Database Info

[Q] Info on Android bug 8219321 (Android Master Keys)?

Hi All,
Has anyone gotten any details of Android bug 8219321 being discussed in the media? That's the Android master key talk coming up at Black Hat. AOSP bugs reporter is not showing any information (http://code.google.com/p/android/issues/list).
I'm wondering if the platform builders are using the default keys. Marko Gargenta discusses the four default keys briefly in http://www.youtube.com/watch?v=NS46492qyJ8. (Excellent video, btw).
Are there any controls we can place to mitigate the possible threats (assuming they are threats)?
Jeff

noloader said:
Hi All,
Has anyone gotten any details of Android bug 8219321 being discussed in the media? That's the Android master key talk coming up at Black Hat. AOSP bugs reporter is not showing any information (http://code.google.com/p/android/issues/list).
I'm wondering if the platform builders are using the default keys. Marko Gargenta discusses the four default keys briefly in http://www.youtube.com/watch?v=NS46492qyJ8. (Excellent video, btw).
Are there any controls we can place to mitigate the possible threats (assuming they are threats)?
Jeff
Click to expand...
Click to collapse
From everything I have read, this 'bug' won't really affect anyone unless somebody manages to get malicious code onto your Android device. Therefore, the best way to limit the risk is to only install reputable apps from the Play Store - don't use other dubious sites or .apk copies, don't install brand new, unproven apps etc.

SimonTS said:
From everything I have read, this 'bug' won't really affect anyone unless somebody manages to get malicious code onto your Android device. Therefore, the best way to limit the risk is to only install reputable apps from the Play Store - don't use other dubious sites or .apk copies, don't install brand new, unproven apps etc.
Click to expand...
Click to collapse
Thanks, I've been reading that stuff too. From http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/:
Device owners should be extra cautious in identifying the publisher of the app they want to download.
Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.
This advice is useless. For example, "device owners should be extra cautious in identifying the publishers [sic]." The code signing model using self signed certificates does not lend itself to identifying anyone. The relationship that exists is between Google and the publisher; and does not extend to the user. The only thing self-signed certificates ensures is that an app can only be updated by the same author. Even Apple or Microsoft's PKI and code signing model do not make those guarantees (read their CPS'es some time).
Below is from Nikolay Elenkov in an off-list reply. Nikolay does excellent work with Android security (http://nelenkov.blogspot.com/), and can be often found hanging out on Android Security Discussions (https://groups.google.com/forum/#!forum/android-security-discuss).
They are using the 'master key' phrase to hype this up, but this has nothing to do with keys. This is related to the way Android verifies APK (JAR) signatures. A specially crafted APK can be repackaged without invalidating the original signature....
Click to expand...
Click to collapse
Jeff

A General Warning about flashing Unknown Roms

Hi.
I recently came across some chinese / asian websites which kang / modify and release a diversity of roms.
I'm not specifying sources / which roms are, this is a general announcement to be careful with what we download & flash into our devices, and why ?
I flashed in order to test some of these roms (not the sense 5 kang tho), since I work in network security, I had noticed on our firewall logs when my mobile connected through the wifi, a bunch of UDP requests / DNS queries to russian websites. This can be used to botnets, DoS, even malware / spam propagation (a diversity of not cool stuff, basically).
A colegue of mine which also has a 'droid had once an app which sent repeatedly ICMP requests in "not random" but specific hours / intervals, he asked me to test his rom which he downloaded and flashed from "another" website, and I confirmed the suspicious behavior. There was established connections to foreigner addresses through a diversity of protocols, data being sent / received and at times, a udp flood directed to specific addresses. This is bad, my friends.
We don't know what these roms have inside, what's their mechanism besides the standard transparent operations which most of us are familiar with, and they could be very well used to do illegal things which I guaranty we don't want to be part of.
Flashing a rom, connecting through 3G or Wifi, and then our mobile is now part of a botnet which participates without our knowledge on such illegal operations is just one of the things that could happen. Phishing is also very possible - in other hand, a lot of things are possible without our knowledge and consent. We don't want this do we ?
The last Rom which I have experienced this, the link was removed and is no longer online. So i'm not pointing URL's / Rom names because this is something that each one of us has to be careful about.
Fortunately we have ways to detect / avoid / remove and make sure our device is used only for us and does only what we "tell" it to do.
We can use this thread to report such roms (since they're not published on xda, we can only warn each other and be aware) and applications that have malicious content.
I'll also be updating this thread with methods, applications for android to detect malware / suspicious activities (I'm not going into depth like using a sniffer or protocol / packet analyzer (although we can) I'll try to keep as simple as possible.
Suggestions, reports are very welcome and should be reported here. We can use this thread to protect our droids and help each other making our devices secure.
This post has the intention of protecting ourselfs, but privacy tips / applications are also welcome. Be careful tho, would be ironic to suggest an app to protect user privacy and in the end the app itself sends private data to GodKnowsWhere.
To be continued / Updated Soon.
List of Applications to monitor / analyze traffic:
Netstat Professional - Allows you to see what connections your android has established. Allows whois info, Real time IP / Port and status information (pretty much like netstat -an), and what service is running / port information.
Wi.cap. Network Sniffer - Much like a network protocol analyzer / network sniffer. This neat app allows you to see what connections are estabilished / protocol / status / analyze packets. If there's a connection estabilished - it will be listed. [Root needed]
Shark for Root - Traffic sniffer for 3G & Wifi (supports FroYo tethered mode too). Records traffic which later you can open with WireShark. To preview you can use Shark Reader.
List of Applications fo scan for malware.
Coming Soon...
Procedures to discover / analyze / report malware / suspicious behaviours and such.
Coming Soon...

Post reserved for procedures which will include:
- Common Sense
- How a malware works (the term malware is used to include viruses, trojans, custom scripts and apps.
- What to look for / suspicious behavior which you should pay attention to (also included in Common Sense).
- Basic tools to detect / analyze / remove malware.
More to come.
Sent from my HTC Z710e using xda premium

Generally, i suggest to use ROMs from XDA only, except for CM/MIUI official website. The risk is real! Thanks to @MidnightDevil for his help and his time
I suggest to read this thread to all the users!

XxXPachaXxX said:
Generally, i suggest to use ROMs from XDA only, except for CM/MIUI official website. The risk is real! Thanks to @MidnightDevil for his help and his time
I suggest to read this thread to all the users!
Click to expand...
Click to collapse
Thank you for your support
If anyone has suggestions / knowledge about this sort of matter please share
There's a LOT of info that I tend to post on this thread in a way to educate / share knowledge with everyone.
Trusting the developers and sources is the first step for prevention. Be careful with dodgy websites and roms which you don't know about.
Scanning the rom zip file with a virus scanner is useless in this matter.

Unknown Rom
The threat is over when a secure rom is installed (after using a none xda rom) ??
MidnightDevil said:
Thank you for your support
If anyone has suggestions / knowledge about this sort of matter please share
There's a LOT of info that I tend to post on this thread in a way to educate / share knowledge with everyone.
Trusting the developers and sources is the first step for prevention. Be careful with dodgy websites and roms which you don't know about.
Scanning the rom zip file with a virus scanner is useless in this matter.
Click to expand...
Click to collapse

phearell said:
The threat is over when a secure rom is installed (after using a none xda rom) ??
Click to expand...
Click to collapse
So far there isn't malware which persists after full wipe. Can't speak of the contents of the sdcard tho. But usually yes. But then you have the apk's which can contain malicious code and so forth...
Those apps are usually banned from the PlayStore, but there's a short window between published / report / removed from Store which users can download it.
Unless I didn't understood your post

MidnightDevil said:
So far there isn't malware which persists after full wipe. Can't speak of the contents of the sdcard tho. But usually yes. But then you have the apk's which can contain malicious code and so forth...
Those apps are usually banned from the PlayStore, but there's a short window between published / report / removed from Store which users can download it.
Unless I didn't understood your post
Click to expand...
Click to collapse
AFAIK google also scan apps installed on the device. When installing a 3rd party app (not via Google Play), you get a prompt to allow google to scan it anyway for malicious content.
Also, there are a couple of anti-virus apps available from well known companies such Avast for android, and also from AVG.
I never really tried those, but they might help protecting your device. However I doubt if they scan system apps/services, for in most cases they are supposed to be safe (from the OEM itself).
It is well known that the biggest security hole is the user. So the best thing to do is to keep away from unknown ROMs/sources.

astar26 said:
AFAIK google also scan apps installed on the device. When installing a 3rd party app (not via Google Play), you get a prompt to allow google to scan it anyway for malicious content.
Also, there are a couple of anti-virus apps available from well known companies such Avast for android, and also from AVG.
I never really tried those, but they might help protecting your device. However I doubt if they scan system apps/services, for in most cases they are supposed to be safe (from the OEM itself).
It is well known that the biggest security hole is the user. So the best thing to do is to keep away from unknown ROMs/sources.
Click to expand...
Click to collapse
No doubt the biggest flaw usually comes from the end user.
But answering your statemente about anti viruses.
Usually anti viruses (specially in portable devices) act base upon a database of known signatures and suspicious behavior. They provide no protection against a custom developed script or code with a work-around for this behavior. Basically - avoids behaving like a malware.
A code is considered malicious when acts upon suspicious behavior (for example, on windows - when an app registers itself on registry autorun / startup folders / tries to load a file on temp directory / temporary internet files, hooks itself into a process / uses a windows process to deliver it's payload faking a signature, etc etc). Knowing this, any custom app / script that avoids suspicious behavior / does not have a present signature on a AV database and a few more details - all doors are "open" and is a highway to hell.
Google scan engine uses the same mechanism, in fact, I'm not even sure if it has any sort of protection against suspicious behavior as it only executes upon apk install.
Believe me, the biggest flaw is the user as the best protection is also a well educated user. It's a matter of knowing what can do and what should avoid. Fear or suspicion is an important thing these days, as they prevent us from making mistakes as installing an app from a dodgy site. We should know better.

MidnightDevil said:
No doubt the biggest flaw usually comes from the end user.
But answering your statemente about anti viruses.
Usually anti viruses (specially in portable devices) act base upon a database of known signatures and suspicious behavior. They provide no protection against a custom developed script or code with a work-around for this behavior. Basically - avoids behaving like a malware.
A code is considered malicious when acts upon suspicious behavior (for example, on windows - when an app registers itself on registry autorun / startup folders / tries to load a file on temp directory / temporary internet files, hooks itself into a process / uses a windows process to deliver it's payload faking a signature, etc etc). Knowing this, any custom app / script that avoids suspicious behavior / does not have a present signature on a AV database and a few more details - all doors are "open" and is a highway to hell.
Google scan engine uses the same mechanism, in fact, I'm not even sure if it has any sort of protection against suspicious behavior as it only executes upon apk install.
Believe me, the biggest flaw is the user as the best protection is also a well educated user. It's a matter of knowing what can do and what should avoid. Fear or suspicion is an important thing these days, as they prevent us from making mistakes as installing an app from a dodgy site. We should know better.
Click to expand...
Click to collapse
I just remembered of an app called "Who is tracking" (was featured on the portal a while ago), that also scans system files (bloatware) and tells you which app tracks you. tried using it a while ago, but didn'y really try to understand it, and it seems to have changed since. will try it myself.

Agreed with Patcha, unless you 100% trust the source (CM/MIUI are well known and if they did something untrustworthy a massive ****storm would ensue) then I would stick to ROM's posted on XDA (though frankly I avoid MIUI out of moral principle #SouceCodeMuch?). Anything untrustworthy that is posted on XDA is picked up very quickly and dealt with effectively.
More to come from me on this, I need to organize what I want to say so it doesn't sound like a mad persons ramblings
Edit: A thing to look out for in google play store is the permissions, READ THEM, read what they mean, read what permissions the app requests and if you don't know why an app needs that permission or if it looks dodgy (like the permission to send sms messages without the user knowing) then for God's sake don't use the app util you've found out what the app needs that permission for (quick google search or email to the developer). Don't just blindly agree to all the permissions without reading them.
These permissions are declared by the developer in the Android_manifest.xml file and pulled from there when publishing the app on play store. As far as I am aware, there is no way to fool this system - you can't edit the visible permissions through the developer panel of play store, only by editing the manifest - I have a developer account on play store so this I am 100% sure on.

Yup, very true. Something I forgot to mention earlier and is VERY important.
Always check the permissions and what for the permissions are used. Some good developers write what for they need the permissions. Some things are obvious, others not so quite.
Also reading the comments of an app helps as well. More experienced users tend to write a more complete review and sometimes they draw the attention to things that sometimes other users miss. About permissions or anything else.
Any user can write a review, so if you find something important, you can also write in the review. Just make sure you don't underrate an app because of a doubt
Usually developers also have their contact email in case of doubts, it can be used to to bring some things to light.

Privacy with Play Services

Hello all! I'm sure most of you are familiar with Google Play Services, the base of Google's Android framework and the brains behind all the Google things you do on your phone. Less of you, however, might also know that Play Services is notorious for being a beast of an application that no one truly knows the function of.
Below here is a rough explanation of Play Services from what I know about it. You can skip this if you already know and move on to the bread and butter of this post.
Play Services is proprietary software, meaning that its source code is not available to the public. All of Google's apps are proprietary like this as well. While developers like Chainfire have legitimate reasons to close off their app source code so others don't steal it, and so does Google, it is extra worrying from a company that makes a profit off of collecting userdata. Many people, including me, do not trust Google with our data, so we try to avoid their products as much as possible.
I thought that it would be nice to create a megathread of sorts with various users' suggestions on how to subvert the constant surveillance of Play Services, while also attempting to maintain the useful functionality of it. Below are some of the primary methods that I have thought of, and that I and some others have tried:
LineageOS/CyanogenMod Privacy Guard - If you are using LineageOS or any derivative thereof, you can go to Privacy Guard and deny certain permissions from Play Services. I and another user have denied permissions from Play Services without side effects, but your mileage may vary. @javelinanddart said on Reddit that Privacy Guard does indeed block permissions from Play Services and other system apps, so rest assured that Privacy Guard actually does something rather than being a placebo.
XPrivacyLua - This is an Xposed module that feeds false data to apps rather than blocking it entirely. I haven't tried this method myself, but the XDA post I linked above reports that XPrivacyLua works, even in tandem with Privacy Guard.
microG - microG is an open-source alternative to Play Services. It emulates many key functions of Play Services - push notifications, location services, etc - without the data collection running alongside such functionality. To clarify, this is a full replacement for Play Services, so you would flash a microG package instead of a GApps package. There are lots of bugs, though, even admitted by the developer. If you want to learn more, I suggest you visit the XDA thread for it, or view the implementation progress for various pieces of functionality.
There is nothing else that I know of, so if anybody knows of another viable method or can provide their own experiences with the above ones, your contributions would be appreciated by me and the rest of the privacy community.

Thanks for thread.
My only reason to use custom ROM is because they are GApps-free. In nearly every other aspect stock ROMs are better. Phones without good custom ROM I simply setup without Google account and install f-droid and yalp stores.
Another idea:
Imagine: Google is not as evil as we think: there are many privacy related settings in your Google account. You can login with a web browser and try through all these settings - and hope.

Device is a Samsung i9305 with RR-N-v5.8.5-final, Magisk v16.0, XPosed, XPrivacyLua, microG (via NanoDroid). No genuine Google services; Google Play Store is the one and only Google application installed.
I hope it suits into this thread (thanks very much for creating it!), and I'd like to share my settings. Please refer to the screenshots; I think it's self-explaining where they where taken from.
Actually no restrictions to microG, only to Play Store.
Remarks: µG has no restrictions in the firewall (AFWall+ Donation Beta); Play Store only granted internet access via WiFi and VPN. Just for completeness; running a RaspberryPi in the home network with Pi-Hole installed and acting as the DNS-server in the network. Unless using the home network i.e. using a foreign WiFi network or mobile data, ALWAYS establishing my own secure VPN to my RaspberryPi (with PiVPN installed) via OpenVPN and again the Pi acting as the DNS-server. If interested in further details please refer to this thread.

Thanks for this.
I was considering asking for a forum section here devoted to privacy, but it doesn't seem like a popular subject here. (After all, most of the people who have already picked the most snoopery OS in the world could be assumed to be not particularly worried about privacy. ? )
I come from a different motivation: the hope that by using a somewhat hackable OS, one can theoretically modify it in ways to achieve one's objectives, including privacy. But the last few years have made it rather clear that the Big G is working determinedly to foil such efforts.
Lately that seems to take the form of pushing more and more essential services into the Gplay frameworks, and deprecating perfectly working things like GCM in favor of intertwining it with Firebase, which may saddle us with that analytics data vacuum in order to get another essential service, push notifications.
Re: revoking permissions from Gplay frameworks, I feel like Google's determination to get their hands on data by hook or by crook (eg their ignoring of user preferences to disable various radios and enabling them in the background anyway, to track location and such) means they will quite possibly circumvent these preferences at some point as well.
As I mentioned in another thread I've experienced various problems in the past when I tried to aggressively restrict perms on the Gplay services using CM/LOS Privacy Guard, but perhaps some of that came from choosing interactive restriction prompts rather than blanket revoking. I do know that so many essential services are tied-into the Gplay frameworks these days that blocking tons of perms will inevitably cause breakage of some things depending how you use your device.

Jrhotrod said:
...
There is nothing else that I know of, so if anybody knows of another viable method or can provide their own experiences with the above ones, your contributions would be appreciated by me and the rest of the privacy community.
Click to expand...
Click to collapse
Due to your request above, please allow me to draw your attention to two threads by me. In these threads I tried about one and a half year ago to initially capture but also to update how I believe to have enhanced the battery duration, privacy and security of my GT-i9305 and how I went for a GApps-free device with microG.
Over the time until today, some of the described implementations, applications and measures became absolete or were replaced by others (e.g. using NanoDroid - or Nanomod as it was called in the beginning, since it has come out). Some changes occured due to the step from Marshmellow to Nougat or the non-availabilty of the official Xposed framework for Nougat in the very beginning. However, over all the time I've tried to maintain both threads updated and amended but currently not to much occuring on that frontline, probably because I've received a privacy status on our devices that obviously satisfies me in my personal opinion.

Oswald Boelcke said:
Due to your request above, please allow me to draw your attention to two threads by me. In these threads I tried about one and a half year ago to initially capture but also to update how I believe to have enhanced the battery duration, privacy and security of my GT-i9305 and how I went for a GApps-free device with microG.
Over the time until today, some of the described implementations, applications and measures became absolete or were replaced by others (e.g. using NanoDroid - or Nanomod as it was called in the beginning, since it has come out). Some changes occured due to the step from Marshmellow to Nougat or the non-availabilty of the official Xposed framework for Nougat in the very beginning. However, over all the time I've tried to maintain both threads updated and amended but currently not to much occuring on that frontline, probably because I've received a privacy status on our devices that obviously satisfies me in my personal opinion.
Click to expand...
Click to collapse
Wow, this is really great! Very high-quality thread.
Will add to OP later today

I apologise for the double post (original in my thread here) but I guess it also suits in this thread.
Found the below quoted post by @jawz101 in the XPrivacyLua thread here. Pretty interesting, and therefore I like to share:
Looking around on Data Transparency Lab website http://datatransparencylab.org/ - they fund grants for research in privacy stuff.
...I found an app called AntMonitor, an academic research project that does a MITM SSL cert + local VPN to look at sensitive traffic - even that which is encrypted. https://play.google.com/store/apps/d...it2.anteatermo
Anyways, it shows some apps trying to send my gps coordinates even though it doesn't have Android permission. Like, my coordinates are actually attempting to be sent encrypted to a destination. XPrivacyLUA doesn't trigger so I can only assume they grab my coordinates in a way that circumvents the traditional Android permission model.
To test, just try the app and open a few apps. I think it's apps with the Facebook graph API that is maybe doing it.
If you like ANTMonitor another app that does an SSL cert+ VPN is Lumen Privacy Monitor- a project by Berkely, but it doesn't seem to detect raw coordinates like ANTMonitor does.
Click to expand...
Click to collapse
However, I suggest to also follow the discussion/conversation between jawz101 and M66B, which has developed after this post.

Oswald Boelcke said:
Found the below quoted post by @jawz101 in the XPrivacyLua thread here. Pretty interesting, and therefore I like to share:
However, I suggest to also follow the discussion/conversation between jawz101 and M66B, which has developed after this post.
Click to expand...
Click to collapse
This is certainly an important discovery, thanks for the news.
Now for the sidenote that's 10x longer than the main comment. ?
One of the key issues I have with the various "privacy tools" is trying to figure out whether or not I trust all these entities that produce these diagnostic things to not be a solution worse than the problem when it comes to possessing and safeguarding my sensitive personal data.
It's getting to the point where I'm no longer enamored of giving *anyone* access to such stuff if I can help it, no matter *who* they are.
Even if they're not lying about their intentions and their commitment to security/privacy, there are still matters like carelessness/incompetence and targeted attacks to worry about.

@Exabyter: You're statement and expressed concerns are abolutely correct. Nothing to add except that I wouldn't limit it to "privacy tools" but especially include all applications that require root (and get it granted by the user) or all Magisk and Xposed modules. The latter should definitely concern.
My personal decision:
I'm not willing to trust anybody from the very beginning but I'm willing to trust single persons, groups or agencies. I've developed my own, private criteria, to which I stick but I've also admit the final decision isn't always based on rationality but also a lot on my feeling (in my stomage).
I don't held any confidential data on my device but privacy related ones, and I don't use my device for any kind of banking, shopping or payments.
I consider to use tools, modules and applications if their functionality rests within my defined specifications for the use of my device. Then I go for "the shopping tour" while I try to look into the details of the tools under closer examination, which includes where is it from, who's the developer etc.
I'll continue with the measures already described in one of my threads.

Oswald - I think we have largely similar stances on such things. In my case I will sometimes sway towards the pragmatic over the pedantic when the pedantic involves so many inconveniences that the tech becomes more of a burden than a help to me.
For example, I really don't like the idea of 3rd-parties keeping data pertaining to my daily geographic movements, but I also use several tools and services that by their nature rely on location data which could in some cases end up in the hands of parties I'd rather didn't have access to it. So I have to regularly weigh the apparent cost/benefit of such services and there are certainly some of them which have a high enough value to me that I willingly lower my default "protection level" in order to keep the other benefits of such tools/services.
Certainly microG is an important tool in that toolchest as it has a major disruptive impact on some of the most common ways Google and other parties snoop on users. But some of its imperfections also threaten to keep me from my ultimate goal of carrying a single phone which performs all the tasks I need to accomplish with it without undermining my privacy in a major way. (And ultimately, my freedom and agency as a citizen in a nominally and allegedly "free and democratic society", which is the actual "big picture" problem with privacy incursions in general IMHO)
I have spent several years now, with varying degrees of effort and success, trying to come up with a hardware/software solution to this problem, and I've never reached a point where I'm fully satisfied with the results. The fact that I am still carrying several mobile devices with me everyday is proof enough that I haven't achieved my objective in this regard and it gets tiring. As does all the time spent on venues such as XDA, researching, discussing and keeping-up with all the relevant issues, not to mention the large amount of time spent tinkering with HW/SW in order to keep all the special measures working. (And after we finally get things working more or less the way we want, we are faced with the particularly customized hardware wearing out, becoming unsupported, 3rd-party ROM and other compatible and necessary software being abandoned/deprecated, and so on and so forth.)
Truth to tell I'm a bit bitter about the amount of time/energy I have to spend to achieve something which should have been part of the mobile platforms in the first place. The current de-facto mobile platform duopoly certainly doesn't help matters.
---------- Post added at 03:39 PM ---------- Previous post was at 02:57 PM ----------
Now that I've gotten that philosophical rant out of the way ? ...
So as far as technical specifics:
microG of course is a big help as it either neuters or removes many troublesome anti-privacy vectors. For example, at the present time it does not support Firebase Analytics at all, which means (as far as I can tell) any app that expects to get telemetry on users via Firebase Analytics will not get anything if the app user's device is Gapps-free and using microG instead. (It remains to be seen if adding Firebase Cloud Messaging capability to microG will negate this presumed benefit. Cynics like myself are inclined to think one of Google's key objectives in deprecating Google Cloud Messaging and rolling push notification frameworks into Firebase instead was specifically to undermine the ability of users to avoid/circumvent Firebase Analytics)
XprivacyLUA looks interesting and is on my list to test. I found its predecessor Xprivacy to be an extremely tedious and labor-intensive option so I never seriously pursued it after my initial testing.
There are various tools I find handy to help get a sense of how dangerous certain apps may be to privacy. Here are a few:
AppBrain Ad Detector
https://play.google.com/store/apps/details?id=com.appspot.swisscodemonkeys.detector
Addons Detector
https://play.google.com/store/apps/details?id=com.denper.addonsdetector
Checkey (also on f-droid)
https://play.google.com/store/apps/details?id=info.guardianproject.checkey
Applications Info (also on f-droid)
https://play.google.com/store/apps/details?id=com.majeur.applicationsinfo
Permission Friendly Apps
https://play.google.com/store/apps/details?id=org.androidsoft.app.permission

Device id bypassing, faking a new device for every login

Hi all, I want to know a solution for a problem, there is an app called zipgo which allows two logins per device one after the other, when im on stock i used two accounts and when i try to login a new account, it says maximum number of logins per device exceeded, i thought the app is registering my mac address with the account, so i installed RR Rom and changed my mac address and after logging in with two accounts, when i try to login third new account, it says maximum logins allowed per device exceeded. I changed my mac address and tried too.
How did it allow me to login when i flashed RR Rom?
How to make the app believe that im on a new device everytime i login with a new account?
What will the app store other than mac address to uniquely identify my device and how to bypass it?
What is that change in a new ROM in the device that made it believe the app that my device is not the old one(stock) i logged in?
Any links or suggestions welcome. if this is violating forum rules, im sorry, suggest me a thread, ill post there.

How about asking the zipgo support? What has this tondo with an op6?

Circumventing an apps security measures (ie cracking or spoofing to gain a paid-for service without actually doing so) is against the rules of XDA.
Even worse, after a quick read, this can be used maliciously to use another users login when you're not supposed to and thereby take trips and transits on their cost

To identify your device, they could be using the actual serial numbers or other uniquely identifiable properties of your device (e.g. IMEI, MEID, ESN, SIM SUBSCRIBER ID, Wifi/BT MAC, Google Framework GSF ID, Android Device ID, SIM Serial, Serial Number).
As it's per device, they may be just using the model number from the build.prop and checking it against your account.
Anyway, I have not heard of this 'zipgo' and do not wish to know any further. If you have issues with them then contact their support, this sounds like abuse and you will likely get your services terminated anyway. And is a bus truly that expensive?

Try xposed and xprivacylua to change / hide these values from the app

efinityy said:
Circumventing an apps security measures (ie cracking or spoofing to gain a paid-for service without actually doing so) is against the rules of XDA.
Even worse, after a quick read, this can be used maliciously to use another users login when you're not supposed to and thereby take trips and transits on their cost
Click to expand...
Click to collapse
+1 on this. But if you really need the help, just change your build.prop to another device's fingerprint if it's that necessary. If it's not really necessary, then i advise you to ask their support for further help instead of a 3rd party website for advice.

what is Andr.Trojan.Fake Telegram ?

Hi
i live in iran and recently iranian government forcing teachers and students to install an app, this app is not in play store and users must sideload it. so i suspect to this app and checked it in VirusTotal.com and found it:
https://www.virustotal.com/gui/file...259f76b3df94b045abd50e88b9e1f980b5d/detection
now my Q is detection is valid ?

Mehrdad.A said:
Hi
i live in iran and recently iranian government forcing teachers and students to install an app, this app is not in play store and users must sideload it. so i suspect to this app and checked it in VirusTotal.com and found it:
https://www.virustotal.com/gui/file...259f76b3df94b045abd50e88b9e1f980b5d/detection
now my Q is detection is valid ?
Click to expand...
Click to collapse
I' no security expert but my opinion for what it's worth.
Probably a false positive as it's only one detection. That said the app uses Iranian DNS (so government could potentially track your activity), it checks for root, and also has the following (see 2nd page of report) which could be fine but could also leak info to authorities you'd maybe not want to, though all also have legitimate functions.
Function name Detail info
ContentResolver;->query Read database like contact or sms LocationManager;->getLastKnownLocation Get last known location
android/app/NotificationManager;->notify Send notification getRuntime Get runtime environment
java/net/URL;->openConnection Connect to URL
java/net/HttpURLConnection;->connect Connect to URL
Camera;->open Open camera
HttpClient;->execute Query for a remote server
Also keep in mind an app can pass these tests by Antivirus but still use quite legitimate functions to leak data you maybe don't want to the app developers. Or worse download other files later that could be malicious, at the end of the day you need to trust both phone manufacturer & app producers to a large degree.