Related
I wrote this On Xperia Neo General forum but it belongs to here much more.
Original thread at: http://forum.xda-developers.com/showthread.php?t=1447095
Click to expand...
Click to collapse
Introduction
I have not seen much talk about security in XDA.
First, here's just one informative link talking about using and developing apps and security risks involved.
http://www.technologyreview.com/comp...1/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, get your credit card info(should you do such things on phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app only to have risks. Most people use Windows so they should know that it is OP systems bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM. That's just idiotic security system, for it is the only thing beside encrypting shut off phone on 3.0 and 4.0. So that means Android on it's own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and it's Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Exporer has root access, that means it has root access to whole Android. To remove unnecessary risks, this app's root access should be limited to only most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is Apparmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is obvious vulnerability, but it is at least known one. Let's look at possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On market it does not list permission to "Unique Device ID"(IMEI for GSM and MEID; ESN for CDMA) for free nor for paid version.
That means the author of BB has left the code from free version in paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the add and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's a latent code, with no benefit to user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on net and also where you are physically. GPS is just one way to find you, police for example have scanners to locate your devices physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risks of your home being marked as the next dungeon to be looted by some raiders, I mean criminals(or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by trojan/hacker is random. Yet the threat would not exist without apps having so flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos ". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in aquarium or hamsters in cage( "Look at that dork!", "You're one ugly m...f...er","ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?" "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by hacker on background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Devide ID
4. Cell Tower Name.
That's a lot of needless permissions for flashlight, these are there just to track you the app user and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux have such security holes then why do you want your Android have them?! You don't want, that's the point and these apps would not be so popular if people would really know and care about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
In my honest opinion. If someone keeps files like ccinfo they have to worry about being jacked then they deserve it. Should it happen. U shouldn't keep things on your phoney don't want the rest if the world to have
Sent from my Cyanocrack using Xparent Blue Tapatalk
You don't need to keep credit card info on phone, your using the credit card via Market or logging in to bank on phones browser is enough to intercept your credit card info. Your browser may show you xxxxxxxxxxxx+"last four digits only" but that doesn't mean the data to and from your device doesn't contain exact credit card number. It's encrypted, but that is merely a minor inconvenience for a hacker.
That is why being rooted is not advised to everyone. Mainly if they don't know what they are doing. Also customs roms are not for everyone. People flash them cause they think its cool and don't understand what they are doing. That is their problem. People should pay attention to the permissions that am app asks for. Common sense is the best protection. Main reason I don't do anything that deals with a bank on my phone.
Raoa said:
I have not seen much talk about security in XDA.
Click to expand...
Click to collapse
There's talk. It's just not on important yet, because the android device is not being marketed like an OS is with a personal computer.
However, the more we do on our phones, the more we'll realize it needs protection like firewalls. We catch a few like CIQ or the Wimax exploit, but it's going to get worse as we advance in our integration. We do need to start now before exploits get worse and stay ahead of the curve.
Until that time, 4G exploits and root kit programs will run freely on our devices that houses a lot of our personal information.
Plus, for some stupid reason, there are a lot of people who think Linux is immuned to viruses and security holes due to it's code transparency. Android is being mainstreamed. It will soon be a continuous target like other existing popular software programs and operating systems.
And that's why iOS is far superior even without widgets or live wallpapers.
Something to think about.thanks for posting.
Sent from my HTC Glacier using XDA App
alex2792 said:
And that's why iOS is far superior even without widgets or live wallpapers.
Click to expand...
Click to collapse
IOS and Mac are just as vulnerable, maybe even more so because of there popularity and the misconception that IOS is secure and does not need AntiVirus protection. Just last week i removed a nasty virus on a brand new Macbook Pro so that is not the way to think. You need to act as if there are security issues and just be really careful at what link you click and what email you open.
mattfox27 said:
IOS and Mac are just as vulnerable, maybe even more so because of there popularity and the misconception that IOS is secure and does not need AntiVirus protection. Just last week i removed a nasty virus on a brand new Macbook Pro so that is not the way to think. You need to act as if there are security issues and just be really careful at what link you click and what email you open.
Click to expand...
Click to collapse
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
I am not an expert on iOS nor do I have any wish to even know or use it, because Apple buys from suppliers that emply child labor and sweatshops.
When Linux started spreading around people also thought it has no viruses.
Same story repeats with every software.
For each different OS it takes merely time before people start to notice that their OS has viruses/trojans/spyware too. That doesn't mean their OS is not targeted. You should expect all sorts of thieves to use any and all opportunities.
Secondly OS does not matter so much as the matter that your device is connected to wifi, data, bluetooth, et or not. IP addresses, MAC, IMEI, etc they all stay the same on every platform. No matter which OS, they all connect to wireless networks, cell network, data, bluetooth, etc which all have set standards.
So someone wanting to track, spy, get your private info simply has to intercept the data your device sends to any network. If you don't use strong encryption to send info via network then it is easy to "wiretap" you.
Why is there so much spam, viruses, spyware in internet today? It's because the software managing internet is not made to be so secure. If it were secure then it would also be more private and safer for people to chat over net.
So not only OS's need to be more secure, but the very internet itself needs to be reformed.
This relates to SOPA and PIPA. Had those two bills been passed the next step would have been logically to make changes to all networks so you'd be more easily trackable, hackable, "wiretappable". It's simply logical, cause SOPA, PIPA were so defunctly worded as if asking/preparing for a third bill to regulate the networks.
So we must make sure that internet will be reformed for the private users and not for greedy corporations. We would not need to buy anti-spyware, anti-virus software if the internet were truly engineered for the welfare of humanity.
You could use any OS, bugged or not and not be afraid of loosing your property or privacy if the internet would stop such acts before they could harm you, the individual who is supposed to truly and freely benefit from the services; either for free or for honest price, but now you are robbed and think it is good to pay the thieves.
Raoa said:
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM.
Click to expand...
Click to collapse
Please elaborate. The sandbox does prevent one app from reading the data of another, such as the CC info from the Market.
Also, are you sure Market sends the entire CC number? There's no reason for it to send it, the transaction is performed on Google's servers.
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Click to expand...
Click to collapse
Are you talking about viruses or malware? Please don't conflate the two.
Malware is easy to take care of - check the apps you're downloading for what permissions they want. It's as simple as that.
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
Just before xmas an iphone developer admitted to deliberately uploading malware in his ios app to show malware can easily affect iphone.
http://m.intomobile.com/2011/11/08/security-expert-sneaks-malware-into-iphone-app-store/
That was for normal iphones. For jailbroken ones there are more malware apps.
Dave
Sent from my LG P920 using Tapatalk
Raoa, your absolutely right.
I've had the exact same thought recently
Its like the overall view of the Android landscape is ridden from real security apps, for the simple purpose of have the platform as open as possible. And while this is good for developers and users of this and other serious forums, its also open for the "dark" communities as well.
I often ask myself, if the ROM devs onboard have these thoughts themselves, as in, what is my source of this modded apk, is is straight from the Market or from another dubious, (do I dare say chinese forum, just an example)
And how clean is my code really?
And is all mods just legit just cuz they are from here?
I love that we have so many ppl having a desire to mess around with the OS, but I miss, as you say, the talk about having a go on security as well.
I dont know, but I do think that awareness, as you initial post direct us to, should be raised, as a natural step for any serious dev and users in general on XDA, to be more aware, of the code.
Im on my first year as an Android user, and ofcourse did have to gain root on my splendid Sensation. Why?, cuz I needed the security tools requiring root.
Ask again, why? Cuz I came from Winblows 7, and know what a jungle software is, and that is is indeed exploitable, like hell, you might say.
And Im gladd I did gain s-off and root, cuz its really really needed fo youre just a little concerned about your privacy in, mails, sms, location, usage pattern, netbanking, dropobox deposits of your ****, some might even be work related and therefore hold more than just your own privacy.
And then there is what you mentioned, our devices unique ID's, the intent "app install referrer" to "plug" you into admob/google analyzer and so on.
I love one guy here, Treve, who made the HTC tool for scanning for ****, Logging Test Tool, and in version 10, he made it aware of admob/mobclix/analytics, and my god it find a lot...
So Treve, please, if you read this, just go on, as every version you make is getting finer and finer.
We could learn from this guy, and others here that got more code-insight.
What we CAN do as a community at the very least, is to share our knowledge and tips for securing our phones.
HOST filtering, code scanning of apks and so on. using AV's and firewalls and so on.
Right from the start I noticed that Android is not a clean OS, nor is its app market, and I noticed this cuz I have another splendid little Linux system at hand, Smoothwall Express with url filtering and proxy enabled
and My god is Android and its aps LEAKING!
Have a look in your urlfilters on a standalone firewall the step after your wireless android phone, and watch how much **** is going on.
Well, I can tell you for a start that I have added atleast 100 new domains to my custom urlfilter, besides the casual downloadable HOST filters around the net, like the ones found in AdblockPlus and so on. But after android, heh, you need more than just advertising filtering, that much I can say.
Just as an example, like those you mentioned, I have one too, that I was made aware of by Avast on my phone tonight, that ChompSMS was being flagged as malware/trojan.
I thought, **** man, why this crap, Im quite fund of Chomp, really.
So I thought, no, imma let more that Avast on my phone have a go.
So I File Expert dump the full apk, and uploaded it for a scan on virustotal, just for the sake of it. And whatta'ya know, ClamAV, GData, Kaspersky, NOD32, and Sophos flagged it as that same Plankton.G variant as my on-phone Avast.
Great, I thought (sarkasm intended)
I thought a bit further and picked up APK Multi-Tool, had a decompile and a content-scan for just "http" in is readable code.
12 different domains is mentioned so far, and I didnt even poke in all of its xml's, just the smali's
I know android is by a far stretch advertising born, and ofcuz the app devs have a right to earn their money, no doubt about that, and I gladly pay for the good ****, like most ppl here believeably do, but.. 12 different .com's mentioned in its code is a no go for me.
I have earlier used Privacy Blocker, and Privacy Inspector from XEUDOXUS in the market, to make permission scanning, beside using LBE/HOST/Avast, and I like those two aps, the Inspector one is free but only can scan.
The paid Blocker can "repair" as a feature, but its not maintained enuff, so it often fails to make installable apks, so not really worth it for me anymore, but as a free too, it can tell you more about those permissions you mentioned.
But enuff said from me for now, lets just collect and share our tips and tricks, ALSO for security, not just developing ROM and mod's and hacks, as thou they are fine, if not to say, so cool and great, but, we need to be secure too.
Please do not polute the discussion with IOS vs Android and what not, cuz thats not the purpose of it, even thou it definitly concerns (g)A(r)pple products too.
Sincerely, Omnius
alex2792 said:
I'll give you OS X,but I've never heard of an iPhone virus while there are loads of malware on Android market.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
Iphones can get viruses they come through SMS's and other sources not as bad as android apple keeps there market much more under control, but everything is vulnerable i work in a security team for a big corp and believe me nothing is safe.
Check these articles out i just found them on google.
I remember a while ago maybe a year or so there was a huge security hole in IOS5 and Mac waited a long time to tell the public and release a patch. The one major problem with Apple is when there are security threats they really try to keep it hush...Iphone's OS is tight but not totally secure. Its not viruses either its moslty just malware that charges you tons of money in texting i saw once an iphone that turned into a bot and at midnight it would dial a 900 number and just sit there all night at like $20 bucks a minunte then disconnect when it felt the phone move.
http://www.mactrast.com/2010/07/iphone-virus-discovered-be-vigilant-and-seek-advice/
http://techfragments.com/news/982/Software/Apple_iPhone_Virus_Spreads_By_SMS_Messages.html
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
weedy2887 said:
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
Click to expand...
Click to collapse
I wouldn't be so fast to praise MIUI.
weedy2887 said:
I'm going to fanboy MIUI for a second.
When you install an app you are presented with a screen (separate from the market) that allows you to toggle all the permissions an app ask for between Allowed/Ask/Disabled.
More roms should adopt this.
NB: I haven't checked CM9 so it might be a CM9 feature that MIUI has polished or it might be native to MIUI.
Click to expand...
Click to collapse
The problem is the "Average Joe" doesn't even look at those or doesn't know what they mean. I see so many viruses/malware/open security holes just because of user error its insane. Almost 90% of security breaches or problems originate from the end users not paying attention or just not knowing or caring. Also another thing i see so much when new clients call me with there servers melting down and all there banking info being stolen is they haven't installed any updates on there servers since they were set up 2-5 years ago. I worked for a large industrial supply company and all there servers running MS Server 2008 no updates had been installed and they were using AVG free on there main SQL server...INSANE LOL
Then theirs the users, "my computer was fine until my friend on facebook wanted my SS# and mothers maiden name and insisted i open his email attachment, now its acting weird what do you think is wrong?"
Brutal
what is the 4g exploit that you are talking about? And is it only with wimax or is lte part of it as well?
Oneiricl said:
Malware is easy to take care of - check the apps you're downloading for what permissions they want. It's as simple as that.
Click to expand...
Click to collapse
It's absolutely amazing that people are willing to put up with something so ridiculous.
Sent from my SGH-I897
is online shopping on android phones actually safe ...i am confused ..any views on this
That depends on what your security concerns are. For me, I think it is totally safe to buy things online with your phone. I would do just about anything but financial activities in this context. However, my answer is a bit loaded so now I need to explain that part a bit. Credit Cards have built in protections. If you check your statements and dispute all charges that you did not authorize, then shopping through your phone is completely safe. I have had tons of fraudulent activity on my credit cards and I haven't paid a single cent that wasn't my own charge. The catch here is that you run pretty much the same risk doing your shopping online through an ordinary computer. Granted, phones have terrible security. My real point here is that you should use your phone assuming you cannot trust it. In this case, I use my credit card fraud protection as my mitigation for an untrustable platform.
dipinv.2007 said:
is online shopping on android phones actually safe ...i am confused ..any views on this
Click to expand...
Click to collapse
It is risky, indeed. Luckily, you can do something to protect your safety online. Android has a lot of flaws and it's vulnerable to malware and viruses- more vulerable than your personal computer because it's an open system( in theory) with millions of unverified apps for Download.
My recommendations:
[Remember, there's no 100% guarantee/solution, but it's better than doing nothing at all!]
Avoid using open WiFi Hotspots( Starbucks, McDonalds, City Hotspots, etc.) if it's not an URGENT purchase.
However, sometimes you find yourself in a situation where you need to purchase something right away. When connected to public networks( again, Sturbucks, City Hotposts, etc) consider using a VPN service to encrypt your connection.
I don't want to start a war over which VPN provider is better, but PIA( Private Internet Access) is ultra cheap and reliable.
Why using a VPN? VPN connections, like L2tp IPsec PSK connections can encrypt your data, securing your connection from sniffing( Wireless network tapping/monitoring).
When shopping online use the shop's app rather than your Android browser. Using your browser can have catastrophic consequences. Your eyes can deceive you! Don't trust them.^ ^
When using your browser( Chrome, Android browser, etc) always check your connection to the shop's sing-in page - if it's unsecured( http websites) leave the page! The same goes for links. Make sure to check the URL address! Again, don't rely on your eyes, when using public hotspots. Why? In layman's terms: When you connect to the internet, your Android resolves IP's(URL's/websites) via DNS servers, which can be infected. If a Hotspot is infected and you search for, let's say, PayPal you might actually get somehwere else! Relying on URL's when shopping via Hotspots is a stupid idea! That's why, again, you should consider using a VPN, which encrypt's your traffic+ paid VPN's have a lower chance of getting infected since the folks working there regularly check their servers+ most VPN providers use secure DNS servers, which overide the Hotspot's default DNS settings.
When downloading apps verify the company's name and make sure it's an original app! Avoid using user-made apps to access your eBay/Amazon account! Stay away from unknown&unverified, hence untrusted Android markets.
Antivirus/anitmalware. Scan your phone frequently!
GOLDEN RULE: NOTHING IS BULLETPROOF!
I guess that's it for the average user. :cyclops:
The same applies for your personal computer.
Thanks guys !! great replies, sums it all up ...every one should follow this advice !! :good:
dipinv.2007 said:
Thanks guys !! great replies, sums it all up ...every one should follow this advice !! :good:
Click to expand...
Click to collapse
You're welcome. Have a good day/night/whatever! :silly:
Of course it is just make sure you are using https:// means secure server that encrypts your data
Of course it is just make sure if you install the official apps
One Question reagarding the apps: Are they using a safe connection to the server or might there be a securtiy problem?
Im talking about the "big player apps" like amazon, ebay, paypal etc.
VPN and Politics - how secure is it
===================================
VPN:
The miracle solution for corporate users on-the-go.
The solution for political disdents and street movements or "freedom fighters".
The solution for watching what Holywood bosses decided you may not see in Europe or somewhere else.
The solution for downloading what you are not allowed to.
And the fancy list continues.
But have you ever thought that everything has a price, nobody gives something for free without thinking of own profit and that physically, you connection and data must pass a certain server somewhere?
But ...who has access to that server?
Which land host it and how the policy and government of that country affects you?
Well... let's take few examples:
1. Chinese disidents in Hong Kong. Well, if they use F-Secure Freedom VPN, it could be quite good.
F-Secure is locate din Finland, it's a pro NATO and USA partner.
For the chinese disident does not matter if american NSA watches them.
2. Islamists in Europe or somewhere else.
Now F-Secure Freedom VPN could be their capital mistake and last program to use before NSA reacts and ...a ticket to Guantanamo is paid by the USA tax-payers.
3. Normal Europe citizen wanting to watch Country music... well, Nashville and Holliwood bosses are quite restrictive and aware of money losses. Now a good VPN program comes handy, but beware for BSA catching you if your VPN goes via an "ally" of USA. Perhaps vpn servers ouside Europe are better...
But beware of own personal data if VPN program comes from East or Far East and your traffic goes same way...
Conclusion: based on who you are, how you are politically situated in respect to major powers of the world, what you want to do..
Then choose you VPN program and with a good firewall and sniffer watch out what the VPN program wants to access more on your device.
Never trust a VPN program, based on its adverts from producer or comments from internet.
Investigate yourself first, and never trust without deep checking.
With respect,
Zeno Sloim
http://zenosloim.blogspot.com/2014/10/vpn-and-politics-how-secure-is-it.html
How secure are in fact VPN or Red Phone
Article inspired by a PM asking about my thoughts on VPN and Red Phone.
"Hello there! Finally someone who cares about security.
Quote:
Originally Posted by iunlock
Greetings, I've been reading some of your posts and all that info is right up my alley. It's hard to find someone who actually cares about this stuff like I do. Anyhow, I have some questions that you may be able to answer for me. A lot of people I've tried to run this by doesn't have any passion for security so I've only received half "" answers, which is not what I'm seeking.
What do you think about this set up.
1. I use a VPN that claims they don't keep logs on my phone. But who knows...better than nothing? Or are these companies compromised? See if I was the big bad wolf, I'd either create VPN companies to give people options to trick them into thinking they have security with a VPN (illusions) and/or pay VPN companies a dollar amount that they can't refuse for a backdoor...ie...easy access any time to the traffic and data. So what if VPN companies lie about their claims...who's going to tell right? $win-$win situation for big bad wolf and the VPN company that couldn't refuse the $ offered. Interesting eh?
2. Tor/Orweb. Hmm....slow as a dead turtle, but does it really work like they claim? I do see some truth to this though with its concept, but going back to what I said above. $ talks?
3. Password managers like last password, 1 Password etc... again if I was the big bad wolf, would I not be able to make $ talk? Make you think.
4. Secure apps...like jitsi, xabber, encrypted stuff...etc. ..
On the flip side of the coin, there are true security nuts who hate the big bad wolf and a lot of these people are the founders of some of these VPN companies and alike. So there's some comfort in knowing that I assume....also open source stuff is good because they are transparent. No messing around there. Anything funny or fishy would be known for any vulnerability in the app etc....
With all that stuff aside, assuming you did trust the VPN, tor etc....what's the best we can do security wise for our phones?
Well I think using a VPN is a must. Next using gpg to encrypt all emails along with encrypted chat clients. Then the use of tor to proxy your connections like mail, chat, fb, twitter etc....
What are your thoughts?
BTW, I don't use Facebook (Cia / prism) buffet....
I think gpg is the only sure way of true security.
In the real world, having the convenience for non important things makes the use of Gmail and other Google apps convenient.
Never do I ever use any real info for any of these accounts lol.
So the question is....will using a VPN, encrypted email, encrypted chat client, and tor do the trick?
How about the use of redphone app with Google voice on VPN since it uses data and not voice tunnel?
A lot of cool stuff....would love to hear your thoughts.
Cheers"
Hi sorry for so late answer.
Please read my posts on my security blog.
As a guide line:
There is no secure VPN or provider, all depends on your "enemies" or whom are you afraid of. It all depends on who "don't care about you".
And what you want to do.
Everything located on US territory will report in case to US authorities. Same goes for Germany, Russia, China.
Also for smaller countries: Canada, New Zealand, Australia - all will report to UK and USA.
Same for Austria, Finland, Sweden - all will report to USA, UK, Germany.
The closed ties in SIGINT cooperation are 100% same in so-called VPN providers/software.
IMHO it's money waste to pay for VPN. If you want to do something against law.
Respect the laws and ignore VPN.
All above is for private persons.
If enterprise, own physically the VPN server and never trust any 3rd part.
With kind regards
Zeno Sloim
Part 2
Red Phone - bogus for naive people
Any product (hardware or software) produced on German territory HAVE backdoor for German state authorities and Germany SIGINT close partners: USA, UK
Any product made on USA territory has back doors for US state authorities.
The whole Apple FBI encryption scandal was bogus for big public, all Apple products have backdoor.
It's a matter of time for how quickly will authorities know and decrypt your private data "travelling on internet".
Best solution is to try to keep it LOCALLY, as much as possible, by controlling anything going out of your phone.
It's not easy for a normal user.
But use only verified by you, apps.
With regards
Zeno Sloim
Greetings all and Happy Holidays.
Per some fellow XDA users request and also to compliment the great thread "[TUTO] How To Secure Your Phone," by: unclefab, I figured this would help...a thread on VPN.
I am also shocked to not see anything in the security forum about VPN! I did a search and NOTHING.
What is a VPN?
(Virtual Private Network)
A simple search on the web will give you the nitty gritty stuff on what a VPN is, but I'll just lay it out very simply.
A VPN takes your data connection and encrypts it so it protects your data from not only your ISP seeing your traffic, but also from middle man attacks. Say if you were at a cafe connected to their open (unsecured) public WiFi and you did some shopping online, which involved you entering in your credit card number, name, address, etc... Well, it doesn't take much for someone to intercept your sensitive data passing through the cafe's unsecured WiFi connection.
How it works:
Encrypts your Computer's/Phone's data ---> Connects it to your VPN's server (Exit Server) ---> Then it reaches the end destination (website). (Safe Passage)
ie...
Safely passes your Internet Data, through a ---> [TUNNEL] ---> ...that is encrypted so that all your data is not only anonymous, but also protected.
There are may VPN's service providers out there, however, they are not all created equal. I've spent a lot of time researching VPN's and have went to great lengths to find the best of the best. The criteria of what I was looking for is as follows:
Offshore Company. Something outside of the US.
Liked and approved by even the extreme private/security activists.
Reliability and Speed! Some VPN's can be very slow only allowing you to achieve 30-50% of your internet speed at best.
A wide choice of servers.
Able to pay anonymously.
A VPN THAT WORKS ON OUR ANDROID DEVICES!
Some VPN companies have their own Android VPN client, which makes things a breeze. Just launch, connect and violla....all your traffic is now safely tunneled.
For the companies that do not have their own Android VPN client, you'll have to use the app: OpenVPN, which can be a hit or a miss for those on KK 4.4. Let me explain...
When I was on my Note 3 on 4.3, OpenVPN worked flawlessly and my speeds were darn near 100% of my regular LTE speeds even connected to a VPN! Well, once KK 4.4 came around, it completely ruined everything in terms of being able to stay connected. KK 4.4 is and was a nightmare for OpenVPN users. Upgrading from 4.3 to 4.4 was the biggest mistake I have ever made in my Android world. Bottom line, KK 4.4 sucks.
The good news is, there are a few VPN companies that work flawlessly on KK 4.4. I'm using one at the moment and it stays connected just fine with awesome speeds!
Why you should use a VPN:
Well think about. You can go the whole nine yards in securing your phone, which is awesome, but then you'd still be tunneling all that traffic "unencrypted," over the internet .... this is counter-intuitive in every way that you look at it. It's like ordering a BIG MAC Extra value meal and getting a diet coke. I mean really? What's the point? Diet? No matter how you see it, you're going to get fat if you keep eating it and thinking a diet coke is going to take edge off of you getting fat. Sorry, it doesn't work that way....
Imagine a semi-trucks driving down the highway with some completely exposed and some locked and covered. Well you'll obviously be able to see the exposed cargo on all the trucks that are not contained yes? Whereas the ones that are covered and locked, you'd have no clue what's in there. This is how a VPN works....it covers your data/traffic so that no one can see or know what is inside of that container during transit...ie...it provides a safe passage of your data over the internet to the end destination.
Now a VPN will protect your data from point A to the end destination (website.) That website will only be able to see your "exit server," and not your ISP or your location, but of course your data.
Ex: You're in New York connected to the internet using a VPN ----> The VPN server you're connected to is in Texas ---> The website you're visiting is located and hosted in Canada.
In that example, your "encrypted" data/traffic is being routed through Texas and then to Canada where the website is hosted/located. Make sense?
Because you're connecting to a VPN server, this is why you have to know which ones to use so that you can trust your data routing through their servers. Not all VPN companies are created equal!
If you're interested to know which VPN's are best in general and for our Android devices, PM me and I'll share with you my research. I don't want to advertise anything on here to be in compliance with the forum rules.
I hope this helps!
To be continued....
You forgot to tell the data is not encrypted by the VPN between it's server and the website's server, you are only moving a problem from place A to place B. It may be better for you if this is what you are looking for but it doesn't add that much security.
How a VPN works : Your device data is encrypted FIRST, it leaves your device and goes to the VPN's server, it is DECRYPTED, and then it is relayed to the server you were trying to contact. Your data is less traceable but you're not anonymous, the VPN provider knows who you are and your DNS provider may still know what you are looking at if you the device leak DNS requests.
Your guide is missing details, anonymity and security is not easy and trying to simplify it too much you lost important parts users should not forget.
Regards
Magissia said:
You forgot to tell the data is not encrypted by the VPN between it's server and the website's server, you are only moving a problem from place A to place B. It may be better for you if this is what you are looking for but it doesn't add that much security.
How a VPN works : Your device data is encrypted FIRST, it leaves your device and goes to the VPN's server, it is DECRYPTED, and then it is relayed to the server you were trying to contact. Your data is less traceable but you're not anonymous, the VPN provider knows who you are and your DNS provider may still know what you are looking at if you the device leak DNS requests.
Your guide is missing details, anonymity and security is not easy and trying to simplify it too much you lost important parts users should not forget.
Regards
Click to expand...
Click to collapse
Misleading? I think you need to re-read the post. Here let me help you:
"A VPN takes your data connection and encrypts it so it protects your data from not only your ISP seeing your traffic, but also from middle man attacks. Say if you were at a cafe connected to their open (unsecured) public WiFi and you did some shopping online, which involved you entering in your credit card number, name, address, etc... Well, it doesn't take much for someone to intercept your sensitive data passing through the cafe's unsecured WiFi connection."
"Now a VPN will protect your data from point A to the end destination (website.) That website will only be able to see your "exit server," and not your ISP or your location, but of course your data."
"Ex: You're in New York connected to the internet using a VPN ----> The VPN server you're connected to is in Texas ---> The website you're visiting is located and hosted in Canada."
So you're going to argue the fact that a VPN wouldn't be affective in a cafe scenario like the example I've given in the post?
Any additional information is appreciated, but please don't come in here saying that it's misleading....
THE FACT IS...YOU'RE BETTER OFF WITH A VPN, than WITHOUT ONE. PERIOD.
It's about trust, the VPN server can do the middle man attack itself or one could do it somewhere between the VPN's server and the final destination.
Of course you're better with a VPN most of the time, but it's important to clearly state it's not captain america's shield neither. It's important to clearly tell at all cost that the data is encrypted only between you and the VPN's server.
Best regards.
The only way to ensure you are safe from MITM is to use end to end encryption, like SSL/TLS (https). Even if the MITM is using sslstrip, you'll be able to tell by the security popup in your browser when it asks you to trust the connection (which you shouldn't...)
VPN is useful for protecting you from someone sniffing the airwaves on an open network or for accessing services behind a firewalled network. (Like SMB/Windows File Sharing).
Like Magissa said, it isn't captain America's shield, and don't be fooled by a false sense of security. You have to trust the VPN provider, and it would be pretty easy for one to sniff your traffic or read logs...
iunlock said:
Greetings all and Happy Holidays.
Per some fellow XDA users request and also to compliment the great thread "[TUTO] How To Secure Your Phone," by: unclefab, I figured this would help...a thread on VPN.
I am also shocked to not see anything in the security forum about VPN! I did a search and NOTHING.
What is a VPN?
(Virtual Private Network)
A simple search on the web will give you the nitty gritty stuff on what a VPN is, but I'll just lay it out very simply.
A VPN takes your data connection and encrypts it so it protects your data from not only your ISP seeing your traffic, but also from middle man attacks. Say if you were at a cafe connected to their open (unsecured) public WiFi and you did some shopping online, which involved you entering in your credit card number, name, address, etc... Well, it doesn't take much for someone to intercept your sensitive data passing through the cafe's unsecured WiFi connection.
How it works:
Encrypts your Computer's/Phone's data ---> Connects it to your VPN's server (Exit Server) ---> Then it reaches the end destination (website). (Safe Passage)
ie...
Safely passes your Internet Data, through a ---> [TUNNEL] ---> ...that is encrypted so that all your data is not only anonymous, but also protected.
There are may VPN's service providers out there, however, they are not all created equal. I've spent a lot of time researching VPN's and have went to great lengths to find the best of the best. The criteria of what I was looking for is as follows:
Offshore Company. Something outside of the US.
Liked and approved by even the extreme private/security activists.
Reliability and Speed! Some VPN's can be very slow only allowing you to achieve 30-50% of your internet speed at best.
A wide choice of servers.
Able to pay anonymously.
A VPN THAT WORKS ON OUR ANDROID DEVICES!
Some VPN companies have their own Android VPN client, which makes things a breeze. Just launch, connect and violla....all your traffic is now safely tunneled.
For the companies that do not have their own Android VPN client, you'll have to use the app: OpenVPN, which can be a hit or a miss for those on KK 4.4. Let me explain...
When I was on my Note 3 on 4.3, OpenVPN worked flawlessly and my speeds were darn near 100% of my regular LTE speeds even connected to a VPN! Well, once KK 4.4 came around, it completely ruined everything in terms of being able to stay connected. KK 4.4 is and was a nightmare for OpenVPN users. Upgrading from 4.3 to 4.4 was the biggest mistake I have ever made in my Android world. Bottom line, KK 4.4 sucks.
The good news is, there are a few VPN companies that work flawlessly on KK 4.4. I'm using one at the moment and it stays connected just fine with awesome speeds!
Why you should use a VPN:
Well think about. You can go the whole nine yards in securing your phone, which is awesome, but then you'd still be tunneling all that traffic "unencrypted," over the internet .... this is counter-intuitive in every way that you look at it. It's like ordering a BIG MAC Extra value meal and getting a diet coke. I mean really? What's the point? Diet? No matter how you see it, you're going to get fat if you keep eating it and thinking a diet coke is going to take edge off of you getting fat. Sorry, it doesn't work that way....
Imagine a semi-trucks driving down the highway with some completely exposed and some locked and covered. Well you'll obviously be able to see the exposed cargo on all the trucks that are not contained yes? Whereas the ones that are covered and locked, you'd have no clue what's in there. This is how a VPN works....it covers your data/traffic so that no one can see or know what is inside of that container during transit...ie...it provides a safe passage of your data over the internet to the end destination.
Now a VPN will protect your data from point A to the end destination (website.) That website will only be able to see your "exit server," and not your ISP or your location, but of course your data.
Ex: You're in New York connected to the internet using a VPN ----> The VPN server you're connected to is in Texas ---> The website you're visiting is located and hosted in Canada.
In that example, your "encrypted" data/traffic is being routed through Texas and then to Canada where the website is hosted/located. Make sense?
Because you're connecting to a VPN server, this is why you have to know which ones to use so that you can trust your data routing through their servers. Not all VPN companies are created equal!
If you're interested to know which VPN's are best in general and for our Android devices, PM me and I'll share with you my research. I don't want to advertise anything on here to be in compliance with the forum rules.
I hope this helps!
To be continued....
Click to expand...
Click to collapse
which is the best VPN to use?
I've installed OpenVPN for Android and it works fine.
[VPN (Virtual Private Network) and why you should use it if you're serious ab...
TheMoroccan said:
which is the best VPN to use?
Click to expand...
Click to collapse
There's no concrete answer to that question. Your best bet is to use a VPN provider that's based outside of your country, preferably one that is less likely to corporate with your local law enforcement.
Agreed. Out of country, away from your government's reach... There are some offshore server farms in countries with lax laws... Those are usually tax havens also. Research
snapper.fishes said:
There's no concrete answer to that question. Your best bet is to use a VPN provider that's based outside of your country, preferably one with a less likely to corporate with your local law enforcement.
Click to expand...
Click to collapse
Thanks bro for the info.
I have always known that companies like google and facebook for example collect our data, web searches etc and sell this information for profit. Today, this has become an even bigger issue with what we see in the media with the nsa and other government organizations tapping into our devices and monitoring our usage. At the end of the day, most of us, myself included really dont have anything to hide, so it may not be a real issue. I have often thought that if anyone poked around in my pc or phone they would simply get bored as they are just full of geeky engineering files lol. The real thing for me is simply that it's an invasion of privacy and just not right. With that said, I find myself wanting to go the extra mile to make my pc and my phone completely private from outside sources taking my information, watching my web searches and seeing my data. My question is, is it possible to be 100% secure and private, and if not, how close can we get, and how? I have heard that VPN's can achieve this. Is this true? and if so are there any free secure VPN's for our android devices and or pc's that are really good? Do VPN's slow down our devices? Also, Is there a way when we delete android files to permanently delete them? I noticed when I flashed my rom, after doing the complete wipe that is still contains files from before the wipe.
(I know this isn't a pc forum, I only included the pc because it's relevant.)
Thank you all in advance.
There are no data retention laws in the United States. Meaning, if a data center does not want to hold any logs to their users' activity, they're not required by law to do so. Multiple countries are similar, which is why I recommend using Private Internet Access for your VPN. They have a client for PC and Android and they're really great. I've been using them for many years and have had no issues. And, if you're really wanting to remain "anonymous", you can pay for your VPN subscription using gift cards from popular outlets like Walmart, Starbucks, etc. And for search engines, I'd recommend DuckDuckGo, which doesn't log anything you search. For PC, I'd recommend disabling your IPv6 protocol in your router settings and getting uBlock Origin, HTTPS Everywhere, and PrivacyBadger. They're wonderful add-ons for Firefox or Chrome. uBlock Origin and PrivacyBadger can block WebRTC leaks which would leak your IP address and can be used to identify you. If you want more information, feel free to reply to my post and I'll help you out as much as I can.
Hoxic said:
There are no data retention laws in the United States. Meaning, if a data center does not want to hold any logs to their users' activity, they're not required by law to do so. Multiple countries are similar, which is why I recommend using Private Internet Access for your VPN. They have a client for PC and Android and they're really great. I've been using them for many years and have had no issues. And, if you're really wanting to remain "anonymous", you can pay for your VPN subscription using gift cards from popular outlets like Walmart, Starbucks, etc. And for search engines, I'd recommend DuckDuckGo, which doesn't log anything you search. For PC, I'd recommend disabling your IPv6 protocol in your router settings and getting uBlock Origin, HTTPS Everywhere, and PrivacyBadger. They're wonderful add-ons for Firefox or Chrome. uBlock Origin and PrivacyBadger can block WebRTC leaks which would leak your IP address and can be used to identify you. If you want more information, feel free to reply to my post and I'll help you out as much as I can.
Click to expand...
Click to collapse
Hoxic,
Thank you for all of the information. With the private internet access VPN on my PC and android, will that slow down anything like web surfing, uploads or downloads? I am limited to using Verizon's high speed DSL connection as they refer to it, (I refer to it as slowest speed connection lol) in my neighborhood and this is the only provider for me so it's already pretty slow compared to Fios and other broadband connections. I would hate to slow it down any more.
You mention to pay for these services using gift cards and such. Well as I mentioned, I do not have anything that I am actually worried about anyone seeing, this is simply my way of trying to protect my privacy so I wouldn't go that far but I am curious about that statement. Do you mean that using a VPN truly isn't private or is this just to remove any paper trail linking me to the use of a VPN provider? I have been using DuckDuckGo for several years already just to stop google from taking and selling my info. Weather it truly works or not I dont know but its a great search engine anyway so I figured why not use it.
Your advice to disabling IPv6 protocol in my router settings: I do not see anywhere in my router settings to do this so I googled it, and it looks like there's a way o do this in windows. Is that different that what you're advising? Also I read a windows blog on this and windows 10 says IPv6 is a mandatory part of Windows that they do not advise on disabling. Can you give me some more detail on this, and how to disable it, assuming the windows warning is bull.
Thanks for all of your help.