Idea that would expose a Snapchat privacy flaw

First off, sorry if this is the wrong section, I wasn't sure which one it belongs in. This is my first post on xda.
I may be totally missing something. Either way, I thought I would share this and hopefully some developer can help me formulate a script to execute my idea.
I had an idea that I think would expose what I think is another Snapchat privacy flaw; however, this one may not be patchable without completely rethinking the way Snapchat functions. If I am correct, you could allow my script to run for a couple of hours (or minutes, depending on how well it is coded) and extract any Snapchat user's phone number given their username.
Here goes: When you add a user on Snapchat, they will just appear as their username. However, once you add that person's number, Snapchat locates their account and recognizes that you now have them added as a phone contact and as a Snapchat contact; at that point it changes from displaying their username to the name you gave them in your contact list (i.e. instead of "jnsmthr0x" it becomes "John Smith").
So, a script could allow you to enter the Snapchat target's username, and given that Snapchat is practically open source, all it would need to do is keep entering a variation of numbers for a mock contact until Snapchat changes from displaying "jnsmthr0x" to "John Smith", and that would be the user's actual phone number. To simplify things a little bit, you could enter which area codes the user may have. Assuming you know which area codes it could possibly be, you can run the program a few times trying each one, thus eliminating the first 3 digits and speeding up the process.
Again, I may be totally off and this could be a stupid thought. But if not, and someone decides to help me code it (or codes it on their own), I kindly ask that I be given credit for the idea!
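What the post describes is a phone-number enumeration oracle: any lookup that answers "which of these numbers belong to users" can be walked exhaustively. The model below is an added example, not the poster's script and not Snapchat's code; the directory, the fictitious 555 number, the batch size and the per-client lookup budget are all assumptions. It shows the search-space arithmetic behind the area-code trick and the one server-side control that actually changes the economics, a hard cap on how many numbers one client may ever resolve.

```python
import math
from typing import Optional

# Constructed directory standing in for the service's username<->number mapping.
# "jnsmthr0x" is the post's example handle; the number is fictitious (555 exchange).
DIRECTORY = {"jnsmthr0x": "+15551234567"}


def search_space_bits(known_digits: int, total_digits: int = 10) -> float:
    """Bits of uncertainty left in a 10-digit NANP number once known_digits are fixed
    (3 known digits = the area code the post proposes guessing first)."""
    return (total_digits - known_digits) * math.log2(10)


class ContactSyncService:
    """Toy model of a contact-sync lookup: the client uploads phone numbers and the
    server replies with the usernames that match. With no per-client budget this is
    exactly the oracle the post describes."""

    def __init__(self, per_client_budget: Optional[int] = None):
        self._by_number = {num: user for user, num in DIRECTORY.items()}
        self._budget = per_client_budget      # max numbers one client may ever look up
        self._used: dict = {}

    def sync(self, client_id: str, numbers: list) -> dict:
        if self._budget is not None:
            used = self._used.get(client_id, 0) + len(numbers)
            if used > self._budget:
                raise PermissionError("contact sync budget exceeded")
            self._used[client_id] = used
        return {n: self._by_number[n] for n in numbers if n in self._by_number}


def enumerate_number(service, client_id, target_username, area_code, batch=1000):
    """The attack from the post: walk every 7-digit subscriber number under one area
    code, uploading `batch` fake contacts per request, until the target's username
    comes back. Returns (number or None, requests made)."""
    requests = 0
    for start in range(0, 10_000_000, batch):
        contacts = [f"+1{area_code}{n:07d}" for n in range(start, start + batch)]
        requests += 1
        for number, user in service.sync(client_id, contacts).items():
            if user == target_username:
                return number, requests
    return None, requests


def budget_blocks_enumeration(budget: int, area_code: str = "555") -> bool:
    """True if a per-client lookup budget stops the walk before the target is found."""
    try:
        hit, _ = enumerate_number(ContactSyncService(budget), "attacker", "jnsmthr0x", area_code)
    except PermissionError:
        return True
    return hit is None
```

With the area code known, the remaining space is 10^7 numbers (about 23 bits); at 1000 contacts per request that is at most 10,000 requests per area code, which is why the post's "a couple of hours" estimate is plausible. A per-client cap on resolved numbers (here 50,000) ends the walk after the first few dozen requests; rate limiting alone only slows it.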


[Q] [HELP] Password & account detail leaks [Sony PSN Fail!]

Hi Everyone,
So Sony PSN joins the ranks of Gizmodo, Play.com, Facebook, Sky, Apple, AOL [there are many more] as leakers of our information.
What are peoples thoughts on this?
It seems that more often than not our passwords and details are not safe with companies anymore, but how can we protect against this?
Although it is best practice to use different passwords for every site and to use secure passwords (i.e. a mix of numbers and letters), surely this is not practical since our heads are only capable of remembering so much. I also try to avoid trying out multiple passwords when logins fail; after all, what happens if that is logged!
What solutions exist to combat this issue? Are there any alternatives?
I think it is safe to say that if at least one of your passwords has not been leaked by now, then it is simply a matter of time. I just don't think passwords are good enough now, we need something better.
Do you mean the latest PSN Network problem? If you're talking about that:
Sony will have to repay people for stolen account info such as credit card info! It's because Sony's security was so weak that this happened!!
Now I agree that passwords are not always the best protection for us. And never use public computers to check email and stuff, since most have keyloggers!
For passwords I use a really strong password using all sorts of symbols, and its meaning is not related to me or my family... Makes it hard for people to guess.
xploz1on said:
The problem is that no matter how strong the password is, once it is stolen it doesn't matter anymore, unless you have strong passwords for each and every site and a Rain Man brain to recall them all.
I agree about public computers; you can add to that open Wi-Fi connections and those people who think it is a great idea to keep their Wi-Fi unsecured!
I think as people have become aware of password security, they do use better passwords, but they still use them everywhere.
I know some people use apps to store their passwords, but not only is that inconvenient, but what happens if your battery is flat?
For such a big problem, there must be some kind of answer.
Sony are a bit of a joke these days. To be fair, it's not definite that CC info was taken, as they don't actually know, and to the best of my knowledge nobody has reported actually having been defrauded yet. Credit cards are covered by fraud protection anyway, so it would only be the inconvenience that it causes people rather than a loss of money.
PSN passwords and account info is another matter though. That should all be encrypted and if it's not they have a lot to answer for! Also, why did it take them a week to report this problem to the account holders?
Just read this: http://www.fudzilla.com/games/item/22562-sony-now-saying-there-was-no-leak
Hi! When I read about this Sony issue I was shocked! I mean, if that happens to Sony... I think I'm not buying anything else without a virtual credit card.
Regarding the passwords... I found this article on a blog the other day that recommended using long passwords with different elements, one common and one specific for every site. For example:
p4ssw0rd_fBk for Facebook, or p4ss_gM41L for Gmail... I think that's an interesting idea!
neival said:
Yeah, I was thinking of something along similar lines.
I guess you have to make it slightly more than a simple combo though, or there is still a chance it could be used. It would stop most automated attacks though, which would be far better than using the same password.
A different take on using a combo of random letters/numbers is suggested here: http://www.baekdal.com/tips/password-security-usability. Interesting that "It is 10 times more secure to use "this is fun" as your password, than "J4fS<2"" even though you are using common words, and you are much more likely to remember it... makes sense I suppose; there are only 128 ASCII chars but far more possible common words, so even three is enough. It goes against most password advice of using mixed case etc., but in fact it is right. Also note that WPA2 talks about a pass-phrase rather than a password; you can see why now. Obviously unrelated words would be better, i.e. not using famous quotes etc., and you still have the problem of putting a unique bit in for the site itself which can't be used to access your other accounts if they get your password from somewhere else.
I think if I did use such a system it would be worth keeping note of the codes you've used (somewhere nice and safe of course) or you could end up locking yourself out of a lot of places (or at least keep track of which places you've adopted the system on).
Could also have a system so you can change your passwords periodically but still remember them, i.e. a year code or something, 1st letter of your car reg perhaps.
Another thing you could do to protect your email address (since that is a prime target once your details have been lost, i.e. they now have a password (or variations to try) and a related email account to try it on) is to use email aliases (like Hotmail allows), so that the signed-up email address does not even relate to an actual real account (Hotmail just says the password is incorrect, even if you are using the correct one for the linked account!).
The only other issue is down to security questions and password reminders on sites; a password is useless if they just reset it due to a simple security question. (Does Sony have that info as part of sign-up, or is it just your email address they use for reminders? I can't remember now.)
After all, if they just need you to supply your D-O-B or mother's maiden name and it was stored on a site which has lost its data, it is not something you can change (unless you lie, of course, from now on). What info would they use to verify you if you told them you've lost access to your email address? Would that info also have been included in the "lost" data from these companies???
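Two claims in this thread are worth putting numbers to: the article's "this is fun" vs "J4fS<2" comparison, and the "p4ssw0rd_fBk / p4ss_gM41L" per-site scheme from the earlier reply. The block below is an added example, not code from the article or from any poster; the alphabet sizes (27 and 95), the 3000-word dictionary, the PBKDF2 iteration count and the salt string are assumptions. The entropy functions show that the article's ratio only holds if the attacker guesses character by character; against an attacker who knows it is three common words, the passphrase is the weaker of the two. The derivation function shows what "slightly more than a simple combo" can look like: one memorised master passphrase, per-site passwords with no visible pattern, so one site's leak gives an attacker nothing to "try variations of" elsewhere.

```python
import base64
import hashlib
import hmac
import math


def bruteforce_bits(password: str, alphabet_size: int) -> float:
    """Entropy if the attacker must guess character by character over the given alphabet."""
    return len(password) * math.log2(alphabet_size)


def dictionary_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy if the attacker knows the password is word_count words from a word list."""
    return word_count * math.log2(dictionary_size)


def compare_models() -> dict:
    """The article's two example passwords under both attacker models.
    Alphabet and dictionary sizes are assumptions, not the article's figures."""
    return {
        "this is fun, per-char (26 letters + space)": bruteforce_bits("this is fun", 27),
        "this is fun, 3 words from a 3000-word list": dictionary_bits(3, 3000),
        "J4fS<2, per-char (95 printable ASCII)": bruteforce_bits("J4fS<2", 95),
    }


def derive_site_password(master_passphrase: str, site: str, length: int = 16) -> str:
    """Per-site password with no visible structure: stretch the master once with
    PBKDF2, then HMAC the site name under the stretched key. A leaked site password
    reveals neither the master nor any sibling site's password, unlike a scheme
    where only the suffix changes between sites."""
    key = hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), b"site-pw-v1", 100_000)
    tag = hmac.new(key, site.lower().encode(), hashlib.sha256).digest()
    # base85 keeps letters, digits and punctuation; truncate to the site's length limit
    return base64.b85encode(tag).decode()[:length]
```

The trade-off the thread already notices still applies: a derived password cannot be "rotated" for one site without changing the site label (a year or version suffix in the label works), and the master passphrase must itself be long and unrelated words, since it is now the only secret.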

What's going on with Eclipse?

Trust no-one, that's the first amendment for privacy concerned people...
So can we trust the compilers, IDEs etc.?
I made some tests with Eclipse, and the results are not very encouraging.
I created a hello world app.
This app has no permissions and it's supposed to only display its "hello world" message, but when I checked with Xprivacy if it had tried to access data I found out that it had requested access to:
1-phone/Configuration.MNC (cell tower),
2-phone/Configuration.MCC (cell tower),
3-identification/serial (the phone's serial number)
4-storage/sdcard.
Not bad but wait, there's more!
Then, I passed the app through Privacy Blocker, and it said that helloworld wanted to know my network type code.
I decompiled the app, removed the whole /smali/android folder, recompiled and reinstalled the app, and now it doesn't want to know my network type anymore (but it still tries to access 1, 2, 3, 4).
That means that there's something in the smali/android folder that requests the network type.
Note that this folder is added covertly since one would never know it's there unless one decompiles the app with apktool, and that the app works without it (actually one can see it in the libs in the Eclipse project, but a newbie wouldn't know that it's added in the app's smalis since it's not in the src folder).
Then I added a simple "search" button in the layout and in the main activity, and now the app wants to access, on top of the 4 above mentioned fields, system/queryIntentActivities.
Note that the app works even with everything restricted in Xprivacy.
To my understanding part of the problem comes from Eclipse and part comes from the Android OS itself, but I'd like to know what other people with more knowledge than me think about it.
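The manual step in the post, decompile with apktool, delete smali/android, rebuild, re-test, can be replaced by a static scan of the smali tree for the field and method descriptors that correspond to each XPrivacy category. The scanner below is an added example, not code from the post or from Eclipse/apktool; the smali sample is constructed to look like apktool output and is not real support-library code, and the descriptor list is an assumption (extend it from the XPrivacy hooks you care about). The caveat a practitioner wants: a reference in a packaged library proves the code ships, not that it runs; XPrivacy logs what was actually called.

```python
from collections import defaultdict

# Field/method descriptors as they appear in apktool's smali output, mapped to the
# XPrivacy categories the post mentions. Assumed list; extend as needed.
SENSITIVE = {
    "Landroid/content/res/Configuration;->mcc:I": "phone/Configuration.MCC",
    "Landroid/content/res/Configuration;->mnc:I": "phone/Configuration.MNC",
    "Landroid/os/Build;->SERIAL:Ljava/lang/String;": "identification/serial",
    "Landroid/os/Environment;->getExternalStorageDirectory()": "storage/sdcard",
    "Landroid/telephony/TelephonyManager;->getNetworkType()I": "network type",
    "Landroid/content/pm/PackageManager;->queryIntentActivities(": "system/queryIntentActivities",
}

# Constructed stand-in for an apktool output tree (path -> smali text).
SAMPLE_TREE = {
    "smali/android/support/v4/app/FragmentActivity.smali": """
.class public Landroid/support/v4/app/FragmentActivity;
.super Landroid/app/Activity;
.method private getMnc(Landroid/content/res/Configuration;)I
    .locals 1
    iget v0, p1, Landroid/content/res/Configuration;->mnc:I
    return v0
.end method
""",
    "smali/com/example/helloworld/MainActivity.smali": """
.class public Lcom/example/helloworld/MainActivity;
.super Landroid/support/v4/app/FragmentActivity;
.method public onCreate(Landroid/os/Bundle;)V
    .locals 0
    invoke-super {p0, p1}, Landroid/support/v4/app/FragmentActivity;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
.method private probe()V
    .locals 1
    sget-object v0, Landroid/os/Build;->SERIAL:Ljava/lang/String;
    return-void
.end method
""",
}


def scan_tree(tree: dict) -> dict:
    """Map 'class->method' to the sensitive descriptors referenced in that method body.
    Tracks .class / .method / .end method so every hit is attributed to a method."""
    findings = defaultdict(list)
    for text in tree.values():
        cls, method = None, None
        for line in text.splitlines():
            s = line.strip()
            if s.startswith(".class"):
                cls = s.split()[-1]
            elif s.startswith(".method"):
                method = s.split()[-1]
            elif s == ".end method":
                method = None
            elif method:
                for descriptor, label in SENSITIVE.items():
                    if descriptor in s:
                        findings[f"{cls}->{method}"].append(label)
    return dict(findings)


def attribute(findings: dict, app_package_prefix: str) -> dict:
    """Split hits into the app's own code and bundled library code (the post's smali/android)."""
    out = {"app": [], "library": []}
    for where in findings:
        out["app" if where.startswith(app_package_prefix) else "library"].append(where)
    return out
```

Against a real APK, run `apktool d app.apk`, read every `*.smali` under the output directory into the `tree` dictionary, and pass your own package prefix (e.g. `Lcom/example/helloworld/`) to `attribute`; anything under `library` is what a "remove the folder and rebuild" experiment is really testing.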
http://developer.android.com/tools/support-library/index.html
Thank you very much for your time Sir, and thank you for this nice and personalised answer, but I already knew about libraries, and anyway you completely missed the point.
The point is:
1-Why does a very simple hello world app built on Eclipse require private data access?
2-Why is that lib, which requests access to some data behind my back, added to the final app when it's not needed?
I add that I'm building other projects (and it's actually from there that I understood that something was wrong and decided to make a plain hello world app to check it out), and same story: data access is added without my consent.
Oh well, nobody seems to care about the matter, and I don't care if people don't care so just tell me if you want me to remove this thread and let's forget about it...

p=p. any one know how it works?

Found something new to me
https://prettyeasyprivacy.com/
Email encryption easy...
Found On fdroid under k9/p=p
Claims it works with your existing email account
But I have not found out how it works yet
Or how the foundation is set up.
And that's the kind of thing I like to know before I install
Anyone have any experience with them?
Personally, if you are looking for encrypted email... I'd choose Proton Mail any day of the week over p=p.
p=p just doesn't seem anywhere near the security of Proton. But that's just my opinion. Test it out and let us know how you like it. It's always nice to have options!
I'm just not at the point where I want my email provider to supply my email program.
Don't get me wrong it's not a bad idea..
(I like that it's open source, that's always good)
But I would much rather have encryption all on me and my device..
And I can pick and choose what provider I'm using.
I don't love the idea of being locked into anything...
nutpants said:
Hey @nutpants, I know you are more knowledgeable than me (and know how to search, lol) but I did find this link for p=p. You can email them, I believe.
https://prettyeasyprivacy.com/integrate/
"err on the side of kindness"
I found the instructions
https://www.prettyeasyprivacy.com/docs
I wish that people would stop hosting instructions online and include manuals with the installs.I mean seriously how much space will it take?
I will be doing some time reading everything carefully..
But would love opinions from everyone else.
Basically it appears to create encryption keys between users of the app automagically and then encrypt everything by default when possible.
Much like TextSecure was doing for text.
Hopefully things like this will become a standard for email.
(With a common method of encryption, so no one is tied to just one particular email app)
And we will see more applications that can be used to encrypt mail.
I'm going to do some testing
Well, I've done a little testing.
And honestly I'm liking what I see.
Sure, this is in early stages and early days.
But it appears that it is as simple as they suggest.
I could even get my least technical buddies to use this email encryption.
I have not seen it try to contact anything except my mail server.
And it does not require contacts or other erroneous permissions (it asks, but you can block it and no crashes, at least for me).
It works automagically.
If you exchange emails with someone who is using pEp (I think it's stupid that they have the three lines between the p's; why not just have the E?)
It figures that out and starts the exchange of public PGP keys.
At that point your message's title bar has a yellow background so you know encryption is taking place.
After you verify the "code words" with your correspondent (by voice, so you verify that who you are talking to is who you are really talking to, or any other method you desire)
Your messages get a green title bar so you know encryption is going on with a verified user.
So simple even a grandpa can understand it.
It uses PGP for encryption so you know it's good.
Right now it's pretty basic and there are few encryption options.
But they plan to add more features as time goes on.
I'm liking what I'm seeing and I will do more testing and will keep an eye on this to see how fast it matures.
The only real con at the moment is that there is no way to secure the app with a password to keep anyone who gets their hands on your device from reading everything.
But that's a little minor..
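The yellow/green flow the post describes is trust-on-first-use plus an out-of-band fingerprint check. The block below is an added toy model of that state machine, not pEp's code: a random 32-byte blob stands in for an OpenPGP public key, the 256-entry word list is constructed (pEp's real trustword list is far larger), and the "red" state on a mismatch is an assumption. What it demonstrates is why reading the words aloud matters: the words are derived from both parties' fingerprints, so an interceptor who swaps keys in transit produces different words on each side.

```python
import hashlib
import secrets

# Constructed 256-entry word list (16 adjectives x 16 nouns), indexed by one digest byte.
_ADJ = ["amber", "brisk", "calm", "dusty", "eager", "frank", "gentle", "humble",
        "icy", "jolly", "keen", "lucid", "mellow", "noble", "oval", "plain"]
_NOUN = ["anchor", "bridge", "cactus", "delta", "ember", "falcon", "glacier", "harbor",
         "island", "jungle", "kettle", "lantern", "meadow", "needle", "orchid", "pepper"]
WORDS = [f"{a}-{n}" for a in _ADJ for n in _NOUN]


def fingerprint(pubkey: bytes) -> str:
    """40 hex digits derived from the key (stand-in for an OpenPGP v4 fingerprint)."""
    return hashlib.sha256(pubkey).hexdigest()[:40].upper()


def trustwords(fp_a: str, fp_b: str, count: int = 5) -> list:
    """Words both parties read aloud. Sorted so the result is the same on either side."""
    joined = "".join(sorted([fp_a, fp_b])).encode()
    digest = hashlib.sha256(joined).digest()
    return [WORDS[b] for b in digest[:count]]


class Peer:
    def __init__(self, name: str):
        self.name = name
        self.pubkey = secrets.token_bytes(32)   # assumption: random blob instead of a real key
        self.known = {}                         # peer name -> {"key", "verified", "mismatch"}

    def receive_key(self, sender: str, pubkey: bytes) -> None:
        """Trust on first use: keep the first key seen; a later different key is flagged."""
        entry = self.known.get(sender)
        if entry is None:
            self.known[sender] = {"key": pubkey, "verified": False, "mismatch": False}
        elif entry["key"] != pubkey:
            entry["mismatch"] = True

    def words_for(self, other: str) -> list:
        return trustwords(fingerprint(self.pubkey), fingerprint(self.known[other]["key"]))

    def confirm(self, other: str, words_heard: list) -> None:
        """Compare the words the correspondent read out with our own computation."""
        entry = self.known[other]
        if words_heard == self.words_for(other):
            entry["verified"] = True
        else:
            entry["mismatch"] = True

    def rating(self, other: str) -> str:
        entry = self.known.get(other)
        if entry is None:
            return "grey"            # no key for them yet: mail goes out in the clear
        if entry["mismatch"]:
            return "red"
        return "green" if entry["verified"] else "yellow"


def exchange(a: Peer, b: Peer) -> None:
    a.receive_key(b.name, b.pubkey)
    b.receive_key(a.name, a.pubkey)


def honest_session() -> tuple:
    """Keys exchanged directly: yellow after exchange, green on both sides after the call."""
    alice, bob = Peer("alice"), Peer("bob")
    exchange(alice, bob)
    before = alice.rating("bob")
    alice.confirm("bob", bob.words_for("alice"))
    bob.confirm("alice", alice.words_for("bob"))
    return before, alice.rating("bob"), bob.rating("alice")


def mitm_session() -> str:
    """Mallory replaces each party's key in transit with her own; the spoken words differ."""
    alice, bob, mallory = Peer("alice"), Peer("bob"), Peer("mallory")
    alice.receive_key("bob", mallory.pubkey)
    bob.receive_key("alice", mallory.pubkey)
    alice.confirm("bob", bob.words_for("alice"))
    return alice.rating("bob")
```

Note that the yellow state is all you get from an unattended key exchange; only the spoken comparison turns it green, and a mismatch is the signal that someone is in the middle.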
If someone had their hands on your device, you have already broken the golden rule.
This app is simply a fork of K9Mail with a few icons replaced...
It is definitely a fork.
But encryption has been built in, including auto key generation and key exchanges.
K9 is my daily driver.. And I love it.
But pEp makes encryption simple enough for anyone to use..
(As in my grandmother could use it)
When and if it matures to have all the encryption features most advanced users need
(Like easy key import, export, backup, manual key changes)
It may become my daily driver..
Sadly in the world today, encryption is almost mandatory.
And pep is on the way to make that easy for everyone.

You must explain why you are requesting ‘android.permission.BIND_DEVICE_ADMIN’

I recently received many mails from Google for many of my apps.
The email content is:
Code:
Hi Developers ,
We reviewed your app, XXXXXXX, with package name XXXXXX, and noticed that it violates our developer terms.
REASON FOR WARNING: Violation of the Deceptive behavior policy
You must explain to users why you are requesting the ‘android.permission.BIND_DEVICE_ADMIN’ in your app. Apps must provide accurate disclosure of their functionality and should perform as reasonably expected by the user. Any changes to device settings must be made with the user's knowledge and consent and be easily reversible by the user.
Please complete the following actions within 7 days, or your app will be removed from Google Play:
- Read through the Deceptive Device Settings Changes policy for more details, and make sure your app complies with all policies listed in the Developer Program Policies.
If you don't need the BIND_DEVICE_ADMIN permission in your app:
- Remove your request for this permission from your app's manifest.
- Sign in to your Play Console and upload your modified, policy compliant APK.
Or, if you need the BIND_DEVICE_ADMIN permission in your app:
- Include the following snippet in your app's store listing description: "This app uses the Device Administrator permission."
- Provide prominent user facing disclosure of this usage before asking the user to enable this permission within your app. Your disclosure must meet each of the following requirements:
  - Disclosure must be displayed in normal course of usage of your app. Your users should not be required to navigate into a menu or settings to view disclosure.
  - Disclosure must describe the functionality Device Admin permission is enabling for your app.
  - Each security policy used with the Device Admin request must be declared in your disclosure, and each policy must be accompanied with justification for the request.
  - Disclosure cannot only be placed in your privacy policy, TOS or EULA.
Alternatively, you can choose to unpublish the app.
All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.
Regards,
The Google Play Team
Is it enough to update the store listing and the privacy policy?
I do not think so. You were clearly told that "Disclosure must be displayed in normal course of usage of your app. Your users should not be required to navigate into a menu or settings to view disclosure." and "Disclosure cannot only be placed in your privacy policy, TOS or EULA."
I received the same email regarding my app.
The instructions are quite clear at the first glance. On a closer look, however, it's not so clear, at least in my case:
in my app, the device administrator function is not strictly needed. It depends on what the user wants. The default is that it is not needed. If I now pushed a notice and the handling to the main activity, I would hopelessly scare and annoy users who may never even get close to giving the app device admin permissions.
The process to request device admin rights includes a textual description by the app explaining why the permission is needed, and which sub-parts of the device admin rights. In my eyes this already fulfills the requirements in the email. Or does it not?
I'm in a very awkward position right now. The time they allow me to react is very short (7 days) and they don't even provide a reply address. I have now contacted the support team, but if I don't get a reasonable response within a few days I might have to butcher this out overnight and sure as hell will get bad reviews because of this.
For me it makes sense to remove this functionality for a while, and try to find out from Google what they mean by "normal course of usage". I'm afraid that you must show this disclosure in the main activity every time regardless.
grfgames said:
Yeah. Thing is that removing an integral part of an app on such short notice is likely to cause regression, let alone angry users that ask where the hell this has gone.
Google Play answered me now, twice, but only with the same lame text blocks. No real human interaction. I've now also posted to G+, let's see if anything happens there.
If I advertise this on the main page, I'm totally over-advertising an optional feature and even inviting people to use it, which would be contrary to what Play want to achieve. This sucks big time.
xrad said:
If you want your app to be available on the Play Store, then what is so terrible about doing what they expect of developers that put their apps on the Play Store?
Everybody else must follow that rule; why shouldn't you?
It doesn't even matter what the circumstances are as to why you think it's unnecessary or unfair; all that matters is that that is how it is to be done. Otherwise, no app on the Play Store, right?
I DO NOT PROVIDE HELP IN PM, KEEP IT IN THE THREADS WHERE EVERYONE CAN SHARE
@Droidriven: had you actually read my post, you would understand that I'm in favor of the rule, but that I am criticizing the way they handle, explain and enforce it. Essentially, their premise is that the apps they are addressing with this current campaign always want to be devadmin. Mine only wants to be so if the user asks for it. But Google doesn't say anything about such a scenario and only talks to me using bots and people using predefined text blocks. All on very short notice.
xrad said:
I know. I was just saying that you're gonna have to do it their way in the end anyway. It's unfair but it is what it is.
My main issue is that I lost my keystore during a hard drive problem, so I can't update the application. However, if I updated my description and my privacy policy and said that I clearly use this permission, would it solve this problem??
Any help will be appreciated.

Device id bypassing, faking a new device for every login

Hi all, I want to know a solution for a problem. There is an app called zipgo which allows two logins per device, one after the other. When I'm on stock I used two accounts, and when I try to log in with a new account, it says maximum number of logins per device exceeded. I thought the app was registering my MAC address with the account, so I installed RR ROM and changed my MAC address, and after logging in with two accounts, when I try to log in with a third new account, it says maximum logins allowed per device exceeded. I changed my MAC address and tried too.
How did it allow me to log in when I flashed RR ROM?
How to make the app believe that I'm on a new device every time I log in with a new account?
What will the app store other than the MAC address to uniquely identify my device, and how to bypass it?
What is that change in a new ROM on the device that made the app believe that my device is not the old one (stock) I logged in on?
Any links or suggestions welcome. If this is violating forum rules, I'm sorry; suggest me a thread and I'll post there.
How about asking the zipgo support? What has this to do with an OP6?
Circumventing an app's security measures (i.e. cracking or spoofing to gain a paid-for service without actually paying for it) is against the rules of XDA.
Even worse, after a quick read, this can be used maliciously to use another user's login when you're not supposed to and thereby take trips and transits at their cost.
To identify your device, they could be using the actual serial numbers or other uniquely identifiable properties of your device (e.g. IMEI, MEID, ESN, SIM subscriber ID, Wi-Fi/BT MAC, Google Framework GSF ID, Android Device ID, SIM serial, serial number).
As it's per device, they may be just using the model number from the build.prop and checking it against your account.
Anyway, I have not heard of this 'zipgo' and do not wish to know any further. If you have issues with them then contact their support; this sounds like abuse and you will likely get your service terminated anyway. And is a bus truly that expensive?
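The identifier list in the reply above answers the original question in general terms: the poster's MAC change did nothing because the app was keyed on something else, and the ROM flash "worked" because whatever it was keyed on is regenerated by a data wipe. The block below is an added example from the defender's side, not zipgo's code or anyone's bypass; which identifiers fall in which class, the sample values and the two-accounts limit are assumptions. It models a server-side "accounts per device" check and runs the poster's three states (stock, stock with a new MAC, reflashed) against three choices of device key.

```python
import hashlib
from collections import defaultdict

# Assumed identifier classes (see the list in the reply above):
#   HARDWARE: burned into the device, unchanged by a ROM flash; spoofable only with root/Xposed
#   INSTALL:  regenerated by a factory reset / data wipe (Android ID) or a Google services wipe (GSF ID)
#   NETWORK:  trivially changed on a rooted device (the MAC the poster changed)
HARDWARE = ("imei", "serial")
INSTALL = ("android_id", "gsf_id")
NETWORK = ("wifi_mac",)


def device_key(ids: dict, fields: tuple) -> str:
    """Server-side device key: hash of the chosen identifiers only, so the key is
    stable for exactly as long as those identifiers are."""
    material = "|".join(f"{f}={ids.get(f, '')}" for f in fields)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


class LoginLimiter:
    """Enforces 'at most N accounts per device', keyed on the chosen identifier set."""

    def __init__(self, fields: tuple, max_accounts: int = 2):
        self.fields = fields
        self.max_accounts = max_accounts
        self.accounts_by_device = defaultdict(set)

    def login(self, account: str, ids: dict) -> bool:
        key = device_key(ids, self.fields)
        seen = self.accounts_by_device[key]
        if account in seen or len(seen) < self.max_accounts:
            seen.add(account)
            return True
        return False   # "maximum number of logins per device exceeded"


# Constructed identifiers for one phone across the poster's three states (not real values).
STOCK = {"imei": "490154203237518", "serial": "A1B2C3D4", "android_id": "9774d56d682e549c",
         "gsf_id": "3f1c2e9a8b7d6c5e", "wifi_mac": "02:00:00:aa:bb:cc"}
STOCK_NEW_MAC = {**STOCK, "wifi_mac": "02:00:00:dd:ee:ff"}
REFLASHED = {**STOCK, "android_id": "1c0ffee1deadbeef", "gsf_id": "7e6d5c4b3a291807",
             "wifi_mac": "02:00:00:dd:ee:ff"}


def scenario(fields: tuple) -> list:
    """Two accounts on stock, a third on stock, a fourth after a MAC change, a fifth after a reflash.
    Returns whether each login was accepted."""
    limiter = LoginLimiter(fields)
    return [
        limiter.login("acct1", STOCK),
        limiter.login("acct2", STOCK),
        limiter.login("acct3", STOCK),           # third account, same device: refused
        limiter.login("acct4", STOCK_NEW_MAC),   # MAC changed, everything else identical
        limiter.login("acct5", REFLASHED),       # new ROM: install IDs regenerated, hardware IDs same
    ]
```

Keyed on hardware identifiers, neither the MAC change nor the reflash opens a third slot; keyed on install identifiers (the behaviour the poster observed), the reflash does; keyed on the MAC alone, the MAC change would already have been enough. A check that survives a rooted device has to combine several classes and, ideally, hardware attestation rather than any single self-reported value.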
Try xposed and xprivacylua to change / hide these values from the app
efinityy said:
+1 on this. But if you really need the help, just change your build.prop to another device's fingerprint if it's that necessary. If it's not really necessary, then I advise you to ask their support for further help instead of a 3rd-party website for advice.
