Prevent your data from remote wiping by the company

Prevent your data from remote wiping by the company - General Topics

As more and more companies require their employees using business apps or store relevant information on their devices, how to protect the data becomes a hard nut to crack. Under this circumstance, some of them involved the "remote wipe permission". By signing BYOD (Bring Your Own Device) agreement, employees should give companies access to wipe the data on their phone for business purpose. Actually, a recent survey by Acronis showed that around 21% of companies "perform remote wipes when an employee quits or is terminated."
Although this is considered to be an efficient way of protecting the interest of companies, a growing number of employees felt to be kind of "offended" by their employers. "It's just like a loaded gun pointing to my personal data," said by one of the employees. Another one of them lost all the photos of a relative who had passed away.
In order to avoid the risks, what should we do? Actually, there should be lots of methods. Some companies have a timely reminder to let their employees back up the data. Some employees delete the apps or files for wiping data before resign. These sort of ways are helpful, but they just partially resolved the issue, as the data could still be wiped at any time.
How could we get the risk totally settled? Is it the only way of owning another device for business? The answer is, no. Owning another device is certainly a perfect way to resolve the issue, but it's lack of cost-performance and convenience. What's more, there's even another risk for losing one of the devices. By adding another virtual system to store all the business stuff, and give the company wiping permission for it should be a brilliant way.
Hard to find one? VMOS could help you out. With the VM (virtual machine) technology, VMOS contained a whole Android system inside the app, which allows you to install/delete/run apps just like normal. With the root access equipped, you can put anything you like into the virtual system, and will not affect your physical device. The message penetration function also prevents you from missing any information.
In this way, we could put all the business apps inside the virtual system. Whenever the companies would like to delete them, it would happen only in VMOS, the data in your phone will be stored safe and sound.

Direct copy/paste from here:
https://medium.com/@ckzhao9112/prevent-your-data-from-remote-wiping-by-the-company-25df7a3abdc9
Thread closed.

Related

Marketplace "advanced" "copy protection" cracked

This is a continuation of this thread: http://forum.xda-developers.com/showthread.php?t=567870, which covered cracking the original "basic" copy protection of Marketplace.
---
I have now cracked the "advanced" copy protection used by Marketplace. As you may know, this is a "better" protection than the original "CAB copy protection" Marketplace offered. This "advanced" protection uses license keys that are verified when you run the application, and given out and controlled by Microsoft.
Several developers are annoyed that Microsoft does not allow us to use our own licensing schemes, and are forced to use "no protection" (the original CAB copy protection) or use Microsoft's scheme which is essentially a single point of failure for all Marketplace protected apps.
This new "advanced" protection was released today by Microsoft, and as far as I know no app available already uses it at the time of this writing.
So I got the code snippets you are supposed to put in your app and it was simply jawdroppingly WTF. While it was not exactly easy to beat, it took me less than two hours to devise a "generic" hack, without modifying any files on the device. (Well hey, at least it's better than the 5 minutes it took for the "basic" protection, right?)
A "generic" hack? Yes, by this I mean that this single hack (actually, running an EXE in the background) will completely bypass the entire code snippet provided by Microsoft that is supposed to check and validate your license code, for all Marketplace apps that use this "advanced" protection.
I will not publish the code that performs this hack, so don't ask. My goal is not to crack Marketplace apps, my goal is to get MS off their ass and allow us to use our own licensing systems, like the good little resellers they're supposed to be. I will tell you that it has to do with runtime patching the crypto API, but that's it. All in all, I don't think it will take long for the warez people to duplicate this hack.
---
Some further reasoning about anti-piracy, solutions, etc can be found in post 13 on page 2.

if there are no apps that use it yet, how do u know your hack works?

Because the Marketplace portal provides code ("code snippet") you have to compile in your EXE, and that takes care of the whole licensing thing.
So you look at that source, spot the weak points, devise a hack. Then compile a program using said "code snippet" and try the hack on it.
If developers simply copy/paste the snippet they are given by the Marketplace portal, this hack will work.

Chainfire said:
This is a continuation of this thread: http://forum.xda-developers.com/showthread.php?t=567870, which covered cracking the original "basic" copy protection of Marketplace.
---
I have now cracked the "advanced" copy protection used by Marketplace. As you may know, this is a "better" protection than the original "CAB copy protection" Marketplace offered. This "advanced" protection uses license keys that are verified when you run the application, and given out and controlled by Microsoft.
Several developers are annoyed that Microsoft does not allow us to use our own licensing schemes, and are forced to use "no protection" (the original CAB copy protection) or use Microsoft's scheme which is essentially a single point of failure for all Marketplace protected apps.
This new "advanced" protection was released today by Microsoft, and as far as I know no app available already uses it at the time of this writing.
So I got the code snippets you are supposed to put in your app and it was simply jawdroppingly WTF. While it was not exactly easy to beat, it took me less than two hours to devise a "generic" hack, without modifying any files on the device. (Well hey, at least it's better than the 5 minutes it took for the "basic" protection, right?)
A "generic" hack? Yes, by this I mean that this single hack (actually, running an EXE in the background) will completely bypass the entire code snippet provided by Microsoft that is supposed to check and validate your license code, for all Marketplace apps that use this "advanced" protection.
I will not publish the code that performs this hack, so don't ask. My goal is not to crack Marketplace apps, my goal is to get MS off their ass and allow us to use our own licensing systems, like the good little resellers they're supposed to be. I will tell you that it has to do with runtime patching the crypto API, but that's it. All in all, I don't think it will take long for the warez people to duplicate this hack.
Click to expand...
Click to collapse
amen
hallelujah
hit me now
YEAH

have given the issue some press : http://www.1800pocketpc.com/2009/11/13/marketplace-advanced-copy-protection-cracked-in-less-than-2-hours.html

anti-piracy protection is intended to stop ordinary users from transferring cabs between devices and it is successful at that. there is no protection that will stop apps from being pirated, certainly not for handheld devices. the new advanced protection is adequate and any further techniques are redundant and a waste of time, because no matter how 'strong' they are, they WILL be cracked.

Slightly if not totally off-topic: A mainstream consumer's view
mnet said:
anti-piracy protection is intended to stop ordinary users from transferring cabs between devices and it is successful at that. there is no protection that will stop apps from being pirated, certainly not for handheld devices. the new advanced protection is adequate and any further techniques are redundant and a waste of time, because no matter how 'strong' they are, they WILL be cracked.
Click to expand...
Click to collapse
I agree with you and your premise. Now a quick story.
I consider myself a mainstream consumer... but I have been a member of XDA for, what, i think 4 years, using 2 WM phones, first the T-Mobile MDA, then the Wing (HTC Herald), and I am about to switch to Android with the HTC Hero. I am reasonably savvy about tech, just not a coder. But I've done all the hard SPL, flashing ROMS, using beta software, and supporting developers here with pretty significant donations. I am also a User Experience / Usability designer for web as a profession. THAT'S MY BACKGROUND.
To date, my experience buying WM apps has been universally AWFUL. Whether it was, just recently, Resco Picture Viewer from PocketGear, or WM Defrag from Wizcode, or PocketPlayer from Conduits. I am more than happy to buy excellent software that works, and has a decent UI. But in each case, the process of buying the app and getting it onto my phone has been absurd, and frustrating beyond belief. Each provider makes all sorts of assumptions -- often wrong -- including "you must be downloading this from a PC, so we will download for you an executable that runs on a desktop PC then installs via active sync onto your device."
Whatever the percentage is, doesn't matter: A lot of people, like me, download all my cab files, and purchase apps, on my Mac... and either email myself the .cab file or .zip files, or place my microSD card from my phone into a USB reader. Thus, what a frikkin headache to end up getting PocketPlayer on my phone... but because i didn't download it from a Windows PC, I was screwed.
This stuff is archaic. This past week it has taken 5 days to get Resco Picture Viewer on my phone after purchasing from PocketGear.com . They have a completely retarded transactional process, a terrible UI, broken software in terms of user recognition and resetting username and password, and a completely phone-UNFRIENDLY site, with most sub-level menus not even accessible from browsers like Opera Mobile, Netfront, Iris ... They are dumbass pull downs using god knows what -- flash or javascript, whatever. But fact is: a simple navigation process to access the products on the phone itself can't even be achieved by these clowns -- yet everyone is in overdrive now trying to get their version of "THE" WindowsMobile app store online, while Microsoft stumbles.
The fact is: I would LIKE to see a uniform transaction process which is designed professionally, and supports great usability design, and once I buy the app, quit making me go through absurd backflips just to get access to the cab file. Stop requiring me to use a Windows PC. And stop all the "special OUR way" authentication processes. Because if they were so good, there wouldn't be the kind of problems I have described. I'll even grant anyone who wants to -- to say "well you're just a dumb**** user who doesn't understand their particular process"... I'll grant you that, and my answer would be:
If you plan to sell a lot of apps -- ie, make money via VOLUME transactions vs pricey apps -- a la iphone -- then it makes a hell of a lot of sense to make a uniform system of delivery if you're buying it through an app store, and for god's sake, cut the crap and figure it out. It's not so hard to send an authentication code via email or text message. But it's exactly WRONG to be having 1000 developers using 1000 special "our way" authentication processes, because the odds of 1000 app developers having a great, simple, effective UI and safe authentication system that prevents priacy of their app is pretty low, based on the experiences I have had to date with MAINSTREAM products for WM.
That's my view. But I see a whole lot of clumsiness from the Windows Mobile side of the fence pertaining to this whole new way of monetizing apps. There's a reason apple succeeds in that department -- even with their bloated catalog and draconian approval processes. They understand how to deliver products to consumers -- vs repelling them from a dumbass process, no matter how good that process may be in theory.

quicksite said:
I agree with you and your premise. Now a quick story.
I consider myself a mainstream consumer... but I have been a member of XDA for, what, i think 4 years, using 2 WM phones, first the T-Mobile MDA, then the Wing (HTC Herald), and I am about to switch to Android with the HTC Hero. I am reasonably savvy about tech, just not a coder. But I've done all the hard SPL, flashing ROMS, using beta software, and supporting developers here with pretty significant donations. I am also a User Experience / Usability designer for web as a profession. THAT'S MY BACKGROUND.
To date, my experience buying WM apps has been universally AWFUL. Whether it was, just recently, Resco Picture Viewer from PocketGear, or WM Defrag from Wizcode, or PocketPlayer from Conduits. I am more than happy to buy excellent software that works, and has a decent UI. But in each case, the process of buying the app and getting it onto my phone has been absurd, and frustrating beyond belief. Each provider makes all sorts of assumptions -- often wrong -- including "you must be downloading this from a PC, so we will download for you an executable that runs on a desktop PC then installs via active sync onto your device."
Whatever the percentage is, doesn't matter: A lot of people, like me, download all my cab files, and purchase apps, on my Mac... and either email myself the .cab file or .zip files, or place my microSD card from my phone into a USB reader. Thus, what a frikkin headache to end up getting PocketPlayer on my phone... but because i didn't download it from a Windows PC, I was screwed.
This stuff is archaic. This past week it has taken 5 days to get Resco Picture Viewer on my phone after purchasing from PocketGear.com . They have a completely retarded transactional process, a terrible UI, broken software in terms of user recognition and resetting username and password, and a completely phone-UNFRIENDLY site, with most sub-level menus not even accessible from browsers like Opera Mobile, Netfront, Iris ... They are dumbass pull downs using god knows what -- flash or javascript, whatever. But fact is: a simple navigation process to access the products on the phone itself can't even be achieved by these clowns -- yet everyone is in overdrive now trying to get their version of "THE" WindowsMobile app store online, while Microsoft stumbles.
The fact is: I would LIKE to see a uniform transaction process which is designed professionally, and supports great usability design, and once I buy the app, quit making me go through absurd backflips just to get access to the cab file. Stop requiring me to use a Windows PC. And stop all the "special OUR way" authentication processes. Because if they were so good, there wouldn't be the kind of problems I have described. I'll even grant anyone who wants to -- to say "well you're just a dumb**** user who doesn't understand their particular process"... I'll grant you that, and my answer would be:
If you plan to sell a lot of apps -- ie, make money via VOLUME transactions vs pricey apps -- a la iphone -- then it makes a hell of a lot of sense to make a uniform system of delivery if you're buying it through an app store, and for god's sake, cut the crap and figure it out. It's not so hard to send an authentication code via email or text message. But it's exactly WRONG to be having 1000 developers using 1000 special "our way" authentication processes, because the odds of 1000 app developers having a great, simple, effective UI and safe authentication system that prevents priacy of their app is pretty low, based on the experiences I have had to date with MAINSTREAM products for WM.
That's my view. But I see a whole lot of clumsiness from the Windows Mobile side of the fence pertaining to this whole new way of monetizing apps. There's a reason apple succeeds in that department -- even with their bloated catalog and draconian approval processes. They understand how to deliver products to consumers -- vs repelling them from a dumbass process, no matter how good that process may be in theory.
Click to expand...
Click to collapse
Couldn't agree more!
I'll add one more reason I wrap my head in ductape every time I download/install an app.
Think it's bad with every developer having their own authentication method? How about when each developer has a DIFFERENT authentication scheme for every app they make?

I like a rant - thanks for doing it for me as I agree with you 100%.
The top of my annoyance list (which you did include) are sites selling mobile software which are NOT mobile browser friendly, WTF is that all about?

Big Up, I still don't think anyone else would have done it in two hours.
Hey you warned them didn't you.

Haha Chainfire is there anything you cant do?

More in the Dutch press:
http://tweakers.net/nieuws/63713/nederlander-kraakt-nieuwe-beveiliging-windows-marketplace.html

While I do appreciate the "rant", I think you're missing my point - or perhaps I just don't agree. (Edit: that is in response to this post http://forum.xda-developers.com/showpost.php?p=4936479&postcount=7)
When I say "use our own licensing schemes", I do not mean codes sent back and forth through websites, screen you have to type stuff in etc. This is exactly not needed because Marketplace is also the delivery mechanism. In other words, the license code can be installed by Marketplace directly without the user ever seeing or hearing about it.
This is partly how the new system works, actually. However, if Microsoft supported license codes you give them things would be more secure (though granted, for a large part by obscurity).
Some authors will not care and simply not use it all, for example with the cheap apps it may not be worth their while. Others may wish to track license key usage, so that if suddenly 10.000 users start using the same key instead of the 1 who bought it, that key can be disabled, etc. Some may want the app to call home, some will not. Imagine that developers that do employ such anti-piracy measures will write their own verification / communication code, this beats the single point of failure we currently have. The crackers are back to having to crack each app independently and even then have a much lower chance of success.
Marketplace is the perfect opportunity to implement such a system that does provide some piracy security for the authors while for once it does not unnecessarily annoy the user.
To make the obligatory bad car analogy that fails in many ways, take you car keys. Everyone thinks it's normal to have a car key, so people can't just take your car. Of course, in line with some of the arguments against anti-piracy measures, car keys aren't really that useful, as there's always a brick - the universal key, and a car thief that really wants your car will get it. (You also lock the doors on your house, right?)
Now, the current situation is pretty much that everyone has the same car key. How useful is a car key in that situation? They way I see it (and I'm sure I'm not alone in that), is more like the actual car key situation. Some car keys are laser etched, or have something RFID-like in them and a receive in the car, or simply use different shapes, etc. That's a lot more useful than everyone having the same car key.
Sure, no matter what you do, eventually things will get cracked and it is a cat and mouse game. One of the reasons this is easily doable is because of the open nature and the very few restrictions of Windows Mobile. This is a good thing. No developer in their right mind would want to get to a restrictive system like is the case on the iPhone or other mobile OS's. That is not the point. That doesn't mean anti-piracy measures are useless though, far from it. The longer you can keep a release from being warez'd, the less you lose.
There are two arguments I hear coming back in various places by various people:
(1) If the normal users can't just copy it, then that is enough (even MS says this)
(2) Piracy works as advertising, you get more eventual sales, etc. etc
Both of these, are from my own experience, completely untrue. The thing is if one person cracks it, it usually spreads on those warez sites pretty quickly.
The big thing here is, the average user is apparently tech-savvy enough to search the warez sites first before buying, and that is just how it is:
We have played the game with that one warez site, monitoring sales when (apparent) cracks were listed and when they weren't (they do remove releases on request). This made a 30-50% difference in sales (with the number being highest during the weekends, and lowest during weekdays). For me that is enough data to know that both (1) and (2) are complete nonsense in the case of mobile apps. No matter all the pretty reasons and perhaps seemingly logical reasons you may come up with for (1) and (2), the numbers don't lie.
So, how would you like to get a 30-50% paycut? It's not like us developers are getting rich here, you know. Can we be blamed for trying to prevent this?
Now, here we have the chance to implement a system that is completely transparent for the user and can be made reasonably safe (and updatable), an obvious win-win situation for everyone involved except the warez people. Why exactly shouldn't we be aiming for this?
What is also painfully apparent here, as Microsoft themselves claim reason (1), that they have no idea what they are talking about.

i am no programmer so excuse my ignorance but doesnt everything eventually get cracked. Is there any mobile platform which hasnt a non cracked market place or sites where you can download paid apps for free?

Well done Chainfire

Hello Chainfire,
I am the webmaster of the Tamoggemon Content network, and just covered you:
http://tamsppc.tamoggemon.com/2009/11/13/advanced-marketplace-drm-broken/
http://tamswms.tamoggemon.com/2009/11/13/advanced-marketplace-drm-broken/
Furthermore, an email went out to MSFT asking for a statement. but this is not the reason why I registered here (!!!) - I am instead here to vent a bit being a Symbian dev myself.
While I fully understand your frustration, I think that allowing every developer to run his own DRM is not gonna do the store good. The reason is that the store was made to make purchasing apps simple - and by allowing everyone to run his own DRM I dont see much of a venue to do this anymore.
Whenever some kind of backend gets involved, there is a single point of failure - the only trhing I can think off now would be a very complet system based on servers.
Or, of course, platform security like on S60. But trust me - we wont want that!

Thanks! However, if you read my other post carefully you'd see it wouldn't make any difference to the ease of using the store (it wouldn't make any difference for the user at all), just to a part of the backend. And of course, each DRM system has a single point of failure, but the difference is in my case there is a point of failure per app, while in the current case it's a single point of failure for everything. There is no perfect solution, but there are better solutions than the current one.
I've been contacted by a handful of big WM devs by now who are of somewhat the same opinion.

microsoft.... when it comes to security, they are clueless as usual.
only apple is worse.
I find they windows-7 VPN and "encryption" funny , is there anybody that would trust it ? - even if it was not for the backdoors ?

Just wondering, is anyone else having problems accessing the windows marketplace from the phone? I was able to download a couple of apps yesterday after I installed a custom ROM (TPC Pro Series V3.2), but today I get a message saying there is an update, it installs the update but then I get the following message:
"Windows Marketplace for Mobile cannot connect right now. Try again later."
Is this because of the custom ROM and the latest update to the marketplace, or is this something other people are experiencing?

Remember the days when purchased mp3s were DRM protected and some companies like Sony even put rootkits on music CDs? Did that stop piracy?
Hopefully Microsoft will not repeat these mistakes... There is no need for any further 'protection' for marketplace apps. If a developer isn't satisfied with this mechanism then he/she doesn't have to publish their apps on the marketplace. There's no point in having a centralized app store if every developer uses his/her own licensing scheme.

[Q] extent to which google tracking built in to Os

Hi, I am wondering to what extent Google has built into the android OS, ways of collecting data on the user, even when the user does not open a google account and uses only side loaded apps. ? Does anyone know the answer to this?

jaifora said:
Hi, I am wondering to what extent Google has built into the android OS, ways of collecting data on the user, even when the user does not open a google account and uses only side loaded apps. ? Does anyone know the answer to this?
Click to expand...
Click to collapse
Read this thread, even if it's about Xiaomi, on the 2nd page you will find your answer!

setmov said:
Read this thread, even if it's about Xiaomi, on the 2nd page you will find your answer!
Click to expand...
Click to collapse
I've read trough the second page and couldn't find what you're aiming at. So far as I can see it's only about xiaomi ROMs and their proprietary apps, that cause the security holes.

nerotNS said:
I've read trough the second page and couldn't find what you're aiming at. So far as I can see it's only about xiaomi ROMs and their proprietary apps, that cause the security holes.
Click to expand...
Click to collapse
What you were asking is actually just the same! Short answer: Google is in your phone at a API level, and there is no way to get rid of it!

setmov said:
What you were asking is actually just the same! Short answer: Google is in your phone at a API level, and there is no way to get rid of it!
Click to expand...
Click to collapse
It's not the same as the API itself is not the thing that sends the data. The apps that USE those APIs are the ones that route the data.
The apps on the thread
* AntHalService
* XiaomiServiceFramework
* Cleanmaster
* com.xiaomi.gamecenter.adk.service
* com.duokan.airkan.phone
Click to expand...
Click to collapse
None of them are Google apps. All of them are 3rd party. For example, my nexus 4 with stock Android doesn't have these apps, therefore no data is sent.

nerotNS said:
It's not the same as the API itself is not the thing that sends the data. The apps that USE those APIs are the ones that route the data.
The apps on the thread
None of them are Google apps. All of them are 3rd party.
Click to expand...
Click to collapse
An app has not to be Google proprietary. Android is!!! Are you aware of what info are sent out of your android phone without you will be able to intercept them? You are right, apps are sending info, as also Google per se are collecting info, all the time. Please, don't believe me, actually I'm suggesting you not to believe me, but sooner or later, you'll see! There is no firewall, root, or any other trick able to stop them or control them! The only way is to strip Android apart, and recreate a new API, but then, bye bye functionality!

setmov said:
An app has not to be Google proprietary. Android is!!! Are you aware of what info are sent out of your android phone without you will be able to intercept them? You are right, apps are sending info, as also Google per se are collecting info, all the time. Please, don't believe me, actually I'm suggesting you not to believe me, but sooner or later, you'll see! There is no firewall, root, or any other trick able to stop them or control them! The only way is to strip Android apart, and recreate a new API, but then, bye bye functionality!
Click to expand...
Click to collapse
Android is open source, if there were serious security exploits they would have already been found and patched out. If not by Google itself, then by 3rd party developers. It's true that Google collects data like your location, but ONLY if you allow it. Also, even if you're correct, disabling the internet will help anyone who's paranoid enough. Besides, the xiaomi thread deals in stuff a lot more serious (eg. money) than the misc data such as the % of time you spent playing a game. All in all, while it's possible to exploit Android and steal data from incautious users, Android as a system doesn't sell or give your key info (user, pass, card no etc.) to anyone.

nerotNS said:
Android is open source, if there were serious security exploits they would have already been found and patched out. If not by Google itself, then by 3rd party developers. It's true that Google collects data like your location, but ONLY if you allow it. Also, even if you're correct, disabling the internet will help anyone who's paranoid enough. Besides, the xiaomi thread deals in stuff a lot more serious (eg. money) than the misc data such as the % of time you spent playing a game. All in all, while it's possible to exploit Android and steal data from incautious users, Android as a system doesn't sell or give your key info (user, pass, card no etc.) to anyone.
Click to expand...
Click to collapse
That's right, we don't have to be afraid of Google to use our data like Xiaomi, but....here is what I know for sure:
(copied from Xiaomi thread)
The point is that is not important what OS you are using, or what is the phone manufacturer. All of them send your data to their "masters". Said that, let's take a look at google. The first time you boot your precious phone, and you connect to the net, Google will receive your IMEI, your phone number, your location (based on network or gps, depends) an all the data you have on your phone. Ok, I know, I know, they are the owners of the Android OS, and they can do whatever they want, and you will never know what they are doing if you have a stock rom, You will not know what they are doing as a power user with highly customized rom as well. Why? Well, because their API. To be clear, the API, also known as "application programming interface (API) specifies a software component in terms of its operations, their inputs and outputs and underlying types. Its main purpose is to define a set of functionalities that are independent of their respective implementation, allowing both definition and implementation to vary without compromising each other.(as per wikipedia)" in not always an "open source project" and the Android core platform API is not "open source" at all, even in the "AOSP" project. The point is that when you use an android platform, if you want it or not, Google receive your data. Let me go further....a month or so ago, Google has implemented their Gmail policy, and started a new monitoring program against pedophilia, and at my point of view, this is a good thing, but, you have to know what's going on. actually they scan every email in your inbox and to or from their Gmail service searching for clues. If they find something, then you're screwed, because they know who you are. Believe me, they know! But this is not the point, so, where they store all the infos on you, and your Gmail account, when they find nothing? Oh, of course on their servers in the US!!! Based on the Patriot Act, the "Agencies" do not need any kind of "court order" to take a peek inside your life. They can do whatever they want, and actually they are doing it. Google will never say NO, and it's obvious why. Based on what is above mentioned, all the US based companies do the same. Unfortunately, the most of the world use Android, even if the manufacturer is Chinese or Vietnamese or whatever else. If you strip Android apart because all of that and you want your privacy back, you will find an interesting thing, that your Android will no more work correctly, and you will find it unusable. This is exactly because the core functionalities that spy on us. We can discuss this as much as we want, but these are facts. To be completely sure that no one is spying on you, someone would have to rebuild the whole Android system, but without a lot of money and the right "crew" this will never happen. Same thing you can expect from Apple (no need to mention the leakage of their cloud system) or Microsoft. Xiaomi, also use services that need your personal data...cloud, sms, mms, whatever, and by buying their product you agreed with them. They will not stole your credit card, but their "agencies" will know who you are, and what you do. But, to be honest, they will do you nothing if you are a non-Chinese citizen. I have never seen Chinese Agencies doing something to the rest of the world, but I have seen US agencies doing bad things to their citizens and the rest of the world. So, let's be honest and admit it, as much as we talk about laws, no one is protected by them. If you are gonna buy a phone, you have to face the fact that you will be under surveillance and monitored. If you have the luck and you live in Switzerland, then you're ok, if not, well....face it, you are SOL. You have just to understand that no provider, manufacturer or OS developer will never solve this issue, because there is no interest.
About AOSP: (from their site!!!)
- First, the software gets built into a system image for a device, and put through various forms of certification, including government regulatory certification for the regions the phones will be deployed. It also goes through operator testing. -really? YES!
- Once the release is approved by the regulators and operators, the manufacturer begins mass producing devices, and we turn to releasing the source code. hmm....
- In some releases, core platform APIs will be ready far enough in advance that we can push the source code out for an early look in advance of the device's release; however in others, this isn't possible. - hahahaha, ask yourself why!!!
And this is just for start. This is not an app-related issue, we are talking about Android CORE! I love Android, I am using it actively and I am happy with it, it's just that sometimes I feel that this is not fair, but hey, who am I to told them what is or it's not fair? Is not a matter of OS, nor device. All have the same core functionality! NO PRIVACY for them! Accept it or not, these are facts.

I'll start with this:
First, the software gets built into a system image for a device, and put through various forms of certification, including government regulatory certification for the regions the phones will be deployed. It also goes through operator testing. Once the release is approved by the regulators and operators, the manufacturer begins mass producing devices.
Click to expand...
Click to collapse
Government regulatory certification means that the device being certified is built in compliance with the laws of a specific country. That includes building materials, but is mostly focused on radio frequencies. This is to ensure that you don't get a "wild" device with random frequencies (since it has various radios for ex. GSM, GPS, Wi-Fi etc.) which can disrupt the normal functionality of a GSM tower for example. It also ensures that the device is safe (that's what we need FCC for), in terms of radio waves radiation. Operator testing means that when the device is being sold via a carrier like Verizon, AT&T etc., it is compliant with their proprietary software (more commonly known as bloatware) as well as that the device will work properly on their frequency bands. This is the main reason OTAs for Carrier devices are usually quite late compared to the "stock" or OEM devices.
Now about that Gmail scanning service, it doesn't mean that they STORE the results of the scan, they could be read only, meaning that their bot goes over the contents, but doesn't save anything on their servers (this was an issue earlier, but due to lawsuits, Google had to stop saving data, and delete the data already saved).
Next, it's true that Google receives your IMEI, but only AFTER you log in to your Google account. And this is not that they can sell it to someone, but to help identify that particular device on your account for uses of Google services (for example the Google Play web interface; if you had two same device models on your account how would you know which is which?), and IMEI is easy to get and since it's unique it fits the purpose. Your location is used for the same purpose, and even that is not pinpointed exact location but approximate location (which serves the purpose, but isn't intrusive). There is also the use of services such as the Android Device Manager which is a good thing, since it helps find and lock lost/stolen devices. Again, for this you need a unique identifier, and location (in this case precise).
Also, depending on your country of residence they DO have to get at least a court order with reasons for the investigation in order to access your files.
Further down the road, an API can't do anything by itself, it's sort of something that enables an APP to do something. Now that's a big difference, because you can't say "That API sent my data". It' the app that USES the specific API that transmits the data to a 3rd party. That's two worlds apart, because an app we can easily block via a firewall or even delete it completely if we find the need to.
Finally, agencies such as the NSA, FBI, or any other state agency don't have much interest in an ordinary person. There just isn't much to find about a regular citizen, as they don't really care about your every day life (setting up private meetings, sending pics to each other etc.).

nerotNS said:
I'll start with this:
Government regulatory certification means that the device being certified is build and in compliance with the laws of the specific country. That includes building materials, but is mostly focused on radio frequencies. This is to ensure that you don't get a "wild" device with random frequencies (since it has various radios for ex. GSM, GPS, Wi-Fi etc.) which can disrupt the normal functionality of a GSM tower for example. It also ensures that the device is safe (that's what we need FCC for), in terms of radio waves radiation. Operator testing means that when the device is being sold via a carrier like Verizon, AT&T etc., it is compliant with their proprietary software (more commonly known as bloatware) as well as that the device will work properly on their frequency bands. This is the main reason OTAs for Carrier devices are usually quite late compared to the "stock" or OEM devices.
Now about that Gmail scanning service, it doesn't mean that they STORE the results of the scan, they could be read only, meaning that their bot goes over the contents, but doesn't save anything on their servers (this was an issue earlier, but due to lawsuits, Google had to stop saving data, and delete the data already saved).
Next, it's true that Google receives your IMEI, but only AFTER you log in to your Google account. And this is not that they can sell it to someone, but to help identify that particular device on your account for uses of Google services (for example the Google Play web interface; if you had two same device models on your account how would you know which is which?), and IMEI is easy to get and since it's unique it fits the purpose. Your location is used for the same purpose, and even that is not pinpointed exact location but approximate location (which serves the purpose, but isn't intrusive). There is also the use of services such as the Android Device Manager which is a good thing, since it helps find and lock lost/stolen devices. Again, for this you need a unique identifier, and location (in this case precise).
Also, depending on your country of residence they DO have to get at least a court order with reasons for the investigation in order to access your files.
Further down the road, an API can't do anything by itself, it's sort of something that enables an APP to do something. Now that's a big difference, because you can't say "That API sent my data". It' the app that USES the specific API that transmits the data to a 3rd party. That's two worlds apart, because an app we can easily block via a firewall or even delete it completely if we find the need to.
Finally, agencies such as the NSA, FBI, or any other state agency don't have much interest in an ordinary person. There just isn't much to find about a regular citizen, as they don't really care about your every day life (setting up private meetings, sending pics to each other etc.).
Click to expand...
Click to collapse
@nerotNS I am not going to make a discussion with you, on some points you are right, on others, you're very wrong! I would love to be like you!

So, between you, you seem to be saying that an android phone can definitely send info to Google via an app, but you disagree on whether there is anything built into the API which sends info to Google independently of any app which can be clearly seen in the OS. I am wondering if there is anyone who actually knows the answer to this, through being involved in the development of the OS, other than a Google employee who may not be free to tell the truth, if the answer would be unpopular. I wonder if a user can be free of their snooping simply by not opening an account or using any of their products, or whether the only solution is to wait for a truly independent developer to produce a stable, quality device?
QUOTE=nerotNS;56965212]I'll start with this:
Government regulatory certification means that the device being certified is built in compliance with the laws of a specific country. That includes building materials, but is mostly focused on radio frequencies. This is to ensure that you don't get a "wild" device with random frequencies (since it has various radios for ex. GSM, GPS, Wi-Fi etc.) which can disrupt the normal functionality of a GSM tower for example. It also ensures that the device is safe (that's what we need FCC for), in terms of radio waves radiation. Operator testing means that when the device is being sold via a carrier like Verizon, AT&T etc., it is compliant with their proprietary software (more commonly known as bloatware) as well as that the device will work properly on their frequency bands. This is the main reason OTAs for Carrier devices are usually quite late compared to the "stock" or OEM devices.
Now about that Gmail scanning service, it doesn't mean that they STORE the results of the scan, they could be read only, meaning that their bot goes over the contents, but doesn't save anything on their servers (this was an issue earlier, but due to lawsuits, Google had to stop saving data, and delete the data already saved).
Next, it's true that Google receives your IMEI, but only AFTER you log in to your Google account. And this is not that they can sell it to someone, but to help identify that particular device on your account for uses of Google services (for example the Google Play web interface; if you had two same device models on your account how would you know which is which?), and IMEI is easy to get and since it's unique it fits the purpose. Your location is used for the same purpose, and even that is not pinpointed exact location but approximate location (which serves the purpose, but isn't intrusive). There is also the use of services such as the Android Device Manager which is a good thing, since it helps find and lock lost/stolen devices. Again, for this you need a unique identifier, and location (in this case precise).
Also, depending on your country of residence they DO have to get at least a court order with reasons for the investigation in order to access your files.
Further down the road, an API can't do anything by itself, it's sort of something that enables an APP to do something. Now that's a big difference, because you can't say "That API sent my data". It' the app that USES the specific API that transmits the data to a 3rd party. That's two worlds apart, because an app we can easily block via a firewall or even delete it completely if we find the need to.
Finally, agencies such as the NSA, FBI, or any other state agency don't have much interest in an ordinary person. There just isn't much to find about a regular citizen, as they don't really care about your every day life (setting up private meetings, sending pics to each other etc.).[/QUOTE]
So, between you, you seem to be saying that an android phone can definitely send info to Google via an app, but you disagree on whether there is anything built into the API which sends info to Google independently of any app which can be clearly seen in the OS. I am wondering if there is anyone who actually knows the answer to this, through being involved in the development of the OS, other than a Google employee who may not be free to tell the truth, if the answer would be unpopular. I wonder if a user can be free of their snooping simply by not opening an account or using any of their products, or whether the only solution is to wait for a truly independent developer to produce a stable, quality device?

It's not about API, it's about what data apps can access and what is sent over the internet, and it actually goes much further than what most people think.
Use apps like Network Log or Network Connections and give Wire Shark a try, and track which IPs apps connect to.
You'll be surprised...
On my Samsung, after I had removed all the google spyware (erggghhh, I mean google apps) and about 150 stock apps, I saw that the kernel was connecting to some google related IPs and to google's DNS, eventhough I had set the phone to use Open DNS in the resolv.conf file, and that the android system was calling home (read "at google's central office in mountain view, California") everytime I connected (note that my phone had never been linked to any google account whatsoever).
Some of the IPs could easily be blocked by using a firewall script, but for some others and for the DNS leaks I had to patch some jars in /system/framework.
One thing is that it differs from phone to phone, I've checked on a Lenovo and there is much less of such unwanted connections.
Is it embedded in the AOSP code? Maybe, I don't use AOSP or CM based roms so I can't tell, but what I can tell is that it's funny to see people screaming about Xiamoi when it's the same elsewhere.
Anyway, if one wants to protect oneself it's possible albeit a bit involved.
First is first, root.
Second, use Xprivacy and a good firewall like AF+.
Then, make a script to block inbound and outbound disturbing IPs.
So, am I good to go now?
Not yet, let's get a step further...
You need now to decompile some of your system apps and some of your jars, and track lines refering to specific websites and DNS.
- Note that if you really are privacy concerned you should uninstall as many system apps as you can (only 11 left on my phone) and replace them with third part apps that are much easier to restrict and have less privileges. Forget about google spyware (erggghhh and sorry again, I mean google apps), facebook spyware-apk, what's app etc... -
That's it?
Still not, there's more!
Xprivacy is a fantastic tool, but due to android limitations it can't restrict ids for the android system.
Have tou ever heard of android.id, build.serial, ro.boot.serialno, ro.serialno etc.? And what about the serial_no and the mac in the efs folder? And the cpu info in proc? And the serial_number in sys?
- I'll deliberately stay vague on those matters, only people that know what they are doing should mess with that kind of stuff. -
Those are ids specific to your device and of course they identify you, that's what they are meant for!
An example, have a look at the wpa_supplicant.conf localised in data/misc/wifi. You'll see that it has your serial_number which means, and experts please correct me if I am wrong, that everytime you connect on the wifi your serial_number gets sent.
You want to change it manually?
Yeah sure, edit it directly from the file. Now start you wifi and check again the serial_number, you are back to the original value.:cyclops:
I'm not sure whether, if your firewall script is well done and if Xprivacy has been well configured (read "VERY restrictively configured"), those ids leaks or not, but since I like to have more than one protection layer I've edited all of them.
Some ids are easily changed using setpropex or an init script, some are harder and require boot.img editing, but I won't explain any further since as written above only people knowing what they do should play with that stuff.
If all of the above has been done I don't think that anyone can get much data from your phone, but I'm not a security expert and I'd like to hear what you guys think.
Note 1
Trust no one.
I found that apps I had created for testing purposes were requesting my serial, my MCC and my MNC upon installation, eventhough I hadn't given them access to that data neither in the code nor in the android manifest), and then I found that nearly all apps request the same.
Does it come from the IDEs (I have tried with two different brands and it was the same) or does it come from the android OS itself?
I have risen the issue here but nobody seemed interested and nobody blessed me with any relevant answer. Was it that they thought I was unworthy of their attention, or was it that they just didn't know? Or both? Who knows but once more I tell you, TRUST NOONE!!!!
Note 2
Someone said that the NSA and other agencies don't have much interest in a regular person which is true, but they nevertheless gather as much info as they can about as many people as they can, just in case.
In the 50's it was illegal to be a communist in the USA, if cell phones had existed at that time Mac Carthy would have found his job greatly eased.
During the Bush era it was either one was with him or one was against him and was dubbed a bad american (even if one wasn't a terrorist but simply agains Bush's policies), with Guantanamo around the corner if one was suspected of too much empathy with the arab victims.
What's next?
They decide what is subversive and what isn't, and maybe one day you could be subversive because you are against capitalism, or against globalisation, or sympathetic to the people that defend their land agains US invasions and US backed puppet governments.
Or because you rooted your phone?
Keep your eyes open and stay aware guys...

Well, you can always turn on Androids built in Device Encryption (if you don't mind slower r/w speeds). Combine that with a firewall and what you mentioned above and I think you're good.

"I completely agree with you. I have also tried to rise some awareness, but I keep seeing answers like "agencies don't have much interest in a regular person" and those are the first that are wrong (or are working for "someone")! "
Yeah, I've noticed the same, and they sometimes remain suspiciously silent on other subjects (like the questions I asked in my previous post or the issue I rose about illegitimate perms in home made apps), so I start to think the same than you.
Which means that we re back to the:
TRUST NOONE!
"when you first start your phone, and connect to the internet, in that very first moment, Google will receive your data, no matter what you did to restrict the leakage!"
True, that's why before to connect for the first time one should do the things I mentionned in post #12, plus some other settings that I will explain about in a soon to come tutorial on how to secure one's phone.
"You don't connect to internet? No problem, your operator will receive the same thing when you put their sim into your device!"
True again, but there's an easy way to bypass that.
First, don't give your real name when you buy a phone (sounds obvious but most people don't even think about it).
Second, don't give your real name when you buy a sim (same remark as above).
Third, with Xprivacy, AF+ Firewall, AppSettings, a firewall script, some init.d scripts etc. I don't think one's operator can get much in terms of private data out of the phone, apart from the sim imsi, the phone number and how many credits left there are.
To secure the internet connection use Tor, your operator will know that you use it but it won't know anything else.
It still knows who we are calling, for how long etc. when we use the phone functions and AFAIK there's no way to prevent that, except maybe by using those apps that encrypt communications (I can't comment on that since I don't use my phone to phone or to text, and anyway I don't believe in encryption, see below).
But then comes common sense and the TRUST NOONE concept, if you call mum for her birthday you can use your phone, if you want to make a sensitive call use a public phone.
"Are you "people" aware that Google has a direct line (yes a "red phone" connect directly with the gov.?"
Yep, the same applies to Microsoft and Skype, Facebook, Twitter, Apple etc.
It's true that they don't really care about us for now but still, they gather as much data as possible in case one day they need to chase people like you and me because of a new anti subversion law.
"And just to be fully clear, encryption will help you with the local thief, any gov. agency will break it in no time"
I agree with you, and I even think that encryption is dangerous cuz it gives people a false sense of security. I don't think there's any encryption that can resist a two storeys computer, and there probably are anyway backdoors everywhere regardless of what their devs claim.
The same applies to Linux, it has been compromised by the NSA since 2003.
Open source, the code can be reviewed blah blah, yeah, sure, and who reviews it?
Who has weeks to spend reading boring lines of code?
The schema is simple, as soon as you have an app, a website or an operating system, or whatever that becomes relatively popular, the men in black come knocking at your door.
Unless you have been clever enough to hide properly, but most of the time that's not the case (see how easily they caught silk road, how easily they trace anonymous hackers, the list goes endless).
You want another example?
After Snowden's revelation many so called secure emails have popped out here and there. I've tried quite a few and guess what?
You can't use most of them if you are on Tor with java script disabled. The funny thing being that you still can use gmail or yahoo without java script, interesting isn't it?
Now back to encryption, instead of using it once more one has to use one's common sense:
DO NOT store sensitive data in your phone, that's it.
If you have sensitive data keep it on an usb stick, or a hard disk, the idea is to have it on a support that is not web connected.
"do you think this is the work of some hacker: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance"
Hehehe, the only question is which men in black agency made it.
The US? China? Russia? The zionist? India?

unclefab said:
"I completely agree with you. I have also tried to rise some awareness, but I keep seeing answers like "agencies don't have much interest in a regular person" and those are the first that are wrong (or are working for "someone")! "
Yeah, I've noticed the same, and they sometimes remain suspiciously silent on other subjects (like the questions I asked in my previous post or the issue I rose about illegitimate perms in home made apps), so I start to think the same than you.
Which means that we re back to the:
TRUST NOONE!
"when you first start your phone, and connect to the internet, in that very first moment, Google will receive your data, no matter what you did to restrict the leakage!"
True, that's why before to connect for the first time one should do the things I mentionned in post #12, plus some other settings that I will explain about in a soon to come tutorial on how to secure one's phone.
"You don't connect to internet? No problem, your operator will receive the same thing when you put their sim into your device!"
True again, but there's an easy way to bypass that.
First, don't give your real name when you buy a phone (sounds obvious but most people don't even think about it).
Second, don't give your real name when you buy a sim (same remark as above).
Third, with Xprivacy, AF+ Firewall, AppSettings, a firewall script, some init.d scripts etc. I don't think one's operator can get much in terms of private data out of the phone, apart from the sim imsi, the phone number and how many credits left there are.
To secure the internet connection use Tor, your operator will know that you use it but it won't know anything else.
It still knows who we are calling, for how long etc. when we use the phone functions and AFAIK there's no way to prevent that, except maybe by using those apps that encrypt communications (I can't comment on that since I don't use my phone to phone or to text, and anyway I don't believe in encryption, see below).
But then comes common sense and the TRUST NOONE concept, if you call mum for her birthday you can use your phone, if you want to make a sensitive call use a public phone.
"Are you "people" aware that Google has a direct line (yes a "red phone" connect directly with the gov.?"
Yep, the same applies to Microsoft and Skype, Facebook, Twitter, Apple etc.
It's true that they don't really care about us for now but still, they gather as much data as possible in case one day they need to chase people like you and me because of a new anti subversion law.
"And just to be fully clear, encryption will help you with the local thief, any gov. agency will break it in no time"
I agree with you, and I even think that encryption is dangerous cuz it gives people a false sense of security. I don't think there's any encryption that can resist a two storeys computer, and there probably are anyway backdoors everywhere regardless of what their devs claim.
The same applies to Linux, it has been compromised by the NSA since 2003.
Open source, the code can be reviewed blah blah, yeah, sure, and who reviews it?
Who has weeks to spend reading boring lines of code?
The schema is simple, as soon as you have an app, a website or an operating system, or whatever that becomes relatively popular, the men in black come knocking at your door.
Unless you have been clever enough to hide properly, but most of the time that's not the case (see how easily they caught silk road, how easily they trace anonymous hackers, the list goes endless).
You want another example?
After Snowden's revelation many so called secure emails have popped out here and there. I've tried quite a few and guess what?
You can't use most of them if you are on Tor with java script disabled. The funny thing being that you still can use gmail or yahoo without java script, interesting isn't it?
Now back to encryption, instead of using it once more one has to use one's common sense:
DO NOT store sensitive data in your phone, that's it.
If you have sensitive data keep it on an usb stick, or a hard disk, the idea is to have it on a support that is not web connected.
"do you think this is the work of some hacker: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance"
Hehehe, the only question is which men in black agency made it.
The US? China? Russia? The zionist? India?
Click to expand...
Click to collapse
@unclefab finally someone with some common sense!!! BRAVO!!!!
I am really glad you have elaborated my post! Probably the most will not even see what we wrote here, but hey, someone maybe will be able to learn something new!
Again...BRAVO!!!!

unclefab said:
It's not about API, it's about what data apps can access and what is sent over the internet, and it actually goes much further than what most people think.
Use apps like Network Log or Network Connections and give Wire Shark a try, and track which IPs apps connect to.
You'll be surprised...
On my Samsung, after I had removed all the google spyware (erggghhh, I mean google apps) and about 150 stock apps, I saw that the kernel was connecting to some google related IPs and to google's DNS, eventhough I had set the phone to use Open DNS in the resolv.conf file, and that the android system was calling home (read "at google's central office in mountain view, California") everytime I connected (note that my phone had never been linked to any google account whatsoever).
Some of the IPs could easily be blocked by using a firewall script, but for some others and for the DNS leaks I had to patch some jars in /system/framework.
One thing is that it differs from phone to phone, I've checked on a Lenovo and there is much less of such unwanted connections.
Is it embedded in the AOSP code? Maybe, I don't use AOSP or CM based roms so I can't tell, but what I can tell is that it's funny to see people screaming about Xiamoi when it's the same elsewhere.
Anyway, if one wants to protect oneself it's possible albeit a bit involved.
First is first, root.
Second, use Xprivacy and a good firewall like AF+.
Then, make a script to block inbound and outbound disturbing IPs.
So, am I good to go now?
Not yet, let's get a step further...
You need now to decompile some of your system apps and some of your jars, and track lines refering to specific websites and DNS.
- Note that if you really are privacy concerned you should uninstall as many system apps as you can (only 11 left on my phone) and replace them with third part apps that are much easier to restrict and have less privileges. Forget about google spyware (erggghhh and sorry again, I mean google apps), facebook spyware-apk, what's app etc... -
That's it?
Still not, there's more!
Xprivacy is a fantastic tool, but due to android limitations it can't restrict ids for the android system.
Have tou ever heard of android.id, build.serial, ro.boot.serialno, ro.serialno etc.? And what about the serial_no and the mac in the efs folder? And the cpu info in proc? And the serial_number in sys?
- I'll deliberately stay vague on those matters, only people that know what they are doing should mess with that kind of stuff. -
Those are ids specific to your device and of course they identify you, that's what they are meant for!
An example, have a look at the wpa_supplicant.conf localised in data/misc/wifi. You'll see that it has your serial_number which means, and experts please correct me if I am wrong, that everytime you connect on the wifi your serial_number gets sent.
You want to change it manually?
Yeah sure, edit it directly from the file. Now start you wifi and check again the serial_number, you are back to the original value.:cyclops:
I'm not sure whether, if your firewall script is well done and if Xprivacy has been well configured (read "VERY restrictively configured"), those ids leaks or not, but since I like to have more than one protection layer I've edited all of them.
Some ids are easily changed using setpropex or an init script, some are harder and require boot.img editing, but I won't explain any further since as written above only people knowing what they do should play with that stuff.
If all of the above has been done I don't think that anyone can get much data from your phone, but I'm not a security expert and I'd like to hear what you guys think.
Note 1
Trust no one.
I found that apps I had created for testing purposes were requesting my serial, my MCC and my MNC upon installation, eventhough I hadn't given them access to that data neither in the code nor in the android manifest), and then I found that nearly all apps request the same.
Does it come from the IDEs (I have tried with two different brands and it was the same) or does it come from the android OS itself?
I have risen the issue here but nobody seemed interested and nobody blessed me with any relevant answer. Was it that they thought I was unworthy of their attention, or was it that they just didn't know? Or both? Who knows but once more I tell you, TRUST NOONE!!!!
Note 2
Someone said that the NSA and other agencies don't have much interest in a regular person which is true, but they nevertheless gather as much info as they can about as many people as they can, just in case.
In the 50's it was illegal to be a communist in the USA, if cell phones had existed at that time Mac Carthy would have found his job greatly eased.
During the Bush era it was either one was with him or one was against him and was dubbed a bad american (even if one wasn't a terrorist but simply agains Bush's policies), with Guantanamo around the corner if one was suspected of too much empathy with the arab victims.
What's next?
They decide what is subversive and what isn't, and maybe one day you could be subversive because you are against capitalism, or against globalisation, or sympathetic to the people that defend their land agains US invasions and US backed puppet governments.
Or because you rooted your phone?
Keep your eyes open and stay aware guys...
Click to expand...
Click to collapse
setmov said:
@unclefab - well said!!!
I completely agree with you. I have also tried to rise some awareness, but I keep seeing answers like "agencies don't have much interest in a regular person" and those are the first that are wrong (or are working for "someone")! Yes guys, when you first start your phone, and connect to the internet, in that very first moment, Google will receive your data, no matter what you did to restrict the leakage! You don't connect to internet? No problem, your operator will receive the same thing when you put their sim into your device! I am no developer, and I am not calling myself as such, but I know what I am talking from a security stand point! I am not a conspiracy theorist, and I will not tell you what I am doing for living, but definitely I know what I am talking about! Some times people are definitely dumb! Are you "people" aware that Google has a direct line (yes a "red phone" connect directly with the gov.?Are you aware what a little cookie can do? Are you aware why they use fake cell towers? Are you aware why they collect your data? Ads improvement? Service Improvement? Court orders? Really? Google isn't storing your data? Or Facebook even worse? Can't you really see what is going on? You can think I am an idiot, but as @unclefab said, trust no one! I am telling you this as a fairy tale, you can or can't believe me, but check for yourself and you'll see!
No you're not good to go! Not if you're trying to avoid gov. agencies! And just to be fully clear, encryption will help you with the local thief, any gov. agency will break it in no time (at this time only Lollipop is causing issues to decrypt) !!! But hey, you have any right to believe otherwise!
Just a little off topic example....do you think this is the work of some hacker: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance
Click to expand...
Click to collapse
unclefab said:
"I completely agree with you. I have also tried to rise some awareness, but I keep seeing answers like "agencies don't have much interest in a regular person" and those are the first that are wrong (or are working for "someone")! "
Yeah, I've noticed the same, and they sometimes remain suspiciously silent on other subjects (like the questions I asked in my previous post or the issue I rose about illegitimate perms in home made apps), so I start to think the same than you.
Which means that we re back to the:
TRUST NOONE!
"when you first start your phone, and connect to the internet, in that very first moment, Google will receive your data, no matter what you did to restrict the leakage!"
True, that's why before to connect for the first time one should do the things I mentionned in post #12, plus some other settings that I will explain about in a soon to come tutorial on how to secure one's phone.
"You don't connect to internet? No problem, your operator will receive the same thing when you put their sim into your device!"
True again, but there's an easy way to bypass that.
First, don't give your real name when you buy a phone (sounds obvious but most people don't even think about it).
Second, don't give your real name when you buy a sim (same remark as above).
Third, with Xprivacy, AF+ Firewall, AppSettings, a firewall script, some init.d scripts etc. I don't think one's operator can get much in terms of private data out of the phone, apart from the sim imsi, the phone number and how many credits left there are.
To secure the internet connection use Tor, your operator will know that you use it but it won't know anything else.
It still knows who we are calling, for how long etc. when we use the phone functions and AFAIK there's no way to prevent that, except maybe by using those apps that encrypt communications (I can't comment on that since I don't use my phone to phone or to text, and anyway I don't believe in encryption, see below).
But then comes common sense and the TRUST NOONE concept, if you call mum for her birthday you can use your phone, if you want to make a sensitive call use a public phone.
"Are you "people" aware that Google has a direct line (yes a "red phone" connect directly with the gov.?"
Yep, the same applies to Microsoft and Skype, Facebook, Twitter, Apple etc.
It's true that they don't really care about us for now but still, they gather as much data as possible in case one day they need to chase people like you and me because of a new anti subversion law.
"And just to be fully clear, encryption will help you with the local thief, any gov. agency will break it in no time"
I agree with you, and I even think that encryption is dangerous cuz it gives people a false sense of security. I don't think there's any encryption that can resist a two storeys computer, and there probably are anyway backdoors everywhere regardless of what their devs claim.
The same applies to Linux, it has been compromised by the NSA since 2003.
Open source, the code can be reviewed blah blah, yeah, sure, and who reviews it?
Who has weeks to spend reading boring lines of code?
The schema is simple, as soon as you have an app, a website or an operating system, or whatever that becomes relatively popular, the men in black come knocking at your door.
Unless you have been clever enough to hide properly, but most of the time that's not the case (see how easily they caught silk road, how easily they trace anonymous hackers, the list goes endless).
You want another example?
After Snowden's revelation many so called secure emails have popped out here and there. I've tried quite a few and guess what?
You can't use most of them if you are on Tor with java script disabled. The funny thing being that you still can use gmail or yahoo without java script, interesting isn't it?
Now back to encryption, instead of using it once more one has to use one's common sense:
DO NOT store sensitive data in your phone, that's it.
If you have sensitive data keep it on an usb stick, or a hard disk, the idea is to have it on a support that is not web connected.
"do you think this is the work of some hacker: http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance"
Hehehe, the only question is which men in black agency made it.
The US? China? Russia? The zionist? India?
Click to expand...
Click to collapse
You guys are way too paranoid. First off, if you're all into don't track us down, why are you using the Internet in the first place? Now for the technical part.
The kernel is trying to get the the DNS because guess what? DNS is needed for Internet connectivity. Android is a smartphone and many of its services rely on having an Internet connection. So it's rather normal that a system-level part is trying to establish a network connection. OEM kernels have more of this compared to AOSP because they use their proprietary services.
And sure, you can use 3rd party apps, but they too can contain tracking data, and prior to 4.4/5.0 core system apps were open source, and you still don't have to use gapps.
Next, you can't change hardware embedded data like serial numbers for a number of reasons, security being one of them. If it was that easy you could never track down stolen phones for example. Much like a motor engine serial number in a car. Same goes for IMEI. Then you spoke about the past. Things change over time, it's not the Cold War ETA anymore. Next yes, court orders. According to international law they DO NEED a court order to see your data. And even that is done only in high profile criminal cases. You can read quite a lot about privacy laws online.
Further, yes you ARE good to go. Androids built in encryption system is pretty tough. If your bootloader is locked down, you have no custom recovery, it ain't that easy to get to your data (excluding nexus devices, because of their development nature this can be relatively easily bypassed). Plus, they'd have to have physical access to your device.
They won't receive any of your "precious" data except your rough location and serial numbers as well as your IMEI that will be bound to your Google account. I've already explained why, plus it's for their statistics for example the number of active android devices, new Android device activations on a daily basis etc.
You say you don't use a real name when buying a phone? Well tell me then, what about ID cards? You fake them too when signing a contract? Buying a prepaid SIM card doesn't need a name anyway. And buying a phone? Same thing, unless bought on contract, in which case the ID card problem persists.
Calling encryption dangerous is ridiculous to say the least. And yes, even "two story computers" are gonna have a bad time cracking it. Ever heard of a 256-bit AES?
Finally saying that nobody reviews "boring source code" is ignorant if nothing else. There are tens of thousands of people PAID to do this. It's not a single guy doing it. Plus just because YOU find it boring, doesn't mean everybody else finds it boring too.
Conclusion: Yes, there are ways to compromise security and data. Yes you can block most of those ways. But this level of paranoia is ridiculous to say the least and sounds like something I'd see in a conspiracy TV commercial. Reading trough your posts here I half expected to see "The end is nigh. Hide your children!" kind of sentence. If you believe that we're all monitored, then throw your router trough the window, smash all your tech, and live in a candle lit room. But please don't spread unfounded fear on a public forum based purely on your assumptions, or on what you see on a TV.
Now setmov I'm speaking directly to you. Calling other people stupid because they don't agree with you is a direct violation of xda's rules. Please refrain from doing it again. Thanks in advance.

nerotNS said:
You guys are way too paranoid. First off, if you're all into don't track us down, why are you using the Internet in the first place? Now for the technical part.
The kernel is trying to get the the DNS because guess what? DNS is needed for Internet connectivity. Android is a smartphone and many of its services rely on having an Internet connection. So it's rather normal that a system-level part is trying to establish a network connection. OEM kernels have more of this compared to AOSP because they use their proprietary services.
And sure, you can use 3rd party apps, but they too can contain tracking data, and prior to 4.4/5.0 core system apps were open source, and you still don't have to use gapps.
Next, you can't change hardware embedded data like serial numbers for a number of reasons, security being one of them. If it was that easy you could never track down stolen phones for example. Much like a motor engine serial number in a car. Same goes for IMEI. Then you spoke about the past. Things change over time, it's not the Cold War ETA anymore. Next yes, court orders. According to international law they DO NEED a court order to see your data. And even that is done only in high profile criminal cases. You can read quite a lot about privacy laws online.
Further, yes you ARE good to go. Androids built in encryption system is pretty tough. If your bootloader is locked down, you have no custom recovery, it ain't that easy to get to your data (excluding nexus devices, because of their development nature this can be relatively easily bypassed). Plus, they'd have to have physical access to your device.
They won't receive any of your "precious" data except your rough location and serial numbers as well as your IMEI that will be bound to your Google account. I've already explained why, plus it's for their statistics for example the number of active android devices, new Android device activations on a daily basis etc.
You say you don't use a real name when buying a phone? Well tell me then, what about ID cards? You fake them too when signing a contract? Buying a prepaid SIM card doesn't need a name anyway. And buying a phone? Same thing, unless bought on contract, in which case the ID card problem persists.
Calling encryption dangerous is ridiculous to say the least. And yes, even "two story computers" are gonna have a bad time cracking it. Ever heard of a 256-bit AES?
Finally saying that nobody reviews "boring source code" is ignorant if nothing else. There are tens of thousands of people PAID to do this. It's not a single guy doing it. Plus just because YOU find it boring, doesn't mean everybody else finds it boring too.
Conclusion: Yes, there are ways to compromise security and data. Yes you can block most of those ways. But this level of paranoia is ridiculous to say the least and sounds like something I'd see in a conspiracy TV commercial. Reading trough your posts here I half expected to see "The end is nigh. Hide your children!" kind of sentence. If you believe that we're all monitored, then throw your router trough the window, smash all your tech, and live in a candle lit room. But please don't spread unfounded fear on a public forum based purely on your assumptions, or on what you see on a TV.
Now unclefab I'm speaking directly to you. Calling other people stupid because they don't agree with you is a direct violation of xda's rules. Please refrain from doing it again. Thanks in advance.
Click to expand...
Click to collapse
@nerotNS
- First thing, I've wrote "Some times people are definitely dumb!" not @unclefab! Please prove me that what I wrote is not right!
- Second, everything WE said is right! Why are you trying so hard prove it otherwise?
- Third, you can see what you have the ability to see! Maybe in your country the prosecutors, law enforcement agencies or else, need a court order, in the US they don't! You know why? Because of Patriot Act! Maybe you don't even know what this is, and you haven't seen the effect of it, but this doesn't mean it not exist!
- Fourth, you have your believes, and I have mine, so I will respect that and not try to change yours, and for me this discussion is over!
To the OP @jaifora, men, believe what you want, you have the right to!
Good luck

@neronS
"Things change over time, it's not the Cold War ETA anymore. Next yes, court orders. According to international law they DO NEED a court order to see your data. And even that is done only in high profile criminal cases. You can read quite a lot about privacy laws online. "
Saying that shows that you are either very young, or that you have never left your home town, or both.
It's not the cold war anymore, true, now it's the so called war on terror, the US allways need to have an ennemy (before that back in the 90's it was the war on narcotics, but you may have not heard about it).
International laws you said?
You think the States care about those laws?
Did they care about it when the UN said that the invasion in Iraq violates such international laws?
Have you heard about the Abou Ghaib jail? That was another nice example on how international laws are followed by the States.
Apart from that, have you heard about corrupted indian officials tracking indian facebook users that expose their scamms?
Have you heard about that indonesian atheist that got severely beaten up by an angry mob because he had declared on his facebook account that he doesn't believe in god, and that endded up in jail (the atheist, not the mob) for blasphemy?
Have you heard about that bangladeshi blogger that may be executed cuz he wrote on his blog that he's an atheist?
You want more examples?
Oh yeah, I almost forgot, the states, the country of freedom and democracy, the country where you need a court order.
What a joke!
Have you heard about all what the US did these last 200 years? And have you heard about what the US is currently doing in 2014?
I guess you didn't, hence your last reply...
But as for me I did, and that's why I can't trust such a country. That said, I can't trust the european, the chinese, the indian or the russian either, not to mention the middle eastern, as I already said I trust NOONE...
"They won't receive any of your "precious" data except your rough location and serial numbers as well as your IMEI that will be bound to your Google account."
Really?
What about permissions like access fine location (precise gps location), read sms, send sms without the user's knowledge, write sms, read bookmarks, write bookmarks, read contats, write contacts, read call log, write call log, read contact card, read user dictionary, get accounts on the device, perms that can be found in apps where such perms are not needed, you want more?
Have a look at all the data leakage when you connect to the internet, and you'll see that it's not only about a few digits...
"You say you don't use a real name when buying a phone? Well tell me then, what about ID cards? You fake them too when signing a contract? Buying a prepaid SIM card doesn't need a name anyway. And buying a phone? Same thing, unless bought on contract, in which case the ID card problem persists. "
You have just proved once more that you have never been away from home.
The vast majority of android users are people from emerging countries where one can buy a phone without giving one's name (so no need to fake anything) and the same applies for the sim.
Those people are not rich arrogant westerners, who think they know everything because mum and dad sent them to a good school, and they don't have any subscription cuz in most of those countries it doesn't exist or if it does it's very limited.Those people buy prepaid credits when they have money, that's it.
How many people in the States? 315 millions.
How many people in western Europe? About 300 millions.
Add Canada, 30, Australia, 20, how many is that?
India, 1.2 billion or even more.
China, 1.2 billion and counting.
Africa, nearly 1 billion.
Indonesia, 250 millions.
Maybe you should leave your hometown and travel a bit, the world doesn't end in the west's boundaries.
"Finally saying that nobody reviews "boring source code" is ignorant if nothing else. There are tens of thousands of people PAID to do this. It's not a single guy doing it. Plus just because YOU find it boring, doesn't mean everybody else finds it boring too. "
Do a search with "linux kernel nsa", you will learn a lot.
" don't spread unfounded fear on a public forum based purely on your assumptions, or on what you see on a TV. "
Well, I haven't seen it on the tv, I have seen it on the field and I know very well what human beings are capable of, which you obviously don't.
So please, don't spread unfounded reinsurance that everything goes fine, that google and the governments are ok, just because a guy talking on their behalf on the tv said they are.
Then, you can call me a conspirationist or whatever, I don't care, I didn't write those posts for people like you but for people that have their eyes open.
"Now unclefab I'm speaking directly to you. Calling other people stupid because they don't agree with you is a direct violation of xda's rules. Please refrain from doing it again. Thanks in advance"
Where did I call anyone "stupid?
You, on the contrary, said that:
"Finally saying that nobody reviews "boring source code" is ignorant if nothing else".
So son, instead of playing mister moderator maybe YOU should watch a bit your language.
Ah the kids of today...:silly:

unclefab said:
@neronS
"Things change over time, it's not the Cold War ETA anymore. Next yes, court orders. According to international law they DO NEED a court order to see your data. And even that is done only in high profile criminal cases. You can read quite a lot about privacy laws online. "
Saying that shows that you are either very young, or that you have never left your home town, or both.
It's not the cold war anymore, true, now it's the so called war on terror, the US allways need to have an ennemy (before that back in the 90's it was the war on narcotics, but you may have not heard about it).
International laws you said?
You think the States care about those laws?
Did they care about it when the UN said that the invasion in Iraq violates such international laws?
Have you heard about the Abou Ghaib jail? That was another nice example on how international laws are followed by the States.
Apart from that, have you heard about corrupted indian officials tracking indian facebook users that expose their scamms?
Have you heard about that indonesian atheist that got severely beaten up by an angry mob because he had declared on his facebook account that he doesn't believe in god, and that endded up in jail (the atheist, not the mob) for blasphemy?
Have you heard about that bangladeshi blogger that may be executed cuz he wrote on his blog that he's an atheist?
You want more examples?
Oh yeah, I almost forgot, the states, the country of freedom and democracy, the country where you need a court order.
What a joke!
Have you heard about all what the US did these last 200 years? And have you heard about what the US is currently doing in 2014?
I guess you didn't, hence your last reply...
But as for me I did, and that's why I can't trust such a country. That said, I can't trust the european, the chinese, the indian or the russian either, not to mention the middle eastern, as I already said I trust NOONE...
"They won't receive any of your "precious" data except your rough location and serial numbers as well as your IMEI that will be bound to your Google account."
Really?
What about permissions like access fine location (precise gps location), read sms, send sms without the user's knowledge, write sms, read bookmarks, write bookmarks, read contats, write contacts, read call log, write call log, read contact card, read user dictionary, get accounts on the device, perms that can be found in apps where such perms are not needed, you want more?
Have a look at all the data leakage when you connect to the internet, and you'll see that it's not only about a few digits...
"You say you don't use a real name when buying a phone? Well tell me then, what about ID cards? You fake them too when signing a contract? Buying a prepaid SIM card doesn't need a name anyway. And buying a phone? Same thing, unless bought on contract, in which case the ID card problem persists. "
You have just proved once more that you have never been away from home.
The vast majority of android users are people from emerging countries where one can buy a phone without giving one's name (so no need to fake anything) and the same applies for the sim.
Those people are not rich arrogant westerners, who think they know everything because mum and dad sent them to a good school, and they don't have any subscription cuz in most of those countries it doesn't exist or if it does it's very limited.Those people buy prepaid credits when they have money, that's it.
How many people in the States? 315 millions.
How many people in western Europe? About 300 millions.
Add Canada, 30, Australia, 20, how many is that?
India, 1.2 billion or even more.
China, 1.2 billion and counting.
Africa, nearly 1 billion.
Indonesia, 250 millions.
Maybe you should leave your hometown and travel a bit, the world doesn't end in the west's boundaries.
"Finally saying that nobody reviews "boring source code" is ignorant if nothing else. There are tens of thousands of people PAID to do this. It's not a single guy doing it. Plus just because YOU find it boring, doesn't mean everybody else finds it boring too. "
Do a search with "linux kernel nsa", you will learn a lot.
" don't spread unfounded fear on a public forum based purely on your assumptions, or on what you see on a TV. "
Well, I haven't seen it on the tv, I have seen it on the field and I know very well what human beings are capable of, which you obviously don't.
So please, don't spread unfounded reinsurance that everything goes fine, that google and the governments are ok, just because a guy talking on their behalf on the tv said they are.
Then, you can call me a conspirationist or whatever, I don't care, I didn't write those posts for people like you but for people that have their eyes open.
"Now unclefab I'm speaking directly to you. Calling other people stupid because they don't agree with you is a direct violation of xda's rules. Please refrain from doing it again. Thanks in advance"
Where did I call anyone "stupid?
You, on the contrary, said that:
"Finally saying that nobody reviews "boring source code" is ignorant if nothing else".
So son, instead of playing mister moderator maybe YOU should watch a bit your language.
Ah the kids of today...:silly:
Click to expand...
Click to collapse
setmov said:
@nerotNS
- First thing, I've wrote "Some times people are definitely dumb!" not @unclefab! Please prove me that what I wrote is not right!
- Second, everything WE said is right! Why are you trying so hard prove it otherwise?
- Third, you can see what you have the ability to see! Maybe in your country the prosecutors, law enforcement agencies or else, need a court order, in the US they don't! You know why? Because of Patriot Act! Maybe you don't even know what this is, and you haven't seen the effect of it, but this doesn't mean it not exist!
- Fourth, you have your believes, and I have mine, so I will respect that and not try to change yours, and for me this discussion is over!
To the OP @jaifora, men, believe what you want, you have the right to!
Good luck
Click to expand...
Click to collapse
I apologize for the mistype I didn't mean unclefab, I meant setmov with his "stupidity" remark.
As for you, I HAVE been around the world quite a lot more than you think. And in case you haven't noticed, I said that you need to give your name ONLY if on contract. I even said that using prepaid doesn't include this. And even according to the Patriot Act they still DO NEED at least a search warrant, otherwise it would be breaking the US Constitution. All the examples you gave above may be true, but you forgot to mention the fact that it was all placed PUBLICLY AND WILLINGLY. The aftermath is a completely unrelated thing. And yes, even though I am 18 I k of quite a lot of the matter as well as other things. Assuming something about someone based on age is immature to say the least. And finally you told me to search Linux kernel NSA. Mate, if you believe everything on Google, I hope you have anti alien cannons in your house. Also claiming that westerners are "rich and arrogant" is considered nationalism. Don't do it, it's bad. Plus everything I learned, I learned on my own. Not in a "good school". As setmov said, as far as I'm concerned the discussion is over, I don't want this to become a public fight. If you wish further talk, you can contact me in a PM.

[Q] How can i encrypt my calls and txt's?

hey guys so i live in australia where the have just passed insane metadata laws so that all data is being recorded for two years.. needles to say im not ok with this...
so what are my best options to get around this..when it comes to my phones metadata, calls and txt where should i be looking to find out how to properly obscure/mask my "digital footprint" as much as possible.. theres a phone "crackberry" which is supposed to be the benchmark for mobile anonymity but how have they achieved this? i have a rooted s5 and am running
alliance rom atm, is there a rom more tweaked towards anonymity? if anyone could shed some light point me in the right direction id appreciate it a lot, not up to anything to sinister haha i just find the laws disgusting and as they say "If a law is unjust, a man is not only right to disobey it, he is obligated to do so."
also i have tor and orbot on my phone to spoof my data and im going to get a vpn so the data is relatively covered unless someone knows of a better way, the calls and texts i could use some advice on though,
thanks heaps

It doesn't work like that...
When texting or calling someone data is passing through telecom servers. They can capture it even if it is encrypted locally.
The best way to aviod this is to use end-to-end encryption. This means that you are sending an unreadable message that, when arrives at the person you sent it to can decrypt and read it. I know an app that does this : Telegram.
I can't confirm how secure it is but the claim it uses AES 256-bit encryption and to put that into perspective if a computer can check for 50 bilion bilion (yes two times) passwords per second it would take it about 36122309325124079509781952686314812514160097941930872097731852458341261780105924117378890514373779296875 years to crack.

I believe Telegram encrypts everything EXCEPT phone calls - the arena Apple and the Feds are fighting in.
Unfortunately, Apple's iOS built-in encryption is a light-year ahead of Android encryption. This is primarily because it is a completely closed system and Apple only has to improve encryption in iOS and all new iPhones get it intact.. With Android, Google has to build encryption into it's new Android update. Then it sends it out to all of the myriad android phone builders, who modify it for their specific phones, many designed to run on only a single provider's network. Then each phone builder has to send their new Android updates to every service provider. They, in turn, add their own service provider changes (like Verizon and AT&T, who add bootloader locking in a futile attempt to prevent their users from rooting their phones and putting in custom roms - search SafeStrap on this site for an app that provides a work-around for Verizon, AT&T, and even Amazon Fire). We need to pressure Google or one of the custom ROM developers to create voice encryption that is as unbreakable as Apple's and can be applied by anybody who roots his or her phone. C'mon developers. Here's a challenge. It's not even that hard to create an encryption routine that is, for all intents and purposes, unbreakable.
I created one years ago - designed for text only - that takes up a page and a half of either C or Java code. It can take anything from a blank password to the entire ASCII text of War and Peace. And, since it uses the password to advance a state machine before encryption begins and doesn't apply it to the cleartext, it can't be backed out of an encrypted message. Add a 64-bit configuration number and a 16-bit salt number (which increments on each character, but can be set to vary by a user-specified value every n characters) and then encrypt your cleartext using one set of pwd/numbers and re-encrypt the encrypted text using different parameters, and, with all the computers on earth working on it, it will still take far beyond the end of the universe to break by brute force. In fact, once I had used this in a client bank's system, I was required to give the NSA the source code to the algorithm (which, fortunately, will not give them ANY help on decrpytion {grin} ). The NSA will have to try more passes on the encrypted text than there are atoms in the universe.

Verizon to Push AppFlash to gather all the datas!

What absolute [email protected]
So... how do we get around this?
The First Horseman of the Privacy Apocalypse Has Already Arrived: Verizon Announces Plans to Install Spyware on All Its Android Phones
Within days of Congress repealing online privacy protections, Verizon has announced new plans to install software on customers’ devices to track what apps customers have downloaded. With this spyware, Verizon will be able to sell ads to you across the Internet based on things like which bank you use and whether you’ve downloaded a fertility app.
Verizon’s use of “AppFlash”—an app launcher and web search utility that Verizon will be rolling out to their subscribers’ Android devices “in the coming weeks”—is just the latest display of wireless carriers’ stunning willingness to compromise the security and privacy of their customers by installing spyware on end devices.
The AppFlash Privacy Policy published by Verizon states that the app can be used to
“collect information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them. We also access information about the list of apps you have on your device.”
Troubling as it may be to collect intimate details about what apps you have installed, the policy also illustrates Verizon’s intent to gather location and contact information:
“AppFlash also collects information about your device’s precise location from your device operating system as well as contact information you store on your device.”
And what will Verizon use all of this information for? Why, targeted advertising on third-party websites, of course:
“AppFlash information may be shared within the Verizon family of companies, including companies like AOL who may use it to help provide more relevant advertising within the AppFlash experiences and in other places, including non-Verizon sites, services and devices.”
In other words, our prediction that mobile Internet providers would start installing spyware on their customers’ phones has come true, less than 48 hours after Congress sold out your personal data to companies like Comcast and AT&T. With the announcement of AppFlash, Verizon has made clear that it intends to start monetizing its customers’ private data as soon as possible.
What are the ramifications? For one thing, this is yet another entity that will be collecting sensitive information about your mobile activity on your Android phone. It’s bad enough that Google collects much of this information already and blocks privacy-enhancing tools from being distributed through the Play Store. Adding another company that automatically tracks its customers doesn’t help matters any.
But our bigger concern is the increased attack surface an app like AppFlash creates. You can bet that with Verizon rolling this app out to such a large number of devices, hackers will be probing it for vulnerabilities, to see if they can use it as a backdoor they can break into. We sincerely hope Verizon has invested significant resources in ensuring that AppFlash is secure, because if it’s not, the damage to Americans’ cybersecurity could be disastrous.

AppFlash is just a custom bloated version of the Google Search Bar with intense focus on data mining. This is essentially a widget, which belongs to a package, which should be able to be disabled/uninstalled depending on its implementation. You may need a rooted phone to fully remove it from the system - but time will tell. Either way, this will end up in my pile of other Verizon 'Services/Apps' that are either uninstalled or frozen.
the_rev said:
But our bigger concern is the increased attack surface an app like AppFlash creates. You can bet that with Verizon rolling this app out to such a large number of devices, hackers will be probing it for vulnerabilities, to see if they can use it as a backdoor they can break into. We sincerely hope Verizon has invested significant resources in ensuring that AppFlash is secure, because if it’s not, the damage to Americans’ cybersecurity could be disastrous.
Click to expand...
Click to collapse
I find this comment amusing - eluding that 'hackers' don't probe every single aspect of a system and it's software, but now that this application is going to be pushed you better worry!

Calm down. The sky isn't falling yet.
"UPDATE: We have received additional information from Verizon and based on that information we are withdrawing this post while we investigate further. Here is the statement from Kelly Crummey, Director of Corporate Communications of Verizon: "As we said earlier this week, we are testing AppFlash to make app discovery better for consumers. The test is on a single phone – LG K20 V – and you have to opt-in to use the app. Or, you can easily disable the app. Nobody is required to use it. Verizon is committed to your privacy. Visit www.verizon.com/about/privacy to view our Privacy Policy.""
https://www.eff.org/deeplinks/2017/...e-has-already-arrived-verizon-announces-plans
Oh, and what can you do about it? You can vote every single individual in Congress that voted for repealing these protections out of office. Be vocal about this with friends and family. The general population does not understand this issue. I have answered so many questions like "So, if I clear my browser history this doesn't matter, right?" lately that it makes me sick to my stomach.

Averix said:
Oh, and what can you do about it? You can vote every single individual in Congress that voted for repealing these protections out of office. Be vocal about this with friends and family. The general population does not understand this issue. I have answered so many questions like "So, if I clear my browser history this doesn't matter, right?" lately that it makes me sick to my stomach.
Click to expand...
Click to collapse
This. Vote out every single person who voted to repeal what we've spent years fighting for. They let their own monetary gains guide their decisions and not what's best for the people, which is what their job is.
It's absolutely baffling to me how many people just don't give 2 fks about having companies mine personal and sensitive information about them. The classic "If you don't have anything to hide, then what does it matter" argument instantly enrages me.
Sent from my Samsung Galaxy S7 Edge using XDA Labs

just calm down.. I've been telling everyone about this for past 4 years.its not just this app.but hard bedded in every device..the only way to get rid of any of it is educate yourself on removing it. .as for the comment about hackers knowing the weaknesses.hes absolutely right...the good amd bad hackers.not all of us are bad.

All of this concern over potential "spyware" on our devices is laughable because some of you may be missing the big picture here. Regardless of carrier-introduced data capturing apps or malware, etc on the device itself, carriers already store all user data and wireless data transmissions, texts, etc. This data is accessed by whomever has the "authority" to access it. If you are a suspect in a homicide for example, the homicide detectives will get a quick signature from a judge to retrieve all of you phone records including gps, tower pings, internet, incoming & outgoing texts, etc. Who's to say who phone carriers share your regular data with? You can't prove if they do or don't.
Within the last few hours of Obama's presidency, he did the unthinkable by legalizing the sharing of intelligence and sensitive data between numerous intelligence agencies so they can all share sensitive data between one another at their whims. The obvious reason for this was to better mask the source of the information and blur the lines of responsibility for the data retrieved. Data not only from citizens, but from anyone in the government, FBI, CIA, NSA, etc is able to be retrieved at any time and used for legal purposes and even illegal purposes if you have been paying attention lately. We now get to enjoy complete invasion of privacy in our daily lives. Not just with our cell phones. I find this topic useless at this point. So I have to say... unless you're doing something illegal, you have nothing to be concerned about and electronic privacy is non-existent these days so don't let that fool you. Someone posted that my last sentence instantly infurates them... well this is the facts so be infurated my friend because it's the truth. Nobody is able to defeat the electronic data that is stored and accessed by those who have the "authority" to access it. Get over it.
As for defeating ads and stuff like that, well that's a different topic all together.

tx_dbs_tx said:
All of this concern over potential "spyware" on our devices is laughable because some of you may be missing the big picture here. Regardless of carrier-introduced data capturing apps or malware, etc on the device itself, carriers already store all user data and wireless data transmissions, texts, etc. This data is accessed by whomever has the "authority" to access it. If you are a suspect in a homicide for example, the homicide detectives will get a quick signature from a judge to retrieve all of you phone records including gps, tower pings, internet, incoming & outgoing texts, etc. Who's to say who phone carriers share your regular data with? You can't prove if they do or don't.
Within the last few hours of Obama's presidency, he did the unthinkable by legalizing the sharing of intelligence and sensitive data between numerous intelligence agencies so they can all share sensitive data between one another at their whims. The obvious reason for this was to better mask the source of the information and blur the lines of responsibility for the data retrieved. Data not only from citizens, but from anyone in the government, FBI, CIA, NSA, etc is able to be retrieved at any time and used for legal purposes and even illegal purposes if you have been paying attention lately. We now get to enjoy complete invasion of privacy in our daily lives. Not just with our cell phones. I find this topic useless at this point. So I have to say... unless you're doing something illegal, you have nothing to be concerned about and electronic privacy is non-existent these days so don't let that fool you. Someone posted that my last sentence instantly infurates them... well this is the facts so be infurated my friend because it's the truth. Nobody is able to defeat the electronic data that is stored and accessed by those who have the "authority" to access it. Get over it.
As for defeating ads and stuff like that, well that's a different topic all together.
Click to expand...
Click to collapse
The main issue is the blatant disregard by our government to even acknowledge the American people's privacy. Of course this all comes down to money and corruption as usual. For a simpler solution to a lot of these issues is remove all of the lobbyists, but I digress.

Look at it this way people. No one is pointing a gun at your head making you use cell phones social media, etc. If you don't want to be spied on buy a house in the mountains with no outside connections and enjoy life.

Is a hard reset on an iphone secure to delete a sophisticated government spyware

by sophisticated government attack i mean something with virtualization technologies, several masking and hiding capabilities like FinFishers solutions.
Does:
Updating to the newest version of ios
hard reset the phone
securely remove the spyware?
1) i see more as a bonus question that is not really needed, but might be interesting too.
I would thank you for a careful but practical answer, since this question relates to some "moving parts" like: "Is it possible to load a "real" update from an infected phone, or will a sophisticated attack redirect those requests" and if there is something you can do to prevent this etc. or the question whether a hard reset really deletes everything or if the spyware can somewhat hide in "blocked" or wrongly addressed areas of the storage and so on.
On the other hand i do know that there never is absolute certainty and would be more interested in a "probabilistic view".
Thanks to the Forum!

I think your question is pointing to widespread security problems with most technology. Manufacturers often use closed source software and the same goes for most of the hardware devices. This makes security very difficult and of course these weaknesses are now being exploited by state sponsors.
Stuxnet was a good example and well worth reading about.
https://en.m.wikipedia.org/wiki/Stuxnet
http://itmanager.blogs.com/notes/20...e-protected-the-iranians-against-stuxnet.html
It infects microcontroller chips that do memory management. The introduced code returns modified data, maybe not even on each read.
So if the phone internal memory uses these microcontroller chips then even loading a new rom wouldn't help. You have to be able to have access to the microcontroller firmware and introduce your own access certification. It is very difficult to do this at present as most of the hardware information is not available, both for phone and internal chips.
Unfortunately this means that state sponsors can take the devices apart, inspect chips with an electron microscope, thus obtain a lot of secret information for their hacks.
Having had stuxnet on a laptop I became interested in these problems.
Contaminated updates again depend on the resources available. These rely on https and code signing.
https://arstechnica.com/information...ate-authorities-conspire-to-spy-on-ssl-users/
http://www.crypto-it.net/eng/theory/software-signing.html
A contaminated update requires access to the certificates and a delivery method such as intercepting a request from a known ip address.
Many states have access to the certificates and the means to target downloads. Using tor for updating might give some protection, as would a system to compare your download with that obtained by other people. We don't have this working automatically yet as far as I know.
https://www.torproject.org/docs/verifying-signatures.html.en
Phones have a second operating system where code may not be secure.
http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone
https://www.rsaconference.com/event...ile-apt-how-rogue-base-stations-can-root-your
You can minimize risk by keeping a device in airplane mode and using a separate mifi device.
If you consider yourself an innocent target or just want to minimise risk then perhaps regularly buy second hand or new devices from shops, keep them in airplane mode, keep the necessary software to send by bluetooth and check the md5 sums.
Web browsers could be another security problem if they can run exploits, but this is probably outside the scope of your question.
Secure communications apps will probably work fine as long as they don't require updates. Beyond that, keep it all locked up in a safe you built yourself.

Database Info

welcome