When the backup functionality is used, perhaps by human error, perhaps on demand, then Google knows every password you have, e.g. WLAN passwords. As stated by the German magazine heise.de, the data is not deleted when the functionality is deactivated. (Surprise)
Is there a way to find out which data is being transferred so the passwords can be changed?
I imagine this could be done by using the restore functionality. The passwords restored have to be saved somewhere on the phone.
Even if you find where the phone stores the passwords, it will be encrypted.
But you have a point: the password is stored, not only its md5/hash as in most web login checks, so in theory yes, there is a way.
Besides the issues SplashData has with their SplashID v7 Android upgrade losing many customers' data, there is also a very worrying security issue which splashdata ignores (and actively censors: my messages regarding this on their FB page have been deleted and I am blocked from commenting or writing there).
Here is the issue:
The new SplashID version 7 had a cloud sync feature (30 day free trial, then for a fee). When first starting the upgraded version (which may have been installed automatically on Android if one allows auto upgrades!), one first has to again enter one's email address/username, and then the password (which is the one used to encrypt one's database containing all one's private, sensitive data!). Then the upgrade asks whether one wants to try the cloud sync feature.
Even if one declines and opts to stay with the existing Wi-Fi sync feature only (which does not need a cloud account), the upgrade goes ahead and automatically creates such a cloud account on splashdata's servers, *and it uses the same password* for this. (In fact, as a further part of the upgrade procedure, one needs to log into those cloud servers using that password after receiving an activation link in email.)
So, splashdata leaks the master password which one uses to secure one's most private data (credit card PINs, login passwords etc.) into their cloud, without telling that this will be done, nor asking permission.
There is no info whether the password is stored securely (doubt it), whether it is in all cases transmitted securely (doubt that too) and anyhow, once this has happened one has lost control over that most important password. It's burnt, in the wild, out of one's own control.
Note that changing the password on one's own copy of SplashID is a good idea after that, but any old copy of one's encrypted database that might still live on any old disk backup, cloud service (Dropbox etc.) or SD card somewhere is now vulnerable.
And because splashdata in their 'wisdom' associated one's email address (and thus identity) with that password, it's easier for hackers to find it. Better companies than splashdata have lost passwords in the past.
It is even a very bad idea to use the same password for a cloud service as one uses for securing one's private data. Forcing this onto users without permission or warning is almost criminal.
Sent from my GT-N7000 using Tapatalk 2
Ouch, that sounds like a bad idea. If the user doesn't want a remote account made, they should respect that. Can you give me any more details about this? I would like to contact them and request some proper response to this. While they might not be leaking the plaintext password, anything that can be "opened" with your password is a significant enough leak, as it would allow an attacker to verify they have the right password.
Not much more than I already said. I am a long-time user of their SplashID (Mac) Desktop and Android app to store all my credit card, bank account and yes, many systems passwords in.
The database they use is encrypted with a 'master password' which one has to enter on one's Android (or iPhone, etc.) or Desktop every time to unlock and decrypt (in memory), so that one can access the data.
The same password is used on both the mobile and desktop of course.
A few days ago, an upgrade to SplashID v7 was made available on the Google Play store. I don't allow 'automatic' updates (though I am sure a lot of folks do!), but this time I also did not really check what the upgrade offered, and clicked 'UPGRADE ALL' when it was offered along with a number of other upgrades. So it got installed.
When I subsequently opened SplashID again, it told me about all the shiny new features (cloud sync etc.) and as normal asked me for my password (it also asked for my email address. I thought that this was for them to check my purchase/license and what features would be enabled).
I thought that it would then show me my data. But wrong. Instead it offered me a selection whether I want to use the new 'cloud sync' feature (30 day free trial, later for $$), or stay with the normal 'wifi sync'.
I opted for the latter (because I don't trust having my data sent to the cloud).
Anyway, the next thing I get is a message: (paraphrasing) "we have created your cloud account, you will get an email and will have to verify your email". Sure enough, I get an email:
Thank you for signing up for SplashID Safe Personal Edition!
To activate your account, please verify your email address by clicking the link below: Verify Email
Then check your email for our SplashID Safe Welcome message.
The link goes to: https://www.splashid.com/personal/webclient/login.php
I had to again enter there my email address, and *the same password* that I entered before (which I thought would be for my private data-store).
Yes, that same password was used to create my account on their cloud server, even though I opted for the Wifi Sync *only* and never asked for a cloud-sync.
Nor did the app tell me that the same password would be used to secure that account.
The issues with this are self-evident:
a) my most secure password, the one used to secure my data on my mobile and on my desktop is now 'leaked' to their cloud account
b) I have *no* idea how securely that password was transferred (in clear, encrypted, just a hash), nor how securely it is stored
c) it clearly is linked to my cloud-account on their website, so
- someone somehow learning that password could 'verify' it by accessing that account
- if someone hacked their system and accessed their database, that link would be apparent to them
d) I have lost *all control* over securing that password myself. It is 'burnt', 'in the wild'
e) Any past backups of my secure SplashID database that may live on SD cards of mine, on backup disks, which may have been copied to the cloud (Dropbox, others) are now vulnerable. It is no use for me to change this password here now, as old copies that may still exist somewhere are still encrypted with this password (and I cannot change them back).
Yes, I am trying to limit exposure for that password data file as much as possible, but e.g. Titanium Backup may have at some point in the past backed it up and copied a backup to the cloud (yes, that is also encrypted, but once that feature failed).
More than that, of course users who are not as security conscious may have opted for 'cloud sync'.
While I have not tried this feature myself, it sounds to me like this does copy the data to SplashID's cloud and there secures it too only with that one single password.
So many users who may not have thought all this out may have opted for the 'CloudSync' trial, and not only have their password 'leaked'/'burnt' now, but also have all their data in the cloud, again secured only with a password that is no longer in their sole possession.
In fact, any secure, trustworthy system would have
a) been *very* upfront about what they are going to do with the password and the cloud account
b) used a separate password to secure the cloud account
c) only stored my encrypted copy of the database in their cloud, without *them* having the password for it
d) done any syncing on the client (i.e., transfer the complete encrypted password to the mobile or desktop where the comparison/updates would happen) and then copied back again a secured file that was encrypted on the mobile.
More discussion on SplashID's own site: http://forum.splashdata.com/showthr...ically-send-in-background-to-splash-id-server
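A sketch of the separation asked for in the posts above (a cloud login secret that is distinct from the vault master password, so that nothing held by the server can be used to verify the vault password). This is an added example, not part of the thread and not SplashID's code; the `Client` class, the function names, the purpose labels and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ROUNDS = 100_000  # assumed PBKDF2 work factor for this sketch


def derive(password: str, salt: bytes, purpose: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a purpose label mixed into the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), purpose + salt, ROUNDS)


class Client:
    """Hypothetical client: the vault key and its salt never leave the device."""

    def __init__(self, master_password: str):
        self.vault_salt = secrets.token_bytes(16)
        self._vault_key = derive(master_password, self.vault_salt, b"vault")

    def is_master_password(self, candidate: str) -> bool:
        guess = derive(candidate, self.vault_salt, b"vault")
        return hmac.compare_digest(guess, self._vault_key)

    def enroll_cloud(self, email: str, cloud_password: str) -> dict:
        """Build the only record that is sent to the sync server."""
        if self.is_master_password(cloud_password):
            raise ValueError("cloud password must differ from the master password")
        salt = secrets.token_bytes(16)
        verifier = derive(cloud_password, salt, b"cloud-login")
        return {"email": email, "salt": salt, "verifier": verifier}


def server_accepts(record: dict, password: str) -> bool:
    """Server-side login check against the stored verifier."""
    attempt = derive(password, record["salt"], b"cloud-login")
    return hmac.compare_digest(attempt, record["verifier"])


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    client = Client("constructed-master-pw")
    record = client.enroll_cloud("user@example.com", "constructed-cloud-pw")
    print(server_accepts(record, "constructed-cloud-pw"))   # cloud login works
    print(server_accepts(record, "constructed-master-pw"))  # vault password is not verifiable
```

The sketch covers only the credential separation; encrypting the database on the device before upload would additionally need a real cipher library.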
I am looking for a secure & simple method to keep sensitive data on my phone that will survive wipes/rom flashes. I used to keep a password list in my Google Docs, but I misplaced my tablet at work (fortunately a coworker locked it up until I could retrieve it), so I nuked that idea.
I tried mSecure and spent half an hour saving all my personal info, and lost it the next time I flashed a rom (I also keep the info on my desktop computer, so no big deal). Maybe mSecure has an option to keep an encrypted file on external memory, I didn't play with it enough to see.
Cloud services are ok I suppose, but I really prefer having the info on the phone itself, for those rare times I don't have a data connection but need access to passwords, etc.
Some people use a method of encrypting/decrypting files on their device. That sounds pretty ideal to me ― just decrypt it when needed and encrypt when done. If you lose the device, hopefully the encryption is strong enough to prevent anyone from stealing your info.
How do YOU manage sensitive data?
KeePassDroid for passwords. You can sync the database to the cloud if you want. PC compatible.
EDS Lite for data; it's TrueCrypt container compatible (in specific settings), so you can mount it also on PC.
Use TrueCrypt on a PC to create a container sync'd to DropBox (or similar), but pay attention to the settings to make it accessible on Android using EDS Lite.
Sync the encrypted container to the Android device using DropBox/Dropsync.
Use EDS lite on Android to access the sensitive data, when needed.
Use some kind of backup system (e.g. CrashPlan) to back up the DropBox folder, just in case the secure container gets deleted on a device and the deletion gets mirrored by DropBox. (You can normally recover deleted files on DropBox, but there may be a one month limit for free accounts, and it's best to have a secondary backup system, just in case!).
Hi All,
What is the best app or way to backup and restore everything on Android phone - similar to the easy way iOS have with having the phone automatically maintain an iCloud security backup and then if getting a new device or factory resetting the current device, then simply restore the iPad or iPhone using the online iCloud security backup - nice and easy with all apps, settings, data, pictures, etc.
I never owned an iOS device myself, always been on Android, but every time I got a new phone or simply wanted to factory reset and create a fresh phone again, then I did all the apps installations manually and went in manually to configure email account, calendar and other personal settings and logins for each apps that I have, fingerprints etc.
How can I make this easy and in the best way to save days of time to configure a brand-new phone from scratch - like iCloud security backup does or like a Windows PC can have a mirror image created to restore everything back to how I want to start from?
Many thanks in advance!
Very often phone manufacturers provide an application to transfer everything from another device to a new one.
For example, the app from Samsung is:
Samsung Smart Switch Mobile (Apps on Google Play, play.google.com). If you can't download, you can open Smart Switch from device's Settings menu.
I am confused about inconsistencies between Device Backup on two different Pixel phones:
On my old Pixel phone, the Backup app says the backup will use Google One storage, so I do not have it turned on.
On my new Pixel phone, the Backup app doesn't mention Google One. In fact, it explicitly states that the device backup will not count towards "Drive" storage.
I'm not sure the new Pixel phone is fully patched (just took it out of the box) so it's possible the software hasn't been updated to reflect the Google One service.
I have the following questions:
Does the device backup count towards a Google storage quota or not?
Is there a difference between Google One and Google Drive?
On both devices, the device backup states that the information is encrypted before being uploaded, but it is not clear whether the backup is inaccessible by Google (can Google decrypt the backup)?
The device backup states that it will back up: apps, app data, call history, contacts, device settings (including Wifi passwords) and SMS & MMS messages. How do I restore these things on the new phone if I back them up on the old phone first?
Can I selectively restore apps and app data for only a few apps? There are some apps that are device-specific (e.g. Syncthing) where I don't want to necessarily restore the settings and app data associated with that app, because my shared folders will be located in a different place on the new phone. I would rather set up from scratch and establish my new folder locations, then allow the files to sync through Syncthing.
Thanks for any answers you can provide to these questions.
I would also welcome links to resources that explain how this works, especially vis-à-vis the new Google One branding.
With regards to "Is there a difference between Google One and Google Drive?" look inside here