Related
New to the Android platform. It's surprising how 'connected' they are. Apologies if this is the wrong forum. I'll be happy to post elsewhere or see this post moved.
I have an Epic 4G Touch.
I've been pondering the security and privacy aspect of these Android phones, and it seems to me that precautions are prudent, but I’m not exactly sure what precautions are necessary and how to put them into practice. I’m really not even sure what questions to ask. I’m very computer literate, so I guess that gives me a head start of sorts.
I guess complete privacy, information safety and anonymity is impossible, but I hope there is some sort of method that will allow as much as is available.
The questions below are examples of some of the questions I have.
Is there some sort of primer that covers these and other details that should be known?
Questions that occur:
1. What is the most secure way to purchase apps? How do the ‘savvy’ users handle this? And should they be purchased online or via the phone? What method of payment are most comfortable with?
2. Is it a bad idea to access other online accounts from the phone, or is it better to establish some sort of new account with a ‘credit limit’ or a low limit credit card?
3. I’m using a few of my ‘anonymous’ Gmail accounts on the phone. I’m not sure how much privacy this provides, given that the phone is in my name?
4. Are there practices that should be avoided (i.e., emailing my 'non-mobile’ accounts)?
5. After getting up to speed, I’ll likely be rooting. Any extra security precautions required? I guess an app like LBE Privacy Guard is warranted?
I suppose a good primer will cover much more. Thanks for any help .
Sam
I can't really help with the purchasing of apps questions, as I don't invest much money into apps, but I would definitely recommend LBE. It helps get your app permissions under control.
Sam Sung;19111758]New to the Android platform. It's surprising how 'connected' they are. Apologies if this is the wrong forum. I'll be happy to post elsewhere or see this post moved.
I have an Epic 4G Touch.
I've been pondering the security and privacy aspect of these Android phones, and it seems to me that precautions are prudent, but I’m not exactly sure what precautions are necessary and how to put them into practice. I’m really not even sure what questions to ask. I’m very computer literate, so I guess that gives me a head start of sorts.
I guess complete privacy, information safety and anonymity is impossible, but I hope there is some sort of method that will allow as much as is available.
The questions below are examples of some of the questions I have.
Is there some sort of primer that covers these and other details that should be known?
Questions that occur:
1. What is the most secure way to purchase apps? How do the ‘savvy’ users handle this? And should they be purchased online or via the phone? What method of payment are most comfortable with?
I do it via phone and bill to my phone bill.
2. Is it a bad idea to access other online accounts from the phone, or is it better to establish some sort of new account with a ‘credit limit’ or a low limit credit card?
I check my info with the banks application.
3. I’m using a few of my ‘anonymous’ Gmail accounts on the phone. I’m not sure how much privacy this provides, given that the phone is in my name?
Probably not much.
4. Are there practices that should be avoided (i.e., emailing my 'non-mobile’ accounts)?
I can't think of any shouldn't make a difference.
5. After getting up to speed, I’ll likely be rooting. Any extra security precautions required? I guess an app like LBE Privacy Guard is warranted?
Only security precaution I suggest is read perms. Lol
I suppose a good primer will cover much more. Thanks for any help .
Sent from my PC36100 using xda premium
First you need to decide how private you want to be.
Hiding your activity from Sprint for example would be fairly difficult. The ET4G is setup to route all internet traffic through sprint's proxies, you can change this (search the ET4g forums to find out how) but I'm certain that sprint could still monitor your activity if they wanted to unless you setup some kind of VPN which I don't even know if we can do on our phones.
Next up would be google, they make money by gathering information about you... so yeah if you want to hide from them your a tad limited since this is android. I guess you could just not associate a gmail account with the phone, but then whats the point of running android?
Personally I'm not insanely worried about the above two entities. What concerns me is the tons of random apps people load onto phones that have every permission granted you could think of. This is where LBE Privacy Guard comes into play and should be used regardless of rooting. Safest place to get apps is the official market, downloading cracked apps opens you up to who knows what.
Anyway thats my spiel
Sam Sung said:
New to the Android platform. It's surprising how 'connected' they are. Apologies if this is the wrong forum. I'll be happy to post elsewhere or see this post moved.
I have an Epic 4G Touch.
I've been pondering the security and privacy aspect of these Android phones, and it seems to me that precautions are prudent, but I’m not exactly sure what precautions are necessary and how to put them into practice. I’m really not even sure what questions to ask. I’m very computer literate, so I guess that gives me a head start of sorts.
I guess complete privacy, information safety and anonymity is impossible, but I hope there is some sort of method that will allow as much as is available.
The questions below are examples of some of the questions I have.
Is there some sort of primer that covers these and other details that should be known?
Questions that occur:
1. What is the most secure way to purchase apps? How do the ‘savvy’ users handle this? And should they be purchased online or via the phone? What method of payment are most comfortable with?
2. Is it a bad idea to access other online accounts from the phone, or is it better to establish some sort of new account with a ‘credit limit’ or a low limit credit card?
3. I’m using a few of my ‘anonymous’ Gmail accounts on the phone. I’m not sure how much privacy this provides, given that the phone is in my name?
4. Are there practices that should be avoided (i.e., emailing my 'non-mobile’ accounts)?
5. After getting up to speed, I’ll likely be rooting. Any extra security precautions required? I guess an app like LBE Privacy Guard is warranted?
I suppose a good primer will cover much more. Thanks for any help .
Sam
Click to expand...
Click to collapse
.
Thread moved to Q&A due to it being a question. Would advise you to read forum rules and post in correct section.
Failure to comply with forum rules will result in an infraction and/or ban depending on severity of rule break.
Thanks to all for your comments.
R1ptide said:
First you need to decide how private you want to be.
Hiding your activity from Sprint for example would be fairly difficult. The ET4G is setup to route all internet traffic through sprint's proxies, you can change this (search the ET4g forums to find out how) but I'm certain that sprint could still monitor your activity if they wanted to unless you setup some kind of VPN which I don't even know if we can do on our phones.
Next up would be google, they make money by gathering information about you... so yeah if you want to hide from them your a tad limited since this is android. I guess you could just not associate a gmail account with the phone, but then whats the point of running android?
Click to expand...
Click to collapse
I agree. Although I've always been very 'privacy centered', I've come to accept the reality that there is a compromise required here. It never occurred to me that I should worry about Sprint. The 'Big Picture' where Google is concerned is somewhat disturbing, but I suppose the (unacceptable) alternative is to throw away my android and limit all of my online activity.
At this point, I can safely say that I won't be tossing my Android unless I become a fugitive of justice .
However, I'm only willing to give up what I have to. The problem is, at my current level of experience, I'm not quite sure what that is. And that is the question I should have included in my OP:
If I want to protect my privacy, data, acounts, and all else to the greatest degree possible without giving up my Android (and still retaining the lion's share of functionality and features), how would I best accomplish that?
I do understand that common sense plays a large role here, and I'm not looking to overide that, but whatever practices, software, some kind of anonymous payment methods or whatever else that can provide the greatest degree of protection, privacy and anonymity without shelving all functionality is what I'm after.
Personally I'm not insanely worried about the above two entities. What concerns me is the tons of random apps people load onto phones that have every permission granted you could think of. This is where LBE Privacy Guard comes into play and should be used regardless of rooting. Safest place to get apps is the official market, downloading cracked apps opens you up to who knows what.
Anyway thats my spiel
Click to expand...
Click to collapse
I appreciate your well thought out response. As far as cracked apps, I apply the same caution here as I do to my computers. No questionable software or sites. No 'off the beaten path' practices unless thoroughly researched.
Where LBE is concerned...the Market description (and a thread I read in these forums) states that Root is required. Is that not correct?
Again, thanks for your (and any other) responses.
Sam Sung said:
Where LBE is concerned...the Market description (and a thread I read in these forums) states that Root is required. Is that not correct?
Click to expand...
Click to collapse
That is correct, and if you're getting at what I think you are, then yes, some people have a problem with this. It's hard accepting that LBE protects you from bad apps, while LBE itself has full access to every inch of your phone. That being said, I don't believe anyone has come up with any solid evidence that the app itself is harmful; people, however, can still be skeptics.
Without it, when you come across an app with a questionable permission, your only option is to not use the app. Every other permission blocker I've come across does so forcefully, which leaves the apps useless (force closes, etc). LBE, on the other hand, maintains the usability of the apps while still preventing them those permissions. In my opinion, it's a wonderfully helpful app. Your decision to use it may be different though, depending on your paranoia.
upichie said:
That is correct, and if you're getting at what I think you are...
In my opinion, it's a wonderfully helpful app. Your decision to use it may be different though, depending on your paranoia.
Click to expand...
Click to collapse
Well, actually, my question was based on the reality that I would be running it now if my phone was rooted (and the supposition that it will be pointless to install to an unrooted phone). I will be rooting this phone (Epic 4G Touch) eventually. The only reasons I haven't are:
1) This is my first Android phone and therefore I have no experience with rooting (still reading different rooting threads). I tend to research before I leap into something new.
2) I just don't have the time right now to troubleshoot if something goes wrong. And this phone is so incredible, I'd rather not be without it for any extended length of time (I use it as an 'appliance' rather than a phone...I have other phones for such menial tasks)
But I'm definitely convinced of the virtues of rooting, largely due to the app functionality. I also want to be prepared for the caveats. I'm not sure what they may be right now, but there must be some security risks.
Thanks!
Apps can be purchased via PC web browser at AppStoreHQ.
Gapps are optional. After rooting you could remove them or just those you don't need. Market is a tough one to live without, IMO.
If you don't plan to use your device for email then create a new email account specifically for the phone. Don't give it out. This will allow you to use the Market, etc.
Install Shark for Root + SharkReader to look at network traffic, or do it via router. Use hosts file to block google analytics etc. Routinely wipe the cache.
If you root install busybox and a terminal emulator and you can control the apps and system yourself. Everything LBE does you can do manually. Compile/install a kernel with tun.ko module and connect to a VPN. Or change DNS if you want. It's Linux, always keep that in mind.
My BIGGEST problem with Android is the lack of timely updates which include security patches. For this reason these devices are a security nightmare. Turn off WiFi, data, gps, Bluetooth when not using them. Disable install from unknown sources and debugging when not in us. Follow blogs that report on security issues and understand where you're vulnerable.
I'm security conscious as well and don't purchase or do banking with my phone. Sure it's convenient but it can wait until I get home. If someone is sniffing my traffic or should my phone be stolen I'm not scurrying to cancel credit cards and change passwords. This gives me the piece of mind I need to enjoy my smartphone. It also limits it, but I'm ok with that.
Turducken said:
Apps can be purchased via PC web browser at AppStoreHQ.
Click to expand...
Click to collapse
Is there a more anonymous payment method than standard CC?
Gapps are optional. After rooting you could remove them or just those you don't need. Market is a tough one to live without, IMO.
If you don't plan to use your device for email then create a new email account specifically for the phone. Don't give it out. This will allow you to use the Market, etc.
Click to expand...
Click to collapse
Actually, I have 3 gmail accts on the phone. One for market, one for clients, one for logins.
Install Shark for Root + SharkReader to look at network traffic, or do it via router. Use hosts file to block google analytics etc. Routinely wipe the cache.
If you root install busybox and a terminal emulator and you can control the apps and system yourself. Everything LBE does you can do manually. Compile/install a kernel with tun.ko module and connect to a VPN. Or change DNS if you want. It's Linux, always keep that in mind.
My BIGGEST problem with Android is the lack of timely updates which include security patches. For this reason these devices are a security nightmare. Turn off WiFi, data, gps, Bluetooth when not using them. Disable install from unknown sources and debugging when not in us. Follow blogs that report on security issues and understand where you're vulnerable.
I'm security conscious as well and don't purchase or do banking with my phone. Sure it's convenient but it can wait until I get home. If someone is sniffing my traffic or should my phone be stolen I'm not scurrying to cancel credit cards and change passwords. This gives me the piece of mind I need to enjoy my smartphone. It also limits it, but I'm ok with that.
Click to expand...
Click to collapse
Thanks, Turducken. This is really good information. All the more reason I need to get up to speed w/rooting so that I can batten down the hatches. I'm not quite sure how to use some of this info yet, but time and educating myself will remedy that.
One app I just ran across looks interesting (which I can't use until I root) is Logging Test.
It was originally written for HTC phones, but the paid version will support more devices.
Please consider this thread ongoing. Any information and/or links pertinent to security, data and privacy protection is enthusiastically welcomed!
Hey there,
I saw a couple of posts on the Internet regarding this new Tasker plugin. I was wondering how it really works, but couldn't find any detailed explanation on how exactly this works.
I'm a bit sceptical installing a Tasker plugin which can be controlled by any browser. Sure you have to know the shortened URL and you can define a password, but I don't see myself handing over control of my phone to a Tasker login lying around in the cloud somewhere.
Any insights?
https://play.google.com/store/apps/details?id=com.joaomgcd.autoremote.lite
This is the lite version if anyone is interested.
How to from pocketables
http://www.pocketables.com/tag/autoremote
Sent from my GT-I9300 using Tapatalk 2
AutoRemote developer here
Hi.
I'm AutoRemote's developer.
What exactly are your concerns over AutoRemote's security?
The way it works is, like you said, you control your phone from your own personal URL. You give that that URL to other people or keep it to yourself. The probability of someone finding that URL by chance is extremely low, and even if they do, they would have to guess which commands you configured on your phone.
Feel free to ask any questions and I'll try to answer them.
Hi,
thanks for taking the time to answer my questions. And I have to admit, I was a bit vague in my first post.
How does the communication between my desktop browser and my phone work? Let's say I defined a message and send it from my browser at work to my phone, which is on the mobile network. How does this work? Will the message be send from the PC to the phone? I don't know how that would work, as the ip I got from my ISP is behind a firewall and there is no way to directly reach my phone. This leaves two possibilities:
1. the phone has a constant connection to the server, like an ssh tunnel (http://autoremotejoaomgcd.appspot.com/?key), or
2. the phone itself checks for new messages on the server in regular intervals (again, http://autoremotejoaomgcd.appspot.com/?key)
1. battery will drain a lot, judging from my experience with ssh or VPN. Phone won't go into deep sleep.
2. Messages will be stored on the server.
I guess 2 is more likely, but then again, I could be talking out of my a**
My main problem with it though: Everything done via http://autoremotejoaomgcd.appspot.com/ is a black box for me. You could save all messages, including passwords and messages and this is a big problem for me. Don't get me wrong, but why should I trust you with this data when you could do all kinds of nasty things with the devices. Let's assume I made a message to remotely wipe my phone, you could do same, couldn't you?
I'm not saying you do these things, but I don't know you
I guess my guestion is, any way to host the middleman goo.gl/12345 and http://autoremotejoaomgcd.appspot.com/ myself?
If I'm wrong about these things, please feel free to correct me and thanks again for taking the time
Greetings
Thanks for the friendly message.
About the first part, the way it works is, the autoremotejoaomgcd.appspot.com page sends a message to Google which in turn sends a push notification to your phone.
That doesn't drain any more battery than it would otherwise, the connection to Google's servers to receive push notifications is always open anyway.
This is the same way you receive new email alerts or instant messages on other apps.
About the second part, yes, it's true. If I wanted, I could keep all your messages and resend them. I certainly DON'T do that, but why would you trust me?
Well, what I always say is, use AutoRemote for fun and non-dangerous stuff if you don't feel like trusting me. If you feel I'm not a bad guy (I already have lots of positive reviews on Google Play that show that I haven't done anything wrong), that by all means create a remote-wipe profile in Tasker.
Hope this helps!
Hey man,
Thanks for the explanation and sorry for the delay, but the last couple of days were pretty busy. Anyway, I still have a follow up question
I'm curious about the Google push notification feature you mentioned and I'd like to know how that works. I hope there is some sort of mechanism to prevent people from sending notifications to my device without my consent. If you could point me in the right direction in terms of documentation I would be grateful (well, I already am for your response )
I think I will give it a try and use incoming email for wiping device. Being able to disable my xmpp account on the tablet when phone leaves home would be a great feature. So, thanks again for your effort and your answer.
Have a nice day.
Hillbicks
Sent from my ASUS Transformer Pad TF700T using Tapatalk 2
Hi,
I know this is an old thread but wanted to jump in since the developer seems to be on this thread.
From a security perspective, a couple of suggestions:
Make both the Google Short URL and the URL that the Google Short URL directs to HTTPS. This would keep people on the local network from sniffing both your URL query string and password. Certificates appear to already be in place, so it's as simple as adding a character, assuming AutoRemote would allow it.
Use the password as a hash to encrypt the data being passed over the Google Servers. Process would look something like the below, and would ensure total security of the data being transmitted.
Web form uses client-side JS to encrpyt any data based on password
Encrypted data is BASE64 encoded to plain text
This string is sent through the notification engine of Google
When received, the phone uncodes the BASE64, then decrpyts using the password
Thanks,
Ben
Fmstrat said:
Hi,
I know this is an old thread but wanted to jump in since the developer seems to be on this thread.
From a security perspective, a couple of suggestions:
Make both the Google Short URL and the URL that the Google Short URL directs to HTTPS. This would keep people on the local network from sniffing both your URL query string and password. Certificates appear to already be in place, so it's as simple as adding a character, assuming AutoRemote would allow it.
Use the password as a hash to encrypt the data being passed over the Google Servers. Process would look something like the below, and would ensure total security of the data being transmitted.
Web form uses client-side JS to encrpyt any data based on password
Encrypted data is BASE64 encoded to plain text
This string is sent through the notification engine of Google
When received, the phone uncodes the BASE64, then decrpyts using the password
Thanks,
Ben
Click to expand...
Click to collapse
I'm with Ben here. I just installed Autoremote for testing and tried adding my linux box as a registered device. That implies entering a valid username and password for the linux box, and I'm guessing that both username and password are sent on the clear when sending a message from Autoremote to the linux box. This is a major security risk, and perhaps Ben's solution could be easily implemented...
I think Autoremote is a great idea with a great execution so far, just lacking the security component for our peace of mind!
Ivan.
There's lots of stuff you can do with autoremote that requires no security. I used it, like the pocketables guy, to spread alarms between two android devices. Lowers the risk of one device's alarm failing to go off, and I'm hard to wake up, so the more alarms the better. All I passed through autoremote was the time and the command the client needed to know what to do with the time. Security for such a transmission just isn't necessary.
Not that I am opposed to you guys getting your security, but I'd imagine it'd be a pricier functionality, and what exists now is for applications where security would be unnecessary.
fortunz said:
There's lots of stuff you can do with autoremote that requires no security. I used it, like the pocketables guy, to spread alarms between two android devices. Lowers the risk of one device's alarm failing to go off, and I'm hard to wake up, so the more alarms the better. All I passed through autoremote was the time and the command the client needed to know what to do with the time. Security for such a transmission just isn't necessary.
Not that I am opposed to you guys getting your security, but I'd imagine it'd be a pricier functionality, and what exists now is for applications where security would be unnecessary.
Click to expand...
Click to collapse
Not sure if anyone is still monitoring this, but I still think it would be really awesome to be able to do this without the need to loop through someone else's server.
Does anyone know of something that is out there that would allow one to do that?
--Ironhead65
ironhead65 said:
Not sure if anyone is still monitoring this, but I still think it would be really awesome to be able to do this without the need to loop through someone else's server.
Does anyone know of something that is out there that would allow one to do that?
--Ironhead65
Click to expand...
Click to collapse
Hi, as long as your sending device and the reciever (that may be another phone or a PC) are in the same network, there is a possibility to send the messages directly via WiFi. Also, messages can be sent by using Bluetooth.
So, as long, as your connected to the same network (what you usually are as long as you´re at home), or your devices are in the same room there is no need for external servers
Greetings!
@joaomgcd
Any news on that matter?
C0qRouge said:
@joaomgcd
Any news on that matter?
Click to expand...
Click to collapse
What part exactly do you mean?
thanks for taking the time! there are many interesting ideas in this thread.
* HTTPS <-- seems to be already in place
* Encryption of communication
* no private server, only direct connection or google as a relay
and to add: it would be nice to have a bit of documentation "behind the scene" to understand whats going on how the devices are communicating with each other.
C0qRouge said:
thanks for taking the time! there are many interesting ideas in this thread.
* HTTPS <-- seems to be already in place
* Encryption of communication
* no private server, only direct connection or google as a relay
and to add: it would be nice to have a bit of documentation "behind the scene" to understand whats going on how the devices are communicating with each other.
Click to expand...
Click to collapse
+1 to direct communication, as in LAN communication ONLY
Two devices both running tasker/autoremote, able to communicate with one another on the same network, without being routed outside the network.....ever
Whether thats feasible, ....i dont know
I also like the encryption bit
Ladies and Gentlemen,
I am opening this discussion in order to not only receive some high-quality answers on the following questions, but also to learn what everyone does in order to ensure security and integrity of Apps on their phones (especially when working in environments where attacks are likely or possible due to intersting files on the phone or similar).
Here is my question: Let's suppose a phone is ROOTED, is locked with a Pattern, is updated daily, has TitaniumBackup installed, runs Trust as well as an Antivirus App and on top of that, installed Apps are monitored in a regular basis through TitaniumBackup. Is it even possible for law enforcements or hackers to install malware? If so, what would be necessary for them to do so? Physical access? Malformed Apps with matching signature? Other types of attacks (encouraging @He3556 the owner of Smartphone Attack Vector to chime in)?
Second question (hope @jcase can answer this): What would be the best way of preventing attacks of afforementioned groups and alike? What do YOU personally do?
SecUpwN said:
Ladies and Gentlemen,
I am opening this discussion in order to not only receive some high-quality answers on the following questions, but also to learn what everyone does in order to ensure security and integrity of Apps on their phones (especially when working in environments where attacks are likely or possible due to intersting files on the phone or similar).
Here is my question: Let's suppose a phone is ROOTED, is locked with a Pattern, is updated daily, has TitaniumBackup installed, runs Trust as well as an Antivirus App and on top of that, installed Apps are monitored in a regular basis through TitaniumBackup. Is it even possible for law enforcements or hackers to install malware? If so, what would be necessary for them to do so? Physical access? Malformed Apps with matching signature? Other types of attacks (encouraging @He3556 the owner of Smartphone Attack Vector to chime in)?
Second question (hope @jcase can answer this): What would be the best way of preventing attacks of afforementioned groups and alike? What do YOU personally do?
Click to expand...
Click to collapse
Pe rooted, with common rooted apps installed? Would be easy to compromise that phone, as you have already done it for them.
Use a stock firmware, chose a vendor with a recent history of good security (Samsung, nexus, motorola in that order imo), keep it up to date, reduce the number of apps you run, don't root it. Disabled usb debugging.
jcase said:
Pe rooted, with common rooted apps installed? Would be easy to compromise that phone, as you have already done it for them.
Use a stock firmware, chose a vendor with a recent history of good security (Samsung, nexus, motorola in that order imo), keep it up to date, reduce the number of apps you run, don't root it. Disabled usb debugging.
Click to expand...
Click to collapse
Thanks for answering. So that means, in short words, buy a phone and only update official stuff. How boring, I wouldn't be here on XDA then! But I get your point. I'm especially interested in the question of detection. If such agencies have installed anything that would leak data (and I'm sure it's fairly easy to do for them), how would they hide that specific App from the list of TitaniumBackup? Also, how would they trick the Trust Even Logger created by @Dark3n to not show any installation?
Most importantly though, is there some way of detecting such installations or manipulations afterwards?
There is growing so called "Zero-Day-Exploit" Industry, with names like vupen or FinFisher , the one who are working for the German Gov. but also for countries like Saudia Arabia and Iran. They know how to find exploits, nobody knows about (zero-day) and program trojans for all kinds of platforms. So antivirus software can't help here. And it is easy to bypass security if you know one of the bugs - and we know there are many of them in firmware, operating systems, plugins, frameworks and so on... Beside this "white" marked there is also a grey and black marked. So if you need to track your woman or steal information from other companies, you will find somebody with a tool for that, i suppose.
You would need a "Intrusion Detection Software" - sorry but this won't work for Smartphones, because there is a lot of calculation, data and energy needed - you find this special hardware in big data centers.
Do not root and do not install Apps you don't really need is still a good advice, specially when people don't know so much about all this.
Another way to sneak in is to compromise the users pc, that is (maybe) connected to the phone sometimes (work with iphone sync but also with android to change DNS and get SMS with e-tan's - you will find more info it in the media)
Or if you have the "power" you can can use the cloud services (iOS, Google, Windows or other 3rd party services) to steal user data (sms, pictures, GPS history...) or just let it sync the malware to the phone. So you don't have to break in directly.
What would be the best way of preventing attacks of afforementioned groups and alike?
Click to expand...
Click to collapse
tomorrow i will have time, there are to many possibilities
Thanks for clarifying, @He3556!
Now I know that phones in general are hard to lock down for such agencies. Time to quote myself:
SecUpwN said:
Most importantly though, is there some way of detecting such installations or manipulations afterwards?
Click to expand...
Click to collapse
Hey @He3556, if you've been following security news the past weeks, this topic here is becoming more relevant with each revelation. Since the trojan-coding company FinFisher has highly likely been hacked and some cool whisteblowers are publishing very sensitve data like price lists and handbooks on their Twitter account GammaGroupPR, more details of their secret software FinSpy Mobile is being revealed. And this is exactly the type of software that I am talking about here in this thread. I want to know how users can protect themselves from crap like that. According to the video that has been leaked, It is being installed through a fake update, or even through messages via E-Mail to "please" install this "very important update":
And just to make everyone more curious, FinSpy Mobile has been leaked on Twitter! It obviously works for all operating systems, including Android, Blackberry, Windows Mobile, and Symbian. Another trophy is source code of FinFly Web, which found its way the code hosting platform GitHub. It is designed to provide remote and covert infection of a Target System by using a wide range of web-based attacks. FinFly Web provides a point-and-click interface, enabling the Agent to easily create a custom infection code according to selected modules. Target Systems visiting a prepared website with the implemented infection code will be covertly infected with the configured software. Regarding FinSpy Mobile and similar software: How would law enforcements possibly attack a cautious member of XDA (or any other site)? I mean, people that have been in the field of flashing new ROMs, updating their firmware and recovery themselves, not installing strange APKs sent via E-Mail and controlling installed Apps through TitaniumBackup should be somewhat immune to such type of attacks, right?
It appears to me as if their software might work for the general masses, but highly-likely not on people like @jcase or other Android security-gurus. Since I linked you, I'd be very happy if you could expand on that a little. I am sure such companies might even have the possibility of messing with the baseband of a target phone through only knowing the phone number of a target. But I am really curious what their "standard procedure" is if they face a target with thorough Android knowledge, maybe even a security-enthusiastic Android developer. Wouldn't their only option be to manually manipulate the handset?
There are two methods to keep away all kinds of trojan and malware...
1. use a SIM with data connections only: There are SIM cards on the marked you can use in a USB Stick for Notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
2. Web browser, Apps, e-mail client and all other connection must be use VPN.
But there is one more stepp to take.
The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But i am sure there are more projects about this out there...
He3556 said:
There are two methods to keep away all kinds of trojan and malware...
1. use a SIM with data connections only: There are SIM cards on the marked you can use in a USB Stick for Notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
Click to expand...
Click to collapse
I know this works, but the only guy who is so insane and is already doing that is probably @InvaderX.
Honestly, what's the purpose of a phone if I can't receive SMS and call anyone without internet connection?
He3556 said:
2. Web browser, Apps, e-mail client and all other connection must be use VPN.
But there is one more stepp to take.
The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But i am sure there are more projects about this out there...
Click to expand...
Click to collapse
Better yet: Living under a rock should solve all these problems. Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month? From the things you mentioned as for protection, I highly doubt that I'll move that way. And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher. But talking about this makes me wonder: It seems as if the probability is high that most of the time they are selling a fake update to the target. Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?
Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events(which is how Trust monitors most things).
It is just not build to withstand such attacks.
SecUpwN said:
Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed
Click to expand...
Click to collapse
Maybe? But there are much easier ways if it is not desired to target specific persons.
I'll brain storm a bit for you:
I would divide the attack vectors into those that work with root and those that don't.
Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.
If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basicly do what the hell he wants.
While not using a rooted device would certainly make it more difficult to do malicious things, it's doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.
Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?
Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains it's original functionality.
Want a botnet?
Inject malicious code into a popular root up that is paid, crack it and upload it somewhere.
While this more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already aquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.
A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other apps uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.
Now those are all ways to target a broad mass of users.
If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
- My favorite plan yet, making a popular app themselves that they know you will try
It is usually never impossible, just a matter of resources and whether its unfeasible to spend so many resources on that goal.
edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufactor either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution... There could also be compromising hardware built in, but now I'm really climing up the tinfoil tree, but as recents new story suggest that the NSA is intercepting hardware packets from manufactors such as cisco to modify them, what's really impossible?
TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.
edit2: More specific answers to your questions.
You might be able to monitor files changes on an a system level, but if your attacker gains highlevel priviledges, what keeps him from changing the monitoring system?
SecUpwN said:
Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month?
Click to expand...
Click to collapse
How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.
SecUpwN said:
And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher.
Click to expand...
Click to collapse
This is the thing, with enough resources, there is always a way.
SecUpwN said:
It seems as if the probability is high that most of the time they are selling a fake update to the target.
Click to expand...
Click to collapse
Exactly disguising as something legit is the cheapest way, "trojan horse".
SecUpwN said:
Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?
Click to expand...
Click to collapse
I don't know any surefire way to detect this. The issue is that with enough priviledges (which can be gained without authorization, zero day exploits are worth a lot money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
Whoa, this has to be the longest answer I've received since registering here. Huge thanks! Grab a coffee..
Dark3n said:
Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events(which is how Trust monitors most things).
It is just not build to withstand such attacks.
Click to expand...
Click to collapse
Ok, fair. Will keep it anyhow.
Dark3n said:
Maybe? But there are much easier ways if it is not desired to target specific persons.
I'll brain storm a bit for you:
I would divide the attack vectors into those that work with root and those that don't.
Click to expand...
Click to collapse
Just to mention it here: An awesome site to see which attack vectors and vulnerabilities exist is Smartphone Attack Vektor by @He3556.
Dark3n said:
Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.
If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basicly do what the hell he wants.
Click to expand...
Click to collapse
Ok, I get the point. Also like @jcase already pointed out: If we root, we pwn ourselves. And if we don't, too.
Dark3n said:
While not using a rooted device would certainly make it more difficult to do malicious things, it's doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.
Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?
Click to expand...
Click to collapse
I only install trusted Applications.
Dark3n said:
Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains it's original functionality.
Click to expand...
Click to collapse
Guess if I use the F-Droid Store I should be pretty safe, right? But don't worry, I don't rely on it - as for me, smartphones are huge bugs with touchscreens. That is why I also built a phone signal blocking pouch for myself and friends. Further good recommendations can be found on the bottom of my GitHub.
Dark3n said:
Want a botnet?
Inject malicious code into a popular root up that is paid, crack it and upload it somewhere.
While this more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already aquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.
Click to expand...
Click to collapse
Actually, no. I already have two or three. Or maybe even four?
Dark3n said:
A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other apps uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.
Now those are all ways to target a broad mass of users.
Click to expand...
Click to collapse
Good to know we've come to an end here. Reading all this makes me want to throw my phone out of the window.
Dark3n said:
If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
Click to expand...
Click to collapse
I DON'T use public hotspots. Why? Because you can be almost certain that stuff will be logged and analyzed once you use that. Over here in my town, we've got a HUGE Apple Store. And guess what - FREE WIFI for everyone! Yeyyy... not.
- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
You are right, threats against family, friends and relatives are a no-go. If I remember correctly, something similar had happened to my beloved XDA developer @idcrisis who invented CrossBreeder. He left development of his toolset because starnge things occured in his life which he linked to his development. Shortly after leaving his project, he proposed a new license: The Aware License. Hope this guy is still living a happy life, though. Added to the above security-issues: Trust NOONE! How come? Well, just read this stunning story I discovered yesterday where a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet adn surfing cat videos. ^^
Dark3n said:
- My favorite plan yet, making a popular app themselves that they know you will try
Click to expand...
Click to collapse
I don't quite get what you meanb by that. Please clarify, it sounds interesting.
Dark3n said:
It is usually never impossible, just a matter of resources and whether its unfeasible to spend so many resources on that goal.
Click to expand...
Click to collapse
The way I see it: The only thing that we have no real access to, is the baseband. I am sure that these are full of backdoors and switches for agencies that they just need to trigger - just like the Samsung Galaxy Backdoor discovered by Replicant.
Dark3n said:
edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufactor either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution...
Click to expand...
Click to collapse
Nope, I don't trust the manufacturer either. And I am SICK of bloatware! hence, I am a happy user of AOKP since several years - but regarding the binary blobs, I would certainly love to try out Replicant (sadly not yet available for the HTC One).
Dark3n said:
There could also be compromising hardware built in, but now I'm really climing up the tinfoil tree, but as recents new story suggest that the NSA is intercepting hardware packets from manufactors such as cisco to modify them, what's really impossible?
Click to expand...
Click to collapse
Nothing is impossible, everything can be done. A wise man once said: Everything you can imagine, will happen.
Dark3n said:
TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.
Click to expand...
Click to collapse
Good advice, I already do follow that one. As already said, if I were a spy company, I'd just team up with manufacturers of basebands..
Dark3n said:
You might be able to monitor files changes on an a system level, but if your attacker gains highlevel priviledges, what keeps him from changing the monitoring system?
Click to expand...
Click to collapse
Highly-likely nothing. I already know that there is not much I can do to prevent them to get in, but at least I do want to detect them - and having such a detection mechanism raises the bar in disguising their actions even further - and who knows, maybe they're not interested anymore then?
Dark3n said:
How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.
Click to expand...
Click to collapse
Not much.
Dark3n said:
This is the thing, with enough resources, there is always a way.
Exactly disguising as something legit is the cheapest way, "trojan horse".
Click to expand...
Click to collapse
Absolutely right. But what I am really curious of: How do people from the security-community really protect their phones? Do you have friends that are using their phones to just communicate via VPN and VOIP, not sending SMS and never calling people? Perfect place for @InvaderX to chime in, he told me before to really do a combination of that approach.
Dark3n said:
I don't know any surefire way to detect this. The issue is that with enough priviledges (which can be gained without authorization, zero day exploits are worth a lot money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
Click to expand...
Click to collapse
Sigh.. mobile phones are a total threat to humanity, I get it..
At least I am not the only one paranoid about this kind of thing. LOL
lostangelintx said:
At least I am not the only one paranoid about this kind of thing. LOL
Click to expand...
Click to collapse
It doesn't have much to do with "Paranoia". The very reason you started to care about this, is because phones are in fact very insecure devices - most people just don't realize or care about it. Another very interesting thread I found lately: Android Security for Conscious Mind.
a tool against 0-day exploits
don't freak out to early - this tool is only for windows desktops.
But at least it shows how it could work for mobile devices, too.
It is called Enhanced Mitigation Experience Toolkit (EMET 5.0) ...is a utility that helps prevent vulnerabilities in software from being successfully exploited.
These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.
SSL/TLS certificate pinning - This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).
Ok, they do not guarantee 100% security - but who could? Even this software comes from Microsoft, it's still a good solution and closes the gap between anti-virus, firewall and keeping your software updated.
Here is a test from 2010 (EMET 2.0) http://www.rationallyparanoid.com/articles/emet-testing.html
And one of 2014 http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/
Does anybody know a APP for Android, iOS, WP8 or BB?
Just a small side note:
In regard to device security vs. rooting.
There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers experience and knowledge to keep malware out of AOS, and you phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better, than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
I trust neither the ODMs, nor the custom roms. However I KNOW the average custom rom is just as if not MORE vulnerable than current stock roms, add su into the mix and it is without a doubt more vulnerable. Show me a custom rom dev that claims he ships a secure firmware, and I'll show you someone ignorant of the facts. Ask most of them what CTS is, and they will look at you like you are referencing 18th century medical terms.
That is my stance. In regards to root making a device more vulnerable, I can back that statement time and time again. From key compromises of the superuser apps, to vulnerabilities in the app, to vulns in the su binaries, to vulns in apps that typical make su requests, to stupid users who will grant it to anyone. Having any access point to "root" makes turning a small vuln to a complete compromise relatively easy.
E:V:A said:
Just a small side note:
In regard to device security vs. rooting.
There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers experience and knowledge to keep malware out of AOS, and you phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better, than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
Click to expand...
Click to collapse
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.
To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.
Reading all this, it makes me wonder if the antivirus apps help at all..
stefeman said:
Reading all this, it makes me wonder if the antivirus apps help at all..
Click to expand...
Click to collapse
Let's put it this way.
In 6 years of heavy 24/7 PC use, my anti-virus have prevented me from a "possible" remote exploit exactly once, while having annoyed me with lengthy uninterruptible scans and ignoring my ignore settings about a 1000 times, due to adware and various other false positives. Then only god knows how many different countries governments are already present in my PC. Go figure. And yes, I have tweaked every possible setting and tried multiple well know AV's.
Forget AV's and get a good FW and with a well tuned host file, and well tuned common sense.
E:V:A said:
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.
To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.
Click to expand...
Click to collapse
Really, I dont want to do this again, this conversation.
Most stupid people don't realize they are stupid, they assume they are smart. (We are all stupid in some regards).
I think I could endanger a user from root, pretty sure I can either screw the phone up, or possibly catch it on fire. If it had a sim in it, and was on the network I am certain I could make them regret ever rooting their device.
Here is a question, how many of you understand how these unlocks/exploits work?
I sometimes leave messages hidden in mine, and have only had ONE person reply to the hidden message, out of 100,000s of runs. People don't even know what they are running to gain root, let alone any idea what these "rom devs" do.
Open source is the answer right? Everyone can read the code, and everyone does! Thats why no backdoors or vulns have ever been in open source projects. Every open source project gets a line by line audit by a team of security professionals.</sarcasm>
I'll join back in when someone shows me a custom rom/open device that has the same or better security precautions taken by leading ODMs. Until then, it is generally just as easy or (generally) easier to abuse and exploit one of these custom roms floating around.
stefeman said:
Reading all this, it makes me wonder if the antivirus apps help at all..
Click to expand...
Click to collapse
Won't help a lick for anything originating from a government.
Hello,
I'm looking for a tool that will allow me to control and observe my daughter's phone. I'm very worried about her since she is hanging out with very suspicious people who are also using drugs.
I want to be able to observe and control her phone remotely so that I'll be able to watch over her.
I'd prefer it if it wasn't something that could be deleted (or detected) after the phone will be wiped for some reason (though I doubt my daughter knows how to do it).
Maybe something that will use ROOT?
Thanks so much in advance.
First be very careful on what you are doing. There are laws protecting their privacy. Yes even from their parents. As a father I also looked into it more for location then anything else.
As for what you want. Not completely no. Monitor yes but not control. These tools are not available to the public and are illegal in most places in the world outside of government use.
^^This.
Thread closed.
I've search for information on this but have found nothing so I thought I'd post my findings here and see if anyone has anything to add/correct.
I've been setting up firewall blocking on my router using ASUSWRT-Merlin with Skynet firewall. I decided to block a whole bunch of countries that I deemed unnecessary/risky for security, including China.
Turns out, blocking China prevents AirDroid from working - it can't even log in.
Checking the log shows a bunch of domains that Skynet is blocking (stat.airdroid.com, stat3.airdroid.com, stat-push.airdroid.com, us-east-7-data.airdroid.com, us-east-8-data.airdroid.com, srv3-clb.airdroid.com, id4-clb.airdroid.com; possibly others). Telling Skynet to unblock these domains results in it responding with "Element cannot be deleted from the set: it's not added" (i.e. they're not blocked).
Removing China from the blocked countries list allows AirDroid to work.
Now this is where things get interesting, and how I figured out the China-wide blocking was causing this issue. In the log file that Skynet stores on the inserted USB drive, "skynet.log", it shows the IPs that these connections were trying to make. All of them are owned by Tencent (there were two prominent ones, but the entire range beginning with "49.51." is owned by them) - specifically, these are for TencentCloud (I assume those are their cloud services, like Azure or AWS or such).
Also, the three MAC addresses dealing with the Tencent IPs are my Note 9, Galaxy Tab A8 and my MacBook - the only three devices on which I run AirDroid.
I'm sure most people won't really care on what servers AirDroid are hosting, but personally, I'd rather not have any connections made to or from Tencent IPs if possible, especially considering how often AirDroid appears to be phoning home. This worries me, especially since this doesn't appear to be public knowledge. The only inconsistency is that a whois lookup shows AirDroid's host is GoDaddy, so how exactly Tencent is involved, I'm not sure... but they are.
If I'm mistaken about this, please feel free to correct me - I'd be happy to be wrong, frankly -, but based on what I'm seeing and the blocking/unblocking I've tried, it appears, at least for now, that this is true.
Guess I'll have to start looking for an AirDroid alternative, because this is unacceptable to me.
Attached are some screenshots of my logs with MAC addresses and personal IPs redacted in case anyone is curious. Yes, I realise the dates are different - I didn't realise I'd screencapped yesterday from the log until after I had edited the images, but the data is pretty much identical to the data from today.
Best I can tell, the Tencent IPs definitely coincide with AirDroid trying to log in and authenticate (and failing at the time because China was still blocked).
Thanks for this info, I was already having my doubts about Airdroid.
No problem. I'm glad someone found it useful. Nobody else seems to be talking about it, which bothers me.
If nothing else, Tencent's servers are being used for Airdroid's authentication servers.
Not sure why it is such an issue really? I mean it is not like other services that use servers tell me where they are routing anything. I would be more worried that there is basically no information about the company that runs the project.
wangdaning said:
Not sure why it is such an issue really? I mean it is not like other services that use servers tell me where they are routing anything. I would be more worried that there is basically no information about the company that runs the project.
Click to expand...
Click to collapse
Because not every company routes your information through Chinese servers which, in this case, could have a large amount of access to your linked devices. Tencent is not a trustworthy company. This could potentially mean that, if they wanted to, the Chinese government could access a lot of your data through AirDroid.
Now, obviously that's not guaranteed, but I still wouldn't trust it.
Then again, there's a reason I try to stick to FOSS software as much as possible. AirDroid was convenient for a while but I don't use it now.
Besides, your reasoning for this not being "such an issue" is "others are shady too". That... doesn't actually make it any better. Plus we know that companies like Google, for example, mine your data anyway, whereas this seemingly innocuous application that I've seen readily recommended by many people is a lot more obfuscated (probably because it's a smaller app).
That, and I haven't found many apps and sites from personal usage that my firewall setup blocks, so this one absolutely stood out like a sore thumb.
I don't want anything to do with Tencent and I know other people feel the same way as me. More importantly, I shared the information to hopefully learn more and, more importantly, let other people know in case they care.
TankedThomas said:
Because not every company routes your information through Chinese servers which, in this case, could have a large amount of access to your linked devices. Tencent is not a trustworthy company. This could potentially mean that, if they wanted to, the Chinese government could access a lot of your data through AirDroid.
Now, obviously that's not guaranteed, but I still wouldn't trust it.
Then again, there's a reason I try to stick to FOSS software as much as possible. AirDroid was convenient for a while but I don't use it now.
Besides, your reasoning for this not being "such an issue" is "others are shady too". That... doesn't actually make it any better. Plus we know that companies like Google, for example, mine your data anyway, whereas this seemingly innocuous application that I've seen readily recommended by many people is a lot more obfuscated (probably because it's a smaller app).
That, and I haven't found many apps and sites from personal usage that my firewall setup blocks, so this one absolutely stood out like a sore thumb.
I don't want anything to do with Tencent and I know other people feel the same way as me. More importantly, I shared the information to hopefully learn more and, more importantly, let other people know in case they care.
Click to expand...
Click to collapse
I would like to know what exactly makes tencent untrustworthy. I use them for banking daily, so would like to be informed.
wangdaning said:
I would like to know what exactly makes tencent untrustworthy. I use them for banking daily, so would like to be informed.
Click to expand...
Click to collapse
The fact that they give your data to the Chinese government should be all you need to know to deem them untrustworthy - Tencent and similar companies collect a lot of your data (often illegally).
If you don't believe me, look it up - most of (if not all, though that has yet to be conclusively proven, but it's not much of a stretch) the tech giants in mainland China are in the pocket of the Chinese government.
Frankly, I value my privacy too much to deal with such a company, and using them for banking sounds like a bad idea to me.
Here are some sources that I pulled up quickly, but there's plenty more of these around the web:
https://www.wsj.com/articles/chinas...ping-the-government-see-everything-1512056284
https://www.scmp.com/tech/article/2...-your-data-when-you-use-chinese-messaging-app
https://fossbytes.com/xiaomi-and-tencent-illegal-data-collection-china/
https://freedomhouse.org/blog/worried-about-huawei-take-closer-look-tencent
The best they get is a slap on the wrist (and sometimes only for the sake of publicity), then they continue on with these practices.
And that's to say nothing of the censorship in which they engage.
TankedThomas said:
The fact that they give your data to the Chinese government should be all you need to know to deem them untrustworthy - Tencent and similar companies collect a lot of your data (often illegally).
If you don't believe me, look it up - most of (if not all, though that has yet to be conclusively proven, but it's not much of a stretch) the tech giants in mainland China are in the pocket of the Chinese government.
Frankly, I value my privacy too much to deal with such a company, and using them for banking sounds like a bad idea to me.
Here are some sources that I pulled up quickly, but there's plenty more of these around the web:
https://www.wsj.com/articles/chinas...ping-the-government-see-everything-1512056284
https://www.scmp.com/tech/article/2...-your-data-when-you-use-chinese-messaging-app
https://fossbytes.com/xiaomi-and-tencent-illegal-data-collection-china/
https://freedomhouse.org/blog/worried-about-huawei-take-closer-look-tencent
The best they get is a slap on the wrist (and sometimes only for the sake of publicity), then they continue on with these practices.
And that's to say nothing of the censorship in which they engage.
Click to expand...
Click to collapse
If privacy was your main concern you would never use an app that routes your data through a third party without encryption. It is clear your goal is to take a shot at a company that is not even in control of the app you are complaining about. Lets see, your news list says, Xiaomi, Huawei, Tencent, and Chinese. How interesting.
By all means protect your privacy. I know I do and I use all three companies and many more products from the country. I hate that tencent knows when I get a latte though :silly:
wangdaning said:
If privacy was your main concern you would never use an app that routes your data through a third party without encryption. It is clear your goal is to take a shot at a company that is not even in control of the app you are complaining about. Lets see, your news list says, Xiaomi, Huawei, Tencent, and Chinese. How interesting.
By all means protect your privacy. I know I do and I use all three companies and many more products from the country. I hate that tencent knows when I get a latte though :silly:
Click to expand...
Click to collapse
It is clear your goal is to defend a bunch of Chinese companies known for handing data over to the Chinese government.
The fact that you are purposely trying to portray me in a specific way to fit your narrow-minded view instead of being concerned about how and where data goes (and for the record, I care about where my data goes in general, but most people around here are already well aware of where data for companies like Google and Apple goes, but not for an app like this) is frankly ridiculous.
If you don't care about this (which you clearly do not), then kindly leave this thread and don't return. I posted this thread to let people who despise Tencent and their business practices know about AirDroid's involvement, and to see if anyone had more information. I did NOT post this thread for you to come along and defend Tencent's honour. Enough garbage companies already do that, and they've added as much to the discussion of privacy as you have (i.e. absolutely nothing of value).
Great concerns, for sure. Thanks for your input.
I tried the app, quickly isolating it from the WAN, and running with Xprivacy of course. Luckily, HTTPS local connection only is possible. I wouldn't sign up in this type of app and i wouldnt use the barcode reader to connect to WAN. Rendered LAN web app contacts chinese servers on the PC, but reviewing content it looked fine in a quick check.
The app seems chinese, it's giving me one notification bar in chinese, and rest of translations are chinglish. I don't say it's neccessarily wrong, i just want to know if this is an open source app to trust it. Otherwise, i will keep running it in strict LAN mode.
Now about the functionality, I like Synology/Windows like UI. So cool!
Contacts/Call log/messages/ringtones/apps work.
Mirroring and Camera worked once. There's some strange checkbox "Don't show again" to click on (?) in Mirroring settings which doesn't work. Update: Camera worked again once switching back to HTTP.
Files/Music/Pictures/Videos don't work at all, even the android app cannot see files. No clue why.
Notifications are shown again on HTTP, however they're not displayed by the browser AND they simply disappear later. No actions also. So unless you 're currently in the tab, you won't notice anything.
I struggle to find a use case for this.
* Mirroring isn't interactive - so together with Camera it's a very infrequent function to use. I'd rather have an interactive mirroring like MobilEdit (if i remember correctly), what a great app it was. Or a Dex type of desktop where you can really interact with the android.
* Messages is showing "SMS", which is something obsolete for me, using alt messenger with secure repository (not the standard unsafe android one). SMS and calls are dead to me long time ago, but i'd have been happy about possibility to reply a decade ago, definitely!
* The last resort is notifications, that'd save some time if implemented well, with history. But it's not.
* One more thing on my mind is ability to send APK to phone, ok.. but it's again a rare task, i wouldn't run this background service for this purpose if i can send the APK via bluetooth...
I look for an app that let me get rid of USB cable for sharing photos or musik between PC and phone.
Sorry if I didn't understood the whole elaboration, but isn't this not just a point to point connection? I wouldn't like that others have access to it.
Or is it about other services?
is this the same Airdroid that has been around for like 10 years now?