Hi, I'm a noobie when it comes to Android. Actually, I will be buying my phone only tonight. I have been researching some apps, and I have become a little concerned about security. Using the Permission tab in the Android Market place to see what the app is up to has raised some red flags. For example, Winamp is accessing phone state/identity and sensitive logs. Another app was accessing the contact list. These apps have no reason to be touching that part of my phone, but yet they are. A music app does not need to know my phone's ESN. If the app needs to profile me, then I should have an account and log in.
Am I being paranoid or does anyone else share these concerns?
You are absolutely right to be paranoid and kudos to you for actually checking the permissions page. If something raises a red flag with you then don't touch it. Even if the dev isn't hell bent on stealing your secrets, it will send a message that people don't want every app to have unlimited access to everything that's on their devices.
Security is starting to become an issue with Android so clearly people need to be paying attention to what they are installing.
Unless you are familiar with the programming, it's hard to say for sure...a music app may need to know phone state to pause and resume music when you get a call or to be able to assign songs as ringtones... just use your best judgement, or email the dev to ask why the permissions are required.
HTC incRedibly-reEngineered
Is there anywhere on the net that certifies an android app as non malware?
I can recommend https://www.mylookout.com/. It's free as well; there is also a premium paid service if you so wish.
Hi ppl in the xda hood
I just write to let you know that ChompSMS has now been flagged as malware, both on 2 phones here locally with Avast as scanner, and subsequently by upload to Virustotal, and flagged by some of the major names too.
This concerns both the 5.30 and the update from tonight to v5.31
As I'm new, I cannot post urls, but you can dump the apk from both versions, upload for a scan, and have a look at the report yourself from virustotal dot com
XDA must decide if its worth it alarming the community, but better safe than sorry, right?
I guess it could be a false positive, and I do know things should not be rushed about accusations of malware developing, but seeing that several of the major scanners are flagging it both before and after the update certainly raises my concerns.
I hope those of you who know your way around decompiling and analyzing code will look into this, so that we can get more eyes on it than "just" the AV companies' reports.
Sincerely, Omnius
After a bit of micro-investigating I have so far found these domains in the code, so if you do HAVE to use ChompSMS (I do), you can add them to your HOST file, just for the sake of it.
I don't know when or why they will be used but as they are in the code, there is a potential connection lurking in it. Decide for yourself, until further ppl have a closer look than mine.
I'm not a dev of any sort, but I do know how to poke around to learn. Therefore please do not just take my words for granted until more competent ppl here have their say.
I do know that a few of these are for "normal" android app ads, and analytics and so on, but these are my findings so far, so filter out what you like it to connect to yourself. If you don't mind ads connections in-app, serve your wish, so to speak.
I used to love chompsms... now i guess I'm using GoSMS...
Sent from my Nexus S using XDA App
All of them appear to be valid to the program. Half are for ads, the other half are for functionality in ChompSMS.
I would be careful on using go SMS as well.
Antivirus apps will pick up any app that bypasses any normal OS use. This always has been and always will be the case.
Anything with ads will always be flagged as it connects to an unknown server.
zelendel said:
> I would be careful on using go SMS as well.
> Antivirus apps will pick up any app that bypasses any normal OS use. This always has been and always will be the case.
> Anything with ads will always be flagged as it connects to an unknown server.
chomp was never flagged before the 5.30 update a few days ago...
really bothers me, i love chomp. i donated to remove the ads. i'm hoping they fixed it with 5.31 and the virus scanners are just still reporting it as a false positive. until it's sorted out though, i uninstalled...
Update : avg doesn't detect anything wrong with the newest version, 5.31.
Lemme tell you...
I noticed the new permissions requested in 5.30 (special access to browser history/bookmarks), and kinda shrugged it off. Dumb move on my part. Immediately upon launching 5.30, I get a notification from ADWLauncher that it cannot fit a new shortcut on my desktop (because the main page was full). So I'm naturally all like WTF... so I flip through my desktop pages to notice that ChompSMS had made itself a shortcut to searchmobileonline.com.
I also heard that it replaces your default browser home page and search method with the same. I use xScope exclusively, so I haven't been able to check that yet.
Delicious, Inc. has really crossed the line with this latest stunt. What were they thinking!? ChompSMS was the best Android messaging app IMHO. Why jeopardize such a great reputation? If it's money they were after, I'd imagine they could've raked in a nice bundle of cash for selling the product to another company.
Does anyone have a copy of this apk that I could take a look at?
kyokeun1234 said:
> I used to love chompsms... now i guess I'm using GoSMS...
> Sent from my Nexus S using XDA App
GoSMS is a security risk
Sent from Narnia
xHausx said:
> Does anyone have a copy of this apk that I could take a look at?
I know this is an old thread but better than starting a new one.
I would like to ask if there is any news on this. I love chomp SMS, imo the best messenger for my taste. I have bought the pro version, to stay away from ads and unnecessary internet data. I have chomp on a brand new phone, no sim card, no messages, just activated chomp and my firewall instantly found chomp active on internet. I watched this for some time and really chomp was trying to do something even though I did nothing with it.
Important note: there is no data mining in any of their terms. Or at least I did not find anything.
So I contacted chomp about the behavior and they said that "they never seen this before" and suggested reinstall. I did, didn't help.
On the second try, they told me that it is connecting because of ads, but I had the pro version (and they knew it). So no luck.
After the third attempt, they said that chomp is sending once a day info that it is installed so they know how many installs they have.
This sucks a lot. Security concerns appear instantly.
I think it would be worthy to literally sniff a bit around this, since so many people are using chomp.
I am looking for a cheap, preferably free, app to spy on my wife. I saw her doing something the other day and want to know what she was looking at while she was doing it. At this point I would be happy with a remote screen shot that emails a couple times a day or something like that. I know she uses go sms for texting and that she uses facebook chat, saw her sliding something around on the phone and she said it was the new facebook chat. I don't use facebook because of some things that have happened in the past. I can have no idea what else she uses; it's "none of my business" what she does on her phone. The app must be hidden. The way I will be able to install it is her phone is rooted and keeps prompting for an update, so I can install something while I'm doing the update, but nothing very extensive at all to set it up. I want screen shots because I don't know if she is video chatting, or looking at stuff on the internet or what, so the safest way to find out is screenshots, like every minute or five. Key logger might come in handy too. I appreciate any help you give.
Sent from my SPH-D710 using XDA
Did you ever find anything??? I’m looking for something similar
Hi,
I've discovered the description of "Signal Private Messenger" app, but I don't know what to think about it.
Its description seems to indicate that you can communicate voice and text securely end to end with your smartphone, and that it's open source.
What is really securely? I don't know and "I want to know"
Thanks in advance for your answers.
Hi, The short answer is Yes. Signal is by Open Whisper Systems & runs on iOS and Android. You can use it as a regular SMS/MMS app; as well as encrypted SMS/MMS/phone calls. To activate the encryption you need to exchange keys with the person you want to message.
Hope this helps!
equi_design said:
> Hi, The short answer is Yes. Signal is by Open Whisper Systems & runs on iOS and Android. You can use it as a regular SMS/MMS app; as well as encrypted SMS/MMS/phone calls. To activate the encryption you need to exchange keys with the person you want to message.
> Hope this helps!
Hi,
Thanks for your answer.
Your answer is a good summary of the app's features.
But what do you think about the word "securely"?
Is it a dream or a reality?
The app's editor highlights testimonies from known people who use it. Is it sufficient to trust this app?
Has someone in this forum examined the code of this app?
Nothing is completely secure.
In my opinion, & from my use, Signal is more secure than a normal messaging app - but less secure than a talk in real life.
If you are interested in security, please check out this XDA subforum; http://forum.xda-developers.com/general/security
And read up here: www.eff.org
Hm, nice to see a discussion going on. Have just heard Snowden recommend the app so I thought I'd check it out. BUT, there is a but ... I intentionally blocked the app from any internet usage whatsoever with AFWall+ donate. I've set up my AFW to show a toast whenever it blocks an app trying to use the internet so that I know which apps try to use the net in the background without my permission or intention. To my surprise my AFW blocks Signal all the time when I use Signal. And I mean ALL the time. How does this make sense? Why would a privacy app try to connect to the internet constantly? I've not got WiFi calling and I've not even enabled it in Signal's settings. Am I missing something here or is there sth wrong with the app? It's making me feel that it is constantly trying to leak data and that's why it attempts to use the internet. Good thing I have a robust thing on board such as AFWall... best firewall out there.
jonathansmith said:
> Hm, nice to see a discussion going on. Have just heard Snowden recommend the app so I thought I'd check it out. BUT, there is a but ... I intentionally blocked the app from any internet usage whatsoever with AFWall+ donate. I've set up my AFW to show a toast whenever it blocks an app trying to use the internet so that I know which apps try to use the net in the background without my permission or intention. To my surprise my AFW blocks Signal all the time when I use Signal. And I mean ALL the time. How does this make sense? Why would a privacy app try to connect to the internet constantly? I've not got WiFi calling and I've not even enabled it in Signal's settings. Am I missing something here or is there sth wrong with the app? It's making me feel that it is constantly trying to leak data and that's why it attempts to use the internet. Good thing I have a robust thing on board such as AFWall... best firewall out there.
It's encrypted, end to end. It's not leaking anything. The code is opensource, you can go and review the code and build it yourself.
If you're blocking it from accessing the internet, then it's going to try again, probably because it can see that there is a network connection live.
@jonathansmith
Thanks for your detailed feedback.
It would be nice if someone in this forum could analyze the code of this open source app.
As for me, I am unfortunately not competent.
Were you able to identify with AFW the site the app was trying to connect to?
dtective said:
> It's encrypted, end to end. It's not leaking anything. The code is opensource, you can go and review the code and build it yourself. If you're blocking it from accessing the internet, then it's going to try again, probably because it can see that there is a network connection live.
Thank you, that's exactly what I don't get. Why would it attempt to establish a connection. Ofc I'm blocking it. I'm blocking tons of other apps as well, but unlike Signal (and a few other suspicious apps) the other apps do not try to establish a connection.
As I said, when you block an app from accessing the net with AFWall you can tell AFWall to give you a toast showing you every single time AFWall blocks a certain app trying to access the net. So, with 99% of my AFWall-blocked apps I don't get this toast, meaning that those apps don't even attempt to access the net (but better stay safe and have em blocked.) With some tricky apps though, AFWall shows that toast msg indicating that it successfully blocks a certain app from accessing the net. That's what I don't get - why would Signal be set up in a way that it would attempt to access the net. Prolly WiFi calling or sth but I'd rather use it for now only as a default SMS client.
Yes, you are right. Signal can see that there is a network connection live and that's why it constantly tries to connect to it. Just wish Signal would get it once and for all that it is blocked for good and stop trying to access the net.
If anyone knows which Services, Broadcast Receivers, or Activities from Signal should be disabled (using MyAndroidTools for example) please do share which ones they are so I can disable them and thus prevent Signal from constantly trying to establish a connection. The toast msg from AFW does become annoying when it is every second second.
---------- Post added at 11:39 AM ---------- Previous post was at 11:33 AM ----------
iwanttoknow said:
> Were you able to identify with AFW the site the app was trying to connect to?

Maybe gotta look into the log of AFW. The toast msg only shows the ip address which Signal tries to connect to but AFWall prevents it from doing. But that's not the prob for me. Doesn't matter too much what it tries to access cos I know AFWall is good enough at preventing that. Just want to stop Signal from trying to access whatever it is trying to access! Will let you know if I figure it out!
---------- Post added at 12:00 PM ---------- Previous post was at 11:39 AM ----------
equi_design said:
> Nothing is completely secure.
> And read up here: www.eff.org
I second that. Nothing is, indeed! And thanks for reminding me about eff ... here's a good one - https://www.eff.org/https-everywhere @iwanttoknow check it out!
And here's a bit of a follow-up. Managed to catch the toast. Not sure if it is always the same ip that AFW blocks, but will try to pay attention. A reverse search reveals that the geo location of the ip is some place in Washington, US.
https://imgur.com/a/5fhIf
As I understood it
(And I could be wrong, I left Signal years ago when it was TextSecure)
Signal does NOT use sms to send messages
That functionality of the app was dropped a while back
It uses internet only to transmit encrypted messages
And it uses its own message server to host your messages.
It seems like decent software
I abandoned it because it uses your personal phone number as your identifier..
And it will not work without a phone number..
Which for me is just crazy as every government in the world and most phone companies are selling/tracking your "meta" data based on your smart phone and its phone number.
Think of it as any other encrypted internet message system
But it uses your phone number as an identifier...
Everyone gets my public email address now for communication.
Cops, government, hospital, work, stores, etc.
It's the 21st century. Why use a phone number for anything anymore?
nutpants said:
> As I understood it
> (And I could be wrong, I left Signal years ago when it was TextSecure)
> Signal does NOT use sms to send messages
> That functionality of the app was dropped a while back
> It uses internet only to transmit encrypted messages
> And it uses its own message server to host your messages.
> It seems like decent software
> I abandoned it because it uses your personal phone number as your identifier..
> And it will not work without a phone number..
> Which for me is just crazy as every government in the world and most phone companies are selling/tracking your "meta" data based on your smart phone and its phone number.
> Think of it as any other encrypted internet message system
> But it uses your phone number as an identifier...
> Everyone gets my public email address now for communication.
> Cops, government, hospital, work, stores, etc.
> It's the 21st century. Why use a phone number for anything anymore?
You have to go back in time when the app was called TextSecure and it provided end to end encryption for SMS. The app was available on F-Droid until someone discovered that plain text sms were saved unencrypted on device. After that, the dev temporarily closed the source and also demanded that the app be removed from F-Droid, because in his view distribution on F-Droid was "insecure." Well, that hole was fixed and the following versions worked pretty well. About the same time, the dev started to be bothered by TSA every time he travelled by air. Then, within a few subsequent releases, google binaries and internet permission were included. Then, the app started to crash if internet service was restricted. In addition, you could only get the app from Google Play, which means you must have Gapps and Google Services Framework, which has total control over the phone and regularly "phones" home (obviously not your home). GSF can get your outgoing text before encryption and incoming text after. Despite all of the above, one could still compile the app and use it without GSF. Then suddenly, the dev announced that he would no longer support encrypted SMS. About that time, he started receiving literally millions of $ from a US government-backed foundation. In addition, he was offered a lucrative contract to do encryption for WhatsApp, which later became Facebook. Quite a change after being harassed in airports. So, encrypted sms were dropped and the app turned into an internet messenger. You must register with your phone number; your data goes through Google servers and Whisper Systems' servers. And by the way, neither the Signal servers nor Redphone servers are open source. You can't use the app unless you have Gapps and GSF and if you use the app, you are known to Whisper Systems, Google and all 3-letter agencies...
This is not the first time I am posting on TextSecure/Signal, just do a search on XDA and F-Droid forums and you will find more info with links. I would stay away from anything coming out of Whisper Systems. Use Silence, which is a fork of TextSecure with encrypted SMS. For over-the-internet services, use Conversations.
And by the way, never use an app where everything: encryption, encryption method, registration, servers are in the hands of one entity, which won't allow you to use other servers...
nutpants said:
> As I understood it ...
You might be right but for normal unencrypted messages Signal uses simple SMS. Have tried it and without any WiFi or data it simply sends a msg as an SMS. So far so good but u might have a point. I'm yet to test with someone who also has the app installed and see how encrypted msgs are transferred. I'd imagine it NOT to be over the internet, but then again you might have a point? Why? Because as I said I've blocked Signal with AFWall and I get a toast showing that Signal CONSTANTLY tries to connect to the internet when there is currently a live connection to the internet, be it Data or Wifi. So yeah, you might be right, but I need to test it out. In the meantime someone who has already done this would do us a favour by telling us how it works.
Using my personal phone number as identifier does not sound cool indeed. If you are right about this: 'It uses internet only to transmit encrypted messages. And it uses its own message server to host your message' then I guess I'm ok with using the net for transmitting encr. msg since they are encrypted with E2EE. As to where the msgs are hosted. I guess I'm better off having them stored at Signal's server than at Verizon's cos from Verizon they end up DIRECTLY to the government. I guess with nuff persuasion and money though they'd also end up there from Signal. It's the way of the world, isn't it? Also, as I mentioned in my last post, the IP which Signal constantly tries to connect to is in Washington. That's already fishy enough .... very fishy!
optimumpro said:
> Use Silence, which is a fork of TextSecure with encrypted SMS. For over-the-internet services, use Conversations.
How about apps like 'Wire' and 'Wickr - Top Secret Messenger'? Are they any good? Will give Silence and Conversations a try! 10x for bringing them up.
unknown404 said:
> How about apps like 'Wire' and 'Wickr - Top Secret Messenger'? Are they any good? Will give Silence and Conversations a try! 10x for bringing them up.
Wickr is not open source. So, for me it is out of the question. Wire sounds good, although they say they can terminate your account at any time. Also, they say the company is based in Switzerland, but the location for dispute resolution is San Francisco. They also say they can require you to download/upgrade the app, which means that if you want to stay on an older version, they won't let you...
Again, I am against models where everything is concentrated in the same hands...
optimumpro said:
> Wickr is not open source. So, for me it is out of the question. Wire sounds good, although they say they can terminate your account at any time. Also, they say the company is based in Switzerland, but the location for dispute resolution is San Francisco. They also say they can require you to download/upgrade the app, which means that if you want to stay on an older version, they won't let you...
> Again, I am against models where everything is concentrated in the same hands...
I guess I'm ok with Wickr's being closed source (but then again what do I know ... the discussion about open vs closed source goes both ways so more opinions are welcome). Just don't get why I made an account there and now trying to log back in I'm told the credentials are wrong. Weird!
Hi,
In my first post, I was asking your opinions about "Signal Private Messenger" app.
Thanks all for your answers.
In your answers, I have discovered the names of Silence and Conversations apps.
Which level of confidence for them and why?
iwanttoknow said:
> Hi,
> In my first post, I was asking your opinions about "Signal Private Messenger" app.
> Thanks all for your answers.
> In your answers, I have discovered the names of Silence and Conversations apps.
> Which level of confidence for them and why?
I'll be happy to hear more opinions as well but as optimumpro said, Silence really seems solid and offers E2EE, which is what I need. Have tested it with other users and seems good so far. Can't say anything about Conversations cos I've not used it yet. I read good stuff about Wickr as well, but yeah ... closed source deters many.
unknown404 said:
> I'll be happy to hear more opinions as well but as optimumpro said, Silence really seems solid and offers E2EE, which is what I need. Have tested it with other users and seems good so far. Can't say anything about Conversations cos I've not used it yet. I read good stuff about Wickr as well, but yeah ... closed source deters many.
Both Conversations and Silence are open source, unlike Signal, which contains prebuilt binaries and jar files. Also, neither Conversations nor Silence forces you to register or use their servers, which Signal does.
optimumpro said:
> Both Conversations and Silence are open source, unlike Signal, which contains prebuilt binaries and jar files. Also, neither Conversations nor Silence forces you to register or use their servers, which Signal does.
That I do second and that I do like!
Hi,
After reading some articles, I discovered that it was "easy" to ensure end-to-end encryption (E2EE) for our communications. I share my understanding here, knowing that it's well known by experts in the domain. So thank you for being kind to me.
In fact, there is a difficulty for communicating parties who want to communicate without anyone spying on their voice or written messages. They have to use cryptographic protocols relying on a shared secret. But how to share a secret on insecure communication channels?
It's "easy", due to the Diffie-Hellman cryptographic protocol, which permits doing that. There are a lot of explanations about it on the Net. But it could be defeated by the man-in-the-middle attack (MITM). To counter this attack, you have "simply" to sign the shared secret with asymmetric keys (with your secret key to sign the shared secret, and with your public key permitting the other party to verify it). If you are interested, see more explanations on the Net about asymmetric cryptographic protocols.
I sincerely hope that I didn't say too much nonsense.
Silence app is based on Diffie-Hellman protocol, like other apps in the domain.
In summary, after reading your answers to my initial post:
- Silence app permits exchanging SMS/MMS, using E2EE.
- Conversations app is an instant messaging (IM) client for Android, using E2EE.
- Signal Private Messenger is an E2EE IM and voice calling app.
I have noted what has been written about Signal Private Messenger in this thread, so is there a "less intrusive" E2EE voice calling app, in the same way as Silence?
Thanks for your participation.
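
A signed Diffie-Hellman exchange of the kind the post above describes, as an added example that is not part of the original thread or of any of the apps discussed. Here each side signs its Diffie-Hellman public value with a long-term identity key and the peer checks that signature against an identity key it already trusts; the function names, the `relay` object and the assumption that identity keys were compared out of band are hypothetical, and the code uses Node.js's built-in `crypto` module (X25519 and Ed25519).

```javascript
// Added example (not from the thread): Diffie-Hellman with and without
// signed public values. All names here are hypothetical.
const nodeCrypto = require('node:crypto');

// Long-term identity key pair (Ed25519). Assumption: each user already holds
// the other's identity public key, e.g. after comparing fingerprints in person.
function newIdentity() {
  return nodeCrypto.generateKeyPairSync('ed25519');
}

// One side's key-exchange message: a fresh X25519 public value plus a
// signature over it made with the sender's identity private key.
function makeOffer(identity) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const pubDer = eph.publicKey.export({ type: 'spki', format: 'der' });
  const sig = nodeCrypto.sign(null, pubDer, identity.privateKey);
  return { eph, message: { pubDer, sig } };
}

// Derive a session key from our ephemeral key and the received message.
// With trustedPeerKey set, a value not signed by that key is rejected.
function acceptOffer(myEph, message, trustedPeerKey) {
  if (trustedPeerKey &&
      !nodeCrypto.verify(null, message.pubDer, trustedPeerKey, message.sig)) {
    throw new Error('public value not signed by the trusted identity key');
  }
  const peerPub = nodeCrypto.createPublicKey(
    { key: message.pubDer, format: 'der', type: 'spki' });
  const shared = nodeCrypto.diffieHellman(
    { privateKey: myEph.privateKey, publicKey: peerPub });
  const key = nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0),
    Buffer.from('added-example session key'), 32);
  return Buffer.from(key).toString('hex');
}

// Run one exchange between two endpoints. `relay` (an offer made with some
// other identity) models a party on the network path that replaces both
// messages in transit; `verifySignatures` turns the signature check on or off.
function runExchange({ verifySignatures, relay }) {
  const alice = newIdentity();
  const bob = newIdentity();
  const a = makeOffer(alice);
  const b = makeOffer(bob);
  const toAlice = relay ? relay.message : b.message;
  const toBob = relay ? relay.message : a.message;
  try {
    const keyA = acceptOffer(a.eph, toAlice, verifySignatures ? bob.publicKey : null);
    const keyB = acceptOffer(b.eph, toBob, verifySignatures ? alice.publicKey : null);
    // Can the relay compute the key that the first endpoint now uses?
    const relayHasKey = relay
      ? acceptOffer(relay.eph, a.message, null) === keyA
      : false;
    return { completed: true, endpointsAgree: keyA === keyB, relayHasKey };
  } catch (err) {
    return { completed: false, reason: err.message };
  }
}

// Demo: the same exchange three ways.
console.log('no relay, signatures checked :',
  runExchange({ verifySignatures: true, relay: null }));
console.log('relay, signatures not checked:',
  runExchange({ verifySignatures: false, relay: makeOffer(newIdentity()) }));
console.log('relay, signatures checked    :',
  runExchange({ verifySignatures: true, relay: makeOffer(newIdentity()) }));
```

Without the signature check the exchange completes and neither endpoint sees anything wrong, which is why messengers ask users to compare safety numbers or key fingerprints.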