Banking app: asking for new permissions - Security Discussion

My banking app stopped working 30 mins ago, and after I nuked the data/cache and got it working again, I caught the app asking for new permissions that I don't believe it asked for before:
TelephonyManager/getSimOperatorName - in my case o2
Settings.Secure.getString/android_id - same as asking for the serial, why does my bank need this.
PackageManager.getInstalledPackages - wtf does it need to know what apps are on my personal phone?
NetworkInfo.getExtraInfo - why does it need to know who my data provider is?
AdvertisingIdClient$Info.getId - why the actual f*** does a banking app or my bank need my advertising id.
TelephonyManager/getNetworkOperatorName - asking who my operator is again, why.
Fabric.with/Kits - not quite sure what this is, can't find anything beyond it's something to do with the Android SDK.
I am emailing my bank app support to see if I can get some straight answers, but in the meantime can someone tell me what "Fabric.with/Kits" is and why the app would be asking for this permission?

Yes, seems like a lot of unnecessary permissions, I'd be suspicious also. Though they might be using those permissions to increase security by "fingerprinting" your phone, thus making it harder for someone to impersonate you, though you can change your advertisers ID on newer Android versions, so maybe not! Or the app legitimately needs that info for some other reason. Also, app permissions fall into 2 categories, "normal" & "dangerous"; you are not asked to approve normal ones, only dangerous ones, e.g. access to contacts, network access etc. I'm not a dev so not sure if they have been moved to a new category now & that is why you are seeing them now. Maybe the permissions were added by the bank legitimately, but on the other hand they seem excessive to me.
The Fabric one might be OK as Fabric is a module framework that uses kits & is used by some developers to implement Crashlytics etc, but guess some kits could be used maliciously. (Google are pushing devs from Fabric to Firebase)
But if suspicious, give that app a scan with a good security app (not that this proves the app is safe!). Try the Sophos security app, it's free; it might identify if it's malicious but also gives a nice summary of permissions granted to all your apps.
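
The items listed in the first post are API calls rather than permissions, so the following added example (not part of the original posts) maps each call to the manifest permission that guards it, if any, and to that permission's protection level, which decides whether the user ever sees a prompt. The `target_sdk` parameter, the rule table layout and the contacts entry used for contrast are assumptions made for this illustration.

```python
# Added example, not from the thread: which manifest permission (if any) guards
# each API call named in the first post, and would Android prompt the user?

# Protection level of each permission referenced below. "dangerous" permissions
# are prompted at runtime (Android 6.0+); "normal" ones are granted silently.
PROTECTION_LEVEL = {
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.QUERY_ALL_PACKAGES": "normal",
    "com.google.android.gms.permission.AD_ID": "normal",
    "android.permission.READ_CONTACTS": "dangerous",
}

# Contrast entry (assumption, not in the thread): a call that IS permission-gated.
CONTACTS_QUERY = "ContentResolver.query(ContactsContract.Contacts.CONTENT_URI)"

# call -> list of (targetSdkVersion from which the rule applies, permission).
# An empty list means no permission guards the call.
API_RULES = {
    "TelephonyManager.getSimOperatorName": [],
    "TelephonyManager.getNetworkOperatorName": [],
    "Settings.Secure.getString(ANDROID_ID)": [],
    # Seeing every installed app needs this once the app targets Android 11.
    "PackageManager.getInstalledPackages":
        [(30, "android.permission.QUERY_ALL_PACKAGES")],
    # The NetworkInfo object is obtained through ConnectivityManager.
    "NetworkInfo.getExtraInfo":
        [(1, "android.permission.ACCESS_NETWORK_STATE")],
    # Apps targeting Android 13 must declare AD_ID to read the advertising ID.
    "AdvertisingIdClient.Info.getId":
        [(33, "com.google.android.gms.permission.AD_ID")],
    CONTACTS_QUERY: [(1, "android.permission.READ_CONTACTS")],
}

# The six data-access calls from the first post (Fabric.with is SDK start-up).
THREAD_CALLS = [
    "TelephonyManager.getSimOperatorName",
    "Settings.Secure.getString(ANDROID_ID)",
    "PackageManager.getInstalledPackages",
    "NetworkInfo.getExtraInfo",
    "AdvertisingIdClient.Info.getId",
    "TelephonyManager.getNetworkOperatorName",
]


def required_permissions(call, target_sdk):
    """Permissions the app must declare to make `call` at this targetSdkVersion."""
    if call not in API_RULES:
        raise ValueError(f"call not in rule table: {call}")
    return [perm for min_sdk, perm in API_RULES[call] if target_sdk >= min_sdk]


def audit(calls, target_sdk):
    """Return (call, permissions, what the user sees) for each call."""
    rows = []
    for call in calls:
        perms = required_permissions(call, target_sdk)
        levels = {PROTECTION_LEVEL[p] for p in perms}
        if "dangerous" in levels:
            seen = "runtime prompt"
        elif perms:
            seen = "granted at install, no prompt"
        else:
            seen = "no permission needed"
        rows.append((call, perms, seen))
    return rows


def runtime_prompts(calls, target_sdk):
    """Calls that cannot succeed unless the user approves a prompt."""
    return [c for c, _, seen in audit(calls, target_sdk) if seen == "runtime prompt"]


if __name__ == "__main__":
    for call, perms, seen in audit(THREAD_CALLS + [CONTACTS_QUERY], target_sdk=33):
        print(f"{call:62} {seen:30} {', '.join(perms) or '-'}")
```

None of the calls from the first post ends up behind a runtime prompt, which is consistent with the poster only noticing them through a monitoring tool.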

Related

[Q] Android app security

While I'm waiting for my GS2 (my first Android device) to be shipped I have been doing a little research into the apps and general security and was shocked to find that many apps actually leak private information and data back to ad servers. This scares me a little. I don't want my location, and other personal data being sent to places I haven't authorised.
Is there any way of being able to stop or block this or any way of identifying which apps do this? How can one know if a publisher of an app can be trusted?
I try to keep my PC locked down from this sort of thing and want to do so with my phone. I just want to be able to make an informed decision with Android.
There is an app called Permissions Denied that can do that.
When you download an app from the market, it tells you what permissions the app has to have. Most of the time, the permissions aren't for what you think. Internet connection is usually cause it has ads. Also, see what the apps are rated, and read the comments to see if the app is trustworthy.
[sig]I'm close to root, im patiently waiting on those puzzles[sig]
First thing I downloaded when I bought my EVO was Lookout mobile. Very good AntiVirus app with free features that Sprint is trying to sell with their own junk. Try it out.
Thanks for the comments guys. The thing is how do you really know that the app is not maliciously harvesting your data?
Take the Lookout Mobile app triagetoday mentioned above. Now, I'm only using this app as an example and am not saying that there is anything wrong with the app as I've not used it. But it makes a good example.
The app wants permissions for everything. Most user comments are positive, there are a few that say that they cannot uninstall it which is worrying but generally the comments are favourable. But how can I be sure that this app wasn't written to harvest data on the pretence that it's protecting your phone? In fact there is even one comment suggesting just that. I can't see anywhere where I can look at the source code so is it a case of blind faith and hope the publisher is not malicious?
After reading many reports about huge increase in malware on Android and data leakage it's a real concern on how to protect your data.

found app that keeps location private from google

Found an app called Location Cache Map in the market and it seems from what it says that it prevents maps and other apps from setting location data on the phone and clears map cache while still allowing full use of GPS functions. I tried it and it worked, though it takes an extra couple seconds to lock on.
Seems to work. You can see your stored location data with it even if you don't want to block location cache. Interested in hearing from others on if this seems to really be working.
Any aftermarket ROM does this.
Sent from my LG-P999 using XDA Premium App
Sure, if ya delete maps or something. Mine always still saved location data on my phone. This lets you use the functions without the phone saving cache data. I've never seen this function on any ROM I've used. But if so, I'd like to know how and save some time.
Has anyone else tried this?
Google has always kept this type of information---even before android. It's in their terms and conditions. Honestly, anyone who doesn't want to give Google access to this information, shouldn't use their phone.
You should, at minimum, have the choice to turn it off and delete the data that is stored on your phone readily.
Let's get real, corporations have too much freedom when it comes to using us as pawns. It should be an option to opt out, period. I use Google stuff cause I like the way it works, they don't need my location for that.
Sent from my HTC Vision using XDA App
Google's been collecting information rather openly for years. I just don't get why people are surprised they are collecting it with their phones too. It was never really a secret. There's no option to turn it off simply because that's the terms and conditions for use of the phone--that Google is entitled to access to your location as well as other information regarding how you use your phone. It honestly is like they're watching your every move. If you don't want access given to Google for this information, don't use the phone. That's literally your only option, and legally, Google is completely backed up on that. Now Apple, that's a different story. But Google has been doing these things ever since Google as a company was created, it's actually part of what has allowed them to grow. To know how their services are used and how their users function more or less.
I could really care less. Ask yourself. What is Google going to do with your information besides direct ads based on your interest. As long as Google execs aren't going to come track me down, I could really care less what data they collect. If you're worried about people collecting your data then don't ever buy anything off the internet or for that matter, don't ever use a credit card to make purchases.
Read this. It's a rant but it's how it REALLY is.
Grammar and spelling errors warning!!!
It doesn't matter what they are going to do with it. I have a right to privacy. The more you look into your specific settings for your Google and Gmail account, the more you'll see that a lot of what they ask for they don't tell you. They allow you to turn it off.... if you even know how or where to find it, or if you even know they are collecting it.
They keep much more than just location and basic data for ads. I'm not going to get into all of it because there's too much. Go look for yourself.
Basically these days to have a phone that's fun (smartphone) you are forced to choose iOS or Android. Both are bull**** when it comes to privacy. THAT'S WHY THEY ARE DEFENDING THEIR ASSES IN COURT!!! Just the fact that it has gotten to the point of major national news shows that it isn't just nothing. $500 million lawsuits aren't to be taken lightly.
And it's not just my privacy. Many MANY apps and services including Google's require access to many things that the app has absolutely no reason to have. There's a dev in the market called FREE WING, go download his permissions apps named after specific permissions, example: READ_PHONE_STATE, it shows you some of what that permission pulls from your phone such as your name, device ID, phone number, contacts, and more. SMS permission had not just the ability to "tell if I get a text" but has, and records, everything that was said, who sent it, and their numbers. Or go get an app called "Denied permissions", it will show you how many each app has and break them down and explain a little of how they work. Then use it to look at Google Docs app permissions. It shouldn't have the ability to change, delete, modify my account passwords, and that's just one of its BS permissions.
Any Facebook app that uses Facebook as an alternative log in gives that app by DEFAULT the ability to read my contacts, status, my FRIENDS' status and apps they are using, where they also go, their photos, mine, and more (go to the apps privacy settings on Facebook to find this stuff). My friends' apps on THEIR phone have access to MY personal information, just because we are associated in Facebook. NOT COOL! Facebook just told its game devs a couple days ago that they had like a week or something to change their games to prevent 3rd party apps that are associated with their games from accessing or keeping their patrons' information while they play their games.
Basically it comes down to my information can be accessed by places I didn't give the OK to or even have heard of. Google shares information with apps. Try reading the privacy policies for apps sometime (go read AppPack's - Highlight app and T-mobile Mall's app privacy policies). It's like the fine print that no one ever reads in contracts or car advertisements. It's there but no one takes the time.
Google used to be a damn search engine. Now they own Android, Google, Google Chrome OS (just came out), AdMob, and more. I'm ok with ads, and them having info I know I asked them to hold on to. I can't imagine what dirt someone could find on someone running for president in 10 years. Dirty pics from when someone texted them when they were 25, 18, 16. Or their online diary they kept for some reason. Things they said on a forum, damn I couldn't imagine my old MySpace stuff. Some of that could get me into trouble. I was a party animal at the time. Ya see where I'm going? Wouldn't have posted that stuff 10 years ago if I had known what I know now.
There's enough info of ours unintentionally online and accessible. Go google yourself. They don't need my location to boot.
Don't believe any of this? Then take some time to read what you are saying ok to. Some privacy policies are like when in those cartoons (devil and daniel mouse) the devil asks you to sign a contract in your own blood, but you forgot there was stuff written on the back page.
But you don't have a right to privacy.....you agreed to the terms and conditions of Google's use when you began using your phone. You signed those rights to privacy away when you signed that Google account into your phone (which, in fact is where the agreement to the terms and conditions lie). You installed Google Docs and said "yeah, it's okay if this app has access to these things." You update your Google apps every release of a new version. Apple is having issues with this yes, but that's because it was never previously a part of their terms, and they were doing it without customers' knowledge. Google is not having issues, will not have issues, and presented all that information to you upfront when you signed up for your Google account, well within your buyer's remorse. Likewise, they do have an option to opt out of "Location services" during most devices' initial setup procedures. I bet if anyone sued Google, they wouldn't even prepare a case. They'd refer the judge to the terms of your Google account or those permissions you were okay with.
Bottom line, Yes you have your right to privacy. But you can't give those rights away to Google or Facebook or whoever then complain about it. Those terms and conditions aren't just there for show, they create them for these specific reasons. It'd be like if I gave you my social security number, checking account number, and address and then was shocked when my identity was stolen and went to file a police report. Working for T-Mobile, I hear these types of arguments on a daily basis, but let me just say it hasn't once changed a thing. Once you agree to them, you can't change your mind until the terms are changed and presented to you again.
I've said it before and I'll say it again. If you like privacy, DO NOT USE A SMARTPHONE. You see, I use a smartphone because I could give two ****s less what Google has access to in my phone. There are only 9 numbers I don't want anyone having access to and let's be honest. I highly doubt Google is stealing our SS #'s.
A link to Google and the work it does for the NSA and CIA. They are more than a company pushing Internet mobile ads. Do not do anything with your phone that you do not want recorded and handed over to the government.
http://www.pcworld.com/article/188581/the_googlensa_alliance_questions_and_answers.html
Remember what Google and others did to people yearning for freedom in China.
http://www.nytimes.com/2006/02/15/technology/15cnd-internet.html

Question about android security

So I am just wondering, there are so many different apps for Android on the market, and most of them have a lot of access to the phone's functions. Now for example I am always logged in to Gmail, and theoretically can a random app scan and copy my Gmail's data and send it through the internet? Really curious..
Kblavkalash said:
Now for example I am always logged in to Gmail, and theoretically can a random app scan and copy my Gmail's data and send it through the internet? Really curious..
This question is not really an issue of Android security; this is a question about general security. Can an app look at your Gmail app directly and copy data and send it out...not exactly no, an app can't forcibly connect itself to another app to scan data.
However...
That question is actually not relevant because such a task is unnecessary for malicious apps. Let's say you install a malicious app that wants to copy your Gmail data. What it will do is not watch the app itself but it will watch the network packets being sent to and from the app, logging and tracking those.
This is not the only way to get the data though because any data saved on your sdcard is accessible from an app if you give it permission to do so.
The MOST important thing to look at when installing an app is the permissions the app is requesting when it installs. This can be confusing as well because some apps will request full internet access because they need it but this can also be used by a malicious app to steal your data.
The important thing to do is research. The more you learn about the app the better off you are.
-------
Just to clarify, this applies to all apps of any kind on any platform including but not limited to Android, iPhones, Blackberry, Windows Phone, WebOS, Windows PC, Mac OSX, Linux or etc. - ALWAYS learn as much as you can and are comfortable with before installing anything...if you are not comfortable with a particular app or learning more about it then don't install it. That is not to say it may be malicious, it is just to say it could be a bad idea for other reasons. (for example, if it is a developer tool or a configuration tool that you don't understand or haven't researched enough to understand...then you could potentially damage your device with something that is a legitimate tool)
Good answer, you are right! But you say do research before installing, but it's not really possible unless you are a programmer and checking the whole code. The best rated apps still have many different permission requirements and I have no idea what they are doing.
For example, an app can request a new password change, for example on PayPal, and steal packets which come to my Gmail about the new password.^^
Security Apps
Hi,
In my eyes the best way is to use programs like PDroid. You can adjust the rights of every app regarding sending SMS, for example.
LBE Privacy Guard may also be an option. (does not run on my device - SGS+)
(I use PDroid 2.0)
You should also read the comments in the store, and the needed rights from the app before install. The best apps to trust are open source apps.
Kblavkalash said:
Good answer, you are right! But you say do research before installing, but it's not really possible unless you are a programmer and checking the whole code. The best rated apps still have many different permission requirements and I have no idea what they are doing.
For example, an app can request a new password change, for example on PayPal, and steal packets which come to my Gmail about the new password.^^
Research generally involves a Google search...
Editor's Choice in the market are safe bets, you know, the blue icon.
But then there are the millions of other apps, and frankly, I tend to toe the app name plus xda for instance, Google will show you xda threads about the app, if the posts are normal, you can be sure it's not malicious.
Stuff like that...
Also, fake market comments are really easy to spot and are a dead giveaway
Sent from my GT-I9000 using xda premium

WTF subways

I downloaded the Subway app today & when I opened it I got this message. Question is why would the app look to see if I'm rooted?
It's not uncommon for apps that allow pre-payment or NFC payments to disable that function or not work at all if you're rooted. If all you want to do is find a store or look at the menu, root obviously wouldn't allow anything nefarious, but anything involving payment could be suspect if you're rooted (at least in their eyes).
Because with root it's possible to hack the device to alter digital transactions and steal money from the account on the phone.
Not sure why you'd want to rob your own bank account, but alas.
It's there for the same reason they put "Don't put your baby or cat in the microwave" warning labels on microwave ovens. Someone, somewhere (we all know where) will no doubt find a way to sue them over it if they don't slap a warning on it.

Internet Security apps

Hey !!
Do Android phones need antivirus or internet security as a must? If so provide me some links..
Thankxxxx in advance
The answer has been moved to a thread dedicated to security questions and other advice on safely modifying our Android devices
Here is the post
Raiz said:
It absolutely doesn't, please don't download them, those are mostly commercial sh*t apps full of ads that play with the fears of users.
Android security advice:
• Just don't install apps that you don't trust (apk files and weird looking Google Play apps)
• Never share your passwords with somebody not trusted, use a different one for each of your accounts.
Find more here:
https://forum.xda-developers.com/general/security
General security and privacy:
• a VPN isn't a magic app that allows you to go completely invisible, even I can find who you are simply by using your latest Instagram post, the government doesn't have money to spend spying on you anyway
• Public WiFi internet browsing is like taking a bath naked around other people, everybody can see what you're doing and can interact with your browsing by sending you pop up messages on your browser. In that case the VPN is useful. But please don't use anything other than your WiFi network to pay online.
• Change password at least once a year
• For God's sake be careful on what you share on social media!
• If someone blackmails you, just ignore him even if he shows you he has your real password/footage of you doing nasty things; most of the time they haven't and are trying to scare you. But take action on your account, just don't answer them.
• Not having any of your IRL info online is a good idea, but it tends to be more and more difficult because of Google Assistant, and other Google services that are super intrusive (I mean even with your YouTube Google knows your tastes better than your buds). But don't panic, if you're not a terrorist or a criminal you're not risking your life.
Keep in mind that your security is fine most of the time if you have solid passwords, and you don't give them away, but your privacy is not if you have a social media account of any type. If you post something on the internet, remember it'll stay forever out there, whatever you do!
Apps that I use to keep my Android phone in good health (install them sometimes to clean up/check on my phone's state then I uninstall them):
Google File Go (cleans files)
AccuBattery (check the battery health)
CPU-Z (has everything you want to know about your device)
When I need to backup an app's data or the entire app:
Titanium Backup
Here you go, I gave you just a few pieces of security advice; there are plenty more, so don't hesitate to check the internet for more!
Have a nice day
I have 2 edits to your suggestions
1. Change your passwords monthly, preferably using a password manager that suggests really hard random passwords
2. Swift backup is much newer and more efficient than titanium backup ever was.
Sent from my OnePlus7Pro using XDA Labs
I'll update my first post continuously with every recommendation that'll follow on this thread to create the sort of "Index of Android Security". I created a new thread for security questions
Didn't know about swift backup, what a great app!
patricia123 said:
Hey !!
Do Android phones need antivirus or internet security as a must? If so provide me some links..
Thankxxxx in advance
Viruses don't really exist in Android. You can be targeted with malicious code but that is only if you open, tap on or accept something without knowing what it is.
For instance, someone could send you a link or a photo that has malicious code embedded in it, when you open it or accept it, then the malicious code has access to your device and your data.
As long as you know that you are dealing with a trusted source, you should be fine. But, if you are the kind of user that goes all over the internet opening things without knowing what it is, you will quickly find yourself targeted by malicious code.
Become a responsible, informed user that is aware of the dangers and what kinds of things can be a problem and you should be fine.
Sent from my SM-S767VL using Tapatalk
