Mission Impossible: Hardening Android for Security and Privacy - Security Discussion

Executive Summary
The future is here, and ahead of schedule. Come join us, the weather's nice.
This blog post describes the installation and configuration of a prototype of a secure, full-featured, Android telecommunications device with full Tor support, individual application firewalling, true cell network baseband isolation, and optional ZRTP encrypted voice and video support (ZRTP does run over UDP which is not yet possible to send over Tor, but we are able to send SIP account login and call setup over Tor independently).
Aside from a handful of binary blobs to manage the device firmware and graphics acceleration, the entire system can be assembled (and recompiled) using only FOSS components. However, as an added bonus, we will describe how to handle the Google Play store as well, to mitigate the two infamous Google Play Backdoors.
Introduction
Android is the most popular mobile platform in the world, with a wide variety of applications, including many applications that aid in communications security, censorship circumvention, and activist organization. Moreover, the core of the Android platform is Open Source, auditable, and modifiable by anyone.
Unfortunately though, mobile devices in general and Android devices in particular have not been designed with privacy in mind. In fact, they've seemingly been designed with nearly the opposite goal: to make it easy for third parties, telecommunications companies, sophisticated state-sized adversaries, and even random hackers to extract all manner of personal information from the user. This includes the full content of personal communications with business partners and loved ones. Worse still, by default, the user is given very little in the way of control or even informed consent about what information is being collected and how.
This post aims to address this, but we must first admit we stand on the shoulders of giants. Organizations like Cyanogen, F-Droid, the Guardian Project, and many others have done a great deal of work to try to improve this situation by restoring control of Android devices to the user, and to ensure the integrity of our personal communications. However, all of these projects have shortcomings and often leave gaps in what they provide and protect. Even in cases where proper security and privacy features exist, they typically require extensive configuration to use safely, securely, and correctly.
This blog post enumerates and documents these gaps, describes workarounds for serious shortcomings, and provides suggestions for future work.
It is also meant to serve as a HOWTO to walk interested, technically capable people through the end-to-end installation and configuration of a prototype of a secure and private Android device, where access to the network is restricted to an approved list of applications, and all traffic is routed through the Tor network.
It is our hope that this work can be replicated and eventually fully automated, given a good UI, and rolled into a single ROM or ROM addon package for ease of use. Ultimately, there is no reason why this system could not become a full-fledged off-the-shelf product, given proper hardware support and a good UI for the more technical bits.
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

Pretty much what Guardian ROM is doing. I look forward to all the new builds
Truth. Transparency. Technology

Related

SecAndy : let's get the party started

Pronounced "say candy", the goal of SecAndy is to come up with as secure and private of an OS as possible. So as not to reinvent the wheel, we'll base this initiative on our open source code of choice (Android or maybe other developers' choice).
I am not a developer myself but I can without a doubt, because of former professional experiences, organize a project and gather the right people together as a community in order to make sure that project sees the light of day after it has acquired a life of its own if needed, which I think we will agree is something that this kind of project requires because of the scrutiny it will quickly attract.
I am officially calling upon this post all interested developers that could help us fork Android or other open source OS.
Let's get a kickstarter funded and let the party begin. I will update you later today on the advancement of such.
This thread welcomes constructive ideas and developer participation, but here are the beginning requirements we'll need to fulfill eventually to privatize and secure Android:
- default browser allowing custom search engines such as https://ixquick.com or duckduckgo
- default system search pointing to those custom engines for online component
- control of GPS at firmware level to allow it to be fully disabled
- peer to peer file exchange (think BitTorrent sync) with 1024 to 2048 bit encryption
- implementation of secure sms and mms exchange (think textsecure)
- implementation of encrypted voice channels (think redphone or SIP with end-to-end encryption)
- root vpn for all online access
- systemwide warning of insecure solutions (example : wanting to use gmail or regular email)
- PGP transparent email solution
- Tor option for root vpn (subject to mitm attacks but more on that later)
- peerguardian type auto-updated database to identify suspicious IP address ranges
- systematic in-out firewall control auto updated with peerguardian database and community based rules database
- hardened malware protection and app permissions with automatic permission audit based on application type
- full device encryption and lockup (in case of unauthorized user)
- full remote wipe and bricking with auto IMEI reporting (in case of theft, might have to be amended because of attack vector)
- full remote location capability with real time tracking (that one might have to be scratched, high security risk because of attack vector)
This obviously doesn't cover all the bases but would be a good start... I know a lot of these options can be implemented with a mismatch of apps and custom Roms but having it all at an OS level AOKP style would greatly help in building an android by the people for the people community that could eventually loosen the stranglehold of less than transparent corporations.
60 views in 24 hours and not one comment. Obviously I'm approaching this the wrong way. More news at 11.
e-motion said:
60 views in 24 hours and not one comment. Obviously I'm approaching this the wrong way. More news at 11.
I don't want to be insulting, but no programming work has been done on your part, and you're just asking for people to dive in this project to get managed by someone they never heard of. It's not really surprising no one has commented yet.
I understand what you're saying but any comment, even if only just to show interest in such a project, will be key to drive developers to it.
I might not have started any development but I have clear understanding of how to design secure solutions. I can't go into details of why that is, however you can clearly see with my 2nd post that some research has been done. If I wanted a solution for me alone, I could just go on with my own little pudding of custom ROM and security apps.
However, because of the recent news events that SHOULD have awakened this population, I thought now might finally be the right time to try to get such a project off the ground. But without anyone even showing any interest, why would any developer be drawn to it? If people would rather focus more on content consumerism than on what might happen under an umbrella of spooks that they're paying for with their taxes, then they have learned nothing from history and deserve what's coming to them, simple as that.
This is NOT a development thread in case you haven't noticed, so telling me I haven't developed anything yet is not even relevant.
In case anyone cares, this will be moved shortly to the T-Mobile Note 2 Android development thread as a TouchWiz proof-of-concept ROM. Little steps, little steps...
Sent from my SGH-T889 using Tapatalk 2
mobile sec
While I am not a developer I would be interested in this project. I've been thinking about this a bit lately given recent events. I think a useful privacy preserving security related app and phone combo might have these features:
-some way to separate the baseband processor (radio) from the OS. It seems most phones share memory with the radio and this fact can and has been exploited. Own the bb processor and you own the phone. Perhaps a 3g dongle plugged into an android phone in host mode would work. Some of these usb "data only" radios can be unlocked for voice too. I believe a rooted phone with IP tables/firewall running would be much more secure than a conventional mobile phone.
-an anonymising network for connecting to servers/peers. I think the i2p network is well suited for this purpose. Rather than connect to services that are not designed with your anonymity/privacy in mind, connect to hidden/darknet servers that make it extremely difficult to ascertain your real IP and location. Perhaps an i2p router running on your home computer relaying i2p traffic while also maintaining a long lived encrypted connection to your mobile in order to "push" data to it. In this way the user benefits from the anonymising network, contributes to the network, but doesn't have the battery drain of relaying packets from the phone (if this is even possible).
-end-to-end encryption. Perhaps OTR messaging for texting and perhaps openPGP for transferring binary files as I don't believe file transfer in OTR is available at this time.
-an app that uses the above network that is capable of sending/receiving encrypted text, audio, video, gps location etc and does not leak any personal information that you don't want leaked. XMPP might be a good choice (with perhaps out-of-band binary transfers for efficiency). Giving your unique identifier to another person that is using the same app would allow you to communicate with them while not revealing your phone number, imei, imsi, etc. There would be some latency in the communication especially with binary transfers but I would gladly accept that for the added security.
Anyway, just wanted to add this to the conversation and hope to see this project take shape, as we definitely need more security-enabled OSes and apps.

[Suggestions & Discussions] Why mobile security matters

Hey XDAians...
Get ready for a few suggestions & discussion.
Based on some pretty interesting facts about "mobile in general": the smartphone segment has brought accessibility to millions around the world, at work and at home. Naturally, all the data in those devices, wirelessly accessible, becomes a gold mine for those with nefarious motives to exploit.
On the work front, smartphones are a huge contributor to productivity. At home, they provide meaningful and useful (and sometimes redundant) ways to stay in touch with friends and family. The more of these devices we buy, the bigger the opportunity is for criminals, because there are so many ways to get the data. We might lose a device, or it is stolen, we might download a bad application, or soon brush against an NFC tag or visit a bad web page. The possibilities are so diverse compared to a PC or server farm hardwired to the internet.
With the tremendous growth of the smartphone market not expected to slow down anytime soon, people and organizations must be vigilant in guarding against breaches of their data and/or personal information. Even as organized hackers work on ways to score the high-value breach, they are working on high-volume, low-risk attacks against weaker targets as well.
In addition to some tips about securing mobile devices, the infographic has some interesting facts from 2011 in there as well, such as 855 breaches resulted in the theft of 174 million records.
We need some security applications to protect our valuable data (like messages, contacts, PIN codes etc.). Therefore, from my side this thread belongs to all XDAians.
Please suggest the latest, finest applications & a few tremendous suggestions from all Devs, RCs, RDs & Members.
I like a security-based application called LBE Privacy Guard to prevent sending data through various applications installed on our mobile.
Some great ideas received from our XDA members, which follow here.
As this OP thread may become too long, for a better view just press "Show Contents" for their suggestions.
A very big thanks to Android Police, Phone Arena & Android Authority for their surveys about malware & security.
How to secure your Android phone and protect your data
All software has security vulnerabilities. It is a fact. You only need to look at the software updates that are issued by the big companies like Microsoft, Adobe, Apple and Google to see how prevalent this security problem is. Smartphones aren’t immune, not iPhones, not Windows Phones and not Android. But there are some simple things you can do that will drastically reduce your exposure and help secure your Android phone or tablet, as well as protect your data.
A recent report by Check Point, the firewall maker, estimated that €36+ million has been stolen from corporate and private bank accounts in Europe by a group running a campaign of attacks known as “Eurograbber”. The campaign infected victims’ mobile phones with a piece of malware which could intercept SMS messages. When the victim used their online banking, the SMS authentication code sent to the phone was intercepted. This then allowed the attackers to access the victim’s account.
Securing your smartphone and protecting yourself against malware isn’t about stopping some annoying virus getting on your device, it is about protecting your money, data and privacy.
There are several different areas in which you can improve your phone’s security including physical access, malware protection and encryption.
Who has access to your phone?
RULE #1 – Never leave your phone lying around where uninvited guests can access it
Before looking at things like malware and data-stealing apps, the simplest form of security is to limit physical access to your phone. There may be lots of sophisticated remote attacks out there, but if all I need to do is quickly pick up your phone and access your emails, PayPal, eBay or Amazon account while you pop off to get a coffee, then all the security software in the world won’t do you any good.
RULE #2 – Use a lock screen
It is also essential that you use a lock screen. This stops everyone from small kids to determined snoopers from sneakily accessing your device. Modern Android versions have a whole gamut of lock screen options including pattern unlock, PIN numbers and password protection. To set these go to Settings and then tap Security. You can also customize how quickly the lock is automatically applied.
RULE #3 - Set a PIN to protect purchases on Google Play
It is also possible to set a PIN for purchases in Google Play. With the PIN, any would-be trickster (or small child) won’t be able to buy content from Google’s app store. To set it, start the Google Play app, go to Settings and then tap “Set or change PIN”. After the PIN is set, tap “Use PIN for purchases” to require the PIN before purchasing anything from the store.
RULE #4 – Install a phone location app or use a security app with an anti-theft component
Keeping your phone nearby and using a lock screen will thwart snoopers, but the determined criminal will simply walk away with your phone and try to extract the data later, or simply wipe your phone and try to sell it. The first few hours after your phone has been taken are the most critical. To find your phone it is important to use a phone location service like Where’s My Droid or install a security app with an anti-theft option like avast! Mobile Security.
Malware
RULE #5 – Don’t install apps from dodgy third party sites, stick to places like Google Play or the Amazon appstore
Because Android is so popular, it is normal for it to become a malware target. Malware authors don’t waste their time writing malware for a phone operating system that no one is using. This means that there is lots of Android malware out there. But here is the thing: how does Android malware spread? Unlike worms, which spread automatically over the network, or viruses, which tend to spread via USB flash drives etc., the majority of Android malware needs to be installed manually. There have been some exceptions, but in general it is unsuspecting users that install the malware themselves onto their own phones.
The malware authors have lots of dirty tricks to try and fool potential victims into installing their malware. One very common approach is to offer a free version of a popular non-free app with the malware hidden inside the app. Greedy users think they are getting a bargain because they have managed to save $0.69, but in fact they are infecting their devices with malware. Over 99% of Android malware is spread via third party app sites. Don’t use them.
RULE #6 – Always read the reviews of apps before installing them
RULE #7 – Check the permissions the app needs. Games generally don’t need to send SMS messages etc
A small percentage of malware is spread via Google Play, but the apps in question normally only survive a few hours on the store before being removed. To avoid such rare cases it is always important to read the reviews of other users and always check the app permissions.
RULE #8 – Never follow links in unsolicited emails or text messages to install an app
If the malware authors can’t get you via a third party store or their apps are taken down from Google Play, they have one more trick, unsolicited emails and text messages asking you to install an app. In the “Eurograbber” campaign, what the attackers did was infect the victim’s PC with a piece a malware (something which is a lot easier than infecting an Android phone) and then via that malware they tricked the user into installing their “enhanced security” app on their phone. The PC malware monitored the victim’s Internet usage and when they went to an online banking site the malware pretended to be a warning from the bank telling them to install an app on their smartphone. It was all downhill from there for the poor victim.
RULE #9 – Use an anti-virus / anti-malware app
Even with diligence it is possible for malware to find its way onto your device. It is therefore important that you install an anti-virus / anti-malware app. This article on the best antivirus apps for Android will help you choose one, but if you don’t have time right now then go for Kaspersky Mobile Security (paid) or avast! Mobile Security (free).
Rooting
RULE #10 – Don’t root your phone unless you absolutely need to
Some of my colleagues here at Android Authority are very keen on rooting and I can understand why. The lure of custom ROMs and the ability to tweak different parts of the OS are all part of what makes Android great. But Android was designed with a very particular security model which limits what an app can do. By rooting a device this security model breaks. Even the CyanogenMod team acknowledged that there are limited uses for root and none that warrant shipping the OS defaulted to unsecured. The problem is that there are specific types of Android malware that circumvent Android’s security mechanisms by using the existing root access. With root access, the malware can access parts of Android that are supposed to be protected by the permissions system.
Encryption
RULE #11 - If your device has valuable data on it then use encryption
Since Android 3 it is possible to use full encryption on a phone or tablet. By encrypting your device all the data including your Google Accounts, application data, media and downloaded information etc. becomes inaccessible without the right password or PIN. Every time you boot the device you must enter the PIN or password to decrypt it. If your device has valuable data on it using this encryption is a must. NASA recently had an embarrassing episode where a laptop was taken that held personally identifiable information of “at least” 10,000 NASA employees and contractors. After the incident NASA decided that any devices that leave a NASA building need to use full disk encryption.
RULE #12 – Use a VPN on unsecured Wi-Fi connections
While on the subject of encryption, it is worth remembering that if you are using a public unsecured Wi-Fi hot spot, all of the data that is sent using http:// (rather than https://) can be seen by any network snooper. In the past, security researchers have shown how easy it can be to steal passwords to the popular social networking sites just by using a laptop and waiting around near a public open hot spot. To avoid revealing your password and other data, don’t use open Wi-Fi hot spots, or use a virtual private network (VPN) to secure your connection.
Conclusion
If you follow these twelve rules and remain vigilant you should never have any security troubles with malware, thieves, hackers or any small furry animals! OK, that last part isn’t true, but the rest is!
Source: Android Police
Android malware perspective: only 0.5% comes from the Play Store
Are Android apps secure enough for us to let them handle our finances and personal information? Quite a few of them aren't, according to a recent study that analyzed how well various applications protect the user's sensitive data. The study was conducted by the Leibniz University of Hannover, Germany, in partnership with the Philipps University of Marburg; the researchers came up with a list of 41 Android apps that should use tighter security measures.
In particular, these apps were discovered to put the user's data at risk while a device running Android 4.0 is communicating with a web server. What's even more worrying is that these insecure apps were among the most popular ones on Google Play, having been downloaded between 39.5 million and 185 million times already. The names of the applications were not disclosed.
"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers wrote after conducting their study. "Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted." The contents of e-mails and instant messages could also be accessed.
But how could one use these apps' security flaws to their advantage? Simply put, if an Android smartphone or a tablet is connected to a vulnerable local area network, such as a Wi-Fi hotspot, an attacker could potentially crack the security protocols used by the apps and snoop on the data they exchange. Sure, the attacker will need to have a certain exploit monitoring the activity on the network, but obtaining access to such a tool isn't as hard as it may seem.
Scary stuff, we know, which is why there should be more awareness amongst developers about implementing proper security features within apps, as the researchers suggest. There are certain methods that can make security protocols tougher to crack, or the apps could simply be checked for vulnerabilities at the time they are being installed. In fact, Google is said to have ramped up security in Android 4.2, thus likely making the platform more resistant to hacks like the one described above. What measures have been taken, however, will be known with certainty in a few days – On October 29, to be more specific, which is when a new Android release is probably going to be unveiled.
Over 60% of Android malware steals your money via premium SMS, hides in fake forms of popular apps
Like any popular platform, Android has malware. Google’s mobile operating system is relatively new, however, so the problem is still taking form. In fact, it turns out that the larger majority of threats on Android come from a single malware family: Android.FakeInstaller, also known as OpFake, which generates revenue by silently sending expensive text messages in the background.
McAfee says that the malware family makes up more than 60 percent of Android samples the company processes. So now the question is: why is this malware so popular amongst cybercriminals?
The reason is simple: it’s extremely effective. Android users seem to fall for fake apps on a regular basis. Furthermore, since the malware as a whole appears to make money, it’s not surprising that those behind this one continue to keep it updated. McAfee agrees:
Malware authors appear to make lots of money with this type of fraud, so they are determined to continue improving their infrastructure, code, and techniques to try to avoid antivirus software. It’s an ongoing struggle, but we are constantly working to keep up with their advances.
This malware type has been in the news for months, mainly because there have been so many fake apps created, including for popular ones like Instagram and Skype. On top of that, those behind it seem to keep adding various types of functionality to avoid detection by antimalware solutions, including server-side polymorphism, obfuscation, antireversing techniques, and frequent recompilation.
How it works
Cybercriminals typically create fake versions of a given popular Android app to earn money from unsuspecting users. There have also been instances of the malware being bundled with a legitimate version of popular apps. The apps appear to be legitimate, including screenshots, descriptions, user reviews, videos, and so on. Users never get the app they want, but instead get a lot more than they bargained for.
The malware authors often set up fake websites advertising the fake version of the app. Many of these are shared on questionable websites, but many are also shared on fake Facebook and Twitter accounts that spam legitimate users on social networks.
Upon installation, the malware often displays a service agreement that tells the user that one or more SMS messages will be sent. The user is forced to click an Agree or Next button, but some versions send the messages before the victim even taps the button. There are often fake progress bars to keep the user further in the dark.
Either way, the devil is in the details. In the background, the malicious app sends expensive international text messages to earn its creators revenue. Some variants even connect to a Command & Control (C&C) server to send and retrieve data, as well as await further instructions.
Early versions of FakeInstaller were created only for Eastern European users, but malware developers have expanded their fraud to other countries by adding instructions to get the device’s Mobile Country Code and Mobile Network Code. Based on that information, the malware selects a corresponding premium-rate number.
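The manual check Rule 7 above asks for (does an app of this kind need to send SMS?) and the FakeInstaller shape just described (an app posing as Instagram or Skype that quietly texts premium-rate numbers) can both be turned into a manifest audit. This is an added example written for this thread, not code from Android Authority, McAfee or any product named here; the two manifests are constructed samples, and the "real" package names for Instagram and Skype are assumed from the published apps.

```python
"""Audit the permissions an Android app's manifest requests against what an
app of its declared kind plausibly needs, and flag impersonation of a
well-known app.  Example code for this thread, not from any named tool."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS     # android:name on <uses-permission>
LABEL = "{%s}label" % ANDROID_NS   # android:label on <application>

SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}
# App kinds for which SMS permissions are a plausible need; a game, a photo
# app or an "installer" for another app is not one of them (Rule 7).
SMS_EXPECTED_FOR = {"messaging", "dialer", "two-factor"}
# Permissions a plain game rarely needs; reported at lower severity.
UNUSUAL_FOR_GAMES = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
# Package names the impersonated apps use (assumed from the published apps;
# verify against the Play Store listing before relying on them).
KNOWN_PACKAGES = {"Instagram": "com.instagram.android", "Skype": "com.skype.raider"}


def parse_manifest(manifest_xml):
    """Return (package, label, set of requested permission names)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(LABEL, "") if app is not None else ""
    perms = {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}
    return root.get("package", ""), label, perms


def audit_manifest(manifest_xml, category):
    """Return a list of (severity, message) findings; empty means nothing odd."""
    package, label, perms = parse_manifest(manifest_xml)
    findings = []
    sms = sorted(p.rsplit(".", 1)[1] for p in perms & SMS_PERMISSIONS)
    if sms and category not in SMS_EXPECTED_FOR:
        findings.append(("HIGH", f"{category} app requests {', '.join(sms)}"))
        if {"SEND_SMS", "RECEIVE_SMS"} <= set(sms):
            # Sending texts and reading incoming ones is the combination both
            # premium-SMS fraud and SMS-code interception (Eurograbber) need.
            findings.append(("HIGH", "can both send SMS and read incoming SMS"))
    if category == "game":
        for p in sorted(perms & UNUSUAL_FOR_GAMES):
            findings.append(("MEDIUM", f"game requests {p.rsplit('.', 1)[1]}"))
    expected = KNOWN_PACKAGES.get(label)
    if expected and package != expected:
        findings.append(("HIGH", f"label {label!r} but package {package!r}, "
                                 f"expected {expected!r}"))
    return findings


# Constructed sample: a "photo" app calling itself Instagram that wants to text.
FAKE_INSTAGRAM = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.instagram.installer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Instagram"/>
</manifest>"""

# Constructed sample: a game that asks only for what a game needs.
BENIGN_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Puzzle"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml, cat in (("fake", FAKE_INSTAGRAM, "photo"), ("game", BENIGN_GAME, "game")):
        print(name, audit_manifest(xml, cat) or "clean")
```

On a real device the manifest is binary XML inside the APK; run it through aapt or apktool first to get the text form this parser expects.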
How to protect yourself
The good news here is that since this malware family is so prevalent, it’s rather easy to avoid it: just don’t download fake apps. Android lets you download and install apps from anywhere, but unless you know what you’re doing, you shouldn’t be installing anything and everything you can on your phone or tablet.
If you want to significantly reduce your chance of getting malware such as this one, only install apps from the official Google Play store. That being said, malware has snuck into the store before, so it can happen again.
As a result, the way to protect yourself is the same as on any other platform: don’t click on questionable links and don’t download random apps. Always check to see if what you’re getting is legitimate and you should be fine.
Android’s malware problem is getting worse, and only users of the latest version are safe from harm
Earlier this year, we saw a report that said there was a 163% rise in the number of malware-infected Android devices in 2012. As shocking as that figure might be, we have a new report now that says the problem has blown up even further.
According to a recently published report[1] from networking vendor Juniper Networks, the number of mobile threats grew an astonishing 614% from March 2012 to March 2013. This equates to a grand total of 276,259 malicious samples, according to research done by the company's Mobile Threat Center or MTC.
What exactly constitutes such a large amount of mobile threats? It is said that the majority of these mobile threats — 77% of the total — come in the form of money-siphoning applications that either force users to send SMS messages to so-called premium-rate numbers or somehow manage to perform the sending of SMS messages all on their own.
They go virtually undetected as they are normally bundled with pirated apps and appear as normal applications. Typically, these malicious apps can net their creators an average profit of about $10 per user, according to Juniper Networks.
As it is currently the most popular mobile device platform in the world, it's easy to see why Android would be targeted with such malicious activities. But perhaps you're wondering, is there anything that can be done to combat this problem?
Indeed, there is. In Android 4.2 Jelly Bean, a new safety feature was introduced in order to stop wayward SMS messages dead in their tracks. But that in itself is a huge problem: Android 4.2, the latest version of the Google mobile operating system, is only available on a tiny fraction of all Android-powered devices out on the market. In fact, many of today's newer devices don't even ship with it. So the relevant safety features, as useful as they might be, become pretty much useless.
Even worse, the money-making malware mentioned above represents only one type of mobile threat on Android. Android spyware is also present, accounting for 19% of the total malicious samples collected in the above-mentioned research. These could potentially put a user's privacy at risk, collecting sensitive data and all kinds of information then relaying them to the spyware's creator.
Trojan apps have also been discovered to be part of the overall Android ecosystem. Although they form a very small part of the entire body of mobile threats on Android right now, it is possible for them to become more widespread in the future. If the fix really only lies in having the latest version of Android installed on a device, and the issue of fragmentation — not to mention the slow software updates from carriers and OEMs — persists, that's almost a certainty.
What do you think could be done to finally overcome these kinds of problems? Will it be the end of Android as we know it? Let us hear your thoughts in the comments.
Mobile malware getting out of control? Study claims 614% increase on year, Android accounts for 92% of total infections
A terrifying report was released two days ago by the Mobile Threat Center arm (MTC) of Juniper Networks – a manufacturer of network equipment with a hefty stake in enterprise security. According to Juniper, its MTC research facility is dedicated to 'around-the-clock mobile security and privacy research'. The MTC found mobile malware growing exponentially at an alarming rate – a 614% year-on-year increase, reaching a total of just about 280,000 malicious apps.
A major app vulnerability has been found which can affect 99 percent of the Android smartphones on the planet.
A major app vulnerability has been found which can affect 99 percent of the Android smartphones on the planet. The issue was unraveled by Bluebox Security, which claimed to have found an ‘Android Master Key’ that could allow a hacker to turn any Android app into a malicious zombie.
This basically means that an app could allow hackers to capture data and control a device remotely, without the owner and the app developer knowing about it.
And the kicker is that, this is not a new vulnerability as Bluebox has discovered that it has existed since Android 1.6 Donut, which is four years old.
Jeff Forristal, CTO of Bluebox Security, revealed that his company had found a way wherein a hacker could possibly load an app with malware and still make it appear to be a legitimate file. This bit is important because verified apps are granted full access by default on the Android system.
However, on the bright side apps on the Google Play store are impervious to this problem, so if one sticks to downloading apps from the Play store then one is in the clear. That said, there are a number of third party app stores and users can even download APKs directly off the web and here’s where the danger lies as it is possible for users to download tampered apps.
This problem is accentuated more in countries like China where users like to use local app store over the Google Play store and many OEMs like Xiaomi don’t even bundle the Google Play store on the device by default.
Bluebox Security claims that it reported the problem to Google way back in February and the issue has already been resolved for the Galaxy S4, and currently Google is taking a look at the Nexus range of hardware.
Cryptographic bug in Android lets hackers create malicious apps with system access
Security researchers have found a bug in Android which allows them to create malicious Android apps which appear to be genuine with the correct digital signatures. In computing, digital signatures allow any piece of data, including an app, to be checked to see that it is genuine and actually comes from the author. Now, due to a bug in Android, it is possible to create a fake app and sign it so it looks like a real app from any author including Google, or others like Samsung, HTC and Sony.
Since the digital signatures of Google and handset manufacturers can be faked it is possible to create a low level system app which has absolute access to the device. These system apps, which have what is known as 'System UID access' can perform any function on the phone including modifying system-level software and system-level parameters.
If such an app is installed on an Android phone, the user would be completely vulnerable to a multitude of attacks including key-logging and password sniffing. The researchers at Bluebox Security informed Google about the flaw (Android security bug 8219321) back in February and are now planning to reveal details of the bug at an upcoming security conference.
More details -> here
Survey: Juniper Networks Whitepaper (Warning: PDF)
reserved.
Thanks for this thread buddy
Sent from my GT-N7100 using xda app-developers app
Tha TechnoCrat said:
Thanks for this thread buddy
Sent from my GT-N7100 using xda app-developers app
Great to see you here buddy. Actually I wanted to shift my whole thread here but a MOD denied it and asked me to carry on with a new phase. So here I am.
Thank you Vikesh for creating this thread.
In my view
Every day, every hour and every minute hackers are coming up with new viruses and malware.
Not only can they corrupt your phone but they can also steal confidential information like credit card numbers, passwords and other important data. So every Android user should spend some money on an anti-virus to save their confidential information, and money of course.
Sent from my GT-I9103 using xda app-developers app
Major app vulnerability found, could affect 99 percent of Android smartphones
A major app vulnerability has been found which can affect 99 percent of the Android smartphones on the planet. The issue was unraveled by Bluebox Security, which claimed to have found an ‘Android Master Key’ that could allow a hacker to turn any Android app into a malicious zombie.
Continue in post 3
Cryptographic bug in Android lets hackers create malicious apps with system access
Security researchers have found a bug in Android which allows them to create malicious Android apps which appear to be genuine with the correct digital signatures. In computing, digital signatures allow any piece of data, including an app, to be checked to see that it is genuine and actually comes from the author. Now, due to a bug in Android, it is possible to create a fake app and sign it so it looks like a real app from any author including Google, or others like Samsung, HTC and Sony.
Continue in post 3
Every GSM phone needs a SIM card, and you'd think such a ubiquitous standard would be immune to any hijack attempts. Evidently not, as Karsten Nohl of Security Research Labs -- who found a hole in GSM call encryption several years ago -- has uncovered a flaw that allows some SIM cards to be hacked with only a couple of text messages. By cloaking an SMS so it appears to have come from a carrier, Nohl said that in around a quarter of cases, he receives an error message back containing the necessary info to work out the SIM's digital key. With that knowledge, another text can be sent that opens it up so one can listen in on calls, send messages, make mobile purchases and steal all manner of data.
Apparently, this can all be done "in about two minutes, using a simple personal computer," but only affects SIMs running the older data encryption standard (DES). Cards with the newer Triple DES aren't affected; also, the other three quarters of SIMs with DES Nohl probed recognized his initial message as a fraud. There's no firm figure on how many SIMs are at risk, but Nohl estimates the number at up to 750 million. The GSM Association has been given some details of the exploit, which have been forwarded to carriers and SIM manufacturers that use DES. Nohl plans to spill the beans at the upcoming Black Hat meeting. If you're listening, fine folks at the NSA, tickets are still available.
Source: Tech Geek
"Thanks button is just to avoid "THANKS" posts in threads. Nothing more than that. Don't ask in signature or post for it and defeat the purpose why it was introduced"
Great info buddy. :good:
Thanks,
Disturbed™
Sent from my Disturbed™ Galaxy S4 using Tapatalk (VIP)
______________________________________________________
Wait for my time, U gonna pay for what U have done. - Disturbed™
Informative read. You also understand why the stores charge their Developer fees now. Not all third party sites host malware however. A lot of the buying community is ignorant (and understandably so) in detecting if malware has been applied. It's up to the community of ubiquitous OSs to report
JeffM123 said:
Informative read. You also understand why the stores charge their Developer fees now. Not all third party sites host malware however. A lot of the buying community is ignorant (and understandably so) in detecting if malware has been applied. It's up to the community of ubiquitous OSs to report
Can you provide more info on it?
Thanks,
Disturbed™
Sent from my Disturbed™ Galaxy S4 using Tapatalk (VIP)
______________________________________________________
Wait for my time, U gonna pay for what U have done. - Disturbed™
Malware using the Android Master Key intercepted in the wild, here's how to protect yourself
It was back at the beginning of the month when we first broke for you the news of a new, massive vulnerability, plaguing 99% of Android devices. First discovered by mobile security company Bluebox, the flaw was reported to Google back in February. Since then, Google has patched the Play Store and has provided its OEM partners with a patch for it.
Yet here we are again. And now it's official – the first detected malware taking advantage of the vulnerability has been intercepted by Symantec whilst running amok in China. The security giant reports that the code has been implanted in otherwise legit apps that help you find and appoint a meeting with a doctor. The source of the infected app? A third-party store, of course.
We won't get into the tech lingo, instead we'll just report that according to Symantec, the exploit grants said malicious code remote access to infected devices. This leaves the gates wide open, the company claims, for a wrongdoer to steal sensitive information such as your IMEI, phone number, and also send premium SMS messages and execute root commands.
Click here to know more
what is the best antivirus?
lolmann101 said:
what is the best antivirus?
For Android, I'd say your awareness is the best. First install LBE Security Master. It lets you know which application is gaining which privilege.
But if you want, you can check the first 1 to 4 posts. It's in those.
How Google has been making Android a safer place since 2012
Last year in June, Google brought Android Jelly Bean 4.1 to the world. It was a wonderful day, too. It brought with it Project Butter, which spelled the end for lag for a lot of people. Android was running smoother and more complete than ever. Who’d have known that just a year later, we’d be introduced to Jelly Bean not for the second time, but for the third time. Android 4.3 was a mixed bag. Some people were disappointed that it wasn’t Key Lime Pie, but most were happy to see a plethora of improvements, some new features, and even more optimizations. One little footnote that most people have skimmed over so far, though, has been the added security.
It’s not news that malware stories are everywhere. Some of them are no big deal and some are completely ridiculous. Thanks to that, anti-virus companies have been cleaning up. People are more scared of malware on Android now than ever before and they’re flocking to anti-virus apps by the millions. It’s getting to the point where apps like Lookout are coming pre-installed on many devices when they’re shipped out. All because of some malware that, most of the time, is impossible to get unless you download apps from outside the approved channels.
Well, apparently Google is going to fix this problem themselves. JR Raphael over at Computer World has written up an excellent post about how Google is quietly keeping us safe. As it turns out, that little footnote that says that Android 4.3 contains security improvements probably shouldn’t have remained a footnote. It should’ve been printed on billboards and discussed everywhere.
You may have seen inklings of these security features already. We’ve covered one of them, the Android 4.3 Permission Manager, commonly known as Apps Ops. This nifty little feature lets you control what permissions your apps can use. It’s a lovely and powerful feature that’s baked right into Android 4.3. It’s still in beta right now, but eventually that’ll be a part of everyone’s Android experience.
So what other security enhancements does Google have in store for Android 4.3?
We are glad you asked. According to JR Raphael, Google has been working on these security features for years. We’ll do a quick breakdown.
Starting with Android 4.2, there was a feature called Verify Apps that was added. This scans phones both downloaded and side-loaded to make sure they didn’t contain malware or pose a threat.
Verify Apps was eventually made available to all devices from 2.3 onward. According to JR Raphael, that’s 95% of Android devices running currently.
This now works in tandem with another older feature, the app scanner in the Google Play Store that scans apps as they’re submitted to Google Play to make sure they aren’t malicious. This is why you can always download from Google Play without worries.
All of these features are currently on Android devices right now.
But wait, there’s more. In Android 4.3 specifically, they have added yet another security feature called SELinux. This stands for Security-Enhanced Linux and it essentially keeps the important parts of your phone safe. Most notably the operating system. So there is protection everywhere.
So we’ll add this up one more time. In the last two years, Google has implemented,
An app scanner in the Google Play Store that scans every single app uploaded and submitted. It rejects the bad apps and keeps the good ones.
A system on devices from Android 2.3 and up called Verify Apps that scans every app that gets installed on your device to make sure it’s not malicious. Keep in mind that if you download an app from the Google Play Store, it gets scanned twice.
Apps Ops –which is still in beta– that will let you control the individual permissions of any application you download and install. So if you don’t want, say, Facebook to see your location, you can prevent that from happening.
SELinux, a Linux security feature that protects the core operating system functionality.
Let’s not forget what you, the consumer can do to protect yourself,
Only download apps from known and trusted sources. These include the Play Store and the Amazon App Store, among others.
Use your common sense. In most cases, malware apps are easy to spot. If you download the free Angry Birds cheat app from GivingYouMalware.com, the end result is rather predictable.
So without an anti-virus app, there are 6 things that are protecting you from the big bad malware threats. That’s a whole lot more than most people realize and it’s an ever expanding project from Google to keep everyone safe from garbage applications. Now here’s the big question. Do you think it’s enough? Or should Google keep going?
@Disturbed™ buddy could you post that new KNOX feature here?
Sent from my GT-I9103 using xda app-developers app
Few words from Wikipedia:
Samsung Knox (trademarked Samsung KNOX) is an enterprise mobile security solution that addresses the needs of enterprise IT without invading its employees' privacy. The service, first released on the Samsung Galaxy S4 mobile device, provides security features that enable business and personal content to coexist on the same mobile device. Samsung Knox is an Android-based platform that uses container technology, among other features, to allow for separation of work and personal life on mobile devices.
Services
Samsung Knox provides enterprise security features that enable business and personal content to coexist on the same handset. The user presses an icon that switches from Personal to Work use with no delay or reboot wait time. Knox will be fully compatible with Android and Google and will provide full separation of work and personal data on mobile devices. Samsung claims that the Knox service "addresses all major security gaps in Android."
The Knox service is part of the company's Samsung for Enterprise (SAFE) offerings for smartphones and tablets. Samsung Knox’s primary competitor is Blackberry Balance, a service that separates personal and work data, but BlackBerry’s service does not include management of work space through containers in Active Directory and other features such as direct Office 365 and Exchange 2010, ActiveSync, iOS management, Single Sign-On, and complete customization for operability on Samsung device settings.
The service's name, Samsung Knox, is inspired by Fort Knox.
From Engadget:
Samsung's Knox security solution has tended to mostly garner headlines when the company's phones get approval from the likes of the US Defense Department, but it's now set to broaden its user base considerably. In addition to announcing that it's bolstering the offering with some help from Lookout, Samsung has also confirmed today that it's opening the platform up to all consumers. That will give security-minded users an added layer of protection, with Knox letting you store personal data and run a set of pre-screened apps in a so-called container -- other apps can still be run outside the container, but with only limited access to your personal information. Naturally, you'll need a Samsung device to take advantage of it.
For more information: http://www.samsungknox.com.
Thanks: Wiki & Engadget
Almost 1,000 fraudulent apps published on Google Play in August alone
Yes, there are downsides to Google’s policy of letting anyone publish their apps on Google Play. Symantec has found that scammers published almost 1,000 fraudulent apps on Google Play in August alone, most of which were deleted within hours of posting on the store.
But even though Google was quick to delete the fraudulent Android apps, Symantec estimates that they were still downloaded more than 10,000 times. Symantec also says that one group is responsible for 97 percent of the fraudulent apps, which typically “include numerous links to various online adult-related sites, but one or two links actually lead to fraudulent sites that attempt to con people into paying a fee without properly signing them up for the paid service.”
Source: BGR.in

Samsung KNOX 2.0 = NSA 3.0 ?

The Main Problem with KNOX
Is that end-users are left out cold without any form of privacy control.
As cool as MDM is to the "enterprise" developer and from a hacker's
perspective, there's nothing attractive with this to the end-user. How
can the end-user be certain that his store-bought KNOX enabled device,
hasn't already been compromised by some "enterprise"?
Without fully transparent, open source and public KNOX documentation,
this will be practically impossible to answer. As far as we know from
recent past experiences, on how "curious" enterprises like Google,
Samsung and NSA have been, why should we trust them this time? Or what
about the mobile service providers themselves? We know from many recent
examples how companies like Verizon and AT&T have been spying on their
customers before.
What follows is a few enlightening excerpts from the latest KNOX
white-paper. Before reading this and having recent major KNOX related
developer issues, I have gone from a "KNOX-who-cares" person, to a vivid
Anti-KNOX-er! I will most likely stay that way, at least until our
devices are sold without KNOX, and only available as a voluntary device
add-on/feature, using open source as its basis.
What about you? Would you be happy to walk around the streets with a
laptop that has a remote access tool that constantly tracks your every
move, picture, sound and friends you meet and call, all while not
informing you of any of that? While being way beyond your control? In fact,
you will not even have any choice, if Godzilla and Samsung get their
way, in the next year.
Attestation
Attestation offers verification of a mobile device's core system
software, i.e., the boot loaders and the kernel, at runtime based on the
measurement data collected during trusted boot. Attestation can be
requested at any time by the enterprise's Mobile Device Management (MDM)
system. All security critical operations of attestation are performed in
Trustzone.
When requested, the Attestation feature reads the previously stored
measurement information and the fuse value (see Trusted Boot above) and
combines these data to produce an Attestation "verdict". This verdict,
which is essentially an indication of whether tampering has occurred, is
simply returned to the requesting MDM. The Attestation result is
returned to the requesting MDM server with a signature based on the
device's unique "Attestation Certificate" that is configured in the
device during the manufacturing process. This ensures that the
Attestation verdict cannot be altered during transfer.
Any further action is determined by the enterprise's MDM security
policy. It might choose to detach from the device, erase the contents of
the secure application container, ask for the location of the device, or
any of many other possible security recovery procedures.
The KNOX Container
...
The enterprise can manage the container like any other IT asset using an
MDM solution. Samsung KNOX supports many of the leading MDM solutions on
the market. Container management is affected by setting policies in the
same fashion as those traditional MDM policies. Samsung KNOX Container
includes a rich set of policies for authentication, data security, VPN,
email, application blacklisting, whitelisting, etc.
...
The new container also allows enterprise IT administrators to control
the flow of information between the container and the rest of the
device. This allows enterprises to strike the right balance between
security and user productivity. Users can also control the data sharing
capability based on their personal preferences, within the limits
specified by the enterprise IT administrator.
Mobile Device Management (MDM)
Enrolling an Android device into a company’s MDM system typically begins
with the user downloading the agent application from the Google Play
store and then configuring it for work. Enterprises are facing
increasing help desk calls as more and more users are activating mobile
devices for work and run into issues during this process. In addition
the user is presented with prompts, privacy policies and license
agreements at various stages resulting in a poor overall experience.
The KNOX platform provides a unified enrollment solution that is simple
and intuitive, and eliminates many steps in the enrollment process.
The process begins with the employee navigating to a web page and
clicking on an enrollment link. The link to the original web page may be
provided to the employee via an e-mail or SMS, or via the company’s
internal or external website. Clicking on the enrollment link brings up
a screen that prompts for the user’s corporate email address. The device
then displays all notices for the user to accept, which include privacy
policies and agreements from Samsung, the MDM vendor and the enterprise.
Upon accepting the terms, the user is directed to a screen to enter the
password for the corporate account. If authentication is successful the
enrollment is complete. Any agent application required by the MDM server
is automatically downloaded and installed, without user intervention.
MDM vendors can take advantage of this feature and simplify the
onboarding process for enterprise users and significantly improve the
user experience and reduce support costs.
In a nutshell, this is legalized control and spying.
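The attestation exchange quoted above, modelled as an added example (not Samsung's code; KNOX's real report format and certificate scheme are not public): the device combines its trusted-boot measurements and the fuse value into a signed verdict, and the MDM server verifies the signature before applying its policy. It assumes an HMAC with a per-device key registered at enrollment in place of the device's Attestation Certificate, and adds a server-chosen nonce (not mentioned in the white paper) so a captured verdict cannot be replayed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: reference measurements the trusted component holds.
KNOWN_GOOD = {
    "bootloader": hashlib.sha256(b"constructed bootloader image").hexdigest(),
    "kernel": hashlib.sha256(b"constructed kernel image").hexdigest(),
}
# Per-device secret registered at enrollment; stands in for the
# "Attestation Certificate" burned in during manufacturing (assumption).
DEVICE_KEY = b"constructed-per-device-attestation-key"

# Enterprise policy: what the MDM does with each verdict (the white paper
# lists detaching, wiping the container and locating the device as options).
POLICY = {"ok": "allow", "tampered": "wipe_container"}


def device_attest(measured, fuse_blown, nonce, key=DEVICE_KEY):
    """Device side: combine trusted-boot measurements and the fuse value into a
    verdict, then sign the whole report so it cannot be altered in transit."""
    tampered = fuse_blown or any(
        measured.get(name) != ref for name, ref in KNOWN_GOOD.items()
    )
    report = {
        "nonce": nonce,
        "measurements": measured,
        "fuse_blown": fuse_blown,
        "verdict": "tampered" if tampered else "ok",
    }
    body = json.dumps(report, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class MdmServer:
    """MDM side: issues a challenge, then checks signature and freshness before
    trusting the verdict and choosing a recovery action."""

    def __init__(self, device_keys):
        self.device_keys = device_keys   # device_id -> registered key
        self.pending = {}                # device_id -> outstanding nonce

    def challenge(self, device_id):
        nonce = secrets.token_hex(16)
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id, body, tag):
        """Return (accepted, verdict, action)."""
        key = self.device_keys.get(device_id)
        if key is None:
            return False, None, "reject: unknown device"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            # Report was altered in transfer or signed by the wrong key.
            return False, None, "reject: bad signature"
        report = json.loads(body)
        # The nonce is consumed on use, so a replayed report is refused.
        if report.get("nonce") != self.pending.pop(device_id, None):
            return False, None, "reject: stale or replayed nonce"
        verdict = report["verdict"]
        return True, verdict, POLICY[verdict]


def run_exchange(measured, fuse_blown, device_id="dev-1"):
    """Full challenge/attest/verify round trip for one constructed device."""
    server = MdmServer({"dev-1": DEVICE_KEY})
    nonce = server.challenge(device_id)
    body, tag = device_attest(measured, fuse_blown, nonce)
    return server.verify(device_id, body, tag)


if __name__ == "__main__":
    print(run_exchange(dict(KNOWN_GOOD), False))
    modified = dict(KNOWN_GOOD, kernel="constructed-unknown-kernel-hash")
    print(run_exchange(modified, False))
```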
I believe the quoted features have to be enabled by the company paying for the subscription (i.e. the employer providing the devices), which is pretty standard MDM. If you are going to agree to use an MDM (as such an employee would have to) I see no issue here unless I am missing something.
I would be much more worried about abuse of the baseband, than MDM software which isn't enabled by default. Much more likely, and better target.
jcase said:
I believe the quoted features have to be enabled by the company paying for the subscription (ie employer providing the devices), which is pretty standard MDM. If you are going to agree to use a MDM (as such an employee would have to) I see no issue here unless I am missing something.
I would be much more worried about abuse of the baseband, than MDM software which isn't enabled by default. Much more likely, and better target.
I don't know to what extent you're playing devils advocate, but I am still a bit surprised, you can't see any issues with this.
The issue is that we're not able to see how this enabling mechanism works, and therefore cannot even make any half-baked guess whether this is actually secure, or can be easily broken, abused or circumvented, if not so already. In addition, the MDM software is enabled by default, at least as far as the processes and device drivers present on my device show. It's just not visibly activated until you go through the signup procedures. Furthermore, it seems that the MDM features are very well weaved into the baseband functionality. Not that the baseband is using MDM, but that MDM makes extensive use of the baseband and features not documented. But to what extent that is true, I can't really say at this time, as I have not spent any time on it.
One more thing. They say that KNOX is a security "addition" to the default SELinux policies, but that is not the whole story. Actually it seems more that KNOX is replacing or overriding the SELinux policies already present. How can we actually test and see this, when we're not even allowed (or given) the tools to do so?
E:V:A said:
I don't know to what extent you're playing devils advocate, but I am still a bit surprised, you can't see any issues with this.
The issue is that we're not able to see how this enabling mechanism works, and therefore cannot even make any half-baked guess whether this is actually secure, or can be easily broken, abused or circumvented, if not so already. In addition, the MDM software is enabled by default, at least as far as the processes and device drivers present on my device show. It's just not visibly activated until you go through the signup procedures. Furthermore, it seems that the MDM features are very well weaved into the baseband functionality. Not that the baseband is using MDM, but that MDM makes extensive use of the baseband and features not documented. But to what extent that is true, I can't really say at this time, as I have not spent any time on it.
One more thing. They say that KNOX is a security "addition" to the default SELinux policies, but that is not the whole story. Actually it seems more that KNOX is replacing or overriding the SELinux policies already present. How can we actually test and see this, when we're not even allowed (or given) the tools to do so?
I'm not playing devils advocate, I'm saying that I don't think this is the route the NSA would take.
puzzled
I don't get it - I thought "knox" was just that thing that counts how many times you've flashed a custom rom (which can easily be removed and reset).
jcase said:
I'm not playing devils advocate, I'm saying that I don't think this is the route the NSA would take.
We are not able to see how any closed source security component works, and you investigate it the same way you investigate any closed source feature.
jcase said:
I'm not playing devils advocate, I'm saying that I don't think this is the route the NSA would take.
I think it's pointless to speculate on which route they would take, as they would certainly take whatever route is available to accomplish their mission. Together with Google's own INSTALL ASSET methods, MDM makes that even more simple on Samsungs.
I'm sure we'll see more posts like this in the near future.
FYI - How the NSA can 'turn on' your phone
E:V:A said:
I think it's pointless to speculate on which route they would take, as they would certainly take whatever route is available to accomplish their mission. Together with Google's own INSTALL ASSET methods, MDM makes that even more simple on Samsungs.
I'm sure we'll see more posts like this in the near future.
FYI - How the NSA can 'turn on' your phone
I'll make sure to remove such paranoia posts in the future, one is enough. I think a baseband attack is more likely, as it is more likely to impact more phones, from more OEMs, running more firmwares etc. The baseband is much harder to investigate as well, less people looking at it, more potential for bugs living longer, easier not to get noticed.
jcase said:
I'll make sure to remove such paranoia posts in the future, one is enough. I think a baseband attack is more likely, as it is more likely to impact more phones, from more OEMs, running more firmwares etc. The baseband is much harder to investigate as well, less people looking at it, more potential for bugs living longer, easier not to get noticed.
Well, I'm not sure that post fulfills all the criteria of "paranoia", especially since it is mostly grounded in truth, apart from the CNN journalism. But my point is already there. When people have no insight or control over what's happening in their pockets, they start getting religiously paranoid. I guess from an anthropological point of view, paranoia has some kind of good survival function for the group. So it serves well as a counterbalance to being completely ignorant.
E:V:A said:
Well, I'm not sure that post fulfills all the criteria of "paranoia", especially since it is mostly grounded in truth, apart from the CNN journalism. But my point is already there. When people have no insight or control over what's happening in their pockets, they start getting religiously paranoid. I guess from an anthropological point of view, paranoia has some kind of good survival function for the group. So it serves well as a counterbalance to being completely ignorant.
It has been removed from the security forum. It is a copy-paste of an article reportedly from CNN (no source link to back that), without any citations for the claims made. I will make a better effort to keep the forum accurate and FUD-free in the future.
It has factual inaccuracies, and seems to be just a promo piece for a custom Android ROM that indeed has its own issues.
@E:V:A
I do appreciate your posts, they are welcome here, but some of the posts I've been removing are just FUD, way out there or unsourced.
When I got my phone rooted and opened SuperSU, it suggested disabling KNOX. Before then, I didn't even know what KNOX is. I searched for some information about it; it looks like it is just a security solution.
explanation
yueyejinghun said:
When I got my phone rooted and opened SuperSU, it suggested disabling KNOX. Before then, I didn't even know what KNOX is. I searched for some information about it; it looks like it is just a security solution.
It's just a feature that counts how many times you've flashed a custom rom to your phone; easily removed and reset.
FIRST Read the OP and then the KNOX whitepaper.
and maybe someone will open this thread again...or remove it.

Serious, unpatched vulnerabilities

Before I begin, I'm not here to flame the devs, as I would love this app if these issues weren't present, and I do hope this problem is resolved as a result of bringing it to the attention of the community and hopefully this app's devs.
This application has serious vulnerabilities, some of which should be quite easily patched yet have not been for months to a year or so after having been made public by a reputable security researcher working for Zimperium.
Login information via the browser is not utilizing a secure form of encryption for either web.airdroid.com or when accessing via local IP, despite their SSL cert being valid for *.airdroid.com. The key for the DES encryption being used to "hash" the password and e-mail being hardcoded into the application, despite there being a POC for an attack on their users, is inexcusable and shows a blatant disregard for their application's level of access as well as their users' safety and security.
My finding (as a security noob) has also deeply disturbed me, following no response to bug reports or email contact. While attempting to check out their Windows desktop client, my antivirus discovered the installer attempting to download a variant of adware which monitors the user's activities and provides monetary incentives to developers who include it within their programs and applications. I do understand that if something is free, the product is you. However, I am a paying customer of this service, as I'm sure many who use xda would be, in an effort to support development of software and applications we enjoy. This adware was run through and confirmed with VirusTotal and certainly is not a false positive. This desktop client also does not use SSL for communication.
Due to discovering these problems, I immediately discontinued use (the same day I renewed my yearly subscription). However, I was unable to remove the application from my phone without a full factory reset, even after both application updates and upgrading Android versions. With it set as a device administrator, its access must first be revoked before uninstalling. However, across multiple devices and versions of Android, attempting to remove it from device administrators causes a crash of the Android settings app.
I had planned to do a POC for what I feel is an extremely likely scenario based on both the public vulnerabilities as well as what I had discovered myself, but I have been far too busy with a few other projects as well as work to complete it yet. I had just stumbled across this section of the xda forums while looking for something else and hoped to get a response from the devs of this app.
I would love to be able to utilize an app with this functionality. However, there needs to be far more focus on security in its design before I would ever feel comfortable utilizing it again.
In theory, it would be entirely possible for an unstable, technically inclined person at a local coffee shop (or other public location with an unsecured wireless network) to hijack a user's login information with minimal skill required, giving them full, unadulterated access to the application's functions such as forcing GPS or camera on to track or watch someone without their consent, as connections don't even require the user to accept the incoming connection on their phone to perform these actions. That is not a far-fetched scenario and presents a possible threat to someone's physical safety.
A link to said researcher's findings can be found on his blog by searching "Zimperium airdroid multiple vulnerabilities", as I just created this account for this post and cannot yet post outside links.
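The post's central point is that a symmetric key shipped inside the client cannot protect credentials, because anyone holding the client also holds the key. The following is an added illustration, not AirDroid's code or Zimperium's findings: a toy XOR keystream stands in for the DES-with-fixed-key scheme described above (the defect is where the key lives, not which cipher is used), beside the server-side approach a defender would expect, a salted PBKDF2 verifier that can be checked but not reversed. The key value and the password are constructed for the example.

```python
"""Added example: a hardcoded client-side key versus a salted password verifier.

This is constructed illustration code, not the application's own code. The
scramble() function is a toy stand-in for "DES with a key baked into the APK";
make_verifier()/verify() show what a server should store and check instead.
"""
import hashlib
import hmac
import os

# Hypothetical key compiled into a client binary (constructed for the example).
# Every copy of the client carries the same bytes, so it is not a secret.
HARDCODED_KEY = b"example-fixed-client-key"

PBKDF2_ROUNDS = 200_000


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream derived only from the fixed key (toy cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def scramble(secret: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """'Encrypt' with the embedded key. Same input always gives the same output,
    so a captured blob can be replayed, and anyone with the key can reverse it."""
    return bytes(a ^ b for a, b in zip(secret, keystream(key, len(secret))))


def unscramble(blob: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """XOR is its own inverse: holding the client means holding the plaintext."""
    return scramble(blob, key)


def make_verifier(password: bytes) -> tuple[bytes, bytes]:
    """Server-side storage: a fresh random salt plus a slow one-way derivation.
    Two users with the same password get different verifiers."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: bytes, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time; nothing here yields the password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def same_password_same_blob(password: bytes) -> bool:
    """True for the hardcoded-key scheme: the transmitted blob never changes."""
    return scramble(password) == scramble(password)


def same_password_same_verifier(password: bytes) -> bool:
    """False for the salted scheme: each enrolment produces a distinct verifier."""
    return make_verifier(password) == make_verifier(password)
```

The contrast a reviewer should take from this: scramble() fails on two counts (it is deterministic, so the blob itself becomes the credential, and it is reversible with a key every user already has), while the verifier scheme only gains security from the server's secret-free salt and the work factor, and still needs TLS on the wire, which the post notes is also missing.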
Thanks a lot for all this information. I really appreciate it.
Why hasn't this been addressed yet?
I remember reading this a while ago, realizing that it is a serious issue, and just how little the devs care about security on their app.
This is mainly because most end-users don't dive this deep into an app, and don't fully comprehend the severity of such vulnerabilities until it is too late.
We should make a bigger fuss about these things!
I've always been very careful with RAT-type apps, and so I was when checking out AirDroid. I uninstalled it after 30 minutes of use, just because I didn't like the fact that there's a chance some undesirable person could start spying on me. As I read this thread, I'm realising how right I was that time.

[ROM][eelo] Leaving Apple and Google: my “eelo odyssey”

Hi guys,
I'm starting this thread to discuss the "eelo" project and post news about it.
"eelo" is an initiative to release a global and appealing alternative to Apple, Google, ... with as much privacy as possible, with open-source as an ideal.
The eelo ROM is going to be forked from LineageOS and won't include anything from Google proprietary services.
eelo web-services will include email, search, online office... as a consistent, sustainable and global offering.
I've been thinking about this project for several years, and now I think most of the bricks for the project are available. They "just" need to be put together and polished as a consistent offer.
This is a non-profit project, in the public interest.
I'd love to read your ideas/suggestions about eelo!
Cheers,
Gaël
Update: I'm posting here the "foundation" articles about eelo:
1/ Leaving Apple and Google : my “eelo odyssey” – Introduction
In 1998, I created Mandrake Linux, because I was both a Linux fan and didn’t like Windows on the desktop. It’s been a long time, and I’m very happy I’ve been one of the actors who contributed to make the Linux desktop possible, even though it didn’t completely succeed. Since then, the smartphone has emerged. And it’s now a “companion of life” for many of us. On my side, I’ve been using Apple iPhones exclusively, since 2007. The main reason behind this choice is that I like iOS. It covers my needs, it looks great and elegant, and I find it very intuitive to use.
Also, over the past years, I moved from my (Mandrake/Mandriva and then Ulteo) Linux desktop to MacOS. There has been a professional reason for that, since I often need XCode for building iOS applications. But also, it's very convenient to use in conjunction with other Apple devices. I can get my text messages on MacOS, I can answer a call hands-free, I have my notes synced across my devices.
But talking with friends this year, I realized that I had become lazy and that my data privacy had vanished.
Not only was I no longer using Linux as my main operating system, but I was also using a proprietary OS on my smartphone. And I was using Google more and more. Search of course, but also Google Mail, Google Drive and Google Docs. And Google Maps.
I’M DEFINITELY NOT HAPPY WITH THAT SITUATION.
I'm not happy with this situation because iOS is proprietary and I prefer Open Source Software. And Apple is getting crazy with their latest products. Too expensive, not really exciting. It also has some design issues in my opinion. It has become a social act to buy an iPhone: "see, I can buy it". Buying an iPhone has become a snob attitude and I hate that.
Also I'm not happy because Google has become too big and is tracking us by catching a lot of information about what we do. They want to know us as much as possible to sell advertising.
Like millions of others, I'VE BECOME A PRODUCT OF GOOGLE.
Last, I think that, in the long run, the Apple, Google, Facebook etc. business models are harmful for our economic and social environments.
So I want to stop that. People are free to do what they want. They can choose to be voluntary slaves. But I do not want this situation for me anymore.
Reconquer my privacy
I want to reconquer my privacy. My data is MY data. And I want to use Open Source software as much as possible.
At the same time, what exists at the moment doesn’t exactly fit my needs: of course I don’t want to use stock Android. It’s Google everywhere and its default user interface is bad (my taste).
Also, I’d like to find good online tools such as office, email services etc. that don’t belong to Google.
And I'd like to have the same comfort that I have with iOS and MacOS with synchronized services.
I know about a few initiatives, in particular “PureOS” is very interesting and appealing if you want a 100% pure-Free Software. But that is definitely not something I would use daily, at least not in its current state. I need something I could even recommend to my parents or my children. Something appealing, with guarantees for more privacy. Something that we could build in a reasonable amount of time, something that will get better and better over time.
So let’s build something new! “eelo”
My decision is taken: I’m going to build something new that will be open source (as much as possible) and very attractive. At least for me, but probably it could be attractive for a few others as well.
I’ve played with LineageOS for a few months and I think it’s the way to go. You can recompile it, improve it, fork it… and that’s what I’m going to do.
Some nice web services also seem to be viable alternatives to Google apps, so I’m going to explore that and possibly aggregate that into a single service. And offer guarantees to users of this new project.
This is an odyssey, this is a non-profit project
I call the project “eelo” because eels are small fish that can hide into the sea. That’s perfect for my quest of more privacy.
I want eelo to be a non-profit project "in the public interest". I think operating systems and web services should be a common resource: as I explained a few years ago, this is infrastructure, like phone networks, rail tracks, roads…
Non-profit doesn’t mean nothing will be for sale. Probably some eelo smartphone will be for sale, and some premium services will be available for corporates. But profit won’t be the first focus of eelo.
Eelo will be for users first, for everyone who cares about their data privacy, for everyone who wants to use exciting products, for everyone who wants to join an exciting new project.
So… starting from now, I will periodically post my progress on releasing an appealing alternative for mobile and for web services.
Next time, I’ll show how LineageOS can be hacked, rebuilt and improved for eelo!
If you are interested in that odyssey, as a potential user or contributor, you can register at the eelo.io website.
Next part in this thread:
- 2/ eelo: the mobile OS
- 3/ eelo: web services
New post about eelo web services: "Leaving Apple and Google: my “eelo odyssey”. Part2: web services"
(URL removed per request from this forum mods)
leaglavud said:
New post about eelo web services:
Leaving Apple and Google: my “eelo odyssey”. Part2: web services
You write about a new launcher. Can we see the sources?
kurtn said:
You write about a new launcher. Can we see the sources?
We will release sources on GitHub and APK builds of eelo's BlissLauncher on F-Droid and APKPure once we think it's stable enough and compatible with common screen resolutions.
Great!
Please don't use XDA as a way to make money. This includes posting links to crowdfunding campaigns
Thread Cleaned
mark manning said:
Please don't use XDA as a way to make money. This includes posting links to crowdfunding campaigns
Thread Cleaned
Hello, I don't see where XDA forbids posting links to crowdfunding campaigns. Can you point me to the correct place in your terms of use?
leaglavud said:
Hello, I don't see where XDA forbids posting links to crowdfunding campaigns. Can you point me to the correct place in your terms of use?
No problem mate
13. Advertising and Income Generation
Commercial advertising, advertising referral links, pay-per-click links, all forms of crypto-mining and other income generating methods are forbidden. Do not use XDA-Developers as a means to make money
We're not "making money", we have a kickstarter campaign to support eelo, which is non-profit. That's quite different.
leaglavud said:
We're not "making money", we have a kickstarter campaign to support eelo, which is non-profit. That's quite different.
https://forum.xda-developers.com/showthread.php?t=3725368
On the thread above I have briefly explained why the crowdfunding / kickstarter threads are not allowed, as you can see, another user opened it up on the same topic.
No one is directly accusing you of trying to make money, no one said you're selling something and we actually appreciate the project initiative but "donate to us to make this happen" is not allowed as per quoted rule.
The funding goal is the amount of money that a creator needs to complete their project. Funding on Kickstarter is all-or-nothing. ... A creator is the person or team behind the project idea, working to bring it to life. Backers are folks who pledge money to join creators in bringing projects to life.
I don't really feel happy with keeping this conversation here, but as long as you're the OP I feel obliged to do it.
There are hundreds of developers and project initiators around; what if everyone were to ask for funding in order to sustain their plans?
The rules say clearly: present / develop the project, and anyone who wants to donate is free to do so by hitting the donate button; there are no restrictions on that.
all moderators are illuminati? just 4 gk
:v
Amar 721 said:
all moderators are illuminati? just 4 gk
:v
No... I'm on the Darkside
xanthrax said:
No... I'm on the Darkside
what does that mean
dark side of the brightness
:v
Leaving Apple and Google: my “eelo odyssey”: the mobile OS
2/ Leaving Apple and Google: my “eelo odyssey”. Part1: the mobile OS
So I came out about my decision to leave Apple and Google. It's a lifestyle choice to escape the tech giants that make me a product by privatizing my personal data. And I don't like what Apple is doing now, Apple's attitude, the new iPhone and its price… It's also an act of freedom for my children and all the people who will care: I want them to have a choice, and also a clear and informed view on how their choices can impact their life and their economic ecosystem as well. That's what eelo is all about: offering a viable and attractive alternative to users for their digital life.
In this new post I'm going to describe what I was able to do so far on the mobile side to get rid of Google and Apple, and what remains to do (spoiler: there's a lot). In the next part I will explain how things will need to be addressed on web services and draw a whole picture of the eelo project.
What’s wrong with default AOSP/LineageOS?
Talking about LineageOS, you might think “why do you want to hack something that is already mostly open source and works well?”
The answer is easy: the core of AOSP/LineageOS is usable, and performing well, but it’s not good enough for my needs: the design is not very attractive and there are tons of micro-details that can be showstoppers for a regular user. Also, unless you are a geek, LineageOS is not realistically usable if you don’t want google inside.
The design point
Regarding design, I know that some Android users like it, but I really dislike the default graphical user interface. I find it ugly: icons don't look good, colors are sad, and I don't like the launcher ergonomics and behaviour.
So at least we need a new launcher, and better icons. Default notifications don’t look very good either, and I’m not a big fan of the settings part. Compared to the rest of the UI it could be worse, but it’s still quite sad, with a single green color in LineageOS. I’d like something more appealing, and probably better organized.
“Good news”: you can find hundreds of custom launchers and icon themes in the Google Play Store. But either you have to pay for them, or you get free stuff with lots of ads and possibly scams. So not for me.
Bad news, good news
The bad news is that I'm new to Android development and I don't consider myself a great developer. I can hack things, I can recompile and integrate stuff, but I don't have enough practice to program a new launcher from scratch without spending weeks on it.
The good news is that I have found a very talented full-stack developer who is interested in the project. We have agreed, as a first collaboration, to release a new launcher, new notification system and new "control center".
First successes
I've chosen to test custom builds of LineageOS/eelo on a LeEco Le2. It's a nice 5.5″ smartphone with a 1080×1920 pixel screen, 3GB RAM, 32GB storage, finger sensor in the back, and a 4K camera. It costs about 130€. Yes, that's about $150. Yes.
Also I’m waiting for a Xiaomi Mi 5S. It’s got a smaller screen and I prefer smaller devices for my own usage. And I’ll probably give a try to the LG G6. (Want to suggest a device? tell me!)
After several weeks of work, we now have a new launcher! It still lacks a few features (such as uninstalling an application), but it’s already fully functional. On this video, you can see the “icon group” feature, and swiping between several launcher pages:
eelo BlissLauncher 1 from eelo on Vimeo.
On this one you can see the “docking icon” feature:
eelo BlissLauncher 2 from eelo on Vimeo.
We call it the “BlissLauncher” just because it’s a great launcher. And we also have a first new notification system and a new unlock screen:
Next time will be to have all that integrated by default in a fresh new build. And at the time of finishing this post, I have already succeeded in flashing a fresh build with the new launcher and the new notification system.
Getting rid of Google stuff completely
Now we have a better launcher for eelo, and I’m working with a great and very professional designer. He contributed a lot to the Mandrake Linux interface icons in the past, when we redefined all the user interface and all icons. Later he also contributed to first releases of Ulteo, when it was still a cloud-operating system project, and not a Citrix-alternative. We’re working together to redesign default application icons, some wallpapers, splashscreens, and also a first real eelo logo. On the long term, we will have to redesign the full user interface.
But what we want is not only something good-looking, attractive and easy to use. We want more privacy! And Google services are not compatible with my idea of privacy.
Therefore, we don’t want Google Services. We don’t want Google play store. And we probably don’t want most of Google apps such as Calendar, Email etc.
Also, we probably don’t want Facebook either and some other so-called “free” services. This will be user’s choice to install them or not. I know that we cannot change the world in one iteration, this will be step by step.
Each of these points will need to be addressed in eelo. We will need an independent application repository, an independent and secure email provider, an independent online drive, online office services… All that well integrated in eelo. In the user's interest first.
First round without Google
The first time I was able to recompile and flash LineageOS, I soon had to install Google Play Store and Google Play Services to install common applications, or I could do pretty much nothing.
But there are some alternative stores. For instance, F-Droid is a very successful APK application repository that provides only 100% open source software applications.
There are other alternative app stores for non-open source applications. For instance there is Aptoide. It provides most common applications such as Twitter, Waze etc. But unfortunately, when I checked Aptoide APK package signatures and sizes, I realized that they were not the same as on Google Play Store. I'm not sure I understand well the reasons behind this situation, at least for common applications, so I looked for other alternatives.
I found APKPure to be a great store for free applications. And trust me, a lot of applications are free! Actually, I realized that on my iPhone I had only free applications. And I know many people who are using only free applications. So APKPure is a great way to go if you don’t want to use Google Play Store and don’t need non-free applications. I checked many of their packages, and they are bit-to-bit identical to the ones available on Google Play Store. There are only official packages.
An alternative to APKPure is Yalp. Yalp is an open source application that is acting as a kind of anonymous proxy to Google Play Store, also providing only official APK packages.
So for applications, I'm now using both F-Droid and APKPure. That's already very comfortable, and I successfully tried dozens of apps, including the most used apps (Facebook, Messenger, Twitter, Waze, Telegram, Skype, LinkedIn, Spotify…).
But I think we’d need an “eelo store” that would deliver both:
- official free applications like APKPure
- open source applications like in F-Droid
All that into a single, appealing and fast application, where users could check easily if an app is open source or not, where users could evaluate the application level of privacy, and where users could be able to report some scam issues. We definitely need to add this to the eelo roadmap.
Lovely Google Services
There is a feature that Google has created to jail users within their environment. That’s called “Google Services”. It’s a non-open source service that you have to install if you want to use Google Play Store, for instance. It’s also used by several applications. It provides services such as:
- analytics
- account authentication
- cloud messaging (notifications)
- drive
- geofencing
- maps API
- mobile ads
- games API
…
Developers of Android applications are not forced to use them, but obviously Google is doing their best effort to make them desirable as much as possible, if not mandatory for certain features.
The good news is that many common applications, the ones that everybody is using everyday, are not using Google Services, or they do not rely a lot on them. Probably a lot of developers don’t like to be jailed in a single ecosystem.
As far as I tried, the most problematic applications in this regard seem to be some games, such as Pokemon Go. This one doesn’t seem to be usable unless you have Google Play services installed.
The good news is that there is a nice project that is providing open-source alternatives to Google Services. It’s called MicroG, and eelo will probably integrate it.
Another "great idea" of Google is their SafetyNet Attestation API. It's something that Android application developers can use to check if the user's device is an official device that complies with Google's environment. It examines the hardware, the software, checks whether the device is rooted or not. In the end this can be used to prevent the application from running if the environment doesn't comply enough with Google's rules. Fortunately, there is "Magisk" to circumvent this issue. We will probably need to integrate it by default in eelo as well.
What about web search?
Many parts of a modern operating system can lead to “Privacy indiscretions”. So far, I’ve talked about privacy issues that come from within the system.
But if you search for something on Google, it's very likely that Google can determine that YOU are looking for something in particular. Even if you are not using a Google account in your Chrome browser, they can track your IP for instance.
So we definitely need to provide a default search engine alternative to Google search. Probably that we don’t want Bing or Yahoo either, although it’s better to use various search engines so that each of them doesn’t know exactly everything about your searches and therefore cannot consolidate your private information efficiently. We have a few alternatives:
- the well-known DuckDuckGo: even though it heavily relies on Google Search results, it offers privacy guarantees that Google doesn’t offer.
- Qwant is a new search engine that is making big progress and now has its own index and is offering guarantees on privacy
- there is also the fully open CommonSearch project, but it's not ready yet
So I’m considering offering both DuckDuckGo and Qwant as default search engines for eelo search and web browsers that will ship with eelo, while still offering Google (and others) as an option. It’s true that in some cases, it is still offering the best results.
And also…
There is a long list of Internet services that can track you, send and process your personal data in many ways. For instance, using a Gmail (or similar) email account is a great way for Google to learn a lot about you.
But also, some of you probably know about the very fast Google DNS resolver: 8.8.8.8 and 8.8.4.4. DNS resolvers are used all the time and by many applications. They convert domain names to IP addresses. And I say: DO NOT USE Google DNS resolvers. Each time your smartphone is looking for a domain name, Google knows about it and they can add this information to other information they know about you.
Instead, you can use 9.9.9.9 (or 2620:fe::fe for IPv6), which is a fast public DNS resolver operated by a non-profit research institute that does not store your IP. And it can be accessed through a secure protocol (TLS).
Of course, it’s all the web-service ecosystem that we need to address. As I said earlier, eelo will provide a mobile system with better privacy, but also some web services such as an online office suite, some online storage etc. We will aggregate some existing web services, improve them if needed, or build new services if nothing is available.
Still, we will face one dark zone: low-level proprietary hardware drivers on smartphones. They are driving the camera, the GPS, various sensors… Hardware vendors do not provide source code for these drivers. And they are extremely difficult to rewrite unless doing some heavy and resource-consuming reverse-engineering. And of course, some of those “black box” drivers could possibly leak users’ private data.
Future options for eelo to address this issue will be to:
- partner with FairPhone or similar 100% open hardware projects
- audit low-level drivers to detect inappropriate behaviors
- design an eelo phone…
Join the eelo odyssey!
As you can see, eelo is a true odyssey. But I think that, maybe for the first time, all the bricks are available to build a new, consistent, attractive, independent and mostly-free digital ecosystem that will be more respectful of users, and respect their privacy. And this could eventually challenge the advertising model that is probably the source of such a bad and supposedly "free" model.
Again, eelo is a non-profit project, it’s a project in the public interest. Everyone who wants to join, please do!
There are many ways to contribute:
- say hello! having supporters helps a lot
- contribute some ideas, some resources, what you are good at
- introduce us to people who can help
- talk about eelo, share eelo news and articles…
- offer a few mɃ to pay some servers
Also, I’ve started to work on a crowdfunding campaign for eelo, because some resources are needed to bootstrap this project correctly. I’m not sure exactly what this campaign will be able to offer in rewards, but I’m thinking about it. Anybody’s suggestions are welcome!
Next part: 3/ Leaving Apple and Google: my “eelo odyssey”: web services
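The post recommends 9.9.9.9 over Google's resolvers and notes it can be reached over TLS; the reason TLS matters is that a plain UDP/53 query to any resolver is readable by everyone on the path, which on a phone includes every Wi-Fi network it joins. The following is an added example, not eelo's code: it builds a DNS A query, applies the length-prefixed framing that DNS-over-TCP and DNS-over-TLS both use, parses A records from a reply, and (only when run with network access) sends the query to 9.9.9.9 on port 853 with certificate verification. The resolver address is from the post; the TLS name `dns.quad9.net` is not on the page and is taken from Quad9's own documentation. The sample reply is constructed, with an address from the documentation range.

```python
"""Added example: a minimal DNS-over-TLS client with offline-testable parsing.

Not code from the post or from eelo. Only resolve_over_tls() touches the
network; build_query() and parse_a_records() run entirely offline.
"""
import socket
import ssl
import struct

QUAD9_IP = "9.9.9.9"            # from the post
QUAD9_TLS_NAME = "dns.quad9.net"  # assumption: Quad9's DoT name, not on the page
DOT_PORT = 853                  # DNS-over-TLS (RFC 7858)
QUERY_ID = 0x1234               # fixed for the example; use random ids in practice


def build_query(name: str, txid: int = QUERY_ID) -> bytes:
    """Wire-format query: 12-byte header (RD set, one question), QNAME, A/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def frame(msg: bytes) -> bytes:
    """TCP/TLS transport prefixes each message with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_txid: int = QUERY_ID) -> list[str]:
    """Return dotted IPv4 strings from the answer section; reject bad id/rcode."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addresses


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_over_tls(name: str, server: str = QUAD9_IP,
                     tls_name: str = QUAD9_TLS_NAME, timeout: float = 5.0) -> list[str]:
    """Send one A query over TLS. create_default_context() verifies the chain
    and that the certificate matches tls_name, so a hostile network cannot
    silently substitute its own resolver."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_a_records(recv_exact(tls, length))


# Constructed reply for offline use: same id, flags QR|RD|RA (0x8180), the
# echoed question, and one A record whose name is a pointer to offset 12.
_Q = build_query("example.org")
SAMPLE_REPLY = (
    _Q[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0) + _Q[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7])
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_REPLY))      # offline demonstration
    # print(resolve_over_tls("example.org"))  # uncomment when network access is available
```

Two points worth noting for anyone wiring this into a device: the transaction id is fixed here only to keep the offline test deterministic, a real client randomises it; and the hostname check in `wrap_socket` is what distinguishes this from merely encrypting to whoever answers on port 853.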
Leaving Apple and Google: my “eelo odyssey”: web services
3/ Leaving Apple and Google: my “eelo odyssey”: web services
I'm leaving Apple and Google for those reasons and I'm putting this effort into a new project: "eelo". For this project, one big part is the operating system, in particular the smartphone operating system. I started to work on this part with others, and had first results that make me feel that maybe my move to better digital privacy is going to be easier than expected.
But today, a smartphone without internet services would be like a car without gasoline. We need email, we need online storage, we need advanced online applications… Also people like to access our data from several places and devices. The operating system has turned global.
So eelo needs to provide tools that can be accessed from other places, such as a web browser, but probably also from other computers and operating systems: notes, messages, calendar… And of course, we want all this with full respect of the user’s privacy, and no ads.
Many services to address
We need to address a number of internet services and find good alternatives that we can put together into a consistent, intuitive, secure, sustainable and global eelo service.
Here is a scheme of the eelo global system as I have it in mind:
A web service review
– Email
Email means some postfix configuration on servers, with POP3 and IMAP, with all access secured over TLS. Plus a webmail access (I’m considering using Mailpile).
iRedMail can set up all that easily, with correct DKIM and SPF configuration, and will even make it possible to offer custom domains for the eelo email service.
But if we want a private service, we’ll need security on the servers where emails are stored. That’s a key aspect and we need to apply the best practices for setting up a rock-solid secure server for storing email.
– Search / Maps
I’ve already talked a bit about search in my previous posts. DuckDuckGo and Qwant have become two excellent alternatives to Google/Bing/etc.
But I think we need to set up a generic wrapper for search, like search.eelo.io, and we’ll put whatever we consider to be good behind. That could be an aggregation service as well.
As for maps, there is an awesome and adorable project that is OpenStreetMap. It’s growing and is catching more and more attention from users and media as a real alternative to Google Maps.
It also now offers directions and there is a “street view” ongoing project.
We’ll have to integrate it as maps.eelo.io, probably with some customization and dedicated servers.
Of course, all these default settings will be integrated in the eelo ROM (the smartphone operating system).
– Office
We have two choices for a good and open-source Office alternative for online usage: LibreOffice/Collabora and OnlyOffice. My preference goes to OnlyOffice because it’s attractive, efficient and allows real-time online collaboration between several users on office documents.
I’ve used OnlyOffice on my servers for several weeks now, and besides a few glitches, it’s a fully viable alternative to Google Docs or Office365.
– Drive / notes / calendar
The “cloud storage” service is a big and key part of the project. It needs to be very carefully chosen and integrated because it’s going to be at the center of users’ digital life.
There are several projects that offer these features, such as cozy.io, OwnCloud and NextCloud. For now I have tested NextCloud successfully and I must say that it’s amazing!
You can easily set up a NextCloud client on your smartphone, and do the same on other PCs. Then you get all your content synchronized. Very convenient for pictures, documents, notes… I’ve tried on Linux (and Mac) and it works well.
The good news is that NextCloud can also serve a calendar that can be shared/accessed from various devices.
So for now, I’m going with NextCloud. I’m not sure about OwnCloud benefits over NextCloud. Any advice?
The first goal of eelo will be to offer a fully functional and secure implementation of OnlyOffice+NextCloud. As there is a debate about self-hosting, eelo will also provide the service as software instances that can be installed on a user’s server, in the cloud or at home, if they so wish.
– Social / Messaging
Of course you are using Facebook. I do as well, not very often though. There is also Twitter. Facebook in particular is a real nightmare in terms of users’ privacy. They know a lot about billions of users. If you happened to do an advertising campaign on Facebook, you probably noticed that you can target people categories. Age, gender, place of living, income, … There are dozens of criteria that prove that they really know a lot about people.
So Facebook is something we should stop using in favor of better alternatives. There is good news: you can use Mastodon. It’s a decentralized social network. Without any central big brother who can use your data to fuel a business model.
The issue is that social networks have a greater value when you can find most of your friends/family there. Which is not yet the case on Mastodon, except in tech communities.
So we’ll keep an eye on Mastodon and see how eelo can interact with the project and possibly integrate it.
As for messaging, everyone will be able to use their messaging app of choice, but eelo will ship with Telegram by default. The reason is that Telegram is probably the most secure messaging app, and also the most respectful of users’ privacy. It also provides quality voice calls over IP. Last but not least, its client is open source (although the server infrastructure is not).
And also…
– ID / translations / …
We will need an identity provider at some point. It will be a central point for authentication. OpenID is an option, although it clearly lacks some momentum at the moment. Brainstorming is needed on this!
While it may be a more minor aspect we’ll also probably need a translation service, voice recognition service, speech service, video/voice streaming services… There are many initiatives in this field, but they are not a priority for now.
About eelo tokens
I’m thinking about releasing eelo tokens, based on Ethereum. It would be a way to get access to some eelo services, and also to thank contributors. Again, most eelo services will be free because it’s the only way to compete against the so-called “free” services from Google, etc., and it will remain in the public interest first. But selling some premium services, high-end eelo smartphones, consulting… will be part of the model to fuel the project and make the free services possible. I have the feeling that using eelo tokens could help a lot to ease service transactions between all the parties involved in eelo.
Next steps for eelo
As we’re continuing the work on the eelo custom ROM, new launcher, and integration of web services, I’m still listening to users’ suggestions about the project, ideas… Many people have already contacted me and hundreds have registered on the eelo landing page, that’s awesome!
We’ll also probably have a separate eelo development branch for more advanced projects. Actually, I’ve been thinking for a while about turning the smartphone into a conversational device – text or vocal – with conversational apps instead of legacy applications. But that’s cutting-edge development and won’t be available in eelo by default.
An eelo website is now available at eelo.io and we have a Kickstarter campaign that has already done more than 300% of its initial target. Watch the eelo campaign video.
We're recruiting developers!
- Android developers
- LineageOS developers/ROM maintainers
- ...
Contact us at [email protected]
— Gaël (follow me on Twitter @gael_duval / on Mastodon @gael@mastodon.social)
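The email section above names correct SPF and DKIM configuration as part of a secure mail setup. As an added example (not code from the eelo project or from the post's author), here is a small Python SPF evaluator that resolves records against an inline, constructed zone table instead of live DNS, so it runs offline; the domains and addresses are hypothetical. It shows why the qualifier on the final `all` mechanism matters: a record ending in `-all` rejects unauthorized senders, while one ending in `+all` authorizes every host on the Internet and gives no protection at all.

```python
"""Minimal SPF (RFC 7208) evaluator over constructed DNS data.

Added example. 'include:' is resolved against the inline ZONE dictionary
below rather than real DNS so the code runs offline; the a, mx, exists and
ptr mechanisms and the redirect= modifier are deliberately not implemented.
"""
import ipaddress

# Constructed zone data: hypothetical domains, RFC 5737/3849 documentation ranges.
ZONE = {
    "eelo.example": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    },
    "_spf.mailhost.example": {
        "TXT": ["v=spf1 ip6:2001:db8:1::/48 ip4:198.51.100.10 -all"],
    },
    "weak.example": {
        # Misconfigured: "+all" makes every host on the Internet an authorized sender.
        "TXT": ["v=spf1 ip4:192.0.2.0/24 +all"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent/ambiguous."""
    txts = ZONE.get(domain, {}).get("TXT", [])
    recs = [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(recs) != 1:  # RFC 7208: no record -> none; several records -> treat as none here
        return None
    return recs[0]


def check_spf(domain, sender_ip, _depth=0):
    """Evaluate SPF for sender_ip using MAIL FROM domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _depth > 10:  # bound recursion through include: chains
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if "=" in term:  # modifiers such as redirect= / exp= are skipped in this example
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: matches only when the included domain's policy returns "pass"
            sub = check_spf(arg, sender_ip, _depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # a, mx, exists, ptr: unsupported in this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    for dom, ip in [("eelo.example", "192.0.2.55"),
                    ("eelo.example", "2001:db8:1::25"),
                    ("eelo.example", "203.0.113.7"),
                    ("weak.example", "203.0.113.7")]:
        print(f"{dom:<22} {ip:<16} -> {check_spf(dom, ip)}")
```

The last case in the demo is the one to watch for when reviewing a mail server's DNS: `weak.example` returns `pass` for an address that appears nowhere in its record, because `+all` at the end of the record authorizes everyone. A record whose last mechanism is `-all` (or at least `~all`) is what a correctly configured domain should publish.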
This is old text. Where are the sources for the launcher?
A couple of random thoughts:
1: Eelo is an awful name. It sounds like something a baby would come out with, while learning to talk
2: As well as freeing yourself (ourselves) from the tentacles of Google, if this is about privacy and freedom from tracking, it should aim to avoid using services based in any of the Five Eyes countries
Hence:
* Consider Wire (based in Switzerland) instead of Telegram.
* Quitter.no is a pretty full-featured replacement for Twitter. Running on GNU social and based in Norway
* Qwant in preference to DDG [France vs US -based]
* Jottacloud, also based in Norway, is a pretty good like-for-like replacement for Dropbox. Same kind of free/paid account tiers.
3: While we're being all 'European' about this (well, I am), can you make sure and use 'European English' in your documentation when you set up the website? Drives me mad when I see Europe-based companies using "color", "center", "...ize", etc.
4: In the same vein, make sure the website invites people to "Contact" you. There's a special place in hell reserved for anyone who uses that puke-inducing phrase "Reach out"!
kurtn said:
Where are the sources for the launcher?
We will release sources on GitHub and APK builds of eelo's BlissLauncher on F-Droid and APKPure once we think it's stable enough and compatible with common screen resolutions.
xxxmadraxxx said:
A couple of random thoughts:
1: Eelo is an awful name. It sounds like something a baby would come out with, while learning to talk
That's not too bad for a just-born project.
2: As well as freeing yourself (ourselves) from the tentacles of Google, if this is about privacy and freedom from tracking, it should aim to avoid using services based in any of the Five Eyes countries
Hence:
* Consider Wire (based in Switzerland) instead of Telegram.
* Quitter.no is a pretty full-featured replacement for Twitter. Running on GNU social and based in Norway
* Qwant in preference to DDG [France vs US -based]
* Jottacloud, also based in Norway, is a pretty good like-for-like replacement for Dropbox. Same kind of free/paid account tiers.
Thank you for your suggestions. Some of them were already considered actually!
3: While we're being all 'European' about this (well, I am), can you make sure and use 'European English' in your documentation when you set up the website? Drives me mad when I see Europe-based companies using "color", "center", "...ize", etc.
What would be your suggestion of wording for a project that is not specifically "European" or "American", i.e. a worldwide project?
4: In the same vein, make sure the website invites people to "Contact" you. There's a special place in hell reserved for anyone who uses that puke-inducing phrase "Reach out"!
At eelo.io, we have "contact eelo" and "get in touch".
leaglavud said:
What would be your suggestion of wording for a project that is not specifically "European" or "American", i.e. a worldwide project?
Well. Call me a pedant if you like. But if you're offering a language option, you should use the official version of that language, not a regional dialect. As far as I can see, when people pick French, Spanish, Portuguese language options on a website, they're not then given Québécois, Mexican Spanish, Brazilian Portuguese... etc. But English speakers are nearly always served up American English, even on sites / by projects that are not based in the US. [Yes, I'm looking at you Ubuntu & Linux Mint!]
It may seem a trivially unimportant point. But, as well as the privacy and data-harvesting concerns, my interest in projects such as yours also stems from a wider worry about the Americanisation of the world, which is being driven by the overwhelming dominance of big American companies in the tech & media worlds. Not automatically defaulting to US English is just one more small gesture non-US-based projects can make towards offering an "alternate viewpoint".
Man, what an undertaking!
Personally, I think the main thing should be to focus on Power Users and Privacy Conscious users, not the masses. Not yet.
First make a 'beautiful' reliable OS according to your desires. Focus on making that the best & a real point of differentiation from what is out there already. Make it as useful and unique as possible. Make it run on the widest range of hardware possible, and as easily as possible. That should be enough of a challenge.
Don't worry about creating cloud services or bundling this-and-that yet. I think that is extremely unimportant to Power Users who will install what they prefer anyway, and use the hardware they prefer (& can obtain easily or cheaply). It might be useful to sell one model with everything as you envisaged it, but I think the main focus should be on testing with a wide variety of phone / tablet hardware available and making it work there.
My priorities go like this:
1. buy cheap Chinese hardware
2. root, remove or disable as much obvious spyware as possible
3. fulfil 95% of app needs from F-Droid
4. fulfil 5% of app needs from Play Store using sites such as https://apps.evozi.com/apk-downloader/
5. use device
If you can make step 2 (above) easy and painless on as much hardware as possible, then I think that would be the best focus of time and resources.