Device id bypassing, faking a new device for every login - OnePlus 6 Questions & Answers

Hi all, I want to know a solution for a problem. There is an app called zipgo which allows two logins per device, one after the other. When I'm on stock I used two accounts, and when I try to log in with a new account, it says maximum number of logins per device exceeded. I thought the app was registering my MAC address with the account, so I installed RR ROM and changed my MAC address, and after logging in with two accounts, when I try to log in with a third new account, it says maximum logins allowed per device exceeded. I changed my MAC address and tried too.
How did it allow me to log in when I flashed RR ROM?
How to make the app believe that I'm on a new device every time I log in with a new account?
What will the app store other than MAC address to uniquely identify my device and how to bypass it?
What is the change in a new ROM that made the app believe that my device is not the old one (stock) I logged in on?
Any links or suggestions welcome. If this is violating forum rules, I'm sorry; suggest me a thread and I'll post there.

How about asking the zipgo support? What has this to do with an OP6?

Circumventing an app's security measures (i.e. cracking or spoofing to gain a paid-for service without actually doing so) is against the rules of XDA.
Even worse, after a quick read, this can be used maliciously to use another user's login when you're not supposed to and thereby take trips and transits at their cost.

To identify your device, they could be using the actual serial numbers or other uniquely identifiable properties of your device (e.g. IMEI, MEID, ESN, SIM SUBSCRIBER ID, Wifi/BT MAC, Google Framework GSF ID, Android Device ID, SIM Serial, Serial Number).
As it's per device, they may be just using the model number from the build.prop and checking it against your account.
Anyway, I have not heard of this 'zipgo' and do not wish to know any further. If you have issues with them then contact their support, this sounds like abuse and you will likely get your services terminated anyway. And is a bus truly that expensive?

Try xposed and xprivacylua to change / hide these values from the app

efinityy said:
> Circumventing an app's security measures (i.e. cracking or spoofing to gain a paid-for service without actually doing so) is against the rules of XDA.
> Even worse, after a quick read, this can be used maliciously to use another user's login when you're not supposed to and thereby take trips and transits at their cost.
+1 on this. But if you really need the help, just change your build.prop to another device's fingerprint if it's that necessary. If it's not really necessary, then I advise you to ask their support for further help instead of a 3rd party website for advice.

Related

Why the data Android sends to Google is less anonymous than Apple's implementation

So after starting this thread it has raised a stir. And I wanted to point out why the data that Google collects from Android devices is in my own opinion not at all "anonymous" although it is claimed to be.
The WSJ article fully explains. Please read it in full but I'm just going to cite a short passage here and embolden a few words:
> ...an HTC Android phone collected its location every few seconds and transmitted the data to Google at least several times an hour. It also transmitted the name, location and signal strength of any nearby Wi-Fi networks, as well as a unique phone identifier.
Apple does not collect the unique phone identifier in the data that they collect.
So Google is collecting location, unique ID, and if you sign into Google services they have your full account information and all within it. This means, via your phone ID that Google could very easily associate YOU PERSONALLY with the location data if they so choose. I know, they say they don't but it's one heck of a data mining marketer's dream to do it!
So I stop Android from phoning home.
I agree. I own both an iPhone and a Droid, but the difference is the unique identifier being sent from some Droid phones ... The real question is what this unique identifier that is being sent is: is it the IMEI or MAC address?
Looks like Google claims it's not the IMEI, according to this article: Google Responds To Smartphone Location Tracking Uproar, Says Android Is Opt-In
From the article:
> Google explains that when a phone transmits data back to its servers some location data is actually assigned a unique identification number, but it says that this number is in no way associated with the device’s IMEI, the user’s name, or other information. In other words, they’d have a hard time associating a user with that data.
That makes me wonder, why must they create this "unique identification number" at the device level in the first place? If they simply want a unique value in their database for incoming data, it's much cheaper and easier to assign the value inside Google within their own databases as each new report comes in (RowID for example; you who do any database-level programming know what I'm talking about) than to assign each device a "unique" identifier that is sent with other data each time. The fact the device is sending some sort of "unique" identifier is troubling. And it's the researchers that found the value sent is unique and could be used to identify a phone. So do I believe the researchers who first told us exactly what is being sent or Google, since Google didn't tell us exactly what was being sent till the researchers uncovered it? I suspect if anyone could overcome that "hard time associating", Google could, but that's my opinion. They know what method they used to create the supposedly unique value and they know how "unique" it is in relation to a specific device. In all my years of software engineering, I can't see how it would be so "hard" for Google to associate all the data they're pulling in with a specific device and person.
I'll just keep my device from phoning such data to Google and leave it at that. I'm also finding my battery life and GPS lock times have improved since stopping Android from phoning home.
ROMs need to address this directly
Darnell_Chat_TN said:
> So Google is collecting location, unique ID, and if you sign into Google services they have your full account information and all within it. This means, via your phone ID that Google could very easily associate YOU PERSONALLY with the location data if they so choose.
Thanks for starting this thread. This is definitely an issue that we should be concerned about. I wasn't aware that Google was collecting more data than Apple, and your above point is very worrying!
I've asked this on the previous thread too, but I'm keen to see if/how ROM developers can directly manipulate Android to remove this malicious transmission to Google. How can we pressure them to do so? Beyond that, Google themselves need to be held accountable for this,
It actually makes perfect sense; when you're collecting all of this data from random phones, you need a way to vet the quality of the data. If some joker starts having fun and injecting bogus data into the uploads, they can eventually identify which phone the bad data came from and remove it all from their database. If the data is purely anonymous, with no ID tag whatsoever, it's much more difficult to maintain the quality of the data.
highlandsun said:
> It actually makes perfect sense; when you're collecting all of this data from random phones, you need a way to vet the quality of the data. If some joker starts having fun and injecting bogus data into the uploads, they can eventually identify which phone the bad data came from and remove it all from their database. If the data is purely anonymous, with no ID tag whatsoever, it's much more difficult to maintain the quality of the data.
So, is there a way of "injecting" bogus data deliberately by phones to degrade Google's database? I've also read a report from an NCSU research team creating an application called TISSA for turning off or deliberately feeding misleading info for apps that try to read and transmit personal data. It says with development, this app will be launched on the Android market. Can such methods be used to 'rein in' Google?
Sent from my HTC Incredible S
Of course there is. Just disable the phone-home connection while accumulating data in the cache (using iptables/DroidWall). Then edit the cache files, putting whatever you want in them, and then reenable the connection. The phone won't be able to send the data before you edit it, if you keep the connection locked down.
Sent from my TP2 using Tapatalk
Apple has banned certain hackers from their app store. I'm not trying to send any bogus data to Google, because that might be the tipping point for them to try and ban my device.
Interestingly enough, Steve Jobs himself has come out to proclaim Apple does not track anyone, but he claims Android does: Steve Jobs: Apple doesn't track anyone
Don't iPhones have IMEIs too? Apple have denied using it. So have Google. As far as Google services go, Apple have your info through their store. What's the difference?
deejaylobo said:
> Don't iPhones have IMEIs too? Apple have denied using it. So have Google. As far as Google services go, Apple have your info through their store. What's the difference?
Read through the earlier posts for details.
Darnell_Chat_TN said:
> Read through the earlier posts for details.
Yes, and despite Google denying using unique identifiers with their data you are of the opinion that they do. But, you believe that Apple does not use unique identifiers based on what? Them saying so?
Nexus SuperAosp
deejaylobo said:
> Yes, and despite Google denying using unique identifiers with their data you are of the opinion that they do. But, you believe that Apple does not use unique identifiers based on what? Them saying so?
> Nexus SuperAosp
Not based on them saying so at all. Please read in full the article that I've cited, which is the account of 3rd party researchers who looked into what the devices are actually sending. Read the article and view the video on that page as well. Both provide details into the research that was performed and the findings of that research.
Darnell_Chat_TN said:
> Not based on them saying so at all. Please read in full the article that I've cited, which is the account of 3rd party researchers who looked into what the devices are actually sending. Read the article and view the video on that page as well. Both provide details into the research that was performed and the findings of that research.
Just a small update. Once again, Google deny using unique identifiers.
http://online.wsj.com/article/SB10001424052748703387904576279451001593760.html?mod=googlenews_wsj
I wonder what came of TISSA? I can't find any release information on it. Just the paper:
http://t.co/Rsuq4L2
Also TaintDroid code is still not widely available in custom kernels or as an add-on module, which is quite sad.
We all know the Android privacy and security are quite bad and all Google does is clean up after-the-fact.
Are there any new developments in this arena that users can deploy themselves?
Thanks for this info and the iptables tip above. I think I'll add a log and check it after about a week. I'm real curious as to what info my device is sending out and how much.

[Q] [HELP] Password & account detail leaks [Sony PSN Fail!]

Hi Everyone,
So Sony PSN join the ranks of Gizmod, Play.com, Facebook, Sky, Apple, AOL [there are many more] as leakers of our information.
What are people's thoughts on this?
It seems that more often than not our passwords and details are not safe with companies anymore, but how can we protect against this?
Although it is best practice to use different passwords for every site and to use secure passwords (i.e. mix of numbers and letters) surely this is not practical since our heads are only capable of remembering so much. I also try to avoid trying out multiple passwords when logins fail; after all, what happens if that is logged!
What solutions exist to combat this issue? Are there any alternatives?
I think it is safe to say that if at least one of your passwords has not been leaked by now, then it is simply a matter of time. I just don't think passwords are good enough now, we need something better.
Do you mean the latest PSN Network problem? If you're talking about that:
Sony will have to repay people for stolen account info such as credit card info! It's because Sony security was so weak that this happened!!
Now I agree that passwords are not always the best protection for us. And never use public computers to check email and stuff since most have keyloggers!
For passwords I use a really strong password using all sorts of symbols, and its meaning is not related to me nor family... Makes it hard to guess for people.
xploz1on said:
> Do you mean the latest PSN Network problem? If you're talking about that:
> Sony will have to repay people for stolen account info such as credit card info! It's because Sony security was so weak that this happened!!
> Now I agree that passwords are not always the best protection for us. And never use public computers to check email and stuff since most have keyloggers!
> For passwords I use a really strong password using all sorts of symbols, and its meaning is not related to me nor family... Makes it hard to guess for people.
The problem is that no matter how strong the password is, once it is stolen it doesn't matter anymore unless you have strong passwords for each and every site and a Rain-Man brain to recall them all.
I agree about public computers, you can add to that Open Wifi connections and those people who think it is a great idea to keep their wifi unsecured!
I think as people have become aware of password security, they do use better passwords, but they still use them everywhere.
I know some people use apps to store their passwords, but not only is that inconvenient but what happens if your battery is flat?
For such a big problem, there must be some kind of answer.
Sony are a bit of a joke these days. To be fair, it's not definite that CC info was taken as they don't actually know, and to the best of my knowledge nobody has reported actually having been defrauded yet. Credit Cards are covered by fraud protection anyway so it would only be the inconvenience that it causes people rather than a loss of money.
PSN passwords and account info is another matter though. That should all be encrypted and if it's not they have a lot to answer for! Also, why did it take them a week to report this problem to the account holders?
Just read this: http://www.fudzilla.com/games/item/22562-sony-now-saying-there-was-no-leak
Hi! When I read about this Sony issue I was shocked! I mean, if that happens to Sony... I think I'm not buying anything else without a virtual credit card.
Regarding the passwords... I found this article in a blog the other day that recommended using long passwords, with different elements, one common and one specific for every site. For example:
p4ssw0rd_fBk for facebook, or p4ss_gM41L for gmail... I think that's an interesting idea!
neival said:
> Hi! When I read about this Sony issue I was shocked! I mean, if that happens to Sony... I think I'm not buying anything else without a virtual credit card.
> Regarding the passwords... I found this article in a blog the other day that recommended using long passwords, with different elements, one common and one specific for every site. For example:
> p4ssw0rd_fBk for facebook, or p4ss_gM41L for gmail... I think that's an interesting idea!
Yeah, I was thinking of something along similar lines.
I guess you have to make it slightly more than a simple combo though or there is still a chance it could be used. It would stop most automated attacks though, which would be far better than using the same password.
A different take on using a combo of random letters/numbers is suggested here http://www.baekdal.com/tips/password-security-usability. Interesting that "It is 10 times more secure to use "this is fun" as your password, than "J4fS<2"" even though you are using common words and you are much more likely to remember it...makes sense I suppose, there are only 128 ASCII chars but far more possible common words so even three is enough. It goes against most password advice of using mixed case etc., but in fact it is right - although note that WPA2 talks about a pass-phrase rather than a password, you can see why now. Obviously unrelated words would be better, i.e. not using famous quotes etc., and you still have the problem of putting a unique bit in for the site itself which can't be used to access your other accounts, if they get your password from somewhere else.
I think if I did use such a system it would be worth keeping note of the codes you've used (somewhere nice and safe of course) or you could end up locking yourself out of a lot of places (or at least keep track of which places you've adopted the system on).
Could also have a system so you can change your passwords periodically but still remember them, i.e. a year code or something, 1st letter of your car reg perhaps.
Another thing you could do to protect your email address (since that is a prime target once your details have been lost...i.e. they now have a password (or variations to try) and related email account to try it on) is to use email aliases (like hotmail allows), so that the signed up email address does not even relate to an actual real account (hotmail just says the password is incorrect, even if you are using the correct one for the linked account!).
The only other issue is down to security questions and password reminders on sites, a password is useless if they just reset it due to a simple security question. (Does sony have that info as part of sign up or is it just your email address they use for reminders - I can't remember now).
After all, if they just need you to supply your D-O-B or mother's maiden name and it was stored on a site which has lost its data, it is not something you can change (unless you lie of course from now on). What info would they use to verify you if you told them you've lost access to your email address, would that info also have been included in the "lost" data from these companies???

REQUEST for info related to privacy and security.

Good day!
I have a page for online privacy ( www.4yourprivacy.com) and want to add more information regarding smart phones and personal privacy and anonymity to that site.
Anyone who can offer insight to these questions as well as suggest additional questions I may not have thought of I will be most appreciative.
It is understood that using mobile networks data, tower triangulation can still provide coarse location information that is saved as part of your phone record. Assume that location services and GPS are disabled
1. Using cell data how much privacy is afforded by having an active VPN connection with regard to third party apps or with carrier provided SMS?
With no mobile data but using WiFi only with VPN.
2. Does VPN offer any actual privacy to the user of standard SMS messages? I realize that alternative means such as "Signal app" provide end-2-end privacy even without VPN.
3. Do some, all, most third party apps obtain and transmit the specific device ID such as phone number and IMEI etc back to a server some where? This is a technical/software question not related to developers privacy practice. Is this totally dependent upon permissions you can control per-app?
4. App tagging. I read that when a user downloads an app from PlayStore that app is tagged to your device to permit developers to monitor accounts for such things as billing etc to be able to disable apps where user either has not paid or has violated some TOS...also by Google to register it to your phone for updates etc.
But what about the same app obtained and manually installed as an APK file without going through PlayStore?
Any thoughts, links to authority or additional questions I failed to ask, please let me hear what you have to say. (Yes, this may appear on more than one forum!)
Again thanks in advance for any thoughts or info that you believe should make their way to a discussion about privacy and security when using a mobile device. ( Android in this case...will address iPhone elsewhere )
Paul
paulckruger said:
> Good day!
> I have a page for online privacy ( www.4yourprivacy.com) and want to add more information regarding smart phones and personal privacy and anonymity to that site.
> ...
Interesting... Just had a look at your site regarding privacy and anonymity by Webbkoll and got interesting results: https://webbkoll.dataskydd.net/en/results?url=http://www.4yourprivacy.com/
Do you agree that having Google and LinkedIn cookies already contradicts privacy etc.?
Well for starters there is no information on this page that Google does not already index. I am not concerned about the privacy of this web site simply because if the site itself is too "private" people searching for this kind of info won't be able to find me in Google...kinda defeats the purpose of such a site in the first place!
The actual "privacy" aspect is the responsibility of the user not this web site which by definition must be findable for people to access the information. The assumption should be that a first visit will be by someone already exposing their tracks online seeking info on how to avoid just that.
Second...not a response to my question!
But thanks.

what is Andr.Trojan.Fake Telegram ?

Hi
I live in Iran, and recently the Iranian government has been forcing teachers and students to install an app. This app is not in the Play Store and users must sideload it. So I am suspicious of this app, and I checked it on VirusTotal.com and found this:
https://www.virustotal.com/gui/file...259f76b3df94b045abd50e88b9e1f980b5d/detection
Now my question is: is the detection valid?
Mehrdad.A said:
> Hi
> I live in Iran, and recently the Iranian government has been forcing teachers and students to install an app. This app is not in the Play Store and users must sideload it. So I am suspicious of this app, and I checked it on VirusTotal.com and found this:
> https://www.virustotal.com/gui/file...259f76b3df94b045abd50e88b9e1f980b5d/detection
> Now my question is: is the detection valid?
I'm no security expert but my opinion for what it's worth.
Probably a false positive as it's only one detection. That said the app uses Iranian DNS (so government could potentially track your activity), it checks for root, and also has the following (see 2nd page of report) which could be fine but could also leak info to authorities you'd maybe not want to, though all also have legitimate functions.
Function name | Detail info
ContentResolver;->query | Read database like contact or sms
LocationManager;->getLastKnownLocation | Get last known location
android/app/NotificationManager;->notify | Send notification
getRuntime | Get runtime environment
java/net/URL;->openConnection | Connect to URL
java/net/HttpURLConnection;->connect | Connect to URL
Camera;->open | Open camera
HttpClient;->execute | Query for a remote server
Also keep in mind an app can pass these tests by Antivirus but still use quite legitimate functions to leak data you maybe don't want to the app developers. Or worse download other files later that could be malicious, at the end of the day you need to trust both phone manufacturer & app producers to a large degree.
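A triage sketch for the kind of API-call list quoted in the reply above, added here as an example (it is not part of the original posts or of any scanner's own code). It assumes the APK has already been disassembled to smali text, counts only real invoke instructions against the call markers from the report, and runs on a constructed smali sample; a hit shows that a capability is present, not that it is misused.

```python
import re

# Call markers and descriptions as they appear in the report excerpt above.
SENSITIVE_CALLS = {
    "ContentResolver;->query": "Read database like contact or sms",
    "LocationManager;->getLastKnownLocation": "Get last known location",
    "android/app/NotificationManager;->notify": "Send notification",
    "->getRuntime": "Get runtime environment",
    "java/net/URL;->openConnection": "Connect to URL",
    "java/net/HttpURLConnection;->connect": "Connect to URL",
    "Camera;->open": "Open camera",
    "HttpClient;->execute": "Query for a remote server",
}

# invoke-virtual {v0, v1}, Lpkg/Class;->method(args)ret
INVOKE_RE = re.compile(r"^\s*invoke-[\w/-]+\s+\{[^}]*\},\s*(\S+)")
# .method public static name(args)ret
METHOD_RE = re.compile(r"^\s*\.method\b.*?\s([^\s(]+)\(")


def find_sensitive_calls(smali_text):
    """Return (enclosing_method, line_no, marker, description) per hit.

    Only invoke-* instructions are inspected, so a marker that merely
    appears inside a string constant or comment is not reported.
    """
    findings = []
    current = "<outside method>"
    for line_no, line in enumerate(smali_text.splitlines(), 1):
        method = METHOD_RE.match(line)
        if method:
            current = method.group(1)
            continue
        if line.strip() == ".end method":
            current = "<outside method>"
            continue
        invoke = INVOKE_RE.match(line)
        if not invoke:
            continue
        target = invoke.group(1).split("(")[0]  # drop the type descriptor
        for marker, description in SENSITIVE_CALLS.items():
            if marker in target:
                findings.append((current, line_no, marker, description))
    return findings


def capabilities_by_method(findings):
    """Group descriptions by the method that makes the call."""
    summary = {}
    for method, _line_no, _marker, description in findings:
        bucket = summary.setdefault(method, [])
        if description not in bucket:
            bucket.append(description)
    return summary


# Constructed sample input (not taken from any real app).
SAMPLE_SMALI = """\
.class public Lcom/example/constructed/MainActivity;
.super Landroid/app/Activity;

.method public onCreate(Landroid/os/Bundle;)V
    const-string v0, "Camera;->open is only mentioned in this string"
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    invoke-virtual {v1, v2}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    return-void
.end method

.method private upload(Ljava/net/URL;)V
    invoke-virtual {p1}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    invoke-virtual/range {v0 .. v5}, Landroid/content/ContentResolver;->query(Landroid/net/Uri;[Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;)Landroid/database/Cursor;
    return-void
.end method
"""

if __name__ == "__main__":
    for method, line_no, marker, description in find_sensitive_calls(SAMPLE_SMALI):
        print(f"{method}:{line_no}  {marker}  ({description})")
```

Grouping hits by enclosing method makes it easier to see which capabilities are combined in one code path, for example a database read next to a network connection.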

How does app detect it was previously installed?

There is an app for a big coffee chain that offers a free coffee on first time use.
I'm wondering how to stop it from detecting I have previously used the app.
From their privacy policy they state:
Network, hardware and website. Information that we obtain from your device or browser (such as IP address, operating system, version and device identifiers. This also includes the use of cookies (for more information on cookies, please see our policy on cookies);
What's the best way to change device identifiers on a rooted phone?
Ishta said:
> There is an app for a big coffee chain that offers a free coffee on first time use.
> I'm wondering how to stop it from detecting I have previously used the app.
> From their privacy policy they state:
> Network, hardware and website. Information that we obtain from your device or browser (such as IP address, operating system, version and device identifiers. This also includes the use of cookies (for more information on cookies, please see our policy on cookies);
> What's the best way to change device identifiers on a rooted phone?
I'm using XPrivacyLua [XPL] (including all non-free pro features) for this kind of requirement. However, the use of XPL not only requires the device to be rooted but also the use of Xposed or similar.
Thanks I got it installed.
So I understand XPrivacyLua would show the coffee chain app a fake device ID.
Is it possible to change the fake device ID shown to coffee app ?
