reconfiguring any android device to prevent the release of that information. If this requires setting Selinux to permissive, then that tradeoff is quite acceptable. I might prefer it not be the case, but so long as all android devices sold into the marketplace represent the interests of google, the manufacturer, and any third-party that pays the manufacturer ahead of my interests then I will make that tradeoff.
As for Greenify, I have not found the sleep mode that is available in Android 11 to be adequate because it does not allow me to control system apps. You can take it as a maxim that the only android app that does not spy is the android app that is not running - and this includes lots of system apps that I might not want to delete or disable but also don't want running unless I say so, and then only while I am satisfying MY purpose for them.
As for the problem I was asking about, I added the specific URIs to the adaware blocklist and that suppressed them. Prior to that, I was seeing the DNS requests on my LAN DNS. I suspect the network utility I am using to monitor the phone's traffic is reporting requests ahead of the iptables FILTER table, and the packets were being suppressed prior to leaving the device, but I am not certain of that. The only way I could tell would be to monitor the device traffic as it went through the upstream VPN gateway on my LAN, and I did not do that.
Adaware works adequately for this, and I am not seeing any other unexpected/unacceptable traffic from my phone. The one remaining thing I need to check for will involve monitoring from the VPN gateway, as I look for any DoH or DoTLS traffic. I hope I don't find any; that will be a ***** to block. I do block it on the IOT VLAN on my network, but it requires a separate device running a script I wrote. To block DoH/DoTLS on my phone, while allowing appropriate DNS will be...fun.
Edit: And, actually, I just took a quick look. The sestatus command returns that my selinux status is "enforcing". The xposed framework I installed, actually, is lsposed, which is a systemless install using magisk. It implements the xposed framework but in a systemless way; I was just lazy when I wrote about it in my previous post.
jiml8 said:
Device security is only one aspect of security, and I handle that mostly through device configuration and usage policy anyway.
Overall security involves many other factors, which include maintaining full privacy and control over all data that gets out of the device and goes...elsewhere. To maintain this level of privacy requires reconfiguring any android device to prevent the release of that information. If this requires setting Selinux to permissive, then that tradeoff is quite acceptable. I might prefer it not be the case, but so long as all android devices sold into the marketplace represent the interests of google, the manufacturer, and any third-party that pays the manufacturer ahead of my interests then I will make that tradeoff.
As for Greenify, I have not found the sleep mode that is available in Android 11 to be adequate because it does not allow me to control system apps. You can take it as a maxim that the only android app that does not spy is the android app that is not running - and this includes lots of system apps that I might not want to delete or disable but also don't want running unless I say so, and then only while I am satisfying MY purpose for them.
As for the problem I was asking about, I added the specific URIs to the adaware blocklist and that suppressed them. Prior to that, I was seeing the DNS requests on my LAN DNS. I suspect the network utility I am using to monitor the phone's traffic is reporting requests ahead of the iptables FILTER table, and the packets were being suppressed prior to leaving the device, but I am not certain of that. The only way I could tell would be to monitor the device traffic as it went through the upstream VPN gateway on my LAN, and I did not do that.
Adaware works adequately for this, and I am not seeing any other unexpected/unacceptable traffic from my phone. The one remaining thing I need to check for will involve monitoring from the VPN gateway, as I look for any DoH or DoTLS traffic. I hope I don't find any; that will be a ***** to block. I do block it on the IOT VLAN on my network, but it requires a separate device running a script I wrote. To block DoH/DoTLS on my phone, while allowing appropriate DNS will be...fun.
Edit: And, actually, I just took a quick look. The sestatus command returns that my selinux status is "enforcing". The xposed framework I installed, actually, is lsposed, which is a systemless install using magisk. It implements the xposed framework but in a systemless way; I was just lazy when I wrote about it in my previous post.
Click to expand...
Click to collapse
I have been building Android roms for multiple devices for 9 years. When I started, I also gave a significant positive weight to Xposed, etc... . But the more I learned Android code, the more I became convinced that all those 'privacy' layers are mostly useless and even harmful, because they create a false sense of security.
Vanilla Android roms, actually, contain very little advertising/spying, and it makes a perfect sense: why would Google open-source their spying/advertising machine?
The only thing that might be considered spying (in vanilla Android) is captive portal detection that checks the internet connection and a few other network tools/tests that periodically connect to the internet, but not necessarily with nefarious purposes. But even these could be disabled or changed to other servers.
Android becomes an advertising tool only when you install Google Apps/Google Services Framework, register a Google account, etc. Once you have that, and 100% of stock roms do, no amount of tweaking can prevent spying, because these Google 'structures' sit lower than any systemless layer. In other words, they can go around Magisk/Xposed tricks. Moreover, on devices with stock roms, one doesn't even need encryption and the use of apps like Signal/Telegram/Silence etc.. Google Services Framework can see your outgoing messages before they are encrypted, and incoming messages after decryption. In other words, they can see what your eyes see on the screen.
So, the only way to prevent Google interests from taking over your phone is never install Google 'things', which is the case with my rom and my phone.
optimumpro said:
I have been building Android roms for multiple devices for 9 years. When I started, I also gave a significant positive weight to Xposed, etc... . But the more I learned Android code, the more I became convinced that all those 'privacy' layers are mostly useless and even harmful, because they create a false sense of security.
Vanilla Android roms, actually, contain very little advertising/spying, and it makes a perfect sense: why would Google open-source their spying/advertising machine?
The only thing that might be considered spying (in vanilla Android) is captive portal detection that checks the internet connection and a few other network tools/tests that periodically connect to the internet, but not necessarily with nefarious purposes. But even these could be disabled or changed to other servers.
Android becomes an advertising tool only when you install Google Apps/Google Services Framework, register a Google account, etc. Once you have that, and 100% of stock roms do, no amount of tweaking can prevent spying, because these Google 'structures' sit lower than any systemless layer. In other words, they can go around Magisk/Xposed tricks. Moreover, on devices with stock roms, one doesn't even need encryption and the use of apps like Signal/Telegram/Silence etc.. Google Services Framework can see your outgoing messages before they are encrypted, and incoming messages after decryption. In other words, they can see what your eyes see on the screen.
So, the only way to prevent Google interests from taking over your phone is never install Google 'things', which is the case with my rom and my phone.
Click to expand...
Click to collapse
I don't really program Android, though I am a kernel developer in both Linux and Freebsd. I also am one of the principal architects of a network infrastructure appliance that is getting a lot of attention in the industry.
So, while I do not know android in detail at a low level, I know linux thoroughly and I am fully equipped to completely monitor and control what access that android (or any other computer) has to any network. And that has been my dilemma; I can see what my device is doing and I am determined to stop it.
I agree with you about vanilla Android, absent all the google stuff. It is just linux with a different desktop on it, and the connections it makes to google are just for network management functions; the network device I have built also contacts google (and a few others) for network maintenance only and not any information transfer.
Unfortunately, the google apps infrastructure is required for some things that I use the phone for. Google maps is required by both Uber and Lyft; without Maps, I can't use those apps - and there are times when I am traveling where I really need to be able to use those apps.
Also, unfortunately, the company I am contracted to (where I am part-owner) for which I have built this network appliance makes heavy use of google tools. I have not been able to convince my partners to move away from google, and they can outvote me.
I have to allow Meet, and Chat to run on my device; I don't have a practical alternative. So I have spent a lot of time determining exactly which google components are the minimum required to allow those apps to run, and I have disabled or blocked or restricted permissions for all other google components - and both greenify and afwall play key roles in this activity.
With my old Galaxy S5, I just would install the smallest google package that supported Maps onto my Lineage OS on that device, but on this OnePlus 8, I have elected to stick with OOS for as long as it receives updates. So, tying google's hands is a lot more work.
My monitoring tells me I have it now as good as it will be. There are a few connections to google, as expected, but the frequency of those connections is not high and very little data is being transferred in either direction. I believe most of the traffic is administrative. The only thing I have not yet checked is whether there is any DoH or DoTLS traffic. My IOT VLAN watches for and blocks such traffic (my IOT VLAN exists to isolate and completely control my Android TV), and I have connected the phone to the IOT VLAN for a short while to see if any DoH/DoTLS was detected and none was - but I really need to connect it to that VLAN for an extended period.
I do root around in the phone's databases (which reveals what Google is doing, and Google can't stop that...) and the result is that I know Google is not doing much.
So, it isn't perfect. I would be much happier if the company would move away from google. But it is as good as its going to get, and I don't believe google is sneaking anything by me; I would have detected it. I do block a LOT of google URIs.
Also, as far as google open-sourcing their spying machine...that, quite explicitly, is the purpose of Android. It is open-sourced spyware for google.
They open-sourced it partly because they had to (the gnu licensing ties their hands) and partly to gain acceptance; its open source nature is why it is now the dominant architecture. It greatly reduces development costs for device manufacturers while providing a standardized framework upon which they can build.
Those of us who put in the effort to exploit that open-source nature to stop the spying are a small fraction of the total marketplace, and google can easily tolerate us.
Android has increased google's reach and ability to collect data about individuals to an enormous extent. From the standpoint of knowing everything about everybody (which is google's explicit goal) it is an enormous win for them.

Categories

Resources