I threw a thread in Android general to bring awareness of an article about a webkit vulnerability that will be/is being demo'd on the Android platform.
Thread:
http://forum.xda-developers.com/showthread.php?p=24154035#post24154035
Article:
http://news.cnet.com/8301-27080_3-57386319-245/researcher-to-demo-smartphone-attack-at-rsa/
Discuss?
As long as people practice the same rules as when receiving fake Facebook, banking, etc. emails, then you should be OK. One advantage to desktops is you can easily hover over the embedded link to see if it's legit, report it as spam if not, & forward it to the actual company if they have a department that handles phishing emails/fraud. Also, from the article, it doesn't say how the message was being faked as a carrier message. I normally save the short codes I use in my address book so I know what's what, but I know from working customer service a lot of people skip over the user's manual that lists the short codes & info for online safety etc.
Yep, absolutely some common sense and safe browsing practices are important in something that is probably linked to your identity, and likely financial information.
What got me was the control over the real-time tracking ability of the device and recordings of audio (and video would not be a stretch I bet)
I haven't had a lot of time to look into it further yet, and it is a highly focused attack that is probably not of concern to the average user just yet - but given the scope of what this attack allows it's definitely something to be aware of.
Anything that lets joe-blow become a junior On-Star type peeping tom with my Android is something to worry about.
I never use the front-facing camera for anything, so it has a little piece of electrical tape cut to fit over it. No matter of software engineering can overcome that physical obstruction, but what of the microphone, gps and so on?
I'm eagerly awaiting the chance to look into this more after work tonight, meantime just wanted to throw it out there and try to get some awareness out and see what other people had to say.
I'm glad to see the first post in response here was a reminder about user-level security and explicitly cautioning people about clicking random links!
Also:
pimppoet said:
... Also, from the article, it doesn't say how the message was being faked as a carrier message...
This is the part where you get to be creative about it - you could make it anything, that was just the method they chose to get to the needed trigger, the user clicking the link.
I'm curious how they faked the carrier message too, but that doesn't mean that's the only method of injecting the desire to click into the user's head.
Good points so far!
Edit:
To be honest, if it's not a click that's needed but just a visit to the website, an injection method could be to compromise an ad-serving machine that serves ads in apps and get an 'ad' that would take the user to the website inserted to what's already served to their device.
Heck, if that's viable, then you might even get them to accidentally go there with a stray touch and bam, you win.
Identification explicitly of the problem is step 1 on the path to a solution.
i am kind of in the habit that, whether an sms message is truly from the carrier or not, it's a scam either way **DELETE**
definitely worrisome, but i guess not surprising that stuff like this exists. good tho to bring it to light so that the race for patches can begin.
i'd be more worried if there was something that can attack your device without you clicking on a link or opening a message.... wait a minute, i guess a carrier could do that! tho it seems that their main interest is gathering data as research for how to sell more stuff, or to sell the data to others wanting to sell more stuff.
Blue6IX said:
Yep, absolutely some common sense and safe browsing practices are important in something that is probably linked to your identity, and likely financial information.
What got me was the control over the real-time tracking ability of the device and recordings of audio (and video would not be a stretch I bet)
I haven't had a lot of time to look into it further yet, and it is a highly focused attack that is probably not of concern to the average user just yet - but given the scope of what this attack allows it's definitely something to be aware of.
Anything that lets joe-blow become a junior On-Star type peeping tom with my Android is something to worry about.
I never use the front-facing camera for anything, so it has a little piece of electrical tape cut to fit over it. No matter of software engineering can overcome that physical obstruction, but what of the microphone, gps and so on?
I'm eagerly awaiting the chance to look into this more after work tonight, meantime just wanted to throw it out there and try to get some awareness out and see what other people had to say.
I'm glad to see the first post in response here was a reminder about user-level security and explicitly cautioning people about clicking random links!
Also:
This is the part where you get to be creative about it - you could make it anything, that was just the method they chose to get to the needed trigger, the user clicking the link.
I'm curious how they faked the carrier message too, but that doesn't mean that's the only method of injecting the desire to click into the user's head.
Good points so far!
Edit:
To be honest, if it's not a click that's needed but just a visit to the website, an injection method could be to compromise an ad-serving machine that serves ads in apps and get an 'ad' that would take the user to the website inserted to what's already served to their device.
Heck, if that's viable, then you might even get them to accidentally go there with a stray touch and bam, you win.
Identification explicitly of the problem is step 1 on the path to a solution.
That too. I think tools like LBE, DroidWall, AdAway, etc. should come standard, but I doubt it will ever happen since it would cut into Google's profits as well.
One ad blocker I would love to see on smartphones is Ad Muncher, since you can see the scripts, URLs, etc. being loaded, set your user agent for your browser to whatever you like, etc.
Mozilla has lost its way. Technically it's not even a non-profit any longer, and it no longer behaves like it. Capriciousness and indifference to developer concerns is rampant.
For me, the change in the nature of the file browser is the straw which broke the camel's back. The file name now spills uncontrollably over the page, disfiguring any layout which surrounds it. Just as it does in Google's browser.
The direction Google is forcing the web into is contrary to the original vision of it as designed by Tim Berners-Lee. In response to user ire, the Mozilla team again and again blames Google, alleging that Google's design is "ultracompetitive" and that they "have to catch up" to them. Yet if you read their blogs they make no secret that the new standards and design choices are being made in collaboration with Google (HTML 5 is apparently the brainchild of a pair hailing from Google and Mozilla, respectively... or at least that's what they want you to think).
For me, the burden that the file browser now imposes is something that's just not practical from an implementation standpoint. With this change, web browser form design is no longer even competitive with XWindow. The whole thing seems like it was dreamed up by one of the jerks on a reality talent contest... and a takeover by one of those very jerks seems to be the most probable cause of this particular miscarriage of philosophy, just as happened at Microsoft with XBox One last month. But I'm not about to clamor for a figurehead's head: just as at MS, something is rotten at Mozilla. We need a new seed to sprout that can take us into the future. A seed that will respect the intelligence of the people who have up to now placed their faith in Mozilla, only to be told by the organization they exalted that they aren't as smart as it. This new organization, if it is not to suffer the same fate which hangs over Mozilla, will do right what Mozilla heedlessly does wrong, including:
respect for user freedom and competence.
avoids placing undue burdens on the designer
avoids obfuscating its code with impenetrable, bug-ridden COMs.
is open source.
In short, it'll be friendly and it'll actually listen to people who aren't ready to fork over their whole lives to an endless reinvention of the wheel like we are seeing at Mozilla.
Free browsers are nice and all, but they just aren't working out. We're getting what we deserve for letting Google take everything over and letting Mozilla get by without relying exclusively on user donations. The result is a corrupted organization and now, a faulty product. I'm prepared to pay a little for a good browser that respects common sense design practicalities. What about the rest of you, will you sacrifice the price of a couple large pizzas for a decent web browser minus the drama?
I've done my bit to try to change Mozilla's downward trajectory. I went on their forums and their chats and told them, this stuff doesn't work. They're making things hard. Their response was that they didn't really give two cents for the opinion of anyone who wasn't down in the trenches with them writing code in their incredibly complicated wrapper context. Like you, I've got other priorities. There are people out there with more experience and, quite frankly, better math skill that can do this job and get a lot more out of it. I want to give them the chance to do just that. Tired of the betrayals, just want to download my browser updates and be done with it... is that too much to ask? I don't think it is, and I hope you don't, either.
I've never tried to write code for a browser before, never even researched it. I'd be happy to help, but I'd like to see a mock GUI first to see how clean of a browser you're shooting for. Mock one up?
t3hcurs3 said:
I've never tried to write code for a browser before, never even researched it. I'd be happy to help, but I'd like to see a mock GUI first to see how clean of a browser you're shooting for. Mock one up?
Actually I was looking around and it seems like there is this browser called NetSurf which may be doing everything right. There's no build for Windows or for mobile, which is an issue, but its libraries are in C, which offers little room for obfuscation a la C++. Should be portable to Java... I think if there was a Windows build this browser could take off.
Although I don't really need Windows anymore. I'd just as well settle for a mobile version. There's also Amaya, but it has a reputation for poor ease of use and excessive minimalism. And there's Dillo which is stuck in a timewarp.
There is a question of where they're getting their funding from. However, they seem to be far enough along that if they did start to pull crap it would be easy enough to fork, and really I don't think the web needs much more technology beyond what it already has at this point. I need more information though. What do you think?
Sewrizer said:
This is the best advice I can give as a humble user, and the point stated above makes me believe that this is how things should be created from the beginning. A new browser has the advantage of being based on the present ideas, and since the devs have nothing to lose they can introduce off the wall features, original ideas which others didn't dare to add for fear of losing users.
Yeah I agree with this. I asked Moz's JS engine people why they didn't program Firefox to use webworker technology to manage events, so as not to tie up the browser when waiting for file access, and they said it "wasn't in the spec" and "wasn't a priority". And when I requested that they program the canvas API to access multiple cores, they told me to take it up with W3C. Thinking like that is not gonna move anybody forward.
I have no issues with Firefox's UI... it's its API which kills me.
EDIT: OK, NetSurf is definitely not ready for prime time, but it certainly has potential. I think if it were combined with Mozilla's SpiderMonkey it would be able to handle JavaScript alright... I don't really care that it's slower than Chrome from the outset... could always be improved. Really, dynamic recompilation is the state of the art. I like that it's written in C, and uses GTK and SDL. Gonna look into this...
Here's some evidence of how bad Mozilla has become.
Nevermind... due to new poster restrictions I can't post my links.
Your guide to desired future you.
This application helps you achieve life goals and maintain general happiness by actively encouraging you to think positive and questioning your beliefs through emotional evaluation.
The Theory
This application helps you achieve life goals and maintain general happiness by encouraging you to think positive and questioning your beliefs through emotional evaluation.
The theory behind this is based on the fact that we emotionally react to our reality constantly in everyday situations. But how we feel about it, is defined by held beliefs shaped through the years of our lifelong education.
The problem
Now, the problem with our belief system is that any belief we hold might conflict with another belief in any situation.
For instance: when someone wishes for more money (popular subject these days, hence the analogy) and subconsciously believes that money can destroy a person, those are two conflicting beliefs concerning the same matter that in combination cannot result in joyful emotion.
Consequently, in this situation, most likely money won’t happen, and the person failing tends to blame it on something or someone else without realizing that the problem is his own to start with, as well as the power to do something about it.
Another problem arises when people tend to focus on the absence of what is wanted instead of what they want. Focusing on your problems not only will bring more problems but will also shape your beliefs into more conflicts.
The solution
This application provides a solution by actively reminding you that you alone are responsible for your own reality and motivates you into believing in yourself.
It challenges you to question your own beliefs, identify conflicting ones, stay and think positive and in general move up the emotional scale.
But at the end of a day it’s still up to you to make it happen. As explained above – you alone are responsible for your own being, and I hope this app will help you realize that this might be easier than you thought.
Major update:
- Get awarded for feeling good, see your progress.
- New functionalities on context evaluation. See the influences your actions have on certain activities.
- Better tagging
- Option to delete tags
- Choose notification sound
- Community pages
- Updated external libraries
- Tons of minor improvements and fixes
Recently wondered whether the cleaners for the smartphone really work?
At first, I began to look for information about this in other well-known forums, but even there I did not find a suitable explanation for the algorithms that are used for complex cleaning of caches. Not finding suitable topics on the Internet, I began to delve into the principles of operation of these technologies. For a start, I started wool play market in search of a suitable solution, but even there only a few applications can demonstrate their functionality in a progressive scale. From my investigation, I identified two more or less suitable candidates!
This is first: play maker package name = com.cache.cleaner.booster.ram.storage
And second app: play maker package name = com.cache.cleaner.cachecleaner.booster.storage
This is not an advertisement, but a purely personal conclusion about the functionality of applications. Perhaps many will disagree with me, but of all the huge selection of various applications, only these differ in really complete testing of the device, with the subsequent elimination of existing problems!
Thus, against the background of global advertising in the media, we are losing our worldview on truly technological applications and are selling for a beautiful design, but at the same time we forget about the benefits of the tools that we provide absolutely free, you just need to find it!
I hope my article will help any of you in choosing a good cleaner, and I advise everyone else not to sell for advertising!
Thanks for sharing this article, very valid points and useful data.
You need a really working cleaner? Go for SD Maid Pro!
I've searched for information on this but have found nothing, so I thought I'd post my findings here and see if anyone has anything to add/correct.
I've been setting up firewall blocking on my router using ASUSWRT-Merlin with Skynet firewall. I decided to block a whole bunch of countries that I deemed unnecessary/risky for security, including China.
Turns out, blocking China prevents AirDroid from working - it can't even log in.
Checking the log shows a bunch of domains that Skynet is blocking (stat.airdroid.com, stat3.airdroid.com, stat-push.airdroid.com, us-east-7-data.airdroid.com, us-east-8-data.airdroid.com, srv3-clb.airdroid.com, id4-clb.airdroid.com; possibly others). Telling Skynet to unblock these domains results in it responding with "Element cannot be deleted from the set: it's not added" (i.e. they're not blocked).
Removing China from the blocked countries list allows AirDroid to work.
Now this is where things get interesting, and how I figured out the China-wide blocking was causing this issue. In the log file that Skynet stores on the inserted USB drive, "skynet.log", it shows the IPs that these connections were trying to make. All of them are owned by Tencent (there were two prominent ones, but the entire range beginning with "49.51." is owned by them) - specifically, these are for TencentCloud (I assume those are their cloud services, like Azure or AWS or such).
Also, the three MAC addresses dealing with the Tencent IPs are my Note 9, Galaxy Tab A8 and my MacBook - the only three devices on which I run AirDroid.
I'm sure most people won't really care on what servers AirDroid are hosting, but personally, I'd rather not have any connections made to or from Tencent IPs if possible, especially considering how often AirDroid appears to be phoning home. This worries me, especially since this doesn't appear to be public knowledge. The only inconsistency is that a whois lookup shows AirDroid's host is GoDaddy, so how exactly Tencent is involved, I'm not sure... but they are.
If I'm mistaken about this, please feel free to correct me - I'd be happy to be wrong, frankly -, but based on what I'm seeing and the blocking/unblocking I've tried, it appears, at least for now, that this is true.
Guess I'll have to start looking for an AirDroid alternative, because this is unacceptable to me.
Attached are some screenshots of my logs with MAC addresses and personal IPs redacted in case anyone is curious. Yes, I realise the dates are different - I didn't realise I'd screencapped yesterday from the log until after I had edited the images, but the data is pretty much identical to the data from today.
Best I can tell, the Tencent IPs definitely coincide with AirDroid trying to log in and authenticate (and failing at the time because China was still blocked).
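The log check described in the post above, tying blocked outbound destinations in a watched range back to the LAN devices that sent them, as an added example that is not part of the original post. It assumes netfilter LOG-style lines with a "[BLOCKED - OUTBOUND]" prefix; every address in the sample is constructed, and 49.51.0.0/16 stands in for the "49.51." range the poster names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in netfilter LOG style. The prefix text, MACs and IPs
# are assumptions for illustration, not lines from the poster's skynet.log.
SAMPLE_LOG = """\
Mar  3 10:15:01 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:00:00:a1:08:00 SRC=192.168.1.23 DST=49.51.10.20 LEN=60 PROTO=TCP SPT=51234 DPT=443
Mar  3 10:15:02 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:00:00:a2:08:00 SRC=192.168.1.31 DST=49.51.200.7 LEN=60 PROTO=TCP SPT=40022 DPT=443
Mar  3 10:15:04 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:00:00:a1:08:00 SRC=192.168.1.23 DST=49.51.10.20 LEN=60 PROTO=TCP SPT=51240 DPT=443
Mar  3 10:15:09 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:00:00:a1:08:00 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51300 DPT=80
Mar  3 10:15:11 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:ff:08:00 SRC=49.51.10.20 DST=198.51.100.9 LEN=40 PROTO=TCP SPT=443 DPT=51234
Mar  3 10:15:12 router kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=198.51.100.9 DST=49.51.10.20 LEN=60 PROTO=TCP SPT=33000 DPT=443
Mar  3 10:16:00 router dnsmasq[123]: query stat.airdroid.com
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a record for one blocked outbound packet, or None."""
    if "OUTBOUND" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    try:
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return None
    # The LOG target prints the Ethernet header as 14 bytes:
    # destination MAC (6), source MAC (6), EtherType (2).
    # For a packet arriving from the LAN, the sending device is bytes 7-12.
    mac_bytes = fields.get("MAC", "").split(":")
    src_mac = ":".join(mac_bytes[6:12]) if len(mac_bytes) == 14 else "unknown"
    return {
        "src_mac": src_mac,
        "src_ip": fields.get("SRC", ""),
        "dst": dst,
        "dport": fields.get("DPT", ""),
    }


def blocked_by_device(log_text, watch_ranges):
    """Map source MAC -> watched range -> sorted 'dst:port' strings."""
    nets = [ipaddress.ip_network(r) for r in watch_ranges]
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for net in nets:
            if rec["dst"] in net:
                hits[rec["src_mac"]][str(net)].add(f"{rec['dst']}:{rec['dport']}")
    return {
        mac: {net: sorted(dsts) for net, dsts in per_net.items()}
        for mac, per_net in hits.items()
    }


if __name__ == "__main__":
    for mac, per_net in blocked_by_device(SAMPLE_LOG, ["49.51.0.0/16"]).items():
        for net, dsts in per_net.items():
            print(f"{mac}  {net}  {', '.join(dsts)}")
```

Because the block is applied by address range rather than by name, the hostnames from the log never appear in the match; only the destination IP decides whether a packet is dropped.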
Thanks for this info, I was already having my doubts about Airdroid.
No problem. I'm glad someone found it useful. Nobody else seems to be talking about it, which bothers me.
If nothing else, Tencent's servers are being used for Airdroid's authentication servers.
Not sure why it is such an issue really? I mean it is not like other services that use servers tell me where they are routing anything. I would be more worried that there is basically no information about the company that runs the project.
wangdaning said:
Not sure why it is such an issue really? I mean it is not like other services that use servers tell me where they are routing anything. I would be more worried that there is basically no information about the company that runs the project.
Because not every company routes your information through Chinese servers which, in this case, could have a large amount of access to your linked devices. Tencent is not a trustworthy company. This could potentially mean that, if they wanted to, the Chinese government could access a lot of your data through AirDroid.
Now, obviously that's not guaranteed, but I still wouldn't trust it.
Then again, there's a reason I try to stick to FOSS software as much as possible. AirDroid was convenient for a while but I don't use it now.
Besides, your reasoning for this not being "such an issue" is "others are shady too". That... doesn't actually make it any better. Plus we know that companies like Google, for example, mine your data anyway, whereas this seemingly innocuous application that I've seen readily recommended by many people is a lot more obfuscated (probably because it's a smaller app).
That, and I haven't found many apps and sites from personal usage that my firewall setup blocks, so this one absolutely stood out like a sore thumb.
I don't want anything to do with Tencent and I know other people feel the same way as me. More importantly, I shared the information to hopefully learn more and, more importantly, let other people know in case they care.
TankedThomas said:
Because not every company routes your information through Chinese servers which, in this case, could have a large amount of access to your linked devices. Tencent is not a trustworthy company. This could potentially mean that, if they wanted to, the Chinese government could access a lot of your data through AirDroid.
Now, obviously that's not guaranteed, but I still wouldn't trust it.
Then again, there's a reason I try to stick to FOSS software as much as possible. AirDroid was convenient for a while but I don't use it now.
Besides, your reasoning for this not being "such an issue" is "others are shady too". That... doesn't actually make it any better. Plus we know that companies like Google, for example, mine your data anyway, whereas this seemingly innocuous application that I've seen readily recommended by many people is a lot more obfuscated (probably because it's a smaller app).
That, and I haven't found many apps and sites from personal usage that my firewall setup blocks, so this one absolutely stood out like a sore thumb.
I don't want anything to do with Tencent and I know other people feel the same way as me. More importantly, I shared the information to hopefully learn more and, more importantly, let other people know in case they care.
I would like to know what exactly makes tencent untrustworthy. I use them for banking daily, so would like to be informed.
wangdaning said:
I would like to know what exactly makes tencent untrustworthy. I use them for banking daily, so would like to be informed.
The fact that they give your data to the Chinese government should be all you need to know to deem them untrustworthy - Tencent and similar companies collect a lot of your data (often illegally).
If you don't believe me, look it up - most of (if not all, though that has yet to be conclusively proven, but it's not much of a stretch) the tech giants in mainland China are in the pocket of the Chinese government.
Frankly, I value my privacy too much to deal with such a company, and using them for banking sounds like a bad idea to me.
Here are some sources that I pulled up quickly, but there's plenty more of these around the web:
https://www.wsj.com/articles/chinas...ping-the-government-see-everything-1512056284
https://www.scmp.com/tech/article/2...-your-data-when-you-use-chinese-messaging-app
https://fossbytes.com/xiaomi-and-tencent-illegal-data-collection-china/
https://freedomhouse.org/blog/worried-about-huawei-take-closer-look-tencent
The best they get is a slap on the wrist (and sometimes only for the sake of publicity), then they continue on with these practices.
And that's to say nothing of the censorship in which they engage.
TankedThomas said:
The fact that they give your data to the Chinese government should be all you need to know to deem them untrustworthy - Tencent and similar companies collect a lot of your data (often illegally).
If you don't believe me, look it up - most of (if not all, though that has yet to be conclusively proven, but it's not much of a stretch) the tech giants in mainland China are in the pocket of the Chinese government.
Frankly, I value my privacy too much to deal with such a company, and using them for banking sounds like a bad idea to me.
Here are some sources that I pulled up quickly, but there's plenty more of these around the web:
https://www.wsj.com/articles/chinas...ping-the-government-see-everything-1512056284
https://www.scmp.com/tech/article/2...-your-data-when-you-use-chinese-messaging-app
https://fossbytes.com/xiaomi-and-tencent-illegal-data-collection-china/
https://freedomhouse.org/blog/worried-about-huawei-take-closer-look-tencent
The best they get is a slap on the wrist (and sometimes only for the sake of publicity), then they continue on with these practices.
And that's to say nothing of the censorship in which they engage.
If privacy was your main concern you would never use an app that routes your data through a third party without encryption. It is clear your goal is to take a shot at a company that is not even in control of the app you are complaining about. Let's see, your news list says, Xiaomi, Huawei, Tencent, and Chinese. How interesting.
By all means protect your privacy. I know I do and I use all three companies and many more products from the country. I hate that tencent knows when I get a latte though :silly:
wangdaning said:
If privacy was your main concern you would never use an app that routes your data through a third party without encryption. It is clear your goal is to take a shot at a company that is not even in control of the app you are complaining about. Let's see, your news list says, Xiaomi, Huawei, Tencent, and Chinese. How interesting.
By all means protect your privacy. I know I do and I use all three companies and many more products from the country. I hate that tencent knows when I get a latte though :silly:
It is clear your goal is to defend a bunch of Chinese companies known for handing data over to the Chinese government.
The fact that you are purposely trying to portray me in a specific way to fit your narrow-minded view instead of being concerned about how and where data goes (and for the record, I care about where my data goes in general, but most people around here are already well aware of where data for companies like Google and Apple goes, but not for an app like this) is frankly ridiculous.
If you don't care about this (which you clearly do not), then kindly leave this thread and don't return. I posted this thread to let people who despise Tencent and their business practices know about AirDroid's involvement, and to see if anyone had more information. I did NOT post this thread for you to come along and defend Tencent's honour. Enough garbage companies already do that, and they've added as much to the discussion of privacy as you have (i.e. absolutely nothing of value).
Great concerns, for sure. Thanks for your input.
I tried the app, quickly isolating it from the WAN, and running with XPrivacy of course. Luckily, HTTPS local connection only is possible. I wouldn't sign up in this type of app and I wouldn't use the barcode reader to connect to WAN. Rendered LAN web app contacts Chinese servers on the PC, but reviewing content it looked fine in a quick check.
The app seems Chinese, it's giving me one notification bar in Chinese, and the rest of the translations are Chinglish. I don't say it's necessarily wrong, I just want to know if this is an open source app to trust it. Otherwise, I will keep running it in strict LAN mode.
Now about the functionality, I like Synology/Windows like UI. So cool!
Contacts/Call log/messages/ringtones/apps work.
Mirroring and Camera worked once. There's some strange checkbox "Don't show again" to click on (?) in Mirroring settings which doesn't work. Update: Camera worked again once switching back to HTTP.
Files/Music/Pictures/Videos don't work at all, even the android app cannot see files. No clue why.
Notifications are shown again on HTTP, however they're not displayed by the browser AND they simply disappear later. No actions also. So unless you're currently in the tab, you won't notice anything.
I struggle to find a use case for this.
* Mirroring isn't interactive - so together with Camera it's a very infrequent function to use. I'd rather have an interactive mirroring like MobilEdit (if i remember correctly), what a great app it was. Or a Dex type of desktop where you can really interact with the android.
* Messages is showing "SMS", which is something obsolete for me, using alt messenger with secure repository (not the standard unsafe android one). SMS and calls are dead to me long time ago, but i'd have been happy about possibility to reply a decade ago, definitely!
* The last resort is notifications, that'd save some time if implemented well, with history. But it's not.
* One more thing on my mind is ability to send APK to phone, ok.. but it's again a rare task, i wouldn't run this background service for this purpose if i can send the APK via bluetooth...
I'm looking for an app that lets me get rid of the USB cable for sharing photos or music between PC and phone.
Sorry if I didn't understand the whole elaboration, but isn't this just a point to point connection? I wouldn't like that others have access to it.
Or is it about other services?
is this the same Airdroid that has been around for like 10 years now?