Cab/Exe security - Windows Mobile Development and Hacking General

I'd like some guidance on ways to verify cab or exe files posted here and elsewhere for security purposes. Are they somehow verified by senior members here to ensure they are not malicious?
For example, the Facebook app being developed here obviously requires a username and password. So what is to stop the developer from redirecting that secure information elsewhere to be used for, say, distributing that Facebook virus or other mischief?
The question doesn't just apply to that one app so I'm not singling cornelha out. What is to stop someone from distributing a cab that provides some necessary or useful function, but also has a small hidden exe buried inside it that can intercept text messages or e-mails or record keystrokes in a browser? Does Windows Mobile itself guard against such behavior?
I'm not asking about viruses...I know the virus threat on Windows Mobile is nil. And I know each device owner has to exercise caution when installing anything and should only use trusted sources. I'm just wondering if there is any security beyond that? Thanks.

Any developer that follows up on his app is unlikely to be a fraudster. Having been a member for a while I can now recognise peoples names and I can see that there is a lot of trust in each other, that is what makes this a great and strong community.

Related

Application push on the device

Hi all,
Is it possile to send (via MMS, WAP,...) some application on the device
and run it absolutely silently for the user?
Preconditions: we know only device type (Windows Mobile based device)
and phone #. No additional software is preinstalled on the device.
Thanks!
-Andrew
if it was simple then i suspect we would see lots more virus's and malware on our devices
would say it would require a replacement of the sms recieve part of the device
You right. But may me if application is signed with (M2M) certificate, for example...
Doesn't matter.
There is no preexisting infrastructure for this kind of thing in WM OS.
Like Rudegar said that would be the best loophole for viruses. In fact I can't think of any other apllication for such feature. Even desktop windows doesn't update itself without warning.
Keep in mind that the user would have to pay for the data traffic, so if this is for a legitimite software, it would be one many people wouldn't by (unless you don't tell them what it does).

Flexis Mobile Security App

Here's a neat app to add into your cell, this I've just begun testing and may stay with it for awhile.
The idea of a security app for Windows Mobile was not a very convincing one in the past but when we hear about new security vulnerability on Windows Mobile devices, we have to give more priority for security related apps for Windows Mobile. Flexilis is one of our favorite in this category. They have responded to the new vulnerability very quickly, the latest version will detect and delete the ” Phone Creeper ” app which gave us Windows Mobile users a security. ( a fix for version 0.6 will be rolled out soon ).
Along with the Anti-Virus and Firewall app, Flexilis also provides a module for Backup , this module will let you back up your contacts and photos. You can also transfer your data to a new phone.
The Anti-Theft Module in Flexilis enables you to respond when your device is lost or stolen. Locate your device, sound an alarm, wipe your personal information, remotely from the web.
The best part of this is all of this is for FREE and if you find a new security flaw with your device you can also let the Flexilis team know about it.
Visit m.flexilis.com on your
mobile browser or https://beta.flexilis.com/ from your PC to create account

SMS-Sending Malware Found on Android Phones

An SMS-sending piece of malware has hit Android phones, according to a Tuesday note from antivirus vendor Kaspersky Labs.
The so-called "Trojan-SMS.AndroidOS.FakePlayer.a" appears as a "normal media player application," according to Kaspersky, but can send SMS text messages to premium numbers without the user's consent. It is the first such piece of malware to target Android devices, and it is already in the wild.
Kaspersky, however, did not name the innocuous media player application, although the firm did say that it is about 13 Kbytes in size.
Not surprisingly, Kaspersky has added it to its antivirus database, although the company does not currently offer an antivirus solution for the Android OS, just versions of Windows Mobile and the Symbian operating system. An Android version is on the way, however.
"The IT market research and analysis organization IDC has noted that those selling devices running Android are experiencing the highest growth in sales among smartphone manufacturers," said Denis Maslennikov, mobile research group manager at Kaspersky Lab, in a statement. "As a result, we can expect to see a corresponding rise in the amount of malware targeting that platform. Kaspersky Lab is actively developing technologies and solutions to protect this operating system and plans to release Kaspersky Mobile Security for Android in early 2011."
Maslennikov said that users should keep a close eye on what services an app says it will request before they install it, which implies that it will not spread without a user's permission
It should also be noted that it is received as an SMS requesting the user to install a small update (.apk). Therefore, in order to contract the virus, the user must open and install the apk. Just receiving the SMS will not infect your phone. Also updates are not sent via SMS. They are via the Market Place app.
It's like the email phishing schemes that provide a weblink to update some personal information on your Payal account for example. Never click on a link from an email involving personal info or logins, and never open an app or .exe from an SMS or email either.
Not really a new concept when you put it into perspective.
Sent from my PC36100 using XDA App

[Q] Booking system app for Android

Hey guys
I'm an entrepreneur from Brisbane, Australia. I'm looking into introducing a new product and am wondering if you guys would be able to help me clarify a few questions. I have to add I have no idea what so ever about programming languages or whats possible or not. I just going to post my vision of the application I will need and hope some of you guys can tell me what of that will be possible, what not and how much effort / money it would take to realise.
Firstly of all and most importantly I need the the Phone application to work with several other systems which would be at the moment : - Iphone, Windows Mobile, Blackberry Android, a Website interface, Windows Vista / 7 and Mac OS. I need this to work in two ways. One for the user to sync their data on different apps and secondly for the admin to receive and send data from the main system (that would be working on Windows or Mac)
On first interface the user would have to log in with a username and password, high security would be welcome, after the log in the general interface should be offering the user a booking request form with the ability to use a saved lists of items which have been previously use / prepared but also a interface for add one or editing
It also should offer a open bookings lists and the ability to edit this lists. This should also be able to be synced to the other systems. A third interface showing a history and updates should be also available.
If possible it should offer different accounts and groups where admins can edit the bookings of other users. If this is possible it also should offer a control for the admins which shows bookings and history of other group users.
I would like this obviously to be a professional looking app which offers a good service and is secure and bug free. If anyone has an idea if this is realisable or what parts of it would be difficult or have to be changed please do me the favour and comment.
Thank you for your help in advance.
JPM
Hello,
If you're looking for developers for your project, please contact [email protected]
Example of similar (ok, a bit different but technical approach is the same) web app and mobile clients for several smartphone platforms is in my signature.

[Q] security question regarding 'Trusted Credentials'

Is there any reason why I should have so many Trusted Certificates under the System tab in Credential Storage? I have probably close to 100 in there and most of them I don't recognize; they seem to have some gibberish with an expiration date of a few years in the future. To my knowledge these are baked into the ROM and are not installed by the user so I'm guessing most of them relate to a stock app of some kind (WatchOn, ChatOn, etc.) Because I haven't seen a lot of discussion about it, I am asking if these Certificates are safe( I know it's from android or Samsung blah blah)?
I'm in the tedious process of disabling them just to see what happens but can anyone else shed any light on the matter? Thank-yew...
http://support.google.com/android/bin/answer.py?hl=en&answer=1649774
I'd like to know about this as well.
Sent from my SAMSUNG-SGH-I337
These are all root certificates. The certificate authorities that issue cents to web sites have their root certificates loaded on the phone so the phone can verify that an sisal cert from a web site is legitimate.
This is a lucrative business so there are quite a few CAs around the world. And big banks have become CAs too.
Theoretically they are all legitimate as it is a huge process (or it used to be) to get your root cert included in an OS or browser by default.
Can you remove them? Yes, but be careful. If you only use USA websites then you can probably remove most non-USA CAs. But why do you care? Older versions of android didn't let you remove any, and the only time you need to is if a CA has been compromised.
If you do remove one you need, you will get SSL warnings about visiting an untrusted site, but you should be able to add the root cert back.
HTH
alphadog00, I realize your post is from 2013, but I've been searching for answers to this as well. Why do we need these certificates on our phones? I have 156 on mine, and some of them aren't even in English. Some have the country in the company name, like China, Turkey, and Germany. Some companies have more than one certificate. VeriSign, Inc. has 7, all with different issue dates going back to 1996 but all expiring between 2029 and 2036. A couple of them look sketchy to me, with 'certificate' spelled 'cirtificate', and 'global' spelled 'globel'. They remind me of emails that I get from my dear friend, the widow of a former bank president in Kenya, who needs my help getting her money out of the country. Why do I need 156 trusted credentials from half a dozen countries? How many do I really need? There is a grey item at the bottom of the security page that says “Clear Credentials,” but it’s un-clickable on my phone. Why would that be an option if these certificates are necessary? Would I be safe disabling all the ones from outside of the US and Canada? Are all these certificates taking up space on my phone? What is a ‘fingerprint’? Thanks in advance for any help and advice you can offer me.
27 July 2017. "Turned Off" all but two CAs. Result is could not access Play Store as well as several other sites. One screen stated "No internet connection. Make sure WIFI or cellular data is turned on, then try again." Needless to write, turning off all the CAs has repercussions.
I was helping a friend which I had no idea what was going on until I got there...it's a huge huge ring of I'm not sure what?? Now my phone, my parents phone, there desktop and laptop are all under attack! I downloaded over 20 antivirus apps and could not allow permissions, nor can I get any recovery codes to any email because it keeps changing the password. Plus I found strange apps just installed, settings changed that were not and all countries in the world chamber of commerce trusted certificates and so much more. I'm pretty sure we are under attack! I would GREATLY APPRECIATE and thoughts or ideas of what i should do to our info safe!!!!! Thank You!! p.s. I'm now living every second in fear like her and very scared!

Categories

Resources