How to protect your data from malicious developers? - General Questions and Answers

When someone posts a rom they developed here, does the community check for malicious code? For example, the developer could insert a code that sends him all the user's keyboard clicks (keylogging). How do the security practices on this forum site ensure that users are protected from those kind of things? What are things to know for users to protect their data and privacy from malicious developers?

Thread locked. Duplicate of https://forum.xda-developers.com/t/...ld-steal-our-important-personal-data.4256949/

Related

[Q] Is privacy enforced for apps in Marketplace?

Hi!
Tried finding the answer for this. both in Marketplace privacy terms, development guidelines etc. No luck other then very vague descriptions and guidelines.
So, hoping there might be som WP developers here, I'm wondering this:
Lets say I download and install a smart dialing app.
It has the permissions for Data services, Phone and Owner identity aswell as accessing the contacts.
Now, what stops this app from uploading all my contacts to unwanted destinations?
For example stealing information in purpose of spamming or marketing.
Is there any review of apps, behaviour or code when publishing to Marketplace?
Can I be as convinced that my privacy is respected by app developers?
All apps are reviewed (by real people, as well as by automated tools) before they are accepted to the marketplace. It's basically the same thing that Apple does, and although the list of what is and is not permitted varies a little, you can be sure that the kind of spyware you describe is firmly in the "not permitted" camp.
That said, mistakes can be made in reviewing, or things can be missed. Malware certainly could sneak past the Marketplace reviewers sometimes. Overall, though, it's rare.
Thanks for the reply! I suspected this and it's nice knowing that there are protections in place.
Of course, when one thinks twice, distribution of mal- and spyware through Marketplace would be very contraproductive to the plattform and harm it.
At the same time it would be nice finding some official info how this is enforced...

Can you help, please?

My 2 apps got removal with same reason
REASON FOR REMOVAL:Violation of section 4.4 of the Developer Distribution Agreement.
After a regular review we have determined that your app interferes with or accesses another service or product in an unauthorized manner. This violates the provision of your agreement with Google referred to above.
All removals are tracked. Repeated removals will result in app suspension, at which point this app will count as a strike against the good standing of your developer account and no longer be available on Google Play.
Can some one please share what is happening ?
Please describe what your app does

Serious, unpatched vulnerabilities

Before I begin, I'm not here to flame tbe devs as I would love this app if these issues weren't present and do hope this problem is resolved as a result of bringing it to the attention of the community and hopefully this app's devs.
This application has serious vulnerabilities, some of which should be quite easily patched yet have not been for months to a year or so of them having been made public by a reputable security researcher working for Zimperium.
Login information via the browser is not utilizing a secure form of encryption for both web.airdroid.com or when accessing via local IP despite their SSL cert being valid for *.airdroid.com. The key for the DES encryption being used to hash the password and e-mail being hardcoded into the application despite having a POC for an attack on their users is inexcusable and shows a blatant disregard for their application's level of access as well as their user's safety and security.
My finding (as a security noob) has also deeply disturbed me following no response to bug reports or email contact. While attempting to check out their Windows desktop client, my antivirus discovered the installer attempting to download a variant of adware which monitored the user's activities and provides monetary incentives to developers which include it within their programs and applications. I do understand that if something is free, the product is you. However, I am a paying customer of this service as I'm sure many who use xda would be in an effort to support development of software and applications we enjoy. This adware was ran through and confirmed with VirusTotal and certainly is not a false positive. This desktop client also does not use SSL for communication.
Due to discovering these problems, I immediately discontinued use (the same day I renewed my yearly subscription). However, I was unable to remove the application from my phone without a full factory reset even after both application updates and upgrading android versions. With it set as a device administrator, it's access must first be revoked before uninstalling. However, across multiple devices and versions of android, attempting to remove it from device administrators causes a crash of the android settings app.
I had planned to do a POC for what I feel is an extremely likely scenario based off both public vulnerabilities as well as what I had discovered myself, but I have been far too busy with a few other projects as well as work to complete it yet. I had just stumbled across this section of the xda forums while looking for something else and hoped to get a response from the devs of this app.
I would love to be able to utilize an app with this functionality. However, there needs to be far more focus on security in its design before I would ever feel comfortable utilizing it again.
In theory, it would be entirely possible for an unstable, technically inclined person at a local coffee shop (or other public location with unsecured an wireless network) to hijack a user's login information with minimal skill level required then giving them full, unadulterated access to the application's functions such as forcing gps or camera on to track or watch someone without their consent as all connections aren't even requiring the user to accept the incoming connection on their phone to perform these actions. That is not a farfetched scenario and presents a possible threat to someone's physical safety.
Link to said researcher's findings can be found on his blog by searching Zimperium airdroid multiple vulnerabilities as I just created this account for this post and can not yet post outside links.
Thanks a lot for all this information. I really appreciate it.
Why hasn't this been addressed yet?
I remember reading this a while ago, realizing that it is a serious issue, and just how little the devs care about security on their app.
This is mainly because most end-users don't dive this deep into an app, and don't fully comprehend the severity of such vulnerabilities until it is too late.
We should make a bigger fuss about these things!
I've always been very careful with RAT-type apps and so I was when checking out AirDroid. I've uninstalled it after 30 minutes of using, just because I didn't like the fact, there's a chance some undesirable person could start spying on me. As I read this thread, I'm realising how right I was that time.

REQUEST for info related to privacy and security.

Good day!
I have a page for online privacy ( www.4yourprivacy.com) and want to add more information regarding smart phones and personal privacy and anonymity to that site.
Anyone who can offer insight to these questions as well as suggest additional questions I may not have thought of I will be most appreciative.
It is understood that using mobile networks data, tower triangulation can still provide coarse location information that is saved as part of your phone record. Assume that location services and GPS are disabled
1. Using cell data how much privacy is afforded by having an active VPN connection with regard to third party apps or with carrier provided SMS?
With no mobile data but using WiFi only with VPN.
2. Does VPN offer any actual privacy to the user of standard SMS messages? I realize that alternative means such as "Signal app" provide end-2-end privacy even without VPN.
3. Do some, all, most third party apps obtain and transmit the specific device ID such as phone number and IMEI etc back to a server some where? This is a technical/software question not related to developers privacy practice. Is this totally dependent upon permissions you can control per-app?
4. App tagging. I read that when a user downloads an app from PlayStore that app is tagged to your device to permit developers to monitor accounts for such things as billing etc to be able to disable apps where user either has not paid or has violated some TOS...also by Google to register it to your phone for updates etc.
But what about the same app obtained and manually installed as an APK file without going through PlayStore?
Any thoughts, links to authority or additional questions I failed to ask please let me here what you have to say. ( Yes this may appear on more than one forum! )
Again thanks in advance for any thoughts or info that you believe should make their way to a discussion about privacy and security when using a mobile device. ( Android in this case...will address iPhone elsewhere )
Paul
paulckruger said:
Good day!
I have a page for online privacy ( www.4yourprivacy.com) and want to add more information regarding smart phones and personal privacy and anonymity to that site.
...
Click to expand...
Click to collapse
Interesting... Just had a look to your site regarding privacy and anonymity by Webbkoll and got interesting results: https://webbkoll.dataskydd.net/en/results?url=http://www.4yourprivacy.com/
Do you agree that having Google and Linkin cookies already contradicts privacy etc.?
Well for starters there is no information on this page that Google does not already index. I am not concerned about the privacy of this web site simply because if the site itself is too "private" people searching for this kind of info won't be able to find me in Google...kinda defeats the purpose of such a site in the first place!
The actual "privacy" aspect is the responsibility of the user not this web site which by definition must be findable for people to access the information. The assumption should be that a first visit will be by someone already exposing their tracks online seeking info on how to avoid just that.
Second...not a response to my question!
But thanks.

What could cause a “Violation of Usage of Android Advertising ID policy”?

I received a notification from Google Play telling me that my app has been removed because of some violation regarding the collection of Advertising IDs.
My app, however, only fetches some publicly available data from the Internet and uses firebase to deliver push notifications to devices which install the app and subscribe to specific FCM topics.
My question is: how could I be leaking Advertising IDs? Are those IDs sent in the HTTP requests made by the app? (e.g. in the headers?) Or maybe it's because of the FCM subscriptions?
The full text of the email I received follows.
Hi developers at REDACTED,
After review, REDACTED, has been removed from Google Play due to a policy violation. This app won’t be available to users until you submit a compliant update.
Issue: Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement
Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. We’ve identified that your app collects and transmits the Android advertising identifier, which is subject to a privacy policy requirement. If your app collects the Android advertising ID, you must provide a valid privacy policy in both the designated field in the Play Console, and from within the app.
Next steps: Submit your app for another review
Read through the Usage of Android Advertising ID and User Data policies, as well as the Developer Distribution Agreement, and make appropriate changes to your app. If you decide to collect sensitive user information, be sure to abide by the above policies, and include a link to a valid privacy policy on your app's store listing page and within your app.
Make sure that your app is compliant with all other Developer Program Policies. Additional enforcement could occur if there are further policy violations.
Sign in to your Play Console and submit the update to your app. Alternatively, you may opt-out of this requirement by removing any requests for sensitive permissions or user data.
Alternatively, you may opt-out of this requirement by removing any requests for sensitive permissions or user data.
If approved, your app will again be available with all installs, ratings, and reviews intact.
If you’ve reviewed the policy and feel this removal may have been in error, please reach out to our policy support team. One of my colleagues will get back to you within 2 business days.
Thanks for helping us provide a clear and transparent experience for Google Play users.
Regards,
The Google Play Team
Click to expand...
Click to collapse

Categories

Resources