[Q] Route Hotspot traffic through VPN - General Questions and Answers

I am trying to route my Hotspot traffic through a VPN, in order to prevent my carrier from detecting it. So far, I've been unable to get this to work by just connecting to a VPN and enabling the Hotspot. Some research (many, many XDA threads and Google) has convinced me that this is a very involved task. So, now I am approaching it from a different angle; the goal is still to conceal hotspot traffic.
Looking at the default TTL of Android, it appears to be 64. My laptop (Ubuntu) is also 64. So I changed /proc/sys/net/ipv4/ip_default_ttl to 65 on the laptop, raising the TTL by one. So if my carrier is paying attention to this, packets should appear to originate from my smartphone, rather than 1 hop behind it.
Next, if I connect to a VPN from my laptop... that should prevent them from seeing that I am connecting to Windows Update (or other obvious non-smartphone services) or from reading the user-agent, as the VPN encrypts the packets.
This, I think, should be sufficient, right? I do not intend to use an insane amount of data anyway. The carrier is Sprint, and they've never mentioned anything to me before. Do you think they would investigate any further than this for signs of hotspot use? I hope that this is an appropriate category to post this; I tried under Galaxy Nexus Q&A but did not get any answers.

Related

Major Security Flaw Found In Android Phones

Worth reading http://www.theregister.co.uk/2011/05/16/android_impersonation_attacks/
and perhaps following http://forum.xda-developers.com/showthread.php?t=1086878 (ok -- maybe not -- that thread is pretty useless)
In brief:
The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany's University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.
Announced today, apparently there will be silent OTA patches for Contacts and Calendar.
that is crazy!!!!
this made me feel a little at ease, just a little.
The attacks can only be carried out when the devices are using unsecured networks, such as those offered at Wi-Fi hotspots.
not sure what else to say about it.
Bloggers and media like to hype this stuff up.
Bottom line is this. Don't connect to a public wifi you don't trust, and always log in via SSL.
The issue here stems from using public wifi that allows people to sniff your traffic.
For instance:
You walk into Starbucks, I'm already there and with my phone I create a mobile hotspot, I call it "StarbucksWifi" for the SSID. You're none the wiser and you connect with your phone (OR with your laptop; it's not just your phone, but the media didn't share that).
I turn on Shark Mobile (Wireshark) and start capturing all those lovely packets. I then dissect them later to see your login info, etc.
Again, don't connect to public wifi you don't trust or are unsure about. Starbucks uses ATT for hotspots and the wifi name is always ATT from what I remember.
fknfocused said:
that is crazy!!!!
this made me feel a little at ease, just a little.
not sure what else to say about it.
Not a real issue unless you're one to use unsecured wifi networks.
joedeveloper said:
Bloggers and media like to hype this stuff up.
Bottom line is this. Don't connect to a public wifi you don't trust, and always log in via SSL.
The issue here stems from using public wifi that allows people to sniff your traffic.
For instance:
You walk into Starbucks, I'm already there and with my phone I create a mobile hotspot, I call it "StarbucksWifi" for the SSID. You're none the wiser and you connect with your phone (OR with your laptop; it's not just your phone, but the media didn't share that).
I turn on Shark Mobile (Wireshark) and start capturing all those lovely packets. I then dissect them later to see your login info, etc.
Again, don't connect to public wifi you don't trust or are unsure about. Starbucks uses ATT for hotspots and the wifi name is always ATT from what I remember.
Thanks.
I love hearing about this kind of stuff. It's good to keep current... now I know why they have that accept-conditions page at wifi places like Starbucks and McDonald's. You couldn't create that with your hotspot... or could someone?
Sent from my SGH-T959V using XDA Premium App
Thanks for the info, fellas. I rarely connect to wifi spots when I'm out and about. Actually, the only time I do is when I'm home or at work. Looks like I'm good.
While "always log in via SSL" is a great suggestion, the Google services aren't going to go over a secure channel (unless you have VPN enabled).
The same warning should apply if you aren't using WPA2: the older WEP (and WPA) is still common on many "secure" wireless connections, especially home units, and takes no more than a few minutes to crack with widely available tools.
http://www.google.com/search?q=wep+crack
From http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
WPA2 has replaced WPA; WPA2 requires testing and certification by the Wi-Fi Alliance. WPA2 implements the mandatory elements of 802.11i. In particular, it introduces CCMP, a new AES-based encryption mode with strong security. Certification began in September, 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.
This is what I was asking about in another post. I like to vacation where I have 0-1 bars on the phone, and motel wifi is available. I would like my pet/house sitting service to be able to call me when I'm away.
Also kid moved to England. We use Skype, Skype on Android is wifi only.
Mostly do use home WPA encrypted, but there should be some kind of safety for those who do need the service. Do not use the phone for personal stuff like banking, etc. even on a network.
And there are areas here in the west where there is no service for any carrier. Canyons are not conducive to line of sight.
SGS4G does have wifi calling built in.

[Q] How one might disguise tethering so providers don't know?

It's extremely obvious to providers if you are using your phone to tether. First of all, a mobile phone sends different packet headers than a desktop. Also, desktops are constantly making connections to places mobile phones don't, whether it be to a Microsoft update server, Starcraft II connecting to a game server, your automatic java or chrome updates, or itunes sending back your play count info to apple.
So the question is, how can we tether without leaving a single trace?
All I can think of to do would be to disable all connections with a firewall, and then only allow those connections which aren't suspicious, such as a browser (of course the browser would also need a custom mobile identifier that matched your phone's identifier).
Is there anything I'm not thinking of? Any other way the provider might figure out?
I use a Samsung Focus (Windows Phone 7) on AT&T. I have no need for a pricey tethering plan because I only very infrequently and sporadically feel the need to tether, just a few times a year. I understand that I'm probably okay if I only do it infrequently, but I would rather not find out, for peace of mind's sake.
I was wondering this too. I went into AT&T today and asked if any Androids could tether without having a tethering plan (I'm looking for a new phone). As expected, I was told I needed to have a tethering plan to use tethering. Although, I did a little research and PdaNet apparently has the feature to "hide tether usage." It says so on their site; just google PdaNet. I would post a link, but I'm new and can't. Try it out and let me know if it works; I would, but I don't currently have an Android.
http://www.androidpolice.com/2011/0...unauthorized-android-tethering-and-may-never/
Sorry, didn't see you were on WP7.

Samsung - VPN Issues

As a new XDA user involved with development, but unable to post in the development boards because of minimum post restrictions, I am going to drop some general information here (getting my post count up). This is also an attempt to see how many people are frustrated with the VPN connectivity on Samsung Platforms and desire a kernel fix.
Behavior:
An inability to connect to a VPN concentrator, or a seemingly successful connection with a failure to pass traffic across the tunnel. You can observe the behavior by connecting to your VPN, having the interface report a successful connection, but when you attempt to access resources on the other side of the tunnel you will not be able to reach them. When you view the status of the VPN connection, you will see that no packets were encrypted and passed along the tunnel.
Cause:
While I can't rule out a configuration error in every case, I can in mine. Samsung was/is creating kernels for GB and ICS with a slimmed-down version of ipsec-tools/racoon. Without getting too technical, this is the module responsible for negotiating the multiple phases necessary for a fully functional VPN tunnel. Because it is slimmed down, IPsec-Tools lacks its usual level of configuration necessary to support a wider range of VPN encryption types.
Solution:
Sorry, for all of you vanilla/non-rooted users (really, who is that here anyway?) there is no fix. For everyone else, we need a kernel (the version depends on your ROM) with a full version of IPSec-Tools baked in.
Let me know what you people think; the more responses, the better my chances of getting this put together. Feel free to also give me a tl;dr.
PS: I already tried and failed at compiling this myself. If anyone knows of any good places to start learning a bit more about kernel compiling, please drop it here or PM me.
Thanks, I thought the problem was in my router. I am using a Linksys router with DD-WRT on it, and thought the problem was on that end.
Hawkeye9723 said:
Thanks, I thought the problem was in my router. I am using a Linksys router with DD-WRT on it, and thought the problem was on that end.
Could be. What version of Android are you on? Were you experiencing the behavior above, successful connect and no packets transmitted? Usually DD-WRT wants you to set up the VPN as SSL IPsec (RSA Certificate). I have not yet tried that implementation but have been attempting IPsec + xAuth PSK (3DES encryption).
I have in the past configured DD-WRT to work successfully using the "VPN (the easy way)" on the DD-WRT site (sorry, I'm not allowed to post hyperlinks yet).
It would be great if we could get VPN running like it should. Would make my life a ton easier for work, I wouldn't need to carry around my laptop just to diagnose a tiny problem.
~PsyCl0ne
PsyCl0ne said:
It would be great if we could get VPN running like it should. Would make my life a ton easier for work, I wouldn't need to carry around my laptop just to diagnose a tiny problem.
~PsyCl0ne
As an IT professional, that's my motivation as well. Been following all of the leaks and releases; no fix yet. Looks like we'll have to take matters into our own hands.
I haven't tried it on ICS yet. I was running the stock GB. It would connect, but could not access anything on my home network. I also could not access anything on the internet. Trying to access the router config page would just time out. I had DD-WRT set up using PPTP.
Yeah, could be the same issue.
Don't mean to be patronizing; if I am, I apologize...
Did you try setting the advanced options? See attached image.
Leave the DNS settings alone. Try adding the forwarding route, i.e. if your router address is 192.168.1.1, put 192.168.1.0/24 in that field (192.0.0.0/8 or 192.168.0.0/16 should work too).
Sent from my SAMSUNG-SGH-I727 using xda premium
This issue exists on most Samsung phones, from GB to ICS; not sure about JB.
IPsec is broken.

Port forwarding with FoxFi or other options

So I have been looking for a way to say goodbye to AT&T's U-Verse and their terrible service/billing.
Now that I have a galaxy S3 and there is decent LTE coverage at home, I would like to use my Unlimited LTE as my main internet service.
This has worked out well tethering with FoxFi and I usually get around 15mb/s down / 6 mb/s up.
However, I cannot figure out how to get incoming connections to uTorrent. I don't torrent very often, but I like to maintain a good ratio and there are some things which I will seed forever, to make sure they are still available.
I haven't yet rooted my phone though I'm comfortable with it from prior experience. I wouldn't mind rooting it but if I can avoid it for the time being, why bother?
Has anyone had any trouble with Verizon and torrents on an unlimited plan? I don't use an exorbitant amount of data but I wonder about my privacy.
I would be very appreciative if someone could show me how to port-forward or otherwise open my phone to incoming connections from uTorrent through tethering. I have also considered using a VPN to increase my privacy, so if I could use that with my phone connection, I would be very happy.
Thank you to any who devote their time to my cause.
Sorry, I don't have a solution for you, but I would like to know the answer to this as well.
I torrent just fine when tethering my Galaxy Nexus on Verizon (using PdaNet). I use about 20 gigs a month or so, and the max I ever went with it was 60 gigs. But I have not torrented in a long time and have been using my tethering for WoW and L4D2 and downloading Steam games.
Whoa, you're on u-verse and having bad service and bill? Might want to shoot me a private message to talk about it and I can take a quick looksee of what's going on (I'm a tier 2 technical support agent for u-verse, and you wonder why I'm on Verizon Wireless )
Anyway, the only thing I've learned is that setting up uTorrent on the phone is a pain in the ass but will work (been a while since I've done it), but only when it's on 4G; if it's on the 3G network it won't let you do it (I can't point my finger on why).
scsa20 said:
Whoa, you're on u-verse and having bad service and bill? Might want to shoot me a private message to talk about it and I can take a quick looksee of what's going on (I'm a tier 2 technical support agent for u-verse, and you wonder why I'm on Verizon Wireless )
Anyway, the only thing I've learned is that setting up uTorrent on the phone is a pain in the ass but will work (been a while since I've done it), but only when it's on 4G; if it's on the 3G network it won't let you do it (I can't point my finger on why).
Thanks for the consideration. I'll be in touch.
I tried to use uTorrent on my S3, but the private tracker I use only allows supported clients. There is no Android option available. I am going to suggest they add one, but in the meantime, I'm wishing I could run a Linux client on my phone or figure out a way to enable incoming connections over a WiFi/USB tether. Don't know where to start with that, though.
You might want to look at your computer's built-in firewall. From my understanding of port forwarding, it allows certain traffic to bypass a firewall to a specific client. I don't recall FoxFi having any built-in firewall, so anything connected to it should be in a DMZ.
Sent from my SCH-I535 using xda app-developers app
Jarredw said:
You might want to look at your computer's built-in firewall. From my understanding of port forwarding, it allows certain traffic to bypass a firewall to a specific client. I don't recall FoxFi having any built-in firewall, so anything connected to it should be in a DMZ.
Sent from my SCH-I535 using xda app-developers app
The built-in firewall doesn't block incoming connections when I am using my home wifi (I have set up port forwarding in the router). The only thing I change is that I connect to FoxFi, and the port is no longer accessible from outside (no connections are being made to upload in uTorrent.)
BUMP?
Has anyone gotten anywhere with this? I know it's not a firewall; somewhere down the line the port is getting blocked, but all my firewalls are off....
Mike
androidkitty said:
Thanks for the consideration. I'll be in touch.
I tried to use uTorrent on my S3, but the private tracker I use only allows supported clients. There is no Android option available. I am going to suggest they add one, but in the meantime, I'm wishing I could run a Linux client on my phone or figure out a way to enable incoming connections over a WiFi/USB tether. Don't know where to start with that, though.
You should see if they support Tixati. I have had nothing but problems with uTorrent in the past couple of years. Tixati may not look superior at first, but it has all the same options plus more. Probably what really draws me to Tixati is it allocates the files before download.
VPN Fixed it, Kinda
androidkitty said:
The built-in firewall doesn't block incoming connections when I am using my home wifi (I have set up port forwarding in the router). The only thing I change is that I connect to FoxFi, and the port is no longer accessible from outside (no connections are being made to upload in uTorrent.)
Hey, I had the idea to set up a VPN on the computer, and it did fix the connection problem, got the green, BUT my DL speeds went to crap, which makes sense. So I guess if you find a decent VPN provider that can handle the throughput, it could possibly solve the issue... I just jumped on the first free one I came across..
Hope it helps.
Mike
Which VPN did you use eventually, Mike?
dumbledon said:
Which VPN did you use eventually, Mike?
I started with OpenVPN, which worked OK but was a PITA to set up. I eventually went to a free VPN through a website and client configuration. They'd change the password daily; you just jump to the site, log in, get the new password and you're good to go. Speeds were about the same...
And it's been a while, but I found out the issue was AT&T blocking certain websites (including, at the time, my free host for my forum, which is now on a VPS..) and have since moved to T-Mobile....
Been a while and memory isn't as great as it was. Hope this is what you are looking for,
Mike

PSA: Stores using new tech to track us via our phone's wifi

So if you are walking around in public with wifi enabled, you are allowing stores to collect data such as how often and how long you are in their stores.
SOURCE
Wow that's kinda scary. Nice find, thank you.
Why is the right door always locked?
I don't find this nearly as unnerving as the NSA tracking me; if I don't like it, I can take my money elsewhere. We can't "opt out" from government tracking us. Retailers analyzing this data makes them more efficient; has the potential for reducing their advertising and marketing budgets, lowering their costs in one area, helps them lower prices in the long run.
erikoink said:
Retailers analyzing this data makes them more efficient; has the potential for reducing their advertising and marketing budgets, lowering their costs in one area, helps them lower prices in the long run.
I agree that to an extent this isn't really a big deal; so Dillard's knows that you spend more time shopping for men's clothing than women's shoes.. Who cares, right? Problem is, will they stop there? No, they won't. We don't know what information could be (easily) collected (and sold) in the future; that is the problem. Today it's "customer 74593654 spent an hour in the store total, 20 minutes in refrigerated goods, 10 minutes in the deli, and 30 minutes in canned foods". But tomorrow, it could be "John Doe, who visited our store for an hour today, mostly connects to these two wifi points; they must be his home and work locations. We sell his information to our partners in those areas."
I don't really think that they're tracking (or able to track) that type of information. They're just taking advantage of the way the 802.11 discovery process works.
When a WiFi device is on and not associated with an Access Point (AP), it announces its presence and attempts to discover a nearby AP. APs respond to these queries with their BSSID and SSID, which then get listed in your device's list of connection options. If it's a "hidden" AP, it will only respond if the discovery query includes a specific SSID. Instead of responding, all it does is log the querying device's MAC address and timestamp it. Other APs can compare the Rx signal strength and approximate the location of the device.
As far as I know, unless and until your device actually associates with (connects to) the AP, no other communication occurs. If there are any WiFi engineers in here that know of a way to force a device to associate to an AP remotely and request it send data that it isn't configured to send, I'm willing to be corrected.
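The inference described above (an AP logs the probing device's MAC and a timestamp, and neighbouring APs compare received signal strength) as an added example; it is not from the post or any store's system. The probe records are constructed sample data, and the AP names and the RSSI-to-nearest-AP rule are assumptions for illustration. It also shows why a device that randomises its probe-request MAC (locally administered bit set) leaves only fragments instead of a dwell profile.

```python
"""What a passive 802.11 probe-request log lets a store infer.

Each record is (timestamp_seconds, ap_name, source_mac, rssi_dbm): the AP
never answers the probe, it only logs who asked, when, and how loud.
All records below are constructed sample data, not real captures.
"""
from collections import defaultdict

PROBE_LOG = [
    # Stable MAC: the same address is seen at several APs over 30 minutes.
    (0,    "ap-entrance", "00:1a:2b:00:00:01", -40),
    (0,    "ap-deli",     "00:1a:2b:00:00:01", -75),
    (300,  "ap-deli",     "00:1a:2b:00:00:01", -42),
    (300,  "ap-entrance", "00:1a:2b:00:00:01", -70),
    (1800, "ap-checkout", "00:1a:2b:00:00:01", -45),
    # Second stable device that only lingered near the entrance.
    (60,   "ap-entrance", "00:1a:2b:00:00:02", -50),
    (120,  "ap-entrance", "00:1a:2b:00:00:02", -48),
    # One physical device that uses a fresh random MAC for every probe.
    (10,   "ap-entrance", "02:11:22:33:44:55", -50),
    (400,  "ap-deli",     "02:66:77:88:99:aa", -41),
    (900,  "ap-checkout", "02:bb:cc:dd:ee:ff", -44),
]


def is_locally_administered(mac):
    """Bit 1 of the first octet set means a locally administered (randomised) MAC."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def dwell_profiles(log):
    """Group probes by source MAC and derive dwell time plus an AP-to-AP path.

    At each timestamp the AP that heard the strongest RSSI is taken as the
    nearest one (a simplifying assumption standing in for real trilateration).
    """
    by_mac = defaultdict(list)
    for ts, ap, mac, rssi in log:
        by_mac[mac].append((ts, ap, rssi))

    profiles = {}
    for mac, rows in by_mac.items():
        rows.sort()
        nearest = {}
        for ts, ap, rssi in rows:
            if ts not in nearest or rssi > nearest[ts][1]:
                nearest[ts] = (ap, rssi)
        path = [nearest[ts][0] for ts in sorted(nearest)]
        profiles[mac] = {
            "dwell_seconds": rows[-1][0] - rows[0][0],
            "path": path,
            "randomised": is_locally_administered(mac),
        }
    return profiles


if __name__ == "__main__":
    for mac, profile in sorted(dwell_profiles(PROBE_LOG).items()):
        print(mac, profile)
```

The stable addresses yield a 30-minute entrance-deli-checkout track, while each randomised address produces a single-point record that the log alone cannot link back to one visitor.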
WiredPirate said:
So if you are walking around in public with wifi enabled, you are allowing stores to collect data such as how often and how long you are in their stores.
SOURCE
I'd like to bump because I'm honestly curious if anyone knows what kind of info they could pull from our phones through this.
erikoink said:
I don't really think that they're tracking (or able to track) that type of information. They're just taking advantage of the way the 802.11 discovery process works.
When a WiFi device is on and not associated with an Access Point (AP), it announces its presence and attempts to discover a nearby AP. APs respond to these queries with their BSSID and SSID, which then get listed in your device's list of connection options. If it's a "hidden" AP, it will only respond if the discovery query includes a specific SSID. Instead of responding, all it does is log the querying device's MAC address and timestamp it. Other APs can compare the Rx signal strength and approximate the location of the device.
As far as I know, unless and until your device actually associates with (connects to) the AP, no other communication occurs. If there are any WiFi engineers in here that know of a way to force a device to associate to an AP remotely and request it send data that it isn't configured to send, I'm willing to be corrected.
Thank you for explaining that better.
Perhaps you connect to their free wifi; it's tempting if you want to save data, or maybe you are in an area with bad reception.. Couldn't they then gather more personal information?
WiredPirate said:
Perhaps you connect to their free wifi; it's tempting if you want to save data, or maybe you are in an area with bad reception.. Couldn't they then gather more personal information?
See, now if you associate with (connect to) their network, that changes things. But let's explore that hypothetical:
Have you ever heard of a "captive portal"? You see them in airports, hotels, anywhere with a so-called "guest wifi network", whereupon if you connect to their network and try to go to a website, it first redirects you to a page. And this page requires you to enter a password, or answer a survey, or agree to their terms and conditions. I'm sure we've all seen these.
Let's say that part of their terms is that you must download their smartphone app as a condition of connecting to their network and being routed onto the global internet. Let's also say that in order to install the app, you have to grant the app certain permissions, among these reading from areas of your phone you might not want people reading from. As you suggested in a previous post, your list of saved WiFi networks, etc. Then yes, they could start gathering additional data. In this case, it's still your choice to use their resources; you still have the choice not to. Their network, their rules.
I will say this though.. be careful of how your device is configured. I think the setting is available that tells your device to connect to any available open (unsecured) WiFi network. I would advise anyone to disable this. Once your device connects to any network, and you get an IP address on said network, then something could make a connection attempt to a vulnerable/compromised device (whether that be the network owner, or another compromised or rogue device) running some kind of Trojan service that responds to certain requests without you knowing. This, of course, would be illegal, and if they got caught doing this then they would face a huge backlash from their customers. I doubt they'd attempt something like this.
MAC address is bad enough.
Today's data is aggregated, ALWAYS.
You can buy it, you can sell it... There isn't just one source.
Cameras in the shops running track analysis and soon facial recognition, mimics and so on.
Your MAC address? Your router knows it.. And so your provider has access to it. He also has your IP.
Your IP? Most websites you visit and some more tracking / advertising sites.
So, as your MAC is known, data sold, we assume your owned devices are well known.
Now we don't need anything else than a WLAN to track your GPS-like location.. Besides.. This is how Android WLAN location service works. Did I say Android? Sorry, it is an exclusive Google service.
You can:
Adapt your behavior.
Use Tor or I2P.
Host your own services.
Encrypt everything.
And again, adapt your behavior... Otherwise no onion routing brings any advantage.
So, if you are willing to go the painful road, opt out of most things.. You can't opt out of your phone providers data collection, if you still want a mobile phone.
But still... ANY data reduction is the right way.
The data is and will be more and more widely used, aggregated and abused.
It is time to realize that there won't be any freedom in the modern world - this IS the new world order.
Forgot one freedom: you are free to be a consumer and a product.
And for people arguing with laws... Laws can and will be changed... In the name of safety.
Sent from mobile.
