In light of the seriousness of security, I want to keep this forum as clean as possible. I will be working harder in the future to do so.
What belongs:
Discussions of
~ of vulnerabilities & potential vulnerabilities, with detail.
~ of vulnerability research
~ of exploit development
~ of reverse engineering
~ of application security
~ of physical device security
~ of theoretical attacks/vulnerabilities, with detail.
~ any serious security matter
detailed guides on security matters
etc
What does NOT belong:
Copy pasted articles, with no linked source or citation
promotion of apps
promotion of services
simple how to guides (like how to use a VPN on Android)
Questions on how to unlock a device
etc
Absolutely no FUD, nor conspiracy theory posts will be allowed. Please include citations, or strong evidence when making a post that may appear to be FUD or a conspiracy theory type post.
If you have questions as to if a post is appropriate, please either ask in reply to this post, or PM me.
Bash bug
Hello, I just read this article on The Verge: http://www.theverge.com/2014/9/24/6...odays-bash-bug-could-be-breaking-security-for
What could be the implications for Android users?
For example, my phone appears to be vulnerable, according to the test from the article.
I'm using a Samsung Galaxy Express GT-I8730 running latest CyanogenMod 11 (September 21) from http://forum.xda-developers.com/showthread.php?p=53616202#post53616202
Hope this one transcends the conspiracy level as I've not done any background research. Just wanted to share as it seems legitimate. Somewhat older but I guess still valid. Shouldn't all developers move to Replicant or at least close the backdoor mentioned in this article?
https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor
Would it be okay to cross-post an "I'm a dumbass, what do I do now" question here from http://forum.xda-developers.com/htc-one-m8/help/oops-potential-malware-root-privs-s-t2927813 ?
tl;dr- I ran something as root that smells of malware, how do I recover from this? (Good news is that only my system and recovery were unlocked, not the other firmware parts.)
jcase said:
In light of the seriousness of security, I want to keep this forum as clean as possible. I will be working harder in the future to do so.
What belongs:
Discussions of
~ of vulnerabilities & potential vulnerabilities, with detail.
~ of vulnerability research
~ of exploit development
~ of reverse engineering
~ of application security
~ of physical device security
~ of theoretical attacks/vulnerabilities, with detail.
~ any serious security matter
detailed guides on security matters
etc
What does NOT belong:
Copy pasted articles, with no linked source or citation
promotion of apps
promotion of services
simple how to guides (like how to use a VPN on Android)
Questions on how to unlock a device
etc
Absolutely no FUD, nor conspiracy theory posts will be allowed. Please include citations, or strong evidence when making a post that may appear to be FUD or a conspiracy theory type post.
If you have questions as to if a post is appropriate, please either ask in reply to this post, or PM me.
Click to expand...
Click to collapse
What about Security News related to Android?, Can we share here?
Is asking about security protocols allowed. Xfinity tv will not allow me to mirror to my tv through the app. Security protocols prevent it for some reason. Is there a way around this ? If not it's no big deal
jcase said:
In light of the seriousness of security, I want to keep this forum as clean as possible. I will be working harder in the future to do so.
What belongs:
Discussions of
~ of vulnerabilities & potential vulnerabilities, with detail.
~ of vulnerability research
~ of exploit development
~ of reverse engineering
~ of application security
~ of physical device security
~ of theoretical attacks/vulnerabilities, with detail.
~ any serious security matter
detailed guides on security matters
etc
What does NOT belong:
Copy pasted articles, with no linked source or citation
promotion of apps
promotion of services
simple how to guides (like how to use a VPN on Android)
Questions on how to unlock a device
etc
Absolutely no FUD, nor conspiracy theory posts will be allowed. Please include citations, or strong evidence when making a post that may appear to be FUD or a conspiracy theory type post.
If you have questions as to if a post is appropriate, please either ask in reply to this post, or PM me.
Click to expand...
Click to collapse
Hi jcase,
Could you please tell me if questions about unlocking bootloader are appropriate ?
With my SAMSUNG Galaxy A5 2016 smartphone it's easy to unlock bootloader. I have to click on the appropriate choice in the developper options menu. And you can do that without rooting your device.
With others devices it seems to be less easy. My question in this case is : do we have to root the device to unlock bootloader ?
I hope this question is appropriate in this forum and if not, feel free to clear my post.
Thanks.
iwanttoknow said:
Hi jcase,
Could you please tell me if questions about unlocking bootloader are appropriate ?
With my SAMSUNG Galaxy A5 2016 smartphone it's easy to unlock bootloader. I have to click on the appropriate choice in the developper options menu. And you can do that without rooting your device.
With others devices it seems to be less easy. My question in this case is : do we have to root the device to unlock bootloader ?
I hope this question is appropriate in this forum and if not, feel free to clear my post.
Thanks.
Click to expand...
Click to collapse
Yes they are appropriate, but the answer depends on the device, and firmware
Give it's clearly a fingerprinting issue... can I ask my GSFID questions here?
I have managed to change my supposedly permanent GSF ID (Google services framework ID) without needing to be rooted, specifically so that my phone is less vulnerable to malicious fingerprinting.
Given I realize almost nobody knows how to change the GSF-ID (it took me hours to figure it out but only minutes to perform), I can't really ask this in a general forum (as it's a deep-down security question for people who actually know how Android works and how apps work inside of Android with respect to tracking the user).
Specifically what I don't know is why this unique ID (which uniquely identifies your phone!) isn't supposed to be changed, nor do I know what apps are doing with it - but I do know that it's super freaking important to Android (I can give gory details what happens if/when you change it for example).
It seems only "some" apps (those linked with GSF API's perhaps?) use this supposedly permanent personal tracking ID to watch your activities; but maybe they all do for all I know (I'm not a developer).
I'd like to ask for MORE INFORMATION about how the GSF ID (and perhaps the Android ID too) are used by Android & by apps, but there's almost nothing out there on the Internet about them (ask me how I know this).
Give it's clearly a fingerprinting issue... can I ask my GSF_ID questions here?
I'm confused as I haven't seen an answer and I gave the query above almost a month, so I posted the question here, hoping it will both edify others in security issues (fingerprinting specifically) and help me get the answers.
Does a comprehensive and plain english list exist anywhere that tells who is who and why they have a security certificate installed on my android phone?
I've asked this before and never found an answer. I find it odd that it isn't questioned and recently when installing FoxFi, it was made more poignant when many became up in arms about the FoxFi cert and the notification that some unknown entity could be monitioring activity. FoxFi is pretty clear about why that cert is there and I can't say that for the factory installed ~200 certs.
Also, is there a comprehensive list anywhere that tells what factory installed and system apps do? Many have very obscure names and even names which are quite misleading upon actually discovering what they really do. I'm sure I can't be the only one that would like to know exactly which apps are safe to freeze, disable or uninstall and upon doing so, what functionality will be lost or what other apps will no longer work, if any.
I think Google needs to step things up in these two areas so people can actually know. The work in the area of app permissions is a step in that direction, but, still a long way from full and forthright disclosure aimed at educating all android device owners.
Thanks for any direction you can provide.
Hmmmmm.... its merely about the desire to know why every android I've owned for coming on ten years now has security certs installed belonging to the DOD, Japanese Government, Experia, Equifax and many more that I have no idea who they are unless I want to research each and everyone of them. Even doing so in most cases still doesn't reveal why those entities have a cert on my phone and what it actually means. I wonder what happens if they are removed and why they are there in the first place.
As far as the many pre-installed apps that I can't imagine many people having a clue as to why they are installed or what they actually do, well, that kinda speaks for itself as well.
Nobody else wonders or does everyone else but me already know?
However, in the mean time, I'll refine my quest to changing permissions and any insightful threads on that for dummies would be appreciated.
Thanks
Hi
Thanks for writing to us at XDA Assist. Unfortunately I can't find anything relating to your question on XDA, it's probably best to ask here:
Android Q&A, Help & Troubleshooting
No response in two days, thread closed.
hey guys can someone tell me is there any way to add play store time remaining feature to android 4.2.1 ?
And i request developers to please work on this feature it is very helpful feature....
XDA Visitor said:
hey guys can someone tell me is there any way to add play store time remaining feature to android 4.2.1 ?
And i request developers to please work on this feature it is very helpful feature....
Click to expand...
Click to collapse
Hello, and welcome to XDA!
I find those things inaccurate, as the notification area estimate (including percent complete) rarely matches (or comes close to) the Play Store app estimate. That also begs the question on responsibility...are you talking having time remaining within the app, or in the notification area?
Right now for either, it's a fight against time. With the former, you are dealing with an older version of Google Play and Google Play Services, the responsibility of Google and that version (guessing 6.x where current is 8.x) is critical security updates only (if any at all) - no feature requests allowed. The latter scenario, probably relies on the former for information, but if not, it would be the responsibility of your ROM developer (e.g. Samsung Touchwiz 4.2/CM10.1/et cetera). They are in the situation of getting only critical security updates (if any at all) as well. After all, Android 4.2.1 enters it's fourth year of existence in November, and the attitude of Google is once a new codename has been officially released, all attention goes towards the new version (so the older stuff quickly becomes "abandonware").
CyanogenMod has been good on keeping older Android versions alive. Not so much for themselves, but for the older ROM's that borrow their code. The recent StageFright problem (dubbed SF1.0 as there is now a new batch of vulnerabilities) CM went back as far as 10.1/4.2.2 to patch the problems. With latest SF2.0 and the recent release of Marshmallow/6.0 I don't know if CyanogenMod will go that far back for their fixes this time (I am watching, as I have some Android 4.4.4 stuff to patch and plan to base off of CM11).
That was the long. The short being, since 4.2.1 is no longer a priority, I don't see it happening. Sorry.
Hi all.
As I recently unlocked my smartphone and installed a custom ROM, I was wondering what were Google position about GApps. I read some quick news online about this but there's nothing clear. To me it's not "piracy" or "hacking" as most of us don't modify their apps. Actually I think we really enjoy Google's services and this is why we need those packages.
My point is we're customers of Google even we make some changes on our devices. As far as I know, this company is more or less in an "open source mood". Do you guys know if there's (somewhere) an official response to this ?
Thanks. :good:
(I hate to cross-post, but given the sheer number of readers on this part of the forum when compared to Security Discussion, I thought it was a better choice to post here too, and I hope the modos will be kind enough to either remove my original post in Security Discussion, or link it to this part of the forum and delete the present post.)
Hi everyone,
I can't find a satisfactory answer on my favorite search engines, so I thought I'd come here and ask. Sorry if this question has already been put on the table, carved, sliced and gobbled, I couldn't find trace of it in the forum's search engine either.
My phone's a Leagoo T5c that will forever be stuck on Android 7.0, it seems, because the OEM has already lost interest, and because its SoC makes it difficult, if not downright impossible, to find a suitable custom ROM.
The latest ROM I could find and install on this phone goes back to August of 2018 (no-no, no typos), and its Security Update is even one month older (July 2018).
My question is in the title: Is it possible to install Security Updates without reinstalling/updating/upgrading the firmware itself, like you would in, say, Windows or any other OS, I presume?