Signal Private Messenger - Security Discussion

Hi,
I've discovered the description of the "Signal Private Messenger" app, but I don't know what to think about it.
Its description seems to indicate that you can communicate by voice and text securely, end to end, with your smartphone, and that it's open source.
How secure is it really? I don't know and "I want to know".
Thanks in advance for your answers.

Hi, The short answer is Yes. Signal is by Open Whisper Systems & runs on iOS and Android. You can use it as a regular SMS/MMS app; as well as encrypted SMS/MMS/phone calls. To activate the encryption you need to exchange keys with the person you want to message.
Hope this helps!

equi_design said:
> Hi, The short answer is Yes. Signal is by Open Whisper Systems & runs on iOS and Android. You can use it as a regular SMS/MMS app; as well as encrypted SMS/MMS/phone calls. To activate the encryption you need to exchange keys with the person you want to message.
> Hope this helps!
Hi,
Thanks for your answer.
Your answer is a good summary of the app's features.
But what do you think about the word "securely"?
Is it a dream or a reality?
The app's publisher highlights testimonials from well-known people who use it. Is that sufficient to trust this app?
Has anyone in this forum examined the code of this app?

Nothing is completely secure.
In my opinion, & from my use, Signal is more secure than a normal messaging app - but less secure than a talk in real life.
If you are interested in security, please check out this XDA subforum: http://forum.xda-developers.com/general/security
And read up here: www.eff.org

Hm, nice to see a discussion going on. Have just heard Snowden recommend the app so I thought I'd check it out. BUT, there is a but ... I intentionally blocked the app from any internet usage whatsoever with AFWall+ donate. I've set up my AFW to show a toast whenever it blocks an app trying to use the internet so that I know which apps try to use the net in the background without my permission or intention. To my surprise my AFW blocks Signal all the time when I use Signal. And I mean ALL the time. How does this make sense? Why would a privacy app try to connect to the internet constantly? I've not got WiFi calling and I've not even enabled it in Signal's settings. Am I missing something here or is there sth wrong with the app? It's making me feel that it is constantly trying to leak data and that's why it attempts to use the internet. Good thing I have a robust thing on board such as AFWall... best firewall out there.

jonathansmith said:
> Hm, nice to see a discussion going on. Have just heard Snowden recommend the app so I thought I'd check it out. BUT, there is a but ... I intentionally blocked the app from any internet usage whatsoever with AFWall+ donate. I've set up my AFW to show a toast whenever it blocks an app trying to use the internet so that I know which apps try to use the net in the background without my permission or intention. To my surprise my AFW blocks Signal all the time when I use Signal. And I mean ALL the time. How does this make sense? Why would a privacy app try to connect to the internet constantly? I've not got WiFi calling and I've not even enabled it in Signal's settings. Am I missing something here or is there sth wrong with the app? It's making me feel that it is constantly trying to leak data and that's why it attempts to use the internet. Good thing I have a robust thing on board such as AFWall... best firewall out there.
It's encrypted, end to end. It's not leaking anything. The code is open source; you can go and review the code and build it yourself.
If you're blocking it from accessing the internet, then it's going to try again, probably because it can see that there is a network connection live.

@jonathansmith
Thanks for your detailed feedback.
It would be nice if someone in this forum could analyze the code of this open source app.
As for me, I am unfortunately not competent.
Were you able to identify with AFW the site the app was trying to connect to?

dtective said:
> It's encrypted, end to end. It's not leaking anything. The code is open source; you can go and review the code and build it yourself. If you're blocking it from accessing the internet, then it's going to try again, probably because it can see that there is a network connection live.
Thank you, that's exactly what I don't get. Why would it attempt to establish a connection? Ofc I'm blocking it. I'm blocking tons of other apps as well, but unlike Signal (and a few other suspicious apps) the other apps do not try to establish a connection.
As I said, when you block an app from accessing the net with AFWall you can tell AFWall to give you a toast showing you every single time AFWall blocks a certain app trying to access the net. So, with 99% of my AFWall-blocked apps I don't get this toast, meaning that those apps don't even attempt to access the net (but better stay safe and have em blocked.) With some tricky apps though, AFWall shows that toast msg indicating that it successfully blocks a certain app from accessing the net. That's what I don't get - why would Signal be set up in a way that it would attempt to access the net. Prolly WiFi calling or sth but I'd rather use it for now only as a default SMS client.
Yes, you are right. Signal can see that there is a network connection live and that's why it constantly tries to connect to it. Just wish Signal would get it once and for all that it is blocked for good and stop trying to access the net.
If anyone knows which Services, Broadcast Receivers, or Activities from Signal should be disabled (using MyAndroidTools for example) please do share which ones they are so I can disable them and thus prevent Signal from constantly trying to establish a connection. The toast msg from AFW does become annoying when it is every second second
---------- Post added at 11:39 AM ---------- Previous post was at 11:33 AM ----------
iwanttoknow said:
> Were you able to identify with AFW the site the app was trying to connect to?
Maybe gotta look into the log of AFW. The toast msg only shows the ip address which Signal tries to connect to but AFWall prevents it from doing. But that's not the prob for me. Doesn't matter too much what it tries to access cos I know AFWall is good enough at preventing that. Just want to stop Signal from trying to access whatever it is trying to access! Will let you know if I figure it out!
---------- Post added at 12:00 PM ---------- Previous post was at 11:39 AM ----------
equi_design said:
> Nothing is completely secure.
> And read up here: www.eff.org
I second that. Nothing is, indeed! And thanks for reminding me about eff ... here's a good one - https://www.eff.org/https-everywhere @iwanttoknow check it out!

And here's a bit of a follow-up. Managed to catch the toast. Not sure if it is always the same ip that AFW blocks, but will try to pay attention. A reverse search reveals that the geo location of the ip is some place in Washington, US.
https://imgur.com/a/5fhIf

As I understood it
(And I could be wrong I left signal years ago when it was text secure)
Signal does NOT use sms to send messages
That functionality of the app was dropped a while back
It uses internet only to transmit encrypted messages
And it uses its own message server to host your messages.
It seems like decent software
I abandoned it because it uses your personal phone number as your identifier..
And it will not work without a phone number..
Which for me is just crazy as every government in the world and most phone companies are selling /tracking your "meta" data based on your smart phone and its phone number.
Think of it as any other encrypted internet message system
But it uses your phone number as an identifier...
Everyone gets my public email address now for communication.
Cops, government, hospital, work, stores, etc.
It's the 21st century. Why use a phone number for anything anymore?

nutpants said:
> As I understood it
> (And I could be wrong I left signal years ago when it was text secure)
> Signal does NOT use sms to send messages
> That functionality of the app was dropped a while back
> It uses internet only to transmit encrypted messages
> And it uses its own message server to host your messages.
> It seems like decent software
> I abandoned it because it uses your personal phone number as your identifier..
> And it will not work without a phone number..
> Which for me is just crazy as every government in the world and most phone companies are selling /tracking your "meta" data based on your smart phone and its phone number.
> Think of it as any other encrypted internet message system
> But it uses your phone number as an identifier...
> Everyone gets my public email address now for communication.
> Cops, government, hospital, work, stores, etc.
> It's the 21st century. Why use a phone number for anything anymore?
You have to go back in time to when the app was called Textsecure and it provided end to end encryption for SMS. The app was available on F-Droid until someone discovered that plain text sms were saved unencrypted on device. After that, the dev temporarily closed the source and also demanded that the app be removed from F-Droid, because in his view distribution on F-Droid was "insecure." Well, that hole was fixed and the following versions worked pretty well. About the same time, the dev started to be bothered by TSA every time he travelled by air. Then, within a few subsequent releases, google binaries and internet permission were included. Then, the app started to crash if internet service was restricted. In addition, you could only get the app from Googleplay, which means, you must have Gapps and Google Services Framework, which has total control over the phone and regularly "phones" home (obviously not your home). GSF can get your outgoing text before encryption and incoming text after.. Despite all of the above, one could still compile the app and use it without GSF. Then suddenly, the dev announced that he would no longer support encrypted SMS. About that time, he started receiving literally millions of $ from a US government-backed foundation. In addition, he was offered a lucrative contract to do encryption for What's UP, which later became Facebook. Quite a change after being harassed in airports. So, encrypted sms were dropped and the app turned into an internet messenger. You must register with your phone number; your data goes through Google servers and Whisper System's servers. And by the way, neither the Signal servers nor Redphone servers are open source. You can't use the app unless you have Gapps and GSF and if you use the app, you are known to Whisper Systems, Google and all 3-letter agencies...
This is not the first time I am posting on Textsecure/Signal, just do a search on XDA and F-Droid forums and you will find more info with links. I would stay away from anything coming out of Whisper Systems. Use Silence, which is a fork of Textsecure with encrypted SMS. For over-the-internet services, use Conversations.
And by the way, never use an app where everything: encryption, encryption method, registration, servers are in the hands of one entity, which won't allow you to use other servers...

nutpants said:
> As I understood it ...
You might be right but for normal unencrypted messages Signal uses simple SMS. Have tried it and without any WiFi or data it simply sends a msg as an SMS. So far so good but u might have a point. I'm yet to test with someone who also has the app installed and see how encrypted msgs are transferred. I'd imagine it NOT to be over the internet, but then again you might have a point? Why? Because as I said I've blocked Signal with AFWall and I get a toast showing that Signal CONSTANTLY tries to connect to the internet when there is currently a live connection to the internet, be it Data or Wifi. So yeah, you might be right, but I need to test it out. In the meantime someone who has already done this would do us a favour by telling us how it works.
Using my personal phone number as identifier does not sound cool indeed. If you are right about this: 'It uses internet only to transmit encrypted messages. And it uses its own message server to host your message' then I guess I'm ok with using the net for transmitting encr. msg since they are encrypted with E2EE. As to where the msgs are hosted. I guess I'm better off having them stored at Signal's server than at Verizon's cos from Verizon they end up DIRECTLY to the government. I guess with nuff persuasion and money though they'd also end up there from Signal. It's the way of the world, isn't it? Also, as I mentioned in my last post, the IP which Signal constantly tries to connect to is in Washington. That's already fishy enough .... very fishy!

optimumpro said:
> Use Silence, which is a fork of Textsecure with encrypted SMS. For over-the-internet services, use Conversations.
How about apps like 'Wire' and 'Wickr - Top Secret Messenger'? Are they any good? Will give Silence and Conversations a try! 10x for bringing them up.

unknown404 said:
> How about apps like 'Wire' and 'Wickr - Top Secret Messenger'? Are they any good? Will give Silence and Conversations a try! 10x for bringing them up.
Wickr is not open source. So, for me it is out of the question. Wire sounds good, although they say they can terminate your account at any time. Also, they say the company is based in Switzerland, but the location for dispute resolution is San Francisco. They also say they can require you to download/upgrade the app, which means that if you want to stay on older version, they won't let you...
Again, I am against models where everything is concentrated in the same hands...

optimumpro said:
> Wickr is not open source. So, for me it is out of the question. Wire sounds good, although they say they can terminate your account at any time. Also, they say the company is based in Switzerland, but the location for dispute resolution is San Francisco. They also say they can require you to download/upgrade the app, which means that if you want to stay on older version, they won't let you...
> Again, I am against models where everything is concentrated in the same hands...
I guess I'm ok with Wickr's being closed source (but then again what do I know ... the discussion about open vs closed source goes both ways so more opinions are welcome). Just don't get why I made an account there and now trying to log back in I'm told the credentials are wrong. Weird!

Hi,
In my first post, I was asking your opinions about "Signal Private Messenger" app.
Thanks all for your answers.
In your answers, I have discovered the names of the Silence and Conversations apps.
What level of confidence for them, and why?

iwanttoknow said:
> Hi,
> In my first post, I was asking your opinions about "Signal Private Messenger" app.
> Thanks all for your answers.
> In your answers, I have discovered the names of the Silence and Conversations apps.
> What level of confidence for them, and why?
I'll be happy to hear more opinions as well but as optimumpro said, Silence really seems solid and offers E2EE, which is what I need. Have tested it with other users and seems good so far. Can't say anything about Conversations cos I've not used it yet. I read good stuff about Wickr as well, but yeah ... closed source deters many.

unknown404 said:
> I'll be happy to hear more opinions as well but as optimumpro said, Silence really seems solid and offers E2EE, which is what I need. Have tested it with other users and seems good so far. Can't say anything about Conversations cos I've not used it yet. I read good stuff about Wickr as well, but yeah ... closed source deters many.
Both Conversations and Silence are open source, unlike Signal, which contains prebuilt binaries and jar files. Also, neither Conversations nor Silence forces you to register or use their servers, which Signal does.

optimumpro said:
> Both Conversations and Silence are open source, unlike Signal, which contains prebuilt binaries and jar files. Also, neither Conversations nor Silence forces you to register or use their servers, which Signal does.
That I do second and that I do like!

Hi,
After reading some articles, I discovered that it was "easy" to ensure end-to-end encryption (E2EE) for our communications. I share my understanding here, knowing that it's well known by experts in the domain. So thank you for being kind to me.
In fact, there is a difficulty for communicating parties who want to communicate without anyone spying on their voice or written messages. They have to use cryptographic protocols relying on a shared secret. But how to share a secret over insecure communication channels?
It's "easy", thanks to the Diffie-Hellman cryptographic protocol, which allows you to do that. There are a lot of explanations about it on the Net. But it could be defeated by the man-in-the-middle attack (MITM). To counter this attack, you have "simply" to sign the shared secret with asymmetric keys (with your secret key to sign the shared secret, and with your public key permitting the other party to verify it). If you are interested, see more explanations on the Net about asymmetric cryptographic protocols.
I sincerely hope that I didn't say too much nonsense.
The Silence app is based on the Diffie-Hellman protocol, like other apps in the domain.
In summary, after reading your answers to my initial post:
- The Silence app lets you exchange SMS/MMS, using E2EE.
- The Conversations app is an instant messaging (IM) client for Android, using E2EE.
- Signal Private Messenger is an E2EE IM and voice calling app.
I have noted what has been written about Signal Private Messenger in this thread, so is there a "less intrusive" E2EE voice calling app, in the same way as Silence?
Thanks for your participation.
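
The signed Diffie-Hellman exchange described in the post above, as an added example that is not part of the original thread and is not code from Signal, Silence or Conversations. In this sketch each side signs the Diffie-Hellman public value it sends (X25519, signed with Ed25519, both from Node's built-in crypto module), and the receiver checks that signature against an identity key it is assumed to have verified out of band; all function names are hypothetical.

```javascript
// Added illustration; not code from Signal, Silence or Conversations.
// All function names are hypothetical. Uses only Node's built-in crypto.
const nodeCrypto = require('crypto');

// Long-term identity key pair (Ed25519). Assumption: each party has already
// verified the other's identity public key out of band (e.g. fingerprints).
function newIdentity() {
  return nodeCrypto.generateKeyPairSync('ed25519');
}

// One handshake message: a fresh X25519 public value and a signature over it
// made with the sender's long-term identity key.
function makeOffer(identity) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const dhPublic = eph.publicKey.export({ type: 'spki', format: 'der' });
  const signature = nodeCrypto.sign(null, dhPublic, identity.privateKey);
  return { ephPrivate: eph.privateKey, message: { dhPublic, signature } };
}

// Plain Diffie-Hellman: combine our ephemeral private key with whatever
// public value arrived, then hash the shared secret into a session key.
function deriveKey(ephPrivate, peerDhPublic) {
  const peerKey = nodeCrypto.createPublicKey({
    key: peerDhPublic, format: 'der', type: 'spki',
  });
  const shared = nodeCrypto.diffieHellman({
    privateKey: ephPrivate, publicKey: peerKey,
  });
  return nodeCrypto.createHash('sha256').update(shared).digest();
}

// Authenticated variant: refuse to derive a key unless the peer's public
// value carries a valid signature under the identity key we already trust.
function acceptOffer(ephPrivate, peerMessage, trustedPeerIdentity) {
  const ok = nodeCrypto.verify(
    null, peerMessage.dhPublic, trustedPeerIdentity, peerMessage.signature);
  return ok ? deriveKey(ephPrivate, peerMessage.dhPublic) : null;
}

function runDemo() {
  const alice = newIdentity();
  const bob = newIdentity();
  const mallory = newIdentity(); // party in the middle of the channel

  // Honest run: both sides verify, both arrive at the same session key.
  const a = makeOffer(alice);
  const b = makeOffer(bob);
  const aliceKey = acceptOffer(a.ephPrivate, b.message, bob.publicKey);
  const bobKey = acceptOffer(b.ephPrivate, a.message, alice.publicKey);

  // Tampered run: Bob's message is replaced in transit by Mallory's offer.
  const m = makeOffer(mallory);

  // Without the signature check Alice silently shares a key with Mallory.
  const aliceUnchecked = deriveKey(a.ephPrivate, m.message.dhPublic);
  const malloryKey = deriveKey(m.ephPrivate, a.message.dhPublic);

  // With the check, Mallory's signature does not verify under Bob's key...
  const aliceChecked = acceptOffer(a.ephPrivate, m.message, bob.publicKey);

  // ...and reusing Bob's genuine signature on a swapped value fails too.
  const spliced = {
    dhPublic: m.message.dhPublic,
    signature: b.message.signature,
  };
  const aliceSpliced = acceptOffer(a.ephPrivate, spliced, bob.publicKey);

  return {
    honestMatch: aliceKey !== null && bobKey !== null && aliceKey.equals(bobKey),
    unsignedExchangeHijacked: aliceUnchecked.equals(malloryKey),
    forgedOfferRejected: aliceChecked === null,
    splicedOfferRejected: aliceSpliced === null,
  };
}

console.log(runDemo());
```

The check is only as good as the identity key it verifies against, which is why messaging apps ask users to compare key fingerprints or safety numbers with each other.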

Related

Taintdroid...android's duff security model

Worrying article on how apps are using personal information.
www.theregister.co.uk/2010/09/30/suspicious_android_apps/
I'm sick that they had to go to such lengths to find out. We need a better net architecture to enable a proper firewall to work.
Sent from my HTC Desire using XDA App
Also, app naming FAIL!
Well, since they only tested 30 apps and won't release the names of the ones they tested, only saying that they are "the most popular", personally I don't buy it.
And the information these apps are sending out is primarily geolocation. Well, no ****. If an app wants your location and you don't think it should have it, it's either using it for ads or you should decline to install the app and just send an email to the dev asking him why he needs that information.
tjhart85 said:
> Well, since they only tested 30 apps and won't release the names of the ones they tested, only saying that they are "the most popular", personally I don't buy it.
> And the information these apps are sending out is primarily geolocation. Well, no ****. If an app wants your location and you don't think it should have it, it's either using it for ads or you should decline to install the app and just send an email to the dev asking him why he needs that information.
Agreed... geolocation is pretty obviously straightforward. I don't know about the 'transmitting every 30 seconds' thing though.
Any thoughts on the transmitting sim card and IMEI info?
http://www.youtube.com/watch?v=qnLujX1Dw4Y
Also discussed here:
http://forum.xda-developers.com/showthread.php?t=795702
With explanation where to get it from http://www.appanalysis.org/
A very well-written reply by "Steven Knox" on The Register, demonstrating how this 'research' is simply a pile of intentionally-misleading statistical rubbish:
> By selecting only from applications that access both personal data and the internet, they're overstating the significance of their study by about 3x. Furthermore, their summaries blur this distinction unnecessarily.
> Specifically, their FAQ says "We studied just over 8% of the top 50 popular free applications in each category that had access to privacy sensitive information in order to get a sense of the behaviors of these applications." Since there were 22 categories at the time they did the study, that would imply (22*50=1,100 * 8% =) 88 applications. However, they actually only tested 30, because of the 1,100 top 50 applications only (from the PDF) "roughly a third of the applications (358 of the 1,100 applications) require Internet permissions along with permissions to access either location, camera, or audio data." -- meaning that the other 742 apps don't have the necessary permissions to play badly. The clause "..that had access to privacy sensitive information in order to get a sense of the behaviors of these applications." from the FAQ is grammatically ambiguous in this case (it may refer to "applications" or "category"), and not specific enough to indicate that over 2/3 of the applications are (relatively) safe by dint of not having the necessary permissions.
> They also didn't include in their study apps from 10 of the 22 categories, but they don't explain whether that was due to a) there not being any or enough applications in those categories that required internet and personal data permissions, b) a conscious choice to focus on the other 12 categories, or c) the results of random selection (with an explanation of why they did not use a stratified sample).
> Once you factor back in the applications they ignored, the numbers don't look quite so bad. Assuming their sample was representative, 2/3 of the 358, or about 239 applications of the top 1,100 of the time use personal data suspiciously. That's about 21.7% or just over 1 in 5 -- still significant, but a far cry from 2 out of 3. In fact, the worst case maximum is actually 358 of 1,100 or just under 1 in 3 (32.45%) because they are as mentioned above the only ones that actually acquire the permissions necessary to do anything "suspicious".
> I understand why both the researchers and the reporter used the 2/3 figure -- you all believe you have to sell the point as hard as possible*. But the real story is that it's likely that at least 1 in 5 Android Apps use private data "suspiciously" -- and that number is still high enough to cause concern and to justify the further use of tools like TaintDroid. It's a pity you didn't trust the facts enough to avoid the unnecessary sensationalism.
> *I am assuming, here, that Mr. Goodin did actually read and digest the paper as I did, rather than simply picking out the figures from the study, the FAQ, or a press release.
good spot. But one in ten would be too many. The point is we should have more fine grained control and transparency of what apps do over the net, and we can't, by design.
Sent from my HTC Desire using XDA App
We need to develop a shim that reports modified IMEI/SIM data for different apps. IMO, very few apps need that information. We may not be able to keep all those apps from sending our private information, but we can make that information useless if it appears that we all are using the same IMEI/SIM...
patp said:
> ...The point is we should have more fine grained control and transparency of what apps do over the net...
agreed....
if you are rooted. With Root Explorer go to /data/system/ and open accounts.db you might be surprised what you find in it... Some people it will be fine for but mine it shows my exchange email and password in plain text and a few others show up as plain text as well...It's not geo they are worried about (for the most part) and...this file has been known about for a while
Don't worry though unless you've downloaded android specific virus holding apps you won't have any problem. And if you're getting all your apps legally through the market then it's no big deal =) and if you're pirating them...well I don't feel bad for you...
echoside said:
> if you are rooted. With Root Explorer go to /data/system/ and open accounts.db you might be surprised what you find in it... Some people it will be fine for but mine it shows my exchange email and password in plain text and a few others show up as plain text as well...
Opened it, my accounts are there, but no passwords....
rori~ said:
> Opened it, my accounts are there, but no passwords....
my gmail is some sort of encrypted but doesn't look that great.
Exchange shows up
facebook doesn't show anything at all aha
That's why I said some might not have anything. A while back when I first heard about it one of my friends had two or three right there in plain English I didn't have a phone at the time to check...
It's been reported before but kind of just brushed over no biggy. To go real conspiracy theorist....I think apple is submitting all these articles...
ButtonBoy said:
> We need to develop a shim that reports modified IMEI/SIM data for different apps.
Great idea
The source code/instructions for TaintDroid are now out:
http://appanalysis.org/download.html
Anybody found a (recent) kernel with built-in TaintDroid-support?

[Q] Why my application was removed from the market?

I hope this time it's the correct forum.
So long story short.
I've written an app that allows to hijack FaceBook profiles over the WiFi. So when you're connected to WiFi you can "hack" into other users profiles. It doesn't work for profiles using SSL (yes you have that option in FB). So it can be treated as a "bad app". BUT! it is not dangerous for the one using it. I am aware that this is "questionable" application, but is there any other way to tell people - "HEY! use secure connections, it is not safe to use public WIFI!". I'd bet that a lot of you don't use SSL now and after using/reading this app you will turn SSL on.
That could be the #1 reason for deleting my app.
The second one is that I've put a 'demo' app in the market with a limit to sniffing only 3 profiles. But you could buy it through paypal. And today I've found out that this also could lead to app deletion. However I've bought launcherpro through paypal so I don't see why my app was removed in less than 24 hours.
What is your opinion and what can I do to sell my app somehow (I need my 25$ back that I've paid to register in google wrr...). Is there a way I could put it in the market without google deleting it, like putting a disclaimer or something? The app itself is safe for the user downloading it.
Edit: If I put a link to this app here will this thread be deleted? If so, is there an option to promote it here?
Per forum rules, link removed
bponury said:
> I've written an app that allows to hijack FaceBook profiles over the WiFi
There's your answer.
JamesC_ said:
> There's your answer.
+1 on that
if it allows you to hijack fb you can steal other information from the users account so why would they allow it and put themselves into a legal bind for doing so
JamesC_ said:
> There's your answer.
So if it wasn't for this app you would be safe? No, facebook is ignoring users' privacy and this app is nothing more than a good way to show people what could be the cost of not using secure connections. Of course this can be used in a bad way, a lot of apps can. Like sms bombing or phone number spoofing. But they are not removed from the market, are they?
Ethics
And even worse you want to get paid for it.
wdl1908 said:
> Ethics
> And even worse you want to get paid for it.
Yes, I know what ethics is however we're not living in a perfect world and just believing that everyone is good and ethical so I can just leave my door open when leaving the house is not going to protect me against the reality. I believe in http://en.wikipedia.org/wiki/Full_disclosure and this case is even better because FaceBook is aware of the problem and just ignores it. A few people are aware that there's an option to use SSL on facebook. In my opinion FB should just get it done right and force users to use it. It's not a problem these days right? And what is wrong in getting paid for my work. I've spent some time developing it. Security by obscurity is not working, really. Take my app for example it would take max 1h to crack it. It's not security it's just being too lazy to secure it. And hoping that no one would care to crack it.
sms bombing is not hacking someones account! you are just spamming someone with messages.
even if it is down to fb to let people know about security, the market owners can be sued for allowing such an app on the market. there are better ways of showing a person how unsecure a connection is without punishing them in such a way.
the secure connection is useful for public connections but some people may not want or need to use it at home so they have the ability to switch it on or off. apparently there are issues with some games on fb that are linked in with the use of the secure connection.
traumatism said:
> sms bombing is not hacking someones account! you are just spamming someone with messages.
People are killed for spamming in Russia (http://www.theregister.co.uk/2005/07/26/russian_spammer_killed/)
And what about spoofing caller id? AFAIK those things are valid in court cases in Poland.
traumatism said:
> even if it is down to fb to let people know about security, the market owners can be sued for allowing such an app on the market. there are better ways of showing a person how unsecure a connection is without punishing them in such a way.
> the secure connection is useful for public connections but some people may not want or need to use it at home so they have the ability to switch it on or off. apparently there are issues with some games on fb that are linked in with the use of the secure connection.
I don't know how to tell people - secure yourself any other way. I know I'm devil's (myself) advocate right now, but really do you think that forgetting about insecurity is a good way? I don't force anyone to use it in a bad way. But after I showed how it works in my house all my room-mates turned SSL on instantly. And they were not mad about it, shocked a bit but they are safer now. Sure you can just tell people - hey turn ssl on and 90% of them will ignore you. But when you show them - look! I can see your messages that easily if you don't do it. Then they would listen.
haha! So, if someone got a gun and went around shooting people in cars to prove that they should actually have bullet proof windows and burst-proof tyres, that it's all ok, and not in any way shape or form, illegal?
ha. ha.
in fact op ip should be reported to facebook
By nature I wouldn't go near this app. If it's collecting other peoples info I could be collecting my own. That's how I see it logically ... people always get screwed when they are doing something they shouldn't be doing.
There is a place for all apps in this world be they good or bad. You could always host a site and put it on there. I wouldn't go near it cause once again I'd be afraid of what's laced on that site.
I was just providing another point of view to the convo.
MarkusPO said:
> haha! So, if someone got a gun and went around shooting people in cars to prove that they should actually have bullet proof windows and burst-proof tyres, that it's all ok, and not in any way shape or form, illegal?
> ha. ha.
> in fact op ip should be reported to facebook
So if you have a car that can be opened by someone who has a screwdriver, wouldn't you want the car manufacturer to secure your car? Buying a bulletproof car isn't exactly the same as pushing a button in a web browser, is it? And you're comparing killing a man to posting "I'm a jackass" on someone's FB wall. But still, you can buy a gun, right? Also pretending that there's no problem isn't fixing a problem.
And hey, this app isn't new you know. If it wasn't for this thread maybe you wouldn't know that people use these apps on PCs; maybe one day you would find that all your mail is gone (yes, this app could be modified to work with other sites like this forum). And ask yourself, wouldn't you be pissed if you found out that anyone using your network could get into your bank account? Well I would. But most (all?) banks use SSL by default. Google does. Why doesn't FB?
hazard99 said:
By nature I wouldn't go near this app. If it's collecting other people's info I could be collecting my own. That's how I see it logically ... people always get screwed when they are doing something they shouldn't be doing.
There is a place for all apps in this world be they good or bad. You could always host a site and put it on there. I wouldn't go near it cause once again I'd be afraid of what's laced on that site.
I was just providing another point of view to the convo.
Yes, in fact it needs root to modify iptables and send raw arp messages and I know people get scared when an app needs root. If someone is interested I could write here how it's done and anyone could write it. It's actually nothing magical.
I wrote this app as a project for my mobile programming class. In the first version it also sniffed for Gadu-Gadu messages (it's a Polish messenger). But I sure hope that when and if this app gets loose, FB will react and enable SSL by default. Maybe other websites will use it too. It's just that easy to protect your users, I don't understand why they don't do it.
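The raw ARP messages mentioned in the post above are visible from the defending side: the gateway's IP suddenly resolves to a different MAC address, often one that already belongs to another host on the network. The following is an added example, not code from the thread or from the app; it compares two constructed snapshots in the Linux/Android `/proc/net/arp` layout, and the addresses and function names are assumptions.

```python
"""Compare two ARP-cache snapshots and flag signs of ARP spoofing."""

# Constructed sample data in the /proc/net/arp layout; not captured traffic.
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.23     0x1         0x2         a4:5e:60:aa:bb:01     *        wlan0
192.168.1.42     0x1         0x2         f0:27:65:cc:dd:02     *        wlan0
"""
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         f0:27:65:cc:dd:02     *        wlan0
192.168.1.23     0x1         0x2         a4:5e:60:aa:bb:01     *        wlan0
192.168.1.42     0x1         0x2         f0:27:65:cc:dd:02     *        wlan0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

ATF_COM = 0x2  # kernel flag: the entry has been resolved to a MAC address


def parse_arp(text):
    """Return {ip: mac} for resolved entries; the header and incomplete rows are skipped."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if not flags & ATF_COM or mac == "00:00:00:00:00:00":
            continue
        table[ip] = mac
    return table


def find_anomalies(before, after, gateway_ip):
    """Return findings as tuples, most of them worth a look, gateway ones urgent."""
    findings = []
    # 1. An IP that now answers with a different MAC than it did earlier.
    for ip in sorted(after):
        old, new = before.get(ip), after[ip]
        if old is not None and old != new:
            severity = "high" if ip == gateway_ip else "medium"
            findings.append((severity, "mac-changed", ip, old, new))
    # 2. One MAC answering for several IPs (typical while a host impersonates the gateway).
    ips_by_mac = {}
    for ip, mac in after.items():
        ips_by_mac.setdefault(mac, []).append(ip)
    for mac in sorted(ips_by_mac):
        ips = sorted(ips_by_mac[mac])
        if len(ips) > 1:
            severity = "high" if gateway_ip in ips else "medium"
            findings.append((severity, "shared-mac", mac, tuple(ips)))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_arp(BEFORE), parse_arp(AFTER), "192.168.1.1"):
        print(finding)
```

A changed gateway MAC also occurs when a router is replaced or fails over, so treat a finding as a prompt to check, and keep using HTTPS or a VPN on shared networks regardless.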
most people who do not want their details stolen, do not use public access internet. does FB take money transactions over their site?
google does and the banks do so they will have a secure section. fb may do this using paypal or google checkout or otherwise so may not need the ssl that the banks need. sure it still renders people vulnerable to attack and theft of other information but even so that information is very limited dependent on the user of the account.
traumatism said:
most people who do not want their details stolen, do not use public access internet.
Yes, so other people want their details stolen? You are aware of the problem 'cause you're "into computers" but out of 500 million fb users how many of them ever heard of SSL? How many know that they are unsafe?
well with the amount of messages being spread on fb already about this i think more people will know, but to let people know only by stealing their details is pathetic. sure you may have made this app for a project but why give other people the power to do this. all you are doing is providing more uses for those who like to make other people's lives a misery. the best thing that could be done with this is to let the website provider know how unsecure their system is. especially if you are aware of the issue and are bothered by it. i know i'd do the same. if that didn't work, sure i'd tell people about it but i wouldn't sell an app on to others so they can make use of it. not even for free.
traumatism said:
well with the amount of messages being spread on fb already about this i think more people will know, but to let people know only by stealing their details is pathetic. sure you may have made this app for a project but why give other people the power to do this. all you are doing is providing more uses for those who like to make other people's lives a misery. the best thing that could be done with this is to let the website provider know how unsecure their system is. especially if you are aware of the issue and are bothered by it. i know i'd do the same. if that didn't work, sure i'd tell people about it but i wouldn't sell an app on to others so they can make use of it. not even for free.
Sure I could write an e-mail to facebook, but this issue has been known for years! http://en.wikipedia.org/wiki/Session_hijacking I am sure FaceBook is aware of it. In fact they've enabled SSL only a month ago (maybe two months) but why isn't it enabled by default?
who knows. perhaps issues with other applications on the website, or applications made to access facebook. they may have left it so they can cater for other applications for and on the site. only they can answer that question.
anyway, he just showed the spirit of a developer and created something new
he never told anyone "hey go hack facebook profiles" or "sniff those profiles, its fun"
he just showed the possibilities of android development and did nothing wrong in my opinion
it's not his fault if facebook is unable to close a security leak known for a long time
yeah don't get me wrong blezz i understand that completely. but the argument was as to why they would remove it. legality reasons would be the main issue. to cover their own backs as they can in fact face legal action for allowing the app to become available in their market.
I don't see anything wrong with the app.
It shows the flaws of facebook, and the fact that no one in facebook cares enough to do anything about it. But then I understand why Google would remove it... If facebook decided to sue for this, Google would be sued, not YOU.
so it would be best if you released it HERE on xda rather than the market

Using it at School, Want to Have Some Privacy

So my school just recently said we can use tablets and laptops in class and around the school. They are willing to allow us to connect to the school's WiFi, but we have to give the dean the MAC address for our device.
I'd like to be able to keep some privacy, even though they say we have to waive our right to privacy if we decide to use electronics. I guess I'm looking for a few apps that can help me achieve this. Maybe a browser with an incognito feature like Chrome, or something that can cover what I'm doing online.
I also wanna know if there would be any way for me to access things like Facebook, Twitter, Youtube, Google Music, etc. through their respective app if the website is blocked.
If push comes to shove, I guess I could just tether with my GNex, but that would require an extended battery, which I would like to not have to buy.
Have you tried using the incognito tab option on the stock honeycomb browser?
Unless you are using some sort of vpn connection or encryption you have no privacy. I'd suggest remoting into your home desktop using splashtop or teamviewer and doing all your browsing on your desktop if you are worried about privacy that much.
They can see everything you do since it's a shared connection and they have access to the gateway and internet logs.
They are probably running a transparent proxy with logging (I would be if I were the sysadmin), so the incognito tab won't help.
But
Konfuddle said:
Have you tried using the incognito tab option on the stock honeycomb browser?
That does not do anything with the connection. It just doesn't cache anything in your browser. So that no one borrowing your computer can see that you have been watching porn.
But to OP: Get a vpn connection. Only way to get privacy on a wifi system.
SwiftLegend said:
So my school just recently said we can use tablets and laptops in class and around the school. They are willing to allow us to connect to the school's WiFi, but we have to give the dean the MAC address for our device.
I'd like to be able to keep some privacy, even though they say we have to waive our right to privacy if we decide to use electronics. I guess I'm looking for a few apps that can help me achieve this. Maybe a browser with an incognito feature like Chrome, or something that can cover what I'm doing online.
I also wanna know if there would be any way for me to access things like Facebook, Twitter, Youtube, Google Music, etc. through their respective app if the website is blocked.
If push comes to shove, I guess I could just tether with my GNex, but that would require an extended battery, which I would like to not have to buy.
whoa whoa whoa man... "incognito" has nothing to do with what you transmit online. it only prevents them from seeing what you have already done if they took your device
what you need is a secure VPN like goldenfrog.com, or use a secure proxy server. anything that puts a layer of encryption between you and the server will block out any man in the middle
noobs these days... incognito has NOTHING TO DO WITH WHAT YOU TRANSMIT DAMMIT
if you want, use opera and turn on the "turbo" feature. that will create a link to the opera servers and deliver compressed content. meanwhile, it will make it impossible for the school to decrypt anything it intercepts.
chatch15117 said:
if you want, use opera and turn on the "turbo" feature. that will create a link to the opera servers and deliver compressed content. meanwhile, it will make it impossible for the school to decrypt anything it intercepts.
Nope, opera turbo is a plaintext connection so still can be viewed, the only option is https for everything or vpn/ssh tunnels
Ok thanks for all the replies. I guess the easiest thing would be to tether with my phone. (Hopefully Verizon doesn't freak)
I guess I can try setting up a VPN (no idea how). I think my friend tried to, since he owns a bunch of servers, but the school blocks almost every port.
Could using a vpn connection be considered
using Proxies, Caching Servers or any others means to circumvent restrictions placed on
the school’s IT network and internet access
DroidSheep anyone hahaha
unless websites like Facebook and such are blocked haha
Is there a way to spoof the MAC?
Scribed in blood using XDA Premium
Dan_Brutal said:
Is there a way to spoof the MAC?
Scribed in blood using XDA Premium
http://forum.xda-developers.com/showthread.php?t=1385577
Dan_Brutal said:
Is there a way to spoof the MAC?
Scribed in blood using XDA Premium
Yes but I would bet the reason why they want the MAC address is for WIFI access. You could spoof someone else's MAC but schools aren't known for having hard facts before disciplining students. If they think it is you, you will get in trouble.
I would recommend using TOR if you want to protect your privacy. Download Orbot from the market.
Cheers!
-M
Xda member since 2007
Considering the schools' budgets these days, you probably have nothing to fear as far as privacy goes.
Sure they are logging your wifi usage, but no one is monitoring it! All the logging allows them to do, is to look at where you went and when AFTER they have a reason to start looking.
Unless they hired someone specifically to start monitoring students, no one is ever going to look at your logs.
Sure they could put in alerts to let them know when any user goes to site xyz, but odds are they simply have blocked it.
One of the main reasons they are logging things is if say perhaps a teacher's online grades were 'hacked', and the IP was traced back to their own servers, they'd have a way to identify which user was using that connection.
Many ISPs already log your internet access as well, but it's at such a low level that no one looks at it (though there are privacy laws to prevent them from looking directly in those cases).
Bottom line.. is if you're not doing anything illegal (torrenting, sending nude pics of yourself, harassing other students via text/email) then you have nothing to worry about, and odds are you won't even be noticed.
DroidGnome said:
Bottom line.. is if you're not doing anything illegal (torrenting, sending nude pics of yourself, harassing other students via text/email) then you have nothing to worry about, and odds are you won't even be noticed.
I partially agree. If you use the schools network for normal stuff you shouldn't have anything to hide.
But Co-students are a great security risk. Both willingly and unwillingly. In these days with loads of malware floating around jumping from computer to computer via security flaws in networked devices. Students may also try to hack your device just for fun.
If you have sensitive data you really should encrypt your traffic in one way or another when connected to a network with unmanaged and unknown devices.
DroidGnome said:
Considering the schools' budgets these days, you probably have nothing to fear as far as privacy goes.
Sure they are logging your wifi usage, but no one is monitoring it! All the logging allows them to do, is to look at where you went and when AFTER they have a reason to start looking.
Unless they hired someone specifically to start monitoring students, no one is ever going to look at your logs.
Sure they could put in alerts to let them know when any user goes to site xyz, but odds are they simply have blocked it.
One of the main reasons they are logging things is if say perhaps a teacher's online grades were 'hacked', and the IP was traced back to their own servers, they'd have a way to identify which user was using that connection.
Many ISPs already log your internet access as well, but it's at such a low level that no one looks at it (though there are privacy laws to prevent them from looking directly in those cases).
Bottom line.. is if you're not doing anything illegal (torrenting, sending nude pics of yourself, harassing other students via text/email) then you have nothing to worry about, and odds are you won't even be noticed.
Bored teachers/faculty get up to practically anything and snooping on students is apparently a great sport. Everywhere that has a computer lab has someone doing IT and just think about that for a minute...someone doing IT at a high school, the personality of that person. You don't have to be doing anything illegal to get into trouble with your school. A casual google will reveal all the lawsuits students have brought against schools for violating their privacy. Do yourself a favour and use Orbot.
Cheers!
-M
Xda member since 2007
dragon_76 said:
Bored teachers/faculty get up to practically anything and snooping on students is apparently a great sport. Everywhere that has a computer lab has someone doing IT and just think about that for a minute...someone doing IT at a high school, the personality of that person. You don't have to be doing anything illegal to get into trouble with your school. A casual google will reveal all the lawsuits students have brought against schools for violating their privacy. Do yourself a favour and use Orbot.
Cheers!
-M
Xda member since 2007
it is great fun, but also remember that code of conduct that you and your parents sign at the start of the year states that we do have the right to make sure you are using the internet provided by the school for school purposes only
Can't you use 3G connection from your phone instead of the school WiFi?
As far as getting on facebook if it's blocked....
If you type httpS://facebook.com it will usually let you in. They have blocked several websites at my office, but I can still get into them using this trick. Sometimes, you will have to add the "S" after navigating through the websites, but still will let you get in. So, just use your web browser (not the facebook app), and type s. I believe most people don't block secure websites.
SwiftLegend said:
So my school just recently said we can use tablets and laptops in class and around the school. They are willing to allow us to connect to the school's WiFi, but we have to give the dean the MAC address for our device.
I'd like to be able to keep some privacy, even though they say we have to waive our right to privacy if we decide to use electronics. I guess I'm looking for a few apps that can help me achieve this. Maybe a browser with an incognito feature like Chrome, or something that can cover what I'm doing online.
I also wanna know if there would be any way for me to access things like Facebook, Twitter, Youtube, Google Music, etc. through their respective app if the website is blocked.
If push comes to shove, I guess I could just tether with my GNex, but that would require an extended battery, which I would like to not have to buy.
lilstevie said:
it is great fun, but also remember that code of conduct that you and your parents sign at the start of the year states that we do have the right to make sure you are using the internet provided by the school for school purposes only
The internet provided to the schools by tax payers and/or tuition you mean. You have a wretched problem that is rampant in American schools: you think you own the school's resources. They are owned by the community.
Cheers!
-M
Xda member since 2007
So the administration announced today the final policy and they won't be allowing WiFi access until next September because they want to expand the network. I'll probably just be tethering for the mean time.
Oh yeah, there's only 2 IT guys in my school (lol). One stays in a glass room in the back of the computer lab, and the other comes to classrooms to install projectors and crap.

[APP][2.3+] Awaaz - Free & Secure Calls 3.6

Awaaz is a "plugin" for your Android phone that enables it to make direct phone-to-phone calls without using the cellular network if both phones have the application installed and are accessible over WiFi. It effectively makes all phone calls free, even while roaming!
There is no user signup, you never need to give any details, and you never even need to start the application (except for the first time). Awaaz runs in the background and automatically takes over any phone calls that meet its requirements. You just need to install and run it once, and you're done!
Awaaz is completely free.
FEATURES:
Establishes a direct P2P connection between the two phones. Capable of punching a hole through NAT, or being used on the same internal network.
Uses the Opus codec for unmatched voice clarity.
Uses just 8 KB/s of bandwidth (upstream and downstream combined).
Uses a hybrid cryptographic system to exchange a 256-bit AES key using 2048-bit RSA. New public and private keys are generated every single time, thus theoretically making decryption impossible.
Uses GCM (Google Cloud Messaging) for push messages thus eliminating the need to run a service in the background.
Has the ability to use 3G / 4G as well. Please enable the option in the preferences if you want it.
All calls are logged in your regular call history.
HOW TO USE:
Install and run it once. The app will register itself on the server.
There is no Step 2! From here on, when you make an outgoing call the app will automatically check if the other person also has it installed, and if both phones are connected to WiFi. If so, Awaaz will automatically take over the call and you will see a slightly different calling screen. The same is true for incoming calls.
If you have any trouble with an ongoing call, hit the "X" button on the bottom-left to terminate the app and make a regular call.
As of version 3.00, you can see which of your contacts are currently online by running the app.
DOWNLOAD:
Play Store Link
BETA TESTING:
To stay current with the latest & greatest version of Awaaz, please sign up to be a beta tester using the following links -
First, join the Google+ community that has access to the beta
Second, agree to be a tester!
FEEDBACK:
I am highly dependent on feedback from users like you! Please share your opinion here, and if you have any suggestions or complaints just let me know. Also, do mention which phones are at both ends of the conversation, since a lot of issues are handset specific.
KNOWN ISSUES:
Speakerphone is noisy. Echo cancellation is required and pending.
VOTE FOR AWAAZ:
If you enjoy using Awaaz, please consider nominating it for an award using the link below!
Nominate it!
FAQ
1. It's not working! (outgoing or incoming calls are not getting routed over Awaaz)
There are multiple possibilities here. First and foremost, both phones must have the app installed. Second, both phones must be connected to WiFi, or 3G / 4G (if that has been enabled in the preferences). Also, check your phone number as mentioned in point 6 below.
2. I see a message "Callee is not on Awaaz", and then "Bypassing Awaaz".
This means that the person you are calling has Awaaz installed, but is currently not available on WiFi. Hence the app makes a regular outgoing call.
3. Voice is unclear.
Awaaz uses Opus, which is probably one of the best audio codecs currently available. Despite this, some phones may have issues with audio capturing. If this happens with you, please write an email to awaaz-feedback[at]jainanuj.com, and mention what phone is at the other end of the conversation (the one that is sending the unclear audio).
4. There is a persistent echo.
I am currently working on an AEC (acoustic echo canceler). Meanwhile, if you hear an echo it will help if the person at the other end of the conversation reduces the earpiece volume on their phone.
5. More info on the encryption?
Privacy is, and should be sacrosanct. Hence Awaaz deploys some very advanced encryption which should be unbreakable, unless some of the really wild conspiracy theories about the NSA are true! This does not create a very heavy burden on the CPU, but you can switch it off nevertheless if you so wish, either permanently through the app preferences, or through the encryption button while you are in a call. If you're really paranoid about eavesdropping, you should vocally confirm with the person you're speaking with that the app has displayed the same encryption hash on your screens.
It should be mentioned that by using Awaaz you won't be able to hide who you are talking to. Since it establishes a P2P connection, any agency sufficiently motivated can find out where the connection is terminating. Some metadata could also be gathered, like how long a conversation lasts. However, the encryption will ensure that what you said remains secret.
6. How do I change my phone number?
A common problem is that Awaaz picks up a wrong phone number. This can prevent it from working correctly. First, to check if it has the right number, open up the app preferences, scroll down to where it shows your phone number and see if it is correct. The phone number should be your complete number including the country code. For example, if you're in India and your number is 9810012345, then it should say 919810012345.
If the number shown is incorrect, please tap on it and a window will open up from where you can change it.
7. What is your privacy policy?
Since the architecture of Awaaz has been made with privacy in mind, it stores the absolute minimum data required. This basically means your phone number (for receiving calls), phone model (for debugging purposes) and your last IP address (of which no history is maintained). Nothing else is ever stored, including any and all information on calls made. From version 3, Awaaz "synchronizes" your contacts with its server, but this does not mean that your contacts are uploaded - instead, an MD5 hash of telephone numbers is stored. This means that we are unable to see any phone number of yours, but if somebody calls you on Awaaz we can hash their phone number to match to your contacts.
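FAQ 5's spoken check matters because keys that are generated fresh for every call are not tied to any identity: comparing the displayed hash is what shows that both phones ended up with the same two public keys. The following is an added illustration, not Awaaz's code; the post does not say how its hash is derived, so this assumes it covers both public keys, and the label, function names and stand-in key bytes are constructed.

```python
"""Per-call key fingerprint: both ends show the same string only if they saw the same keys."""
import hashlib

LABEL = b"example-call-fingerprint-v1"  # hypothetical domain-separation label


def stand_in_public_key(owner):
    """Constructed 256-byte blob standing in for an encoded 2048-bit RSA public key."""
    return hashlib.sha256(b"constructed key for " + owner.encode()).digest() * 8


def _length_prefixed(blob):
    # Length prefixes keep the boundary between the two keys unambiguous.
    return len(blob).to_bytes(4, "big") + blob


def fingerprint(own_public, peer_public, groups=4):
    """Return a short string to read aloud; `groups` blocks of 4 hex digits (16 bits each)."""
    first, second = sorted([own_public, peer_public])  # same input order on both phones
    digest = hashlib.sha256(
        LABEL + _length_prefixed(first) + _length_prefixed(second)
    ).hexdigest()
    return " ".join(digest[i * 4:(i + 1) * 4] for i in range(groups))


def set_up_call(alice_public, bob_public, substituted_key=None):
    """Return (string on Alice's screen, string on Bob's screen).

    substituted_key models an intermediary that replaces the key in transit in
    both directions; None means the keys were relayed untouched.
    """
    seen_by_alice = bob_public if substituted_key is None else substituted_key
    seen_by_bob = alice_public if substituted_key is None else substituted_key
    return fingerprint(alice_public, seen_by_alice), fingerprint(bob_public, seen_by_bob)


def keys_match(screens):
    """The comparison the two callers perform by voice."""
    return screens[0] == screens[1]


if __name__ == "__main__":
    alice = stand_in_public_key("alice")
    bob = stand_in_public_key("bob")
    other = stand_in_public_key("intermediary")
    print("untouched  :", set_up_call(alice, bob), keys_match(set_up_call(alice, bob)))
    print("substituted:", set_up_call(alice, bob, other),
          keys_match(set_up_call(alice, bob, other)))
```

The displayed string here carries 64 bits; a shorter one is easier to read aloud but gives an intermediary a better chance of finding a key that produces the same string on both phones.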
Quite a neat concept except for those of us who have unlimited voice plans! Tried the app nevertheless, worked well.
Best of luck!
Very cool idea.
I'd like to see more secure encrypted apps. I'd like to try this out, but I've got to find another person to get the app first.
What is this app?
The calls go directly through dialler, not even a toast message to indicate. I used the cellular data network. Uses lots of personal permissions
siliconeyes said:
Quite a neat concept except for those of us who have unlimited voice plans! Tried the app nevertheless, worked well.
Best of luck!
Thanks.. trying to make the best app I can!
Xieon1 said:
Very cool idea.
I'd like to see more secure encrypted apps. I'd like to try this out, but I've got to find another person to get the app first.
Xieon, chicken and egg situation! Try the app and see if you like it. Personally, I have it installed on my wife's phone as we often end up calling each other even when we're both home (it's kinda large)
tariq2kn said:
What is this app?
The calls go directly through dialler, not even a toast message to indicate. I used the cellular data network. Uses lots of personal permissions
My guess is that either the person you are calling does not have the app installed, or is not connected to WiFi.
Thanks for the feedback though. I'll put in small toasts to show what's happening as soon as you dial a number.
this is cool...ill try it out!!
abhirulz94 said:
this is cool...ill try it out!!
Thank you Abhi. Will look forward to your feedback!
Any possibility to make it compatible to gingerbread?
Sent from my Dell Streak using Tapatalk 2
Have you maintained a voip/gateway for p2p call?
The app says u can make calls using 3G/4G networks..so the same can be done using 2G data plans as well??
Sent from my GT-I9001 using Tapatalk
I think it provides good security for calls
what information are you taking from the device?
ammujee said:
Any possibility to make it compatible to gingerbread?
Sent from my Dell Streak using Tapatalk 2
Sorry ammujee, the app uses a few ICS APIs, and thus cannot be run on gingerbread. Also, chances are that if your device runs gingerbread then it probably doesn't have enough CPU power to run this app.
tariq2kn said:
Have you maintained a voip/gateway for p2p call?
Nope, there is no traditional gateway. It uses a completely custom protocol, and an intermediate server to set up the call.
bleed blue said:
The app says u can make calls using 3G/4G networks..so the same can be done using 2G data plans as well??
Sent from my GT-I9001 using Tapatalk
Theoretically, yes. It uses very little bandwidth, so under ideal conditions you could run it over an EDGE network, for example. However, this is not something I would recommend. You will probably experience call drops, and / or bad voice quality.
Seems nice! Will try it out!
looks good, try it ASAP.
munchy_cool said:
what information are you taking from the device?
Absolutely bare minimum. Most apps of this nature will upload your entire contact list, but Awaaz does not. The only information that ever gets sent is your phone number (that would be an obvious requirement), and the phone number that you're calling. If you have any other specific concern, just ask!

Can you recommend an app for surveillance of another phone?

In an unfortunate set of circumstances I must put myself first and betray the trust of a person who I believe might have already done so to me.
I suspect my fiancee of having an affair. I have some partial evidence which might be circumstantial but my gut is telling me to pursue it and uncover it all.
I know that there are generally apps that are keeping tabs on the phone: its location, forwarding of facebook messenger, sms texts, call log and gps location, remote camera view snapshots and audio streaming of its surroundings and they operate while being in complete stealth mode.
I ask you if you can recommend such an app or a few so I could choose in order to snoop out what is really going on. :crying:
Please, can you recommend such apps?
Doubledeckler said:
In an unfortunate set of circumstances I must put myself first and betray the trust of a person who I believe might have already done so to me.
I suspect my fiancee of having an affair. I have some partial evidence which might be circumstantial but my gut is telling me to pursue it and uncover it all.
I know that there are generally apps that are keeping tabs on the phone: its location, forwarding of facebook messenger, sms texts, call log and gps location, remote camera view snapshots and audio streaming of its surroundings and they operate while being in complete stealth mode.
I ask you if you can recommend such an app or a few so I could choose in order to snoop out what is really going on. :crying:
Please, can you recommend such apps?
First of all. Wrong Forum bro. The forum rules don't allow such Discussion. Secondly don't be so specific while asking stuff. Thirdly it is very much Possible but on old phones like at most android 5.0 due to major changes in Security. Fourthly there is another way but it requires to some extent a higher level of understanding of linux and how an android device handles its OS. Maybe you can build a backdoor in it. Fifthly the samsung account manager usually handles that. Go look it up. No root no bull**** straight last 15 sms and calls along with location.
Sent from my Pixel 3 XL using Tapatalk
