What are the repercussions of removing contacts provider in Android? - Security Discussion

Personally I think the contacts provider (and other providers)in Android is a huge security risk. Every app and it's brother wants full access to your contacts so they can mine them for usable information. This can be just to add easy links to friends or to spam them with advertisements or offers to identity theft.
I've started using a pim manager that does not access Androids contact provider, calendar provider , tasks or other providers in it's operations.(And I really wish it was open source)
I have already removed the Google sync apks from my device and have removed contacts, calendar in the past. But not the providers.
It might cause some badly written apps to crash.
But I can't forsee any other serious problems.
Ideas? Thoughts?

Honestly sounds like a good idea..
Myself I decided to go for a while without any gapps and any other "store" installed on my phone.
My contacts are imported from a .vcf file which i update manually when needed.
I also have installed AFWall+ and i blocked the internet access to pretty much all the other apps including the system ones.. (everything i could get away with basically )
This could be a solution as well but it's rudimentary one at the moment.
nutpants said:
Personally I think the contacts provider (and other providers)in Android is a huge security risk. Every app and it's brother wants full access to your contacts so they can mine them for usable information. This can be just to add easy links to friends or to spam them with advertisements or offers to identity theft.
I've started using a pim manager that does not access Androids contact provider, calendar provider , tasks or other providers in it's operations.(And I really wish it was open source)
I have already removed the Google sync apks from my device and have removed contacts, calendar in the past. But not the providers.
It might cause some badly written apps to crash.
But I can't forsee any other serious problems.
Ideas? Thoughts?
Click to expand...
Click to collapse

I already don't have Google apps on my device.
Everything blocked with afwall+ using profiles so things only get net when I'm using them on the net.
Fdroid is where I get 90% of my software and from the internet for much of the other 10%
I have a old phone with nothing on it personal at all. Which has play store for the 3 or 4 paid apps I need, it does updates for them and a few free ones. I copy the apks over to my daily driver.
I constantly hound developers on play store to support offline devices and not to implement features that break the app when there is no internet. Even app I don't use lol.
(I have 2 tablets and far too many old phones.only two devices are online(some are local lan only))
Someone should start a offline foundation. But being online it might be ridiculous..

I too removed contacts by using /system/app mover from f-droid. It was unintended as I wanted them as a user application but they wouldn't work like this and the icon vanished, that was fine with me for a long time. The other day I wanted contacts for signal (and telegram also won't work without them). I restored the application files from a backup,
For reference in /system/app/ the missing files were
SecContacts.apk
SecContactsProvider.apk
Other contacts programs like Simple Contacts can't run without a system permission called com.android.contacts and without those files in /system/app the permission doesn't get created at boot. The result being that no contact creation is possible.
What I would really like is a modified version of the system app that passes contacts data to the calling program depending on individual contact entry permissions with regard to each calling app; one list for telegram, another for signal etc. I gather that recent android versions above 6.0.0 have functionality to check calling application certificates so something along these lines should be possible. For earlier versions it might be necessary to switch between multiple contacts databases before starting the messaging app and also removing it from the autoboot list.
https://developer.android.com/guide/topics/permissions/defining

Related

[Q] How to backup contacts, apps and settings?

Can someone tell me, or point me to a tutorial that explains how to:
1. Backup contacts to PC
2. Backup paid apps to PC(don't want to have to buy it twice...)
3. Backup app data/settings to PC.
Using appbrain will sync your apps with your account on appbrain.com
Sent from my SAMSUNG-SGH-I897 using XDA App
So, there is no way to backup to your SD card, or PC? For windows mobile, I use Sprite, which works great. I was looking for something like that.
Thanks
Never used WinMo, but Titanium Backup might be what you're looking for. You need root to use it though.
I don't mind rooting if that is what it takes, but I can't belive that there is not an easy way to at least backup your contacts.
Backing up Contacts, several ways:
Samsung Kies -- follow the sticky at the top of this forum, it will back them up to your PC.
Export to SD Card, then copy to your PC -- Enter the Contacts app, hit Menu, More, Import/Export, Export to SD Card.
Copy them to your SIM -- Enter the Contacts app, hit Menu, More, SIM Management.
Sync them to AT&T's servers, which will do it in real-time when you add/delete them, similar to if you synced to your Gmail contacts .. the other benefit here is that you can log on to your AT&T account via the web to manage your phone contacts and it will sync your changes. Useful if you're mass-adding and want to use a full keyboard for speed. -- Enter the Contacts app, hit Menu, More, Settings, AT&T Address Book, click Auto Sync contact with online Address Book.
Backing up paid apps: I have not used it, myself, but Titanium Backup might do what you need, as the previous poster said. You can find it in the Market and read up on it.
Backing up app/data settings to a PC. I'm guessing this would be more app-specific than anything, no? I don't think Google imposes or enforces any standards on data/setting storage for apps, so any single backup tool would have to support individual apps one-by-one. Please update this thread if you find anything, because it would be pretty convenient ....
UserNamer said:
Backing up Contacts, several ways:
Samsung Kies -- follow the sticky at the top of this forum, it will back them up to your PC.
Export to SD Card, then copy to your PC -- Enter the Contacts app, hit Menu, More, Import/Export, Export to SD Card.
Copy them to your SIM -- Enter the Contacts app, hit Menu, More, SIM Management.
Sync them to AT&T's servers, which will do it in real-time when you add/delete them, similar to if you synced to your Gmail contacts .. the other benefit here is that you can log on to your AT&T account via the web to manage your phone contacts and it will sync your changes. Useful if you're mass-adding and want to use a full keyboard for speed. -- Enter the Contacts app, hit Menu, More, Settings, AT&T Address Book, click Auto Sync contact with online Address Book.
Click to expand...
Click to collapse
Awesome. Sounds like backing up the contacts won't be a problem.
Backing up paid apps: I have not used it, myself, but Titanium Backup might do what you need, as the previous poster said. You can find it in the Market and read up on it.
Click to expand...
Click to collapse
Will look into it. What would really be nice would be if google would do this for us. Seems like it would be pretty easy for google to remember which apps I have purchased, and not charge me next time I try to download it. Perhaps the marketplace already does this? I just don't want to buy an app and then remove it to find out....actually I will not pay for any apps until I can figure out how to back them up. I don't mind spending $5 on an app, but I do mind spending $5 for each app every time the phone gets reset...
Backing up app/data settings to a PC. I'm guessing this would be more app-specific than anything, no? I don't think Google imposes or enforces any standards on data/setting storage for apps, so any single backup tool would have to support individual apps one-by-one. Please update this thread if you find anything, because it would be pretty convenient ....
Click to expand...
Click to collapse
Again, I don't know, this is my first android phone. But with Ubuntu Linux, pretty much all apps store their settings in a hidden folder in /home/{your-username}/ (i.e. firefox would store it's data in /home/{your-username}/.firefox/ ) All you have to do to backup all of your settings is to backup the /home/{your-username}/ folder. It is common for people to place /home/ on a different disk/partition, so that you can reinstall the OS and not loose any of your data/settings...
Android is also linux so I would think it would be similar...
cypho said:
Seems like it would be pretty easy for google to remember which apps I have purchased, and not charge me next time I try to download it. Perhaps the marketplace already does this?
Click to expand...
Click to collapse
I am not sure how most app developers currently handle this, but I think Google made it easier a few weeks ago with the announcement of their new "licensing service for android applications". Plug that into your favorite search site (minus the quotation marks) and a post from Eric Chu explaining it on the Android Developers Blog should be up top.
But with Ubuntu Linux, pretty much all apps store their settings in a hidden folder in /home/{your-username}/
Click to expand...
Click to collapse
Home directories are great. =) I haven't used Ubuntu in a long time, so I'm not sure if you're saying that the system enforces it or if it's still just up to the individual developers to follow convention and store their settings in /home/ ... but I'm looking through my internal SD card and it seems like most of the apps I have installed (including the Google ones) each created their own data directory at the root level. :\
Titanium also backs up your contacts, paid apps, and free apps. The pros of rooting outway the cons. You can always un root if you need to send your phone in. I am also a newb and I've been wondering if I had to return my phone and get a new one will my paid apps carry over to a new device. I have the my license key for Titanium so I am thinking that I will be good in the event of such emergency. All of my paid apps are backed up there and I wiped my phone to factory settings the other night, I didn't un root, I was trouble shooting an issue caused by AT&. I did a reinstall of Titanium and it recognized my device because it installed donated version and I restored everything with ease.
UserNamer said:
I haven't used Ubuntu in a long time, so I'm not sure if you're saying that the system enforces it or if it's still just up to the individual developers to follow convention and store their settings in /home/ ...
Click to expand...
Click to collapse
I don't know, as I'm not a developer. But I would think that it would cause problems if a program tried to save data outside of /home/ The user would probably be prompted for their password every time the app tried to write a file...since sudo is required to gain write access to anything outside of home.

[Q] CyanogenMod 12 browser can access contacts

I recently installed CM12 on my Moto G and haven't yet migrated my Outlook Contacts & Calendar items onto it yet. I am surfing the web to become familiar with the due diligence of apps permissions first. From a comment at http://www.androidcentral.com/android-permissions-privacy-security, I found that I can an apps entry in Settings allows me to see the permissions for an app. I haven't yet installed any apps, but the native browser has the permission to access my Contacts. Is this normal for browser? If I draw an analogy with my computer, I wouldn't expect Firefox to be able to delve into my Outlook contacts.
Then again, I was warned that people can freak out at permissions without understanding them. So maybe there are reasons for the browser to be able to access contacts?
my1stSmartPhone said:
I recently installed CM12 on my Moto G and haven't yet migrated my Outlook Contacts & Calendar items onto it yet. I am surfing the web to become familiar with the due diligence of apps permissions first. From a comment at http://www.androidcentral.com/android-permissions-privacy-security, I found that I can an apps entry in Settings allows me to see the permissions for an app. I haven't yet installed any apps, but the native browser has the permission to access my Contacts. Is this normal for browser? If I draw an analogy with my computer, I wouldn't expect Firefox to be able to delve into my Outlook contacts.
Then again, I was warned that people can freak out at permissions without understanding them. So maybe there are reasons for the browser to be able to access contacts?
Click to expand...
Click to collapse
This is why they "officially" need these permissions...
Read contact data – You can send a code using the built in share feature. This enables the program to get your contacts so you can share it.
Write contact data – When you send something, if you send it to someone that isn’t in your phonebook, it will save the data for you to insert later.
In CM12 you can block these permissions.

Marshmallow permission management - better for invasive apps like Wechat?

Hello,
I have lots of family who use Wechat, and it's a great app. I'd like to install it on my main phone. But I'm afraid of how invasive it is. The first time I did it it read my address book. It automatically contacts people who have my phone number in their address book. It's just really annoying. But also it's a great app with useful features.
Does the new Marshmallow Android app permission system make it easier to manage these types of invasive apps? For example, prevent it from using contact list? I haven't found a good way to setup wechat without giving it my phone number, so there's that issue that can't be solved.
Thanks.

What is the best offline phone dialer and contacts app (zero network access)

Since almost everything I do is on a tablet or desktop I had no idea when I was asked this question recently. So I started looking and found nothing that did not hook into Android contracts which sync online or the database is not protected from any app searching it.
So I'm asking the community. What is the best dialer and contacts app for Android.
Something that does not..
Connect to the internet for number lookup or sync
Does not use the Android contacts database or at least encrypts anything it saves there
Zero internet access preferred.
nutpants said:
Since almost everything I do is on a tablet or desktop I had no idea when I was asked this question recently. So I started looking and found nothing that did not hook into Android contracts which sync online or the database is not protected from any app searching it.
So I'm asking the community. What is the best dialer and contacts app for Android.
Something that does not..
Connect to the internet for number lookup or sync
Does not use the Android contacts database or at least encrypts anything it saves there
Zero internet access preferred.
Click to expand...
Click to collapse
it's not exactly what you were looking for but I used to use Flock Sync (from Open Whisper Sys) on my private phone, unfortunately they have stopped development but as it was open source you should be able to find the apk and as you can set up your own server it should still work, though don't know about new nougat ROM's.
Original press release
https://whispersystems.org/blog/flock/
There is also at least one alternative called Cucumber Sync or maybe consider Owncloud or similar?
However apps like Flock are not much use if you are trying to keep all your contacts private from the likes of Google or the state as most of your friends will just sync YOUR details to Google/Apple/etc, furthermore the likes of Google could quickly make a fairly accurate assumption that you would know some other contacts that did also use apps like Flock as they would be able to easily build a network of each of those Flock users contacts 99% of which did sync, pick out common contacts with you and make an assumption you probably know the other Flock user. And of course as soon as you make a phone call or send a msg, email etc your network provider and others would be able to tell you are in contact, so not much use if you are trying to hid from the big boys! That said it does offer another layer of security/privacy in normal scenarios ......

Disable standard Android 11 Contacts Provider and replace with alternate Contacts Provider?

With Android 11, Google seems to have taken yet another step in the "making Android increasingly painful to use" direction by disabling the ability for device-only contacts to be available via the standard Contacts Provider. Because of this, I have to use Google-stored contacts on my Android 11 device in order for these contacts to be available to my apps. Otherwise, my apps don't see any contacts.
I have a rooted Android 11 device, and I'm hoping that there is some way that I could disable the standard Contacts Provider service and that I could then install an alternate, custom Contacts Provider service which knows how to access device-only contacts, and which knows how to make these contacts available to all apps that need contacts ... and which never will try to store my contacts on any of Google's servers nor anywhere else in the cloud.
Is it possible to disable Android's standard Contacts Provider service? And does such a 3rd-party Contacts Provider service exist?
Thank you in advance for any thoughts and suggestions.
Well, I think I found a solution to the issue that I'm trying to solve. And it doesn't require any new Contacts Provider service to be installed, after all.
First of all, I made sure that contacts syncing is turned off.
Next, I installed the "True Phone" contacts and phone manager app from the play store and made it my default phone app.
Then, I used that program to make a local backup of my contacts, which is one of its capabilities.
Following that, I froze the Contacts app, but I kept the Contacts Storage app active. I checked the permissions for the Contacts Storage app, and I see now that it has no network-related permssions. So apparently, it just looks at the local contacts database, and some other piece of software is what actually syncs Google's cloud-based contacts data with the local database. And by turning off contacts sync-ing, it seems like I have indeed disabled that process.
Then, I went from my desktop computer to http://contacts.google.com with the same login credentials that are associated with my Android device. I then permanently deleted all of the contacts there.
(I rebooted my Android device between each of these steps and also after the final step.)
Now, my SMS and phone apps still see the contacts info in my local database. And I can manage the local contacts backup and restore via that True Phone app.
There are probably other phone/contacts apps which also could be used for this. But True Phone works well enough for me.
So ... it turns out that no OS surgery is needed to mess with the contacts nor to install an alternate Contacts Provider service.
PS: And I now have learned something. I was asking about a "Contacts Provider service", but I now realize that the standard Contacts Storage app itself seems to be the "Contacts Provider".
And because I found out that this app does not even have network permissions, it seems clear that this app simply gets contacts from the locally stored sqlite contacts database, and therefore, I don't need to replace this app with anything else.
And so all I needed to do was disable contacts sync-ing, because that is what would sync contacts between Google's cloud and the local contacts database.
How long were you playing with it to get to this point? Fun times...
Cloud apps can be little terrors, the only one I use is Gmail. It's never been breached by malware in over 15 years. Lol, Outlook not so much so.
blackhawk said:
How long were you playing with it to get to this point? Fun times...
Cloud apps can be little terrors, the only one I use is Gmail. It's never been breached by malware in over 15 years. Lol, Outlook not so much so.
Click to expand...
Click to collapse
It took me around a day of on-and-off playing around sessions to figure this all out ... with some input from a few other helpful souls.
I agree about cloud-based services. I don't even use gmail. I run my own email server, so I use that to manage all my email accounts. I manage my own web servers and my own DNS servers, as well.
It's more work for me to manage those things, but I don't mind, and I actually enjoy that work, most of the time.

Categories

Resources