Don't like it. I want my phone to be MY phone. My phone should work for me, not Google and not some mysterious random company. My private life should not be reduced to some advertising opportunity for a business. Why people accept this I do not know. It doesn't matter if an XDA developer will find a way to stop it. It shouldn't be happening in the first place.
OK, so I'm a WM developer, not Android, but if the program turns on the GPS receiver, surely the GPS LED would give away the fact that it has been triggered. On a Kaiser the right LED flashes orange every other GSM connection flash.
Alternatively, it could just grab the CellID from the GSM connection. Not as accurate, but it can still be used as a crude location pointer. In cities it is probably accurate to a couple of hundred metres.
As the article mentions, Google have a pretty strict policy on what apps can do with users' data, but whether they are adhered to is another matter.
It would be quite difficult to stop it, if the Android equivalent of WM's 'GPSAPI.DLL' exists in ROM, as you can't modify it to override any calls to the functions within it.
On Android, it is not possible for a user application to ENABLE GPS (if it was turned off in settings). The only apps that can do so are those in /system, which requires root to write to, or the app to be installed on the ROM itself.
I personally leave GPS off all the time, and do actually read all permissions used before installing an app. In the past, I have actually decompiled applications and removed their GPS/location permissions and "spy code", but now I just use another app that doesn't need excessive permissions.
In Android, permissions do block access to both network location and GPS location, using separate permissions, so it's possible for an app to use network location, but not get access to GPS. But I see no need for it, when an IP address gives a country/very rough location (enough for a dev to know his/her user base's nationality demographics).
Really don't like that.
I pay for the phone, the bandwidth and the calls.
I do not want to be harassed by people trying to sell me stuff on my own telephone, and I especially do not want to give an anonymous company my own private data!
stephj said:
OK, so I'm a WM developer, not Android, but if the program turns on the GPS receiver, surely the GPS LED would give away the fact that it has been triggered. On a Kaiser the right LED flashes orange every other GSM connection flash.
Alternatively, it could just grab the CellID from the GSM connection. Not as accurate, but it can still be used as a crude location pointer. In cities it is probably accurate to a couple of hundred metres.
As the article mentions, Google have a pretty strict policy on what apps can do with users' data, but whether they are adhered to is another matter.
It would be quite difficult to stop it, if the Android equivalent of WM's 'GPSAPI.DLL' exists in ROM, as you can't modify it to override any calls to the functions within it.
Unfortunately, on most Android devices you don't get the amber LED to indicate GPS usage. But as pulser_g2 has said, if you have GPS turned off then only /system apps or root apps will be able to use it.
Pulser, what app do you use to check them out for malicious code?
incredulous said:
Unfortunately, on most Android devices you don't get the amber LED to indicate GPS usage. But as pulser_g2 has said, if you have GPS turned off then only /system apps or root apps will be able to use it.
Pulser, what app do you use to check them out for malicious code?
I use apktool to disassemble the APK, then check the permissions inside AndroidManifest.xml.
Notepad2 is used to view the smali code, and AstroGrep (Windows) or just a recursive grep on Linux, and I look for "http" and "location", since you'd be amazed what you find when recursively grepping the code for "http".
Let's just say I have found pages containing lists of authorised IMEIs for applications, I've found callback code to give a remote server information etc...
I tend to notify the developer if there is anything at issue like IMEIs... But often they do nothing
Get familiar with apktool, and learn to read smali, which is like intermediate java code, slightly more like machine code, but mainly like java...
As for what you do once identifying such an app, I suggest just not using it. It is possible to remove such callback code, but it's complex and much easier to use an alternative.
As the-equinoxe said, I own the phone, and therefore anything going on it has to obey MY rules. So regardless of what an app's license agreement says, my device has its own licence agreement, saying that "pushing an APK to this device via the market/gtalk service hereby provides consent for it to be disassembled and decompiled, and scrutinised by geeks before installation..."
HTH
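A small triage script for the apktool workflow described in the post above. It is an added example, not pulser_g2's own tooling: it reads the uses-permission entries from the decoded AndroidManifest.xml, greps the smali tree for URL string constants and for LocationManager, TelephonyManager (IMEI/IMSI) and HTTP calls, and flags any class that both reads the IMEI or location and talks to the network, which is the "callback code" pattern the post describes. The manifest and the two smali files it scans are constructed stand-ins for `apktool d app.apk -o out/` output so it runs offline; point triage() at a real decoded directory instead.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Smali string constants holding a URL: what a recursive grep for "http" finds.
URL_CONST = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s+"((?:https?|ftp)://[^"]+)"')

# Calls worth flagging: location reads, IMEI/IMSI reads, and outbound HTTP.
SENSITIVE_CALLS = {
    "location": re.compile(r"Landroid/location/LocationManager;->(requestLocationUpdates|getLastKnownLocation)"),
    "imei": re.compile(r"Landroid/telephony/TelephonyManager;->(getDeviceId|getSubscriberId)"),
    "network": re.compile(r"Ljava/net/(HttpURLConnection|URL);->(openConnection|connect)"),
}

def manifest_permissions(manifest_path):
    """Return the sorted <uses-permission> names from apktool's decoded manifest."""
    root = ET.parse(manifest_path).getroot()
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
                  if el.get(ANDROID_NS + "name"))

def scan_smali(smali_root):
    """Walk the smali tree; collect (file, line, url) and (file, line, kind) hits."""
    urls, calls = [], []
    for dirpath, _, files in os.walk(smali_root):
        for name in files:
            if not name.endswith(".smali"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, smali_root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    urls += [(rel, lineno, m.group(1)) for m in URL_CONST.finditer(line)]
                    calls += [(rel, lineno, kind) for kind, pat in SENSITIVE_CALLS.items()
                              if pat.search(line)]
    return urls, calls

def triage(decoded_dir):
    """Summarise one decoded APK. A class that reads IMEI/location *and* talks to
    the network is the callback pattern worth reading by hand."""
    perms = manifest_permissions(os.path.join(decoded_dir, "AndroidManifest.xml"))
    urls, calls = scan_smali(os.path.join(decoded_dir, "smali"))
    kinds_by_file = {}
    for rel, _, kind in calls:
        kinds_by_file.setdefault(rel, set()).add(kind)
    suspicious = sorted(f for f, k in kinds_by_file.items()
                        if "network" in k and k & {"imei", "location"})
    return {"permissions": perms, "urls": urls, "suspicious_classes": suspicious}

# ---- constructed stand-in for apktool output, so the script runs offline ----
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

SAMPLE_SMALI = {
    # Legitimate: fetches the forecast, touches nothing sensitive.
    "com/example/weather/Forecast.smali": """.class public Lcom/example/weather/Forecast;
.method public fetch()V
    const-string v0, "http://api.example.net/forecast"
    invoke-virtual {v1}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    return-void
.end method
""",
    # Callback code: reads IMEI and location, then posts to a second host.
    "com/example/weather/Beacon.smali": """.class public Lcom/example/weather/Beacon;
.method public run()V
    invoke-virtual {v2}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v3}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    const-string/jumbo v0, "https://tracker.example.org/collect"
    invoke-virtual {v4}, Ljava/net/HttpURLConnection;->connect()V
    return-void
.end method
""",
}

def build_sample_tree():
    """Write the constructed manifest and smali files to a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="apk_triage_")
    with open(os.path.join(root, "AndroidManifest.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_MANIFEST)
    for rel, body in SAMPLE_SMALI.items():
        path = os.path.join(root, "smali", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(key, *value, sep="\n    ")
```

On the constructed tree the report lists the three permissions, both URLs, and Beacon.smali as the only suspicious class; Forecast.smali uses the network but reads nothing sensitive, so it is not flagged. Against a real app, the URL list is the first thing to read: a second host that is not the service the app advertises is the lead the post is talking about.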
If you don't like it, then don't install the fart app that needs access to your GPS.
Any app that needs access to your location but doesn't have an obvious reason to do so is using it for advertising purposes.
Don't like it, don't use the apps. It really is pretty simple and it doesn't require you to decompile the app!
If your personal information is so private, don't give it away to someone who EXPLICITLY asks for it.
Any app that needs access to your location but doesn't have an obvious reason
Main problems are other types of apps. Apps that need access and then exploit it. For example a weather app needs internet to download weather and at the same time it can send a bunch of personal data to its developer, without the user knowing it.
AFAIK there is no effective way to get rid of that problem, other than manually analyzing each application on the market.
Maybe a solution would be a policy in the Market that will require an application to ask the user before sending any personal data or else the application gets banned from the market. But again it will require someone to check manually if the application is sending data.
I can see a solution that would work.
Android would need to use a UAC style prompt, saying "allow once or always", and same for deny. Like SuperUser apk does.
If an app couldn't use the permission without express approval, controlled by the individual intent or method/subroutine in use, you could easily see when an app was actually using a permission, and allow it one individual GPS reading.
The only problem with this? It would be really annoying for 99.9% of users, and ultimately there would be ways to cheat the system.
The above suggestion where apps request permission would work in an ideal world where every developer can be trusted implicitly.
But this is no ideal world, and even if it were on the scale of xda (a few hundred apps), there would be no way to check it happened. And then it would be unenforced, and in my view, an unenforced rule is worse than no rule, since users would be led to believe it was enforced, and thus protecting them.
Bottom line? Trust nobody, write your own apps, and apktool everything. Until then, just be careful what apps you install and give GPS access to... don't use that third party weather app if you don't trust it...
Currently looking for a suitable Phone Tracker/Locators in case phone gets misplaced.
For those interested in your options, this sums it up well: http://www.androidpolice.com/2011/11/28/mobile-security-app-shootout-final-roundup-out-of-a-sea-of-apps-just-one-emerges-as-a-clear-winner-in-keeping-your-device-safe/
My question is, how safe in terms of privacy are the trackers that also provide a centralized web interface?
Think about it, you are essentially installing an agent that allows the developer (if they so choose) to track wherever you are and control your phone at any time.
Sure YOU require a password to access your account, but surely the developer could have full access to all accounts using this software.
I used to use Tasker for remote SMS tracking, but the added features of these web integrated trackers are appealing since they also have remote picture taking, remote erase, locking, etc.
How would you weigh the privacy vs feature trade-off?
klau1 said:
Currently looking for a suitable Phone Tracker/Locators in case phone gets misplaced.
My question is, how safe in terms of privacy are the trackers that also provide a centralized web interface?
Think about it, you are essentially installing an agent that allows the developer (if they so choose) to track wherever you are and control your phone at any time.
Sure YOU require a password to access your account, but surely the developer could have full access to all accounts using this software.
How would you weigh the privacy vs feature trade-off?
In my opinion it's really a matter of trust. First and foremost, do some research on the developer and app you're considering, look at the feedback, reputation, etc. then make a decision on how safe you feel about the service. It's similar to deciding if you feel safe signing up with a company like LifeLock. In order for them to protect your sensitive data, you must freely give them all of your sensitive data. How safe would you feel about that? Would you trust them enough not to be malicious?
But then again, aren't you putting the same amount of trust and taking the same risks with the developer of ANY app you install on your phone?
As far as the apps themselves, I have used Find My Droid, the one Best Buy offers, and I can't remember the name of the third one and I found that all three are not as useful as I originally thought.
1. The gps feature was nice but did not pinpoint an exact address, just a general area. How useful is that?
2. I did a "stolen phone" test with the apps and it took them all between 5 and 15 minutes to lockdown the phone and one just plain failed.
3. The remote picture taking feature didn't work and if you plan on using an ICS rom, since the front facing camera doesn't work, the picture taking feature doesn't do much good.
4. The apps are useless if a perp pulls the battery which renders the gps completely useless.
So in summary, I personally wouldn't use one of those phone tracker apps. If you misplace your phone, just call it from someone else's and if you accidentally left your phone at a bar or someplace public, call your provider for a replacement because you probably won't see that old one ever again.
Okay, so I was wondering for a while why we need to remember strong passwords!?
I mean a long time ago I learned that a password has to be as cryptic (and unrememberable) as possible to increase security. A not so long time ago I learned that passwords don't have to be cryptic, but should be as long as possible.
For me, long passwords are okay if I'm in front of my computer, but since I have to enter them on my phone or tablet it gets really troublesome and annoying to enter long passwords.
So my idea was that it would be much nicer if servers (or whoever demands passwords) would do more to prevent password attacks. For example, if your account has entered a wrong password for example 10 times then lock it for 5 minutes. If there are 10 more attempts lock it for another hour. If there are 10 more failed attempts shut it down for a day.
By that approach you only get 30 attempts in one day. Even a ridiculously easy password would be enough to withstand password breakers.
So why isn't this done more often? Why do I need a strong password?
Another possibility would be just to shut down any account with more than 50 attempts and you need to reset your password.
So am I missing something?
Check out "KeePass" and other password storage systems.
I use KeePass and KeePass Droid and sync between devices. The database file is encrypted and unlocked with a master password - one that while long, is easy to remember - the passwords for individual accounts are random strings.
One disadvantage I can think of as to locking down accounts with incorrect guesses is that it would give people who want to annoy/troll/et cetera a way to lock people out and have them keep resetting their password - or, if you suggest locking the account down - lock the real user out indefinitely by continuing to spam passwords they know are wrong. This kind of assault could continue even after the password has been reset - rendering the account unusable.
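To make the trade-off in the two posts above concrete, here is a simulation of the proposed schedule (10 failures: 5 minutes, 10 more: an hour, 10 more: a day) driven by a fake clock. It is an added example, not code from either poster; the Account class, the plaintext password comparison (a real server would compare a salted hash) and the wordlist are constructed for the demo. It shows both effects at once: the online guesser is held to 30 tries in 24 hours, and anyone who knows only the username can lock the real owner out with ten junk guesses.

```python
LOCKOUT_SCHEDULE = {10: 5 * 60, 20: 60 * 60, 30: 24 * 60 * 60}  # failures -> lock seconds
DAY = 24 * 60 * 60


class Account:
    def __init__(self, password):
        self.password = password   # demo only; a real server stores a salted hash
        self.failures = 0          # consecutive failed attempts
        self.locked_until = 0      # simulated clock value (seconds)


def lock_for(failures):
    """Seconds to lock after `failures` consecutive bad guesses (0 = no lock)."""
    if failures >= 30:
        return DAY                 # every failure past the third tier re-locks for a day
    return LOCKOUT_SCHEDULE.get(failures, 0)


def attempt(account, guess, now):
    """Process one login attempt at simulated time `now`: 'ok', 'wrong' or 'locked'."""
    if now < account.locked_until:
        return "locked"
    if guess == account.password:
        account.failures = 0
        return "ok"
    account.failures += 1
    lock = lock_for(account.failures)
    if lock:
        account.locked_until = now + lock
    return "wrong"


def guesses_in_one_day(account, wordlist, lockout=True):
    """Distinct guesses an online attacker gets through in 24h, one per second,
    sleeping through each lock. With lockout=False the schedule is ignored."""
    now, tried = 0, 0
    for word in wordlist:
        if lockout and now < account.locked_until:
            now = account.locked_until          # wait out the lock
        if now >= DAY:
            break
        if lockout:
            attempt(account, word, now)
        tried += 1
        now += 1
    return tried


def lockout_denial_of_service(account):
    """An attacker who knows only the username sends 10 junk guesses; the owner
    then presents the *correct* password and is refused."""
    for i in range(10):
        attempt(account, f"junk{i}", now=i)
    return attempt(account, account.password, now=10)


if __name__ == "__main__":
    words = [f"guess{i}" for i in range(1000)]
    print("guesses/day with lockout   :", guesses_in_one_day(Account("s3cret"), words))
    print("guesses/day without lockout:", guesses_in_one_day(Account("s3cret"), words, lockout=False))
    print("owner after 10 junk guesses:", lockout_denial_of_service(Account("hunter2")))
```

The 30-per-day cap only matters for attacks that go through the login form. It does nothing against the offline case discussed further down the thread, where the attacker already has the hash table and never talks to the server at all.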
Lutziver said:
Okay, so I was wondering for a while why we need to remember strong passwords!?
I mean a long time ago I learned that a password has to be as cryptic (and unrememberable) as possible to increase security. A not so long time ago I learned that passwords don't have to be cryptic, but should be as long as possible.
For me, long passwords are okay if I'm in front of my computer, but since I have to enter them on my phone or tablet it gets really troublesome and annoying to enter long passwords.
So my idea was that it would be much nicer if servers (or whoever demands passwords) would do more to prevent password attacks. For example, if your account has entered a wrong password for example 10 times then lock it for 5 minutes. If there are 10 more attempts lock it for another hour. If there are 10 more failed attempts shut it down for a day.
By that approach you only get 30 attempts in one day. Even a ridiculously easy password would be enough to withstand password breakers.
So why isn't this done more often? Why do I need a strong password?
Another possibility would be just to shut down any account with more than 50 attempts and you need to reset your password.
So am I missing something?
Passwords are normally not stored on a webserver, just a password hash, which is a code made from your password; for example the MD5 hash could be used.
So when you create an account the hash is stored (so the webserver never knows your password) and then when you come to login you enter your password, the hash is created and checked against the stored hash.
Passwords are hacked by someone gaining access to the password database then downloading its contents; from their own machine they can then run a brute force attack moving through possible passwords, generating their hash and checking against the hashes downloaded.
They will normally start by using some form of dictionary of known used passwords (things like 1234, qwerty etc etc) and then go into generating random strings until the right one is found.
Professional hackers will use hardware like this http://www.gizmodo.co.uk/2012/12/the-hardware-hackers-use-to-crack-your-passwords/ to brute force, which is able to work through billions of hashes a second.
Thus the longer and more random your password the better, but then again if the attacker wanted to and had enough time they will get your password.
The only thing webservers can do is try and keep databases secure enough that an attack to grab the data isn't possible, but we all know this often is not the case.
Pennycake said:
Check out "KeePass" and other password storage systems.
I use KeePass and KeePass Droid and sync between devices. The database file is encrypted and unlocked with a master password - one that while long, is easy to remember - the passwords for individual accounts are random strings.
One disadvantage I can think of as to locking down accounts with incorrect guesses is that it would give people who want to annoy/troll/et cetera a way to lock people out and have them keep resetting their password - or, if you suggest locking the account down - lock the real user out indefinitely by continuing to spam passwords they know are wrong. This kind of assault could continue even after the password has been reset - rendering the account unusable.
I would also recommend taking a look at LastPass, along these lines. A long master password and individual passwords is really rather safe.
Funny thing, after setting up KeePass, I had a few accounts compromised - the ones I forgot I had and didn't switch over. Then it's a good thing I did switch over, or something important could have been gotten into.
Also I would like to suggest Dashlane for password security. It's the only form of password management software I've ever used but I've been very happy with it. It's definitely worth checking out
In terms of password security, the most important factor is the length of the password: with each character added, the time taken to brute force the password increases dramatically, following a power law model.
That said, you also want your password to not be easily guessable: so don't use something that relates to personal information about you, or about what the password is for (i.e. don't make your XDA password 'xda-developers').
This XKCD is relevant, in case someone in the universe hasn't seen it already...
Password storage programs like KeePass are a great way of solving the security vs. memorability problem: your passwords can be as long and random as you want, you only need a strong master password to be secure.
Not even passwords, we need strong security. Check out this thread:
http://forum.xda-developers.com/showthread.php?t=1931627
[Suggestions & Discussions] Why mobile security matters
With iOS I used 1password to generate 20 character passwords so I don't remember any of my passwords since it's kept in the app. Hopefully they update the Android version soon.
Another one for KeePass here. The array of devices it is available for is impressive. I am trying to convince everyone I know to use some sort of password management since more and more of our lives are on the net now, particularly bank and government accounts.
You don't need a really strong password if you're protecting your device from people who don't know you (not your friends, or your kids). If you're only worried about your device getting stolen by someone you don't know (who doesn't know you) you can make your password easy to remember and enter by making it your first born child's name or pet's name, or first born child's birth date. But if you're trying to protect the device from your kids (or other people who know you), you better make it something a little harder for them to guess.
Lutziver said:
Okay, so I was wondering for a while why we need to remember strong passwords!?
I mean a long time ago I learned that a password has to be as cryptic (and unrememberable) as possible to increase security. A not so long time ago I learned that passwords don't have to be cryptic, but should be as long as possible.
For me, long passwords are okay if I'm in front of my computer, but since I have to enter them on my phone or tablet it gets really troublesome and annoying to enter long passwords.
So my idea was that it would be much nicer if servers (or whoever demands passwords) would do more to prevent password attacks. For example, if your account has entered a wrong password for example 10 times then lock it for 5 minutes. If there are 10 more attempts lock it for another hour. If there are 10 more failed attempts shut it down for a day.
By that approach you only get 30 attempts in one day. Even a ridiculously easy password would be enough to withstand password breakers.
So why isn't this done more often? Why do I need a strong password?
Another possibility would be just to shut down any account with more than 50 attempts and you need to reset your password.
So am I missing something?
No, you are right, but then it is easy for our friends or close ones to know our passwords.
I would be very careful about using "apps" to manage stored passwords. Hopefully the database is encrypted. (There is e.g. a bitcoin wallet app that doesn't encrypt stored data!) It is sometimes trivial to decompile the app to get the Java sources with the decryption algorithm. If it was a native app, decompilation would be harder.
You have to assume the attacker can get the db and the algorithm, and therefore only has to guess the key. Therefore, the password you choose must be as difficult to guess as possible. (This goes double for people using software they can't build themselves, such as linux distros and roms. There is a reason Debian devs cryptographically sign their contributions (packages) which are then built and distributed by other machines; it is near impossible to inject malware, in such a way that others can't discover who did it.)
The real problem is that malware on e.g. a desktop os can install keyloggers and grab the contents of copy/paste buffers. So the mechanism to move the password from the db to the app that needs it must also be secure. Passwords must be salted, and correct algorithms chosen for each part of the software (E.g. MD5, mentioned above, is considered insufficient for password hashes and most other uses, and should not be used).
A lot of people think that encrypting things or hashing them multiple times or with 2 or 3 different algorithms will improve security; this can actually decrease the amount of work for an attacker, so must not be done.
Ask yourself if the developer of such an app is aware of these issues, and also of the specific API and other features of Android that provide (some) security in the face of an attack. Ask yourself if such a developer would be compensated more by writing such an app, or by doing other work.
Then make your decision about how much you can trust the app that you have.
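Two points raised earlier in the thread (what leaks is the hash table, not the passwords, and unsalted MD5 is not an acceptable password hash) can be shown in a few lines. This is an added example, not code from any of the posters; the leaked user table and the wordlist are constructed, and the PBKDF2 iteration count is kept low so the demo runs in about a second.

```python
import hashlib
import hmac
import os

# Constructed leak: two users chose the same dictionary word, one a long passphrase.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "correct horse battery staple 2012",
}
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "dragon"]


# --- weak scheme: unsalted MD5, as a 2012-era webapp might store it ---
def md5_store(password):
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_table(users=SAMPLE_USERS):
    return {user: md5_store(pw) for user, pw in users.items()}


def crack_md5_table(table, wordlist):
    """Unsalted: hash each word once, then look every user up in that table.
    Identical passwords give identical hashes, so one hit cracks all of them."""
    lookup = {md5_store(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


# --- stronger scheme: per-user random salt and a deliberately slow KDF ---
ITERATIONS = 100_000  # kept low for the demo; raise it for production


def pbkdf2_store(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time compare


def build_pbkdf2_table(users=SAMPLE_USERS):
    return {user: pbkdf2_store(pw) for user, pw in users.items()}


def crack_pbkdf2_table(table, wordlist):
    """Salted: no shared lookup table; every (user, word) pair costs a full KDF run.
    Returns the cracked users and how many KDF runs that took."""
    cracked, kdf_runs = {}, 0
    for user, stored in table.items():
        for word in wordlist:
            kdf_runs += 1
            if pbkdf2_verify(word, stored):
                cracked[user] = word
                break
    return cracked, kdf_runs


if __name__ == "__main__":
    md5_table = build_md5_table()
    print("md5   :", crack_md5_table(md5_table, WORDLIST), "- hashes computed:", len(WORDLIST))
    cracked, runs = crack_pbkdf2_table(build_pbkdf2_table(), WORDLIST)
    print("pbkdf2:", cracked, "- KDF runs:", runs, "x", ITERATIONS, "iterations")
```

Both schemes give up "password", which is the point the thread keeps coming back to: salting and a slow KDF multiply the attacker's cost per guess (here 10 runs of 100,000 iterations against 6 MD5 computations for the whole table), but only a long, non-dictionary password like carol's is out of reach of the wordlist at all.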
Just have a long password or any cryptic one.
Remember it in your web browser and use a master password in Firefox if it's a shared system,
and just save it in an app called mSecure on Android, sync it with Dropbox, and then whenever you need to enter a password just copy it from mSecure and paste it where you want.
KeePass or 1Password instantly springs to mind as others have already mentioned.
One way to keep secure passwords easy to remember is by taking the websitename, domain, or some other criteria (5th word on the homepage) and applying a couple of rules on that. E.g. take the word phonetically in reverse order, shift all vowels one place in the alphabet, append an exclamation mark, prepend a fixed number (e.g. 5), and add the length as a number to the end. XDA would become exdeeaa -> aaeedxe -> bbffdxf ->5bbffdxf! ->5bbffdxf!9 ... still quite difficult to guess, but easy to remember, because you just have to remember the rules.
Obviously those rules aren't the actual rules I use, but I do use something like this...
First off, I'm just an everyday user of an Android device, never interested in hacking or any other "advanced" use of computers and the like. My greatest achievements so far are jailbreaking an iPhone, rooting an Android phone and installing a stock ROM on it. You can call me a noob. However, I like to improve things I use and I also value my privacy. That's why I installed software that locks access to certain apps on my phone. I recently found this app actually did the opposite: it made my device vulnerable to identity theft and potential financial loss. I wouldn't really bother telling my story if the developers hadn't deleted my one-star rating with a brief description of the problem right after I posted it in the Play Store.
So, to the point. I installed the CM Security and app lock app (nearly 14 million users and a 4.7 rating) and locked some of the "sensitive" apps with it. One evening I was bored enough to try and play "a hacker" who "found my phone" and see what such a person could do. Considering "a hacker" somehow managed to unlock the device, he'd now encounter my second line of defense, the mighty app locker. And now, in a few short steps I'll show you how much damage you can do with it:
1. First it obviously asks you for an unlocking password/pattern, but -as you don't know it - you hit in-app menu button and choose "forgot password?" option.
2. It asks you to log in to your Google account in order to reset the password (YES, you can access Google password recovery from inside the app, so even if you lock your device's Settings, your mail client and so on, you can still access the most vulnerable option of your account from "security" app).
3. As you don't know a Google password you hit the "forgot password" link that starts Google password reset process.
4. It will ask you for the "last password you remember", but you can just say you don't know it and then it gives you an option to get a verification code by SMS - chances are it will be sent to the device you're just holding in your hands. And these chances are big.
5. After you get a verification code you're in. You can now set a new Google account password and reset app locker password/pattern.
It's that easy. You not only unlocked an app locker but also got access to Google account which gives you pretty much endless possibilities, including purchase of some apps in the Play Store as it stores your card details and you only need an account password to authenticate the purchase. You can also try to restore Ebay or Paypal passwords or even try to get directly into bank accounts via banking apps. Sky is the limit.
I already deleted the CM "security" app and looked for some replacement. I wasn't really surprised it's kind of a standard that when you install them, security apps ask you to give your Google account details just in case you need to recover your password in the future. And they often make you think that giving these details is an integral part of the installation process, a must-do that is necessary for the app to install and work. Some apps, like CM "security", don't even ask; they just use your Google account details and don't give you a chance to opt out.
After all - here's some advice I can give:
1. Don't install any security software that connects to your Google account and gives "password reset" options;
2. Don't give Google your mobile number, even if it seems convenient;
3. Don't use your Google account address as your contact information in "owner info" option of your device.
If you have any other suggestions that may improve security, please share.
Cheers
Question is why you didn't lock your device in the first place.
I think you are misapplying this feature's benefit/use. It is not there, IMO, to secure your phone from an adversary that has even brief access to your phone.
That is what a combination of a lock screen pwd, short for convenience, and full encryption using a separate and longer pwd of high entropy/randomness is for. Even with that it's important to understand how it works and its limitations. Such as it does not encrypt the ext SD card data. So if you put apps or privileged data there you either should not, or should use other means to encrypt it. One such way would be to use TrueCrypt to encrypt it using a PC, being the easiest, and then use one of the apks that supports accessing those types of partitions/files.
The function you are speaking of is there to prevent people you have a large degree of trust in, such as a family member or close friend, that you may allow to use your phone, from being able to access private data. Think of a parent allowing their child to use the phone to play a game but not wanting them screwing up email or going into their bank app and randomly clicking around etc...
I hope you get the idea. It's not there to prevent someone that means to do you direct intentional harm.
I also want to point out my comments are only directed at the most basic level and only deal with physical security of data on the phone and not the phone itself nor remote access or privacy.
Also want to point out that a screen lock pwd is nothing but an inconvenience at best to someone wanting access to your data. A quick reboot into recovery and a backup to an SD card will get them all your data and any weakly secured credentials therein. It's only one part of physical security, which is itself only one part of overall data security, which itself is only a part of data privacy. It's a large house of cards and removing one or putting one little piece in just slightly the wrong place will collapse the whole house.
It's hard to do just the small piece of each of these parts correctly and extremely hard to combine all the small and large parts together for a total protection scheme. It takes considerable research and learning to do these things, especially if your goals are for higher levels of security and privacy.
As an example, someone that really wants their phone data use on Android to be private from commercial data collection, which via proxy means all gov access to said data, would never install the Google Play Store or any Google app on their device. That is just one glaring example of many.
http://ad.cmcm.com/en/?f=home-en-top
Cheetah Mobile is spyware. Watch the video on their website.
I would suggest using the built-in encryption on Android. I don't use it myself, but have the Avira app installed. I like their PC software, and gave it a try.
It can be used to track a lost phone or lock it remotely. Since I have rooted my Huawei G300 it complains a bit, but still scans all apps being installed.
bigeasy911 said:
I think you are misappling this feature 's benefit/use. It is not there, IMO, to secure your phone from an advesary that has even brief access to your phone.
Fact is still that this app claims it provides certain security, yet it doesn't. Not everyone will realize this. So it's always good that people keep pointing this out.
Nearly a year has gone by since I posted this and now I have returned to "AppLockers" during my mobile security research. This is such a bad thing I can't believe apps of this kind are accepted by the Play Store and not banned eternally as the most fake security solution that ever existed. What surprised me even more, "serious" companies, e.g. Norton, are also in this business... anyway
I checked this one first - Best App Lock - it's "best", right? And it's got 4.5 stars rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked test app - everything seems fine.. as long as you don't go to Settings > Apps and don't force stop Best App Lock, because then - your protection is gone. But OK, you can also lock Settings and prevent such tricks and it works... as long as you don't use Activity Launcher to call App Lock's pin reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what pros got for us, the big ones. I checked mentioned Norton App Lock, with 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better, it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot device in Safe Mode and you can disable Norton's permission to draw over other apps to make it helpless as a baby. Or you can just uninstall it in SM. I didn't check anything else, because what more you can do to prevent such workaround, than Norton already did?
If someone is aware of a way to disable power menu, or at least the ability to disable Safe Mode on unrooted Android please share. Until then I call all the App Lock apps the biggest scam in mobile security.
minimale_ldz said:
Nearly a year has gone by since I posted this and now I have returned to "AppLockers" during my mobile security research. This is such a bad thing I can't believe apps of this kind are accepted by the Play Store and not banned eternally as the most fake security solution that ever existed. What surprised me even more, "serious" companies, e.g. Norton, are also in this business... anyway
I checked this one first - Best App Lock - it's "best", right? And it's got 4.5 stars rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked test app - everything seems fine.. as long as you don't go to Settings > Apps and don't force stop Best App Lock, because then - your protection is gone. But OK, you can also lock Settings and prevent such tricks and it works... as long as you don't use Activity Launcher to call App Lock's pin reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what pros got for us, the big ones. I checked mentioned Norton App Lock, with 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better, it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot device in Safe Mode and you can disable Norton's permission to draw over other apps to make it helpless as a baby. Or you can just uninstall it in SM. I didn't check anything else, because what more you can do to prevent such workaround, than Norton already did?
If someone is aware of a way to disable power menu, or at least the ability to disable Safe Mode on unrooted Android please share. Until then I call all the App Lock apps the biggest scam in mobile security.
The first step to real security is removing all Google apps and the Google account. There is no other way around this. Next, don't install any app that is not open source. Also, don't use any recovery. And finally, either epoxy your entire USB port, if you have, let's say, a magnetic charging port, or cut all USB port pins except for the 2 for charging. In addition, you should open the phone and epoxy the USB port and contacts from inside, so that it can't be replaced. Or even better: epoxy your entire motherboard. That would take care of the UART socket or any other way of entering the CPU/GPU/RAM from inside. Encrypt your phone. After that, your phone couldn't be penetrated (other than through the air/baseband, which is a whole different level of sophistication). If someone targets you over the baseband, throw your phone away and run for your freedom...
Seriously, in the above scenario, no one can have access to your data: no fastboot, no adb, no recovery. They wouldn't be able to replace the kernel, recovery or system, or use any OEM official flashing method... I welcome any suggestion to hack such a device...
minimale_ldz said:
Nearly a year has gone by since I posted this, and now I have returned to "AppLockers" during my mobile security research. This is such a bad thing that I can't believe apps of this kind are accepted by the Play Store and not banned eternally as the most fake security solution that ever existed. What surprised me even more is that "serious" companies, e.g. Norton, are also in this business... anyway.
I checked this one first - Best App Lock - it's the "best", right? And it's got a 4.5-star rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked a test app - everything seems fine... as long as you don't go to Settings > Apps and force stop Best App Lock, because then your protection is gone. But OK, you can also lock Settings and prevent such tricks, and it works... as long as you don't use Activity Launcher to call App Lock's PIN reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what the pros, the big ones, have got for us. I checked the mentioned Norton App Lock, with a 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better; it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot the device in Safe Mode and you can disable Norton's permission to draw over other apps to make it as helpless as a baby. Or you can just uninstall it in Safe Mode. I didn't check anything else, because what more can you do to prevent such a workaround than Norton already did?
If someone is aware of a way to disable the power menu, or at least the ability to disable Safe Mode on unrooted Android, please share. Until then I call all the App Lock apps the biggest scam in mobile security.
Reviews or star ratings are not always very reliable; just use them as a rough guide... (In my opinion SOME of those Chinese apps seem to be amongst the worst offenders.)
https://techcrunch.com/2014/05/27/f...unes-but-google-play-has-the-worst-offenders/
optimumpro said:
The first step to real security is removing all Google apps and the Google account. There is no other way around this. Next, don't install any app that is not open source. Also, don't use any recovery. And finally, either epoxy your entire USB port, if you have, let's say, a magnetic charging port, or cut all USB port pins except for the 2 for charging. In addition, you should open the phone and epoxy the USB port and contacts from inside, so that it can't be replaced. Or even better: epoxy your entire motherboard. That would take care of the UART socket or any other way of entering the CPU/GPU/RAM from inside. Encrypt your phone. After that, your phone couldn't be penetrated (other than through the air/baseband, which is a whole different level of sophistication). If someone targets you over the baseband, throw your phone away and run for your freedom...
Seriously, in the above scenario, no one can have access to your data: no fastboot, no adb, no recovery. They wouldn't be able to replace the kernel, recovery or system, or use any OEM official flashing method... I welcome any suggestion to hack such a device...
Well, you forgot the SD card, unless you encrypt that as well, which for a user who uses the card for transferring files across different devices is not such a bright idea.
Using epoxy could slow down the hack, and seriously give more trouble to the user than to the hacker.
That being said, your idea of securing the data is somewhat clear, but really a secured device? Because epoxy can be penetrated as well, and the lock screen can also be bypassed, even without Google and a recovery.
It might take more time than hacking an average device, but it can still be done, and most probably the hacker would be the owner himself, because he forgot the damn password and is looking to get the data back.
The more we try to secure, the more we make our lives tough.
billysam said:
Well, you forgot the SD card, unless you encrypt that as well, which for a user who uses the card for transferring files across different devices is not such a bright idea.
Using epoxy could slow down the hack, and seriously give more trouble to the user than to the hacker.
That being said, your idea of securing the data is somewhat clear, but really a secured device? Because epoxy can be penetrated as well, and the lock screen can also be bypassed, even without Google and a recovery.
It might take more time than hacking an average device, but it can still be done, and most probably the hacker would be the owner himself, because he forgot the damn password and is looking to get the data back.
The more we try to secure, the more we make our lives tough.
Epoxy: Knowing how small and fragile phone motherboards are, I think you will most likely damage the board while trying to penetrate the epoxy... Maybe you shouldn't epoxy the USB port on the outside, but cut the data pins and epoxy on the inside so as not to give a hint to an attacker. Anyway, I wish an attacker a fun time trying to remove epoxy...
The point of encryption is to protect data when the phone is off. So, it makes sense that for someone without the password, the phone turns into a brick. And if you tend to forget the password, then write it down somewhere other than the phone...
Mobile security is a myth. At best it is a doorknob lock. It will keep honest people honest but won't stop someone from really trying and doing it.
I see lots of talk from people about security, and yet these same people use Facebook, which has enough holes in it that anyone could hack someone else's PC. I use it all the time to mess with people. The looks on their faces are priceless.
So upon a fresh factory reset you'll notice the very first screen of the Setup Wizard (the screen with the little dudes painting and whatnot). If you tap the middle of the screen 7 times, then you are actually sent into a different "hidden" QR Code Setup. It will ask to connect to the internet and then download the Camera app or a QR Scanner app, then put you into camera mode and wait for you to scan a business QR code. Just curious if anybody else ever found this or knows how to use it. I'm guessing that it's probably something like MDM (Mobile Device Management) for corporate iPhones/iPads, but I have no idea.
Anybody got a spare QR code that I can use to mess around with that part of Setup?? (No, normal QR codes do not work, and yes, I understand these QR codes are for businesses, so please don't just reprimand me for asking.)
I have no idea what you are talking about.
Try this:
https://chrome.google.com/webstore/...erator/gcmhlmapohffdglflokbgknlknnmogbb?hl=en
This is what I'm talking about.
I've never used it, but this is a cool find! The QR code it's looking for probably points to a custom "image" used for setting up new devices - that way the IT department doesn't have to manually configure every setting.
I could see it being used to automatically disable features, set up VPN, corporate email etc.
Mine does the same thing but keeps showing "couldn't install QR reader". Need help urgently...
This is for usage with Mobile Device Management, and won't work if you don't have that set up with your company or have a managed device.
This isn't for end user usage.
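The hidden Setup Wizard screen described in the question, and identified in the answer above as the MDM entry point, reads a QR code whose content is a JSON object keyed by Android's documented device-provisioning extras (the android.app.extra.PROVISIONING_* names below are real DevicePolicyManager constants). The following is an added example, not code from Android or from any MDM vendor, showing what such a payload contains and the checks an administrator would run before printing it: the component name, download URL and certificate bytes are constructed placeholders, and no real enrollment happens.

```python
"""Build and review an Android enterprise provisioning QR payload.

Added example for this thread; not code from Android or any vendor.
The PROVISIONING_* key names are Android's documented extras; the
package name, URL and certificate bytes below are constructed.
"""
import base64
import hashlib
import json

ADMIN_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD_LOCATION = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SIGNATURE_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
PACKAGE_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
WIFI_SECURITY = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
SKIP_ENCRYPTION = "android.app.extra.PROVISIONING_SKIP_ENCRYPTION"


def signature_checksum(signing_cert_der):
    """URL-safe base64 without padding of SHA-256 over the DPC's signing
    certificate; this is the form Android compares against the APK it
    downloads from the provisioning URL."""
    digest = hashlib.sha256(signing_cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_payload(admin_component, download_url, signing_cert_der, wifi=None):
    """Return the JSON text that would be encoded into the QR code."""
    payload = {
        ADMIN_COMPONENT: admin_component,
        DOWNLOAD_LOCATION: download_url,
        SIGNATURE_CHECKSUM: signature_checksum(signing_cert_der),
    }
    if wifi:
        payload[WIFI_SSID] = wifi["ssid"]
        payload[WIFI_SECURITY] = wifi.get("security", "WPA")
        if "password" in wifi:
            payload[WIFI_PASSWORD] = wifi["password"]
    return json.dumps(payload, separators=(",", ":"))


def review_payload(qr_text):
    """Return a list of findings a reviewer would want resolved before the
    QR code is handed to device enrollers; an empty list means it looks OK."""
    findings = []
    try:
        data = json.loads(qr_text)
    except ValueError:
        return ["payload is not JSON"]
    if "/" not in data.get(ADMIN_COMPONENT, ""):
        findings.append("admin component must be package/Class")
    if not data.get(DOWNLOAD_LOCATION, "").startswith("https://"):
        findings.append("DPC download location should use https")
    sig = data.get(SIGNATURE_CHECKSUM)
    if not sig and not data.get(PACKAGE_CHECKSUM):
        findings.append("no checksum: the downloaded DPC cannot be verified")
    elif sig:
        try:
            raw = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
            if len(raw) != 32:
                findings.append("signature checksum is not a SHA-256 digest")
        except ValueError:
            findings.append("signature checksum is not URL-safe base64")
    if data.get(SKIP_ENCRYPTION) is True:
        findings.append("PROVISIONING_SKIP_ENCRYPTION set: storage left unencrypted")
    if WIFI_PASSWORD in data:
        findings.append("Wi-Fi password embedded in clear: treat the printed QR as a secret")
    return findings


if __name__ == "__main__":
    cert = b"constructed placeholder, not a real certificate"
    text = build_payload("com.example.dpc/.AdminReceiver",
                         "https://mdm.example/dpc.apk", cert)
    print(text)
    print(review_payload(text) or "no findings")
```

Encoding the JSON text into an actual QR image is left to whatever QR tool you already use; the point of the review step is that the payload decides which app becomes device owner, so its checksum, transport and any embedded Wi-Fi secret deserve the same scrutiny as an admin credential.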