Concerned about Security - apps sending private information - Nexus One General

After reading the article about TaintDroid (http://www.digitaltrends.com/comput...oid-apps-secretly-sharing-your-personal-data/), and how a significant portion of the apps were sending back data when not required to....I must admit, I am a bit concerned about security on my Nexus.
What are you all doing to be safe with your information on your phone? Is there a firewall that any of you are using to deny apps the ability to transmit data?
And please no responses like "don't log into anything or enter any passwords for anything on the phone" ...because then we might as well be rocking blackberries and not a phone like this with a capable browser.

"Name and shame" is the best way for an open system to eradicate this stuff

Damn alarmist journalism. Scare everybody into a corner, and then come out with a product that magically makes it all right.
Personally, I don't do anything different. I don't see why you should.

there's a firewall app that will let you block internet access to specific apps
i think it's called droidwall

Wallpapergate...
This whole issue is a joke, I agree something to monitor outgoing information would be great, I doubt however that someone who want to steal your info would sent it out unencrypted so catching this may not be easy at all..
As for this new episode of the WallPaperGate again, the info this application send is common on any platform, if you ever paid for an app on handhango or such site, the first thing they do is to ask your imei so that the app can be linked (ie DRM) to your phone… in this case the guy use imei as a cookie so that he can offer the correct screen resolution.
I would like to point out that one of the sponsor of this “studies” that target only android device is Intel who have interest into many thing including MeeGo and off course MeeGo is much safer than android…
My 2 cents…

Related

Exchange Server - Security policy

I'm finding a lot of threads about changing from pin/password to pattern unlock, but not having any luck in completely disabling the security feature BS...
Is it possible to completely eliminate the password lock required by my exchange server? I have tried lockpicker and no lock, neither of which worked.
I would like to keep syncing but am not going to deal with this unlocking all the time (they JUST started enforcing it)...any help would be appreciated.
BTW, running Calkulin's EViO 2 v 1.7 (sense, so HTC mail)
Nope, this is tightly integrated down to the OS in order to pass MS requirements, and it reports the control level back to exchange so it can make sure it's in compliance with their mobile device policy.
In theory you can make an app that proxies the API and lies about what the phone can do ... but it wont be done with a simple APK/market app ... it's integration goes much deeper.
Honestly your best best: this is clearly a new policy. complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
Option 2: if you have a buddy on the exchange team he can put you on the same policy he undoubtedly created for himself and his team, that's 10x as lenient so he can mess with his little pet projects he plays with on the side.
Justin.G11 said:
Nope, this is tightly integrated down to the OS in order to pass MS requirements, and it reports the control level back to exchange so it can make sure it's in compliance with their mobile device policy.
In theory you can make an app that proxies the API and lies about what the phone can do ... but it wont be done with a simple APK/market app ... it's integration goes much deeper.
Honestly your best best: this is clearly a new policy. complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
Option 2: if you have a buddy on the exchange team he can put you on the same policy he undoubtedly created for himself and his team, that's 10x as lenient so he can mess with his little pet projects he plays with on the side.
Click to expand...
Click to collapse
Thanks...I figured it wouldn't be that easy but I had to ask.
Justin.G11 said:
Honestly your best best: this is clearly a new policy. complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
Click to expand...
Click to collapse
I get complaints all the time about policies. 99.999% of the time, the policies are created/approved by steering committees, the legal department or executive management. There is usually nothing IT can do about it as the policies are put into place for legal reasons or company security.
Additionally, if IT departments are not compliant in company policies there could be legal ramifications if the company has to comply with certain government guidelines.
And IT staff don't hate dealing with people...it sounds like your work environment is not like others.
Check out this thread to see if it does what you are looking for.
http://forum.xda-developers.com/showthread.php?t=775007
They modified the actual email.apk app to remove the security requirement that was hardcoded in it.
It was taken from CM7 which is AOSP, so I cannot say whether or not it will work on sense.
EDIT: After searching some more, droidforums has a modified email.apk file that you can install, that you use instead of the HTC mail, which tricks your exchange server into thinking that you have your security enabeled.
http://www.droidforums.net/forum/dr...onal-froyo-bypass-exchange-server-policy.html
Just download the zip, and extract the apk from it, then place the apk on your SDCard and install it just like a regular app.
Khilbron said:
Check out this thread to see if it does what you are looking for.
http://forum.xda-developers.com/showthread.php?t=775007
They modified the actual email.apk app to remove the security requirement that was hardcoded in it.
It was taken from CM7 which is AOSP, so I cannot say whether or not it will work on sense.
EDIT: After searching some more, droidforums has a modified email.apk file that you can install, that you use instead of the HTC mail, which tricks your exchange server into thinking that you have your security enabeled.
http://www.droidforums.net/forum/dr...onal-froyo-bypass-exchange-server-policy.html
Just download the zip, and extract the apk from it, then place the apk on your SDCard and install it just like a regular app.
Click to expand...
Click to collapse
Will look into that. Thank you very much!
I ended up using the modified email.apk from CM7...works like a charm!!! The Droid forums version kept coming up with security errors. THANKS AGAIN Khilbron!!!
awenthol said:
I ended up using the modified email.apk from CM7...works like a charm!!! The Droid forums version kept coming up with security errors. THANKS AGAIN Khilbron!!!
Click to expand...
Click to collapse
Can you please post a link to the one you used?
Sent from my PC36100 using XDA App
Justin.G11 said:
Nope, this is tightly integrated down to the OS in order to pass MS requirements, and it reports the control level back to exchange so it can make sure it's in compliance with their mobile device policy.
In theory you can make an app that proxies the API and lies about what the phone can do ... but it wont be done with a simple APK/market app ... it's integration goes much deeper.
Honestly your best best: this is clearly a new policy. complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
Option 2: if you have a buddy on the exchange team he can put you on the same policy he undoubtedly created for himself and his team, that's 10x as lenient so he can mess with his little pet projects he plays with on the side.
Click to expand...
Click to collapse
Yes..this reply really isn't correct. There have been some sqlite modifications that can be made or using the mail.apk from this link (http://forum.xda-developers.com/showthread.php?t=775007) works perfect, even with the new CM7-RC2
Bypassing Exchange security
I had this same issue with my work email. My way of bypassing it and still using the stock Mail app is by installing widgetlocker. Unfortunately the newest version does not bypass your encryption, but the older version before the most recent update does. Also it allows you to fully customize your lockscreen and add widgets and what have you. All in all pretty cool app.
widgetlocker.teslacoilsw.com/general/widgetlocker-1-2-9/
(unfortunately because i have never posted before i cannot post links so pm if the link does not work)
Amazing! So you guys have a device in your pocket that has complete access to your work mail server (something you don't own), and you apparently don't care if that falls into the wrong hands?
I don't want to get preachy but this is serious stuff:
1. Are you aware of the damage that can fall on an organization, its IP and reputation if a hacker/spammer has access to a mail account?
2. Your company's mail server is an assett of the company. Gaining access and leaving it unlocked is like borrowing something from work and leaving it on the street.
I understand that IT policies are annoying to the end user, but they are there for good reason.
Would you leave the company vehicle unlocked because it is annoying to get the key out? No.
Oh, and by the way, you can be held directly liable for damages for disabling/ hacking around policies. I have seen employees get fired for it.
Sent from my device.
ramiss said:
Amazing! So you guys have a device in your pocket that has complete access to your work mail server (something you don't own), and you apparently don't care if that falls into the wrong hands?
I don't want to get preachy but this is serious stuff:
1. Are you aware of the damage that can fall on an organization, its IP and reputation if a hacker/spammer has access to a mail account?
2. Your company's mail server is an assett of the company. Gaining access and leaving it unlocked is like borrowing something from work and leaving it on the street.
I understand that IT policies are annoying to the end user, but they are there for good reason.
Would you leave the company vehicle unlocked because it is annoying to get the key out? No.
Oh, and by the way, you can be held directly liable for damages for disabling/ hacking around policies. I have seen employees get fired for it.
Sent from my device.
Click to expand...
Click to collapse
The issue I have is with the idea that the company gets to dictate how my entire device functions. Your points are valid, but why not just require a password on the email app, not on the whole phone? Why do I have to consent to allowing them to order a full device wipe, instead of just a wipe of the company data?
bkrodgers said:
The issue I have is with the idea that the company gets to dictate how my entire device functions. Your points are valid, but why not just require a password on the email app, not on the whole phone? Why do I have to consent to allowing them to order a full device wipe, instead of just a wipe of the company data?
Click to expand...
Click to collapse
Those are some good points and questions:
If you just locked the mail app then the app would need to encrypt/decrypt all data, which would make it MUCH slower. However, the main reason is that the app lock approach is much more hackable..one simple example would be to load a proxy on the phone to intercept communication before it could be encrypted.
The idea behind the device lock is that it happens on a deeper level and is the most secure answer.
The question about having a choice with your device is actually a simple one to answer...if you don't agree with the work policy then don't use your personal device for work email.
The other thing is that, besides not having a choice, the forced answer is beneficial for everyone....if I lose my device then I definitely don't want strangers crank calling my family or getting personal info. I have read about some horrible stories.
The real question is...If your phone is lost why would you NOT want it to be secure and erased asap??
Sent from my "locked" device.
ramiss said:
Those are some good points and questions:
If you just locked the mail app then the app would need to encrypt/decrypt all data, which would make it MUCH slower. However, the main reason is that the app lock approach is much more hackable..one simple example would be to load a proxy on the phone to intercept communication before it could be encrypted.
The idea behind the device lock is that it happens on a deeper level and is the most secure answer.
Click to expand...
Click to collapse
Yes and no. There are approaches that are easier if you aren't securing the whole device, but that doesn't mean it can't still be hacked.
The question about having a choice with your device is actually a simple one to answer...if you don't agree with the work policy then don't use your personal device for work email.
Click to expand...
Click to collapse
Overall I agree with that, although I think at a company that offers mobile email, there's a sort of "peer pressure" to use it. Not to say that's a good reason. I'd imagine that it'd be hard for a company to actually require you to use mobile email on your personal device -- if your job truly requires it, I'd think they'd have to provide you a device if you don't have a compatible device or aren't willing to use it that way. So yes, you're probably right that you have the choice. It doesn't mean that we can't complain though.
The other thing is that, besides not having a choice, the forced answer is beneficial for everyone....if I lose my device then I definitely don't want strangers crank calling my family or getting personal info. I have read about some horrible stories.
The real question is...If your phone is lost why would you NOT want it to be secure and erased asap??
Click to expand...
Click to collapse
If it's really lost forever, yes. But what if:
- The exchange admin sends the wipe command to the wrong phone. ("Hi, I'm John Smith and I've lost my phone.")
- The "wipe after X invalid passcode" policy is enabled. A friend or a kid picks up the phone and tries to play with it. Whoops.
- Something else goes wrong...bottom line is that the company should have no right to wipe anything other than their own data.
I understand the need for locking the device...I really do. But, if someone does happen to find my phone (knock on wood but HIGHLY, HIGHLY unlikely, as I've never even almost forgotten any phone, anywhere, ever) they aren't going to find ANYTHING of value in my emails. I'm pretty low on the totem pole.
If I had sensitive data on my phone...no questions asked, I would keep it p-word locked.
matt2053 said:
Can you please post a link to the one you used?
Sent from my PC36100 using XDA App
Click to expand...
Click to collapse
http://forum.xda-developers.com/showthread.php?t=775007
awenthol said:
I understand the need for locking the device...I really do. But, if someone does happen to find my phone (knock on wood but HIGHLY, HIGHLY unlikely, as I've never even almost forgotten any phone, anywhere, ever) they aren't going to find ANYTHING of value in my emails. I'm pretty low on the totem pole.
If I had sensitive data on my phone...no questions asked, I would keep it p-word locked.
Click to expand...
Click to collapse
Your Exchange Admin (or you depending on the version of Exchange you're using) has the ability to remotely wipe your device in the event it gets stolen/lost.
Could anyone give a brief possible explanation of why I can connect to my exchange server easily using Touchdown, but not using the Android integrated Exchange Account Sync?
Sent from my PC36100 using XDA App
Just found this thread as I've encountered the same issue on a HTC Sensation, just setup Exchange ActiveSync, and bam, have to set up the PIN lock on the phone.
However I've noticed that once you've done it, you can then go into Settings, Security and change the timeout before it locks up to 1 hour (I think that is dependent on your company setting). Mine was defaulting to every time the screen locked, but changing it to 1 hour I find I hardly ever have to unlock the phone now apart from first thing in the morning as I tend to use it regularly through the day.

Attention all Android fans - This is Important

We really need to rally and get Google to fix some major issues with the Android OS. If Android is going to be truly universal and be able to compete, and beat Apple, it needs to at least be able to do what it can do. Please read: http://claar.org/blog/?p=180 and call, email, post, blog, whatever you can to get Googles attention on these issues.
And thank you for your support.
P.S. Pass this url on to every android user you can.
http://claar.org/blog/?p=180
Sent from my ADR6300, not my wife's iPad...
You have a legitimate argument but those items you listed are never performed by me. =[ Sorry. Everything I need done, works. =]
[ Sent from an LG Optimus V ]
Android still has a way to go before being all things to all people. It has the potential though so i'm sure we'll see improvements in the areas where it's currently weak.
Nice write up though. I hope these issues are resolved for you soon.
Write your congressman. Attend your local PTA meeting.
Don't gey me wrong, I love my Android phone, just saying that Google is missing the boat on the Enterprise side of things. Used to have an iPod touch that worked flawlessly on our corporate intranet, can't say the same for my dinc. As the workforce continues to become more mobile, they'll be carrying iPads instead of Xooms or Galaxy tabs.
Sent from my ADR6300, not my wife's iPad.
are there really people who use android's and ipad's/iphone's for work???
o-o?
id rater use a PC or laptop. but yha.
think all the company's want to be cool?
i cant go suport this.because my android does what it needs to do.
remember. smartphones and tablets aren't pc's,so they shouldn't do the work of a pc.
ghost010 said:
are there really people who use android's and ipad's/iphone's for work???
o-o?
id rater use a PC or laptop. but yha.
think all the company's want to be cool?
i cant go suport this.because my android does what it needs to do.
remember. smartphones and tablets aren't pc's,so they shouldn't do the work of a pc.
Click to expand...
Click to collapse
Why shouldnt they? Why should they have limitations. I say the more capabilities the better!
Universally, I don't understand Googles LACK of contact and attention to it's customers. Like most people are aware that e-mailing google is a complete WASTE OF TIME. I'd love to meet someone who has yet to actually get a meaningful response from google. I understand that they are a HUGE company and can easily get overwhelmed by emails, but the complete lack of response in general is UNACCEPTABLE. Why do they act this way, ESPECIALLY to their customers? Eitherway, they should respond in some way to all emails, understandable for free products, but for PAYING customers like us Android users, should get a response.
Google is worse than Sprint when it comes to response. I don't get it or understand.
I'm an IT Director for a medium sized medical manufacturing company and I've been testing ipads as a laptop alternative for our salesforce, and I have to say, I would be absolutely pissed if I had to use an ipad(or any tablet for that matter) for work.
Don't get me wrong. They work. But do you want to do all your work on them? HELL NO.
I have a remote desktop app on my mytouch 4g and I use it every now and then when I need to fix something or get onto the server for any reason. That doesn't mean I'm going to ditch my computer because my phone is capable of doing something my laptop does. Tablets, smartphones, mobile devices in general...they should be used to supplement computers, not replace them.
And as far as google 'not listening to their customers', you obviously haven't been on any sort of development team before. Especially not one that had any sort of fast progress. I don't know if you've noticed, but chip manufacturers have released dual core mobile cpu's. So google can either work on your vpn problem and appease a small number of enterprise users(people who will actually use a vpn on their phones), or they can concentrate on optimizing their code so it will work well with the next generation of hardware. They're obviously going to concentrate their manpower(or womanpower) on development for next-gen hardware. If the support ticket exists, they'll work on it. But there are thousands of them, and people need to realize that just because it's important to you specifically, doesn't mean it's an important problem. VPN access doesn't effect the overall functionality of the os during normal use, so it's going be put on the back burner, that doesn't mean it won't be fixed.
And whoever said go to pta meetings, PTA = parent teachers association. Good luck getting heard there.
While on the subject of fixes, I'm more concerned about linked market data and being able to transfer purchases to different accounts. I.E. switching from a google apps account to a gmail account. Also, the 'master account' crap. There should be a way to change which login you use to connect to gtalk and the market without having to reset your device to factory. That just sucks.
LOL, I used to get those "wake-up" calls from the 3rd shift platform operators. I got my butt out of bed, got on my PC and fixed the problem or marked it "next day" and fixed it when I got to work.
I can't see using a phone's screen size to debug a couple hundred lines of JCL or batch COBOL program Not to mention, I was usually talking to the operator at the same time I needed to see something on the PC; very hard to do with a phone.
Can it connect to Microsoft's pptp? Yes - http://www.techrepublic.com/blog/smartphones/connect-to-a-pptp-vpn-from-your-android-phone/2145
problem 1. You can connect to a proxy (unless i'm not understanding your complaint) There's Proxy options under the settings menu.
Problem 2. I've noticed this but apparently some 3rd party browsers can do it.
Problem 3. Not sure about this one, but i connect to many different networks (public, domestic and at uni) and have never had a problem like this.
What you're saying is that you have various problems that the vast majority of people will never experience and you are wondering why Google aren't dropping everything to fix it immediately? These problems (to me at least) seem incredibly minor.
kccasey said:
Universally, I don't understand Googles LACK of contact and attention to it's customers. Like most people are aware that e-mailing google is a complete WASTE OF TIME. I'd love to meet someone who has yet to actually get a meaningful response from google. I understand that they are a HUGE company and can easily get overwhelmed by emails, but the complete lack of response in general is UNACCEPTABLE. Why do they act this way, ESPECIALLY to their customers? Eitherway, they should respond in some way to all emails, understandable for free products, but for PAYING customers like us Android users, should get a response.
Google is worse than Sprint when it comes to response. I don't get it or understand.
Click to expand...
Click to collapse
Because they already have your money, therefor they could care less. And they will continue to get your money, his money, her money etc because they make a product and provide a service that we all have come to rely on. They've got the hook set, you can't break free and they can let us dangle as long as they want.
But maybe the combination of google, samsung, and verizon has destroyed my outlook.
Samsung Fascinate
Frankenclean 2.8
EB16-ish Voodoo Kernel
Mob87's Honeycomb theme
Sent from XDA Premium App
I think many of these issues will take a long long time to see resolved.
You need to consider what motivates google RE Android. Hint: It is not paying customers.
Thing is, normal market forces are not at work in the Android space. This is
my BIGGEST issue with Android.
@andmiller
You don't think your needs are most important ones, do you? There are many, many things to do, not only these mentioned by you.
For me your "This is Important" bugs are minor. Actually I didn't know about them to this time. I care much more about NDK APIs, performance and UI improvements and this is exactly what Google does.
Also there is one good reason to focus on new APIs, standard libraries, developer tools, etc.: Google is only one who can improve them and sooner is better. They could fix bugs at any time, they could also port them to older versions of OS. But if they add new API, it will take some time for developers to use it, because new API won't be supported by most of devices. So it's much better to work on a new features first and fix minor bugs later.
BobPaul said:
I think many of these issues will take a long long time to see resolved.
You need to consider what motivates google RE Android. Hint: It is not paying customers.
Thing is, normal market forces are not at work in the Android space. This is
my BIGGEST issue with Android.
Click to expand...
Click to collapse
You have got that completely backwards. Iphone is not normal market space. Each manufacturer running android os have to set themselves apart from each other, hence skinning the os. If customers demand, need it, it will get fixed or innovated.
Apple controls all, What they say goes. Example: no flash, theming....
Amazon drops their android app store on tues. Why, market forces.
Sent from my SGH-T959 using Tapatalk
hey dude most of those issuses were fix sort of well i wouldnt say fix because google came out with a whole new O.S. most of ur issuses hav been resolved in the honeycomb os and greater but u dont need a fix u need a app that can handle what u need
> Can it connect to Microsoft's pptp? Yes - http://www.techrepublic.com/blog/sma...oid-phone/2145
No, or at least, not for several hundred people at least, some who have even provided logs of both sides of the conversation. Some bug comments are from companies, representing complaints from their customer base, so it is probably more. I could write an article that shows how to do it, too, but that doesn't mean that I've tested all combinations. If the author's VPN was not encrypted, he wouldn't have seen the problem, and--since his connection worked, and there's that encryption checkbox--he might have just assumed it worked. He might have even tried it: You can connect with encryption, you just can't stay connected for any length of time.
> problem 1. You can connect to a proxy (unless i'm not understanding your complaint) There's Proxy options under the settings menu.
I can manually set a proxy, although there are reports that this is not a standard part of android, but a value-add by the phone mfr. A third-party program could perhaps recognize which WAP I connect to and set values accordingly, but only if I want everything to go through the proxy, and not just some things. That would have worked at HP, but my ulterior motive is to proxy a specific blocked port so that I can pop my email to my wifi tab. OK, I'll admit, my actual reason isn't a compelling case for Google! ;-)
> Problem 2. I've noticed this but apparently some 3rd party browsers can do it.
I'm not surprised that some clever programmer patched around the breakage, but it needs to be solved generally. Really, this and VPN are the most important issues for me.
> Problem 3. Not sure about this one, but i connect to many different networks (public, domestic and at uni) and have never had a problem like this.
You have never had a problem like this that you know of! Most folks have been bitten by this when the run into a place with short leases, and only find out--if they do--by accident, since most places don't check for violators.
Other comments
For the person who asserted that these are fixed in the latest release, that doesn't appear to be the case, according to the bug reports.
Are there really people who use their portable device for work? Not if it is android-based! (I know, cheap shot, but--for many of us--a true statement).
I have a galaxy tab. With working VPN and ssh, I could login and do a simple database change "echo blah blah blah|mysql", restart a job, whatever. I'm not going to write a couple of thousand lines of code, but I might look at a couple of thousand lines of a log file! Instead, I have to fire up the PC, which means I have to be around the PC, and I'd rather have the freedom of mobility.

Skype for Android Exposes Sensitive User Data to Rogue Apps

Thought I'd post for anyone using this ...
Skype for Android users are potentially at risk for having malicious apps steal sensitive user data from their phone because of incorrectly assigned file permissions
A vulnerability in the way Skype’s Android app locally stores data could potentially exposes users’ sensitive information, an Android developer discovered.
http://www.eweek.com/c/a/Security/S...ses-Sensitive-User-Data-to-Rogue-Apps-117334/
yikes !!
Market reviews already made it clear it was a ****-ass program. I guess this just seals my decision never to install it. Oh well, time is on my side, as the song goes.
just a bump to be sure all that should see it do ...
Skype was updated today to resolve that. Now I just want video calling on it damnit!
I was never able to actually get Skype to log me in, today's update included.
I wont be using it either

Android Security Concerns

I'm hoping someone can point me in the right direction after spending a day reading about mobile phone security. I'm still confused as to what an app can do and how I can limit access. Some answers or a point in the right direction for more information would be helpful.
Apps that are granted permission "Modify/Delete SD Card" can pretty much read/write anything on my device? Could an app go through my sd card and see files, for example, music, movies, other data from different apps; file names/content? I have about 35 apps running on my phone with this access. I'd rather not leave it to "how much I trust the developer" and have some means to limit access to data.
I don't keep national security secrets on my nexus but there is work and personal information that is sensitive and I wouldn't want shared. It looks like if I use android to encrypt my data it only encrypts the /data folder and there doesn't seem to be much in there.
What about securing contact and calendar data? Is this possible? Not as critical as guarding my file data, but still important to me. Thanks.
Yes, files on the external sdcard are not protected, I.e. all apps which have the right to read/write sdcard can read/write everything there. One reason is just the filesystem type: on FAT you don't have access rights. On internal /sdcard it's a bit different, because it's using ext4 as a filesystem, so principally not all apps can read everything, but also here you have the problem that for example the camera, the gallery app, ... need access to the same files and directories. So at the moment you need to trust the apps in a certain way or not to install it at all.
Sent from my Nexus 7 using xda app-developers app
While it is difficult for someone with limited tech experience, it is plausible to protect your data with measures like XPrivacy or PDroid.
However, if you're looking for an answer without jumping through a few technical hoops, there aren't many good ones unfortunately. The best bet is as you already suggested, that is to be smart about where you browse the net, and only install trusted apps. Always think twice and review permissions carefully for any app even if it's from the Play Store.
And don't forget encryption only works similar to a house door. It's only good if you keep it locked. But if you let the bad guys into your house (i.e., installing a naughty app), it doesn't protect you much. It only keeps them out so long as you don't let them in (physical access). P.S. I'm assuming you're talking about the stock android encryption not actually having individual encrypted files on your device if not then ignore this paragraph (although I'm sure some will disagree that even having SHA-512 AES encrypted files with a extremely complex and long passwords is still not enough to protect data once a malicious user gets their hands on that file.)
Even on the internal SD card, it looks like once I give an app access to "modify/delete" the entire sd card is exposed; did I understand that correctly? It looks like grant access to everything or nothing.
After reading this:
http://appanalysis.org/
It seems that even trusted developers can't be trusted. I don't consider myself a novice user but I'm really surprised at how exposed the data is on phones and tablets. Its like leaving money on your front porch and hoping it isn't too tempting for someone to walk though a broken gate and grab.
Any idea what WP, iOS or BB10 offer in the way of data protection?
TheAltruistic said:
While it is difficult for someone with limited tech experience, it is plausible to protect your data with measures like XPrivacy or PDroid.
However, if you're looking for an answer without jumping through a few technical hoops, there aren't many good ones unfortunately. /QUOTE]
XPrivacy looks good, might be worth rooting for that app.
I'm not as concerned with an app downloading files and using a high level attack on my data. I am concerned about an app where the developer decides to go through my contacts, photos, and files which are unlocked and easily viewed. Then sell the data to whomever that can do whatever. No effort required, no ability to know the data was even accessed and no ability to lock the data. I think like most things, if there is more than a slight effort needed to access the data, they'll move on to something else.
I see Google offers encryption but I can't find information on exactly what is encrypted and if I install an app with say permission to contacts does that give them encrypted access to all contacts? For example, a program that can add a contact via sms I don't want to allow it to read all my contacts, just add a new one.
Maybe Android isn't the right platform for me.
Click to expand...
Click to collapse
mgerbasio said:
TheAltruistic said:
While it is difficult for someone with limited tech experience, it is plausible to protect your data with measures like XPrivacy or PDroid.
However, if you're looking for an answer without jumping through a few technical hoops, there aren't many good ones unfortunately. /QUOTE]
XPrivacy looks good, might be worth rooting for that app.
I'm not as concerned with an app downloading files and using a high level attack on my data. I am concerned about an app where the developer decides to go through my contacts, photos, and files which are unlocked and easily viewed. Then sell the data to whomever that can do whatever. No effort required, no ability to know the data was even accessed and no ability to lock the data. I think like most things, if there is more than a slight effort needed to access the data, they'll move on to something else.
I see Google offers encryption but I can't find information on exactly what is encrypted and if I install an app with say permission to contacts does that give them encrypted access to all contacts? For example, a program that can add a contact via sms I don't want to allow it to read all my contacts, just add a new one.
Maybe Android isn't the right platform for me.
Click to expand...
Click to collapse
Heh don't give up. To be honest at least android tells you when it grants a program certain permissions unlike some other OSes where you're in the dark in terms of security.
As far as I know, and I'm assuming we're talking about the same thing, the type of encryption Android offers only prevents people from gaining unauthorized access to your data if your device is mounted or accessed when your lock screen is up. (I'm sure someone will correct me if I'm wrong--please do). But if your device is not password protected (e.g., you set lock password to lock every hour and they get it when it's unlocked) then your data can potentially be compromised.
This encryption does not, however, protect your data as you're browsing the internet, or running apps like facebook.
If you're looking for something to protect your data from say facebook finding your GPS location without your permission, or accessing your contacts and doing God knows what with it, then XPrivacy and PDroid (links above) is your answer, and I'd say that's awesome.
I may not play around with an iPhone / iOS enough, but I'm confident enough to say that they don't offer the same privacy protection even from Cydia that you can get from communities like here on XDA. Perhaps for iOS users, ignorance is bliss?
Click to expand...
Click to collapse
TheAltruistic said:
mgerbasio said:
Heh don't give up. To be honest at least android tells you when it grants a program certain permissions unlike some other OSes where you're in the dark in terms of security.
Click to expand...
Click to collapse
Thanks again. I appreciate the comments.
All I'm really looking to do is prevent an app downloading all my contacts, photos, movies, files, etc. I have some work data on my tablet that isn't confidential but it is what I would call sensitive. Actually, I rarely use external memory, mostly just use in internal sd card.
It seems all the "good apps" grab more permissions than they need or, the permission they do need to operate gives them way more access than I'd like. I'm not so concerned that I'd start using Tor or duckduckgo, but just trusting a developer with an open door to data is more than I can to leave to chance.
From what I've been reading the sandboxing in iOS and WP provide good security and in BB you can remove permissions from apps; BB10 is still the most secure if you can believe the internet articles. I'd like to see Google make it more clear as to what encryption actually allows and prevents.
There seems to be apps that button up a lot of holes, like photos, but there still are gaping holes.
Click to expand...
Click to collapse
Hi guys,
Any progress? I use PDroid on my smartphone and find it unnerving to see how much and how often data is accessed not only by third party apps but by Google itself. With PDroid you can restrict permissions without bricking the app because it can provide fake data rather than none. I have to say that I am not entirely happy with it though. I hope that Firefox OS will have success in stopping the appification of our devices. Data wise, it is much safer to use web-based services than app-based services.
I think Google's Android is so successful with developers (also) because they can gather so much data. Our smartphones are unfortunately "data gold mines" for the ICT industry.
If you have any progress in improving privacy, safety and security of the Nexus 7 than I'd be happy to read about it.

Attention: this phone is a spyware device!

According to Samsung customer support and some members of this forum, this device does not have a built-in way of blocking Internet access for specific applications!
Many of those apps have permissions like "storage", "phone ID", "contacts", "calendar", "camera", "microphone", etc...
Therefore, when those applications are given Internet access they will be able to send all our data via the Internet...
That's why it would be of crucial importance and vital to have a built-in way of blocking Internet access to those apps.
For example, if an application has access to your data, to your storage or your contacts, it stands to reason that it should not have Internet access...
The only explanation for the lack of such an integrated system of blocking Internet access for specific applications can only be explained by the fact that Samsung and Google intend to have all our data and info sent over the Internet ... probably for specific domains ...
Google, Samsung or any other companies should not have, simultaneously, access to our storage data, contacts, calendar, camera, microphone..., and Internet access to send out all those data and info...
Besides, most apps are proprietary... so nobody knows what info or data the app is really sending out...
(Curiously and as a side note, my son has a Huawei P10 and that device allows the user to block Internet access to specific apps).
Therefore, given that this Samsung device does not have a way to limit specific applications from reaching the Internet, the phone is a spyware device!
Niccolò Paganini said:
The only explanation for the lack of such an integrated system of blocking Internet access for specific applications can only be explained by the fact that Samsung and Google intend to have all our data and info sent over the Internet ... probably for specific domains ...
Click to expand...
Click to collapse
Its google that doesn't want to implement an internet permission, we can block apps from access to storage/location/contacts and whatnot but not the internet, blame google not samsung.
peachpuff said:
Its google that doesn't want to implement an internet permission, we can block apps from access to storage/location/contacts and whatnot but not the internet, blame google not samsung.
Click to expand...
Click to collapse
Well, blame them both. Samsung is knowingly 'accepting' the Google 'flaw' on it's phone. So Samsung is also culpable.
Talk about an Over the Top Melodramatic 1st post!
Stay off the internet - Get rid of your Smart TV - Live in a box... SMH
Sent from my SM-G955W ??
Niccolò Paganini said:
According to Samsung customer support and some members of this forum, this device does not have a built-in way of blocking Internet access for specific applications!
Many of those apps have permissions like "storage", "phone ID", "contacts", "calendar", "camera", "microphone", etc...
Therefore, when those applications are given Internet access they will be able to send all our data via the Internet...
That's why it would be of crucial importance and vital to have a built-in way of blocking Internet access to those apps.
For example, if an application has access to your data, to your storage or your contacts, it stands to reason that it should not have Internet access...
The only explanation for the lack of such an integrated system of blocking Internet access for specific applications can only be explained by the fact that Samsung and Google intend to have all our data and info sent over the Internet ... probably for specific domains ...
Google, Samsung or any other companies should not have, simultaneously, access to our storage data, contacts, calendar, camera, microphone..., and Internet access to send out all those data and info...
Besides, most apps are proprietary... so nobody knows what info or data the app is really sending out...
(Curiously and as a side note, my son has a Huawei P10 and that device allows the user to block Internet access to specific apps).
Therefore, given that this Samsung device does not have a way to limit specific applications from reaching the Internet, the phone is a spyware device!
Click to expand...
Click to collapse
I wouldn't worry about it the NSA and Google already know everything about you.
without permissions 99% of your apps won't work. want to stop tracking ?dig deep into your account, real real deep to cut off a lot of privacy issues
then when you have time, google your name
pltctytc said:
....then when you have time, google your name
Click to expand...
Click to collapse
Not much came out for me, just a Google+, Twitter, Photobucket and my company activity...
But: I must agree with OP to some extent...at the end it is weighting between functionality vs privacy.
Gregzi said:
Not much came out for me, just a Google+, Twitter, Photobucket and my company activity...
But: I must agree with OP to some extent...at the end it is weighting between functionality vs privacy.
Click to expand...
Click to collapse
Agreeing to ANY extent with the OP's RIDICULOUS and ABSURD post & a Thread Title that is Entirely Misleading and Uninformed!
While everyone is entitled to their opinion - This Thread & Particularly it's Title are perilously close to warrant being Reported to the Mods!
It's a simple process to Disable Background Data for each and every Application that you decide to disable in Settings - Apps - Permissions - Data - Background /Toggle Off.
I made reference to Smart TV's as they are constantly "listening" in order to provide functionality - Then there's Laptop cameras which could be equally used to "spy" on their users... Are we to disable the functionality offered by Ok Google - Which is also "listening" to provide the functionality that we have come to expect from our technology?
Two Tin Cans and String are the bastion of the Paranoid & Conspiracy Theorists.
Sent from my SM-G955W ??
**** this I'm going back to a Palm Pixi so the NSA can't spy on me!
What if.....
The NSA IS Google?!
Seriously? You're downloading things from F-Droid and Yalp and you're concerned with what data individual apps are sending? If you don't trust an app to have an internet connection, why on earth are you using it? If you don't trust the company behind an app to use your data appropriately, whey are you using that app? Do you shut off all data so your internet/mobile provider can't sniff out what you're doing? Tin foil is relatively cheap.
Niccolò Paganini said:
The only explanation for the lack of such an integrated system of blocking Internet access for specific applications can only be explained by the fact that Samsung and Google intend to have all our data and info sent over the Internet ... probably for specific domains ...
Click to expand...
Click to collapse
Surely this is "the only reason", surely. I'll assume you have thought through the entire process of creating a mobile phone operating system as complex as Android, and also every detail involved in creating an application ecosystem that scales to millions of user created applications access by billions of people that worldwide probably generates over a trillion dollars in overall economic revenue (including employment by business built around it, advertising money spent, etc). Surely you saw a foolproof way too easily do all of this AND follow seemingly arbitrary privacy rules? You MUST have also COMPLETELY ruled out every other innocent explanation using this model, including showing conclusively that it wouldn't cause ANRs, app crashes, or anything else. Right?
You also have data showing more than just you would revoke this permission right?
Right?
Mr. Orange 645 said:
What if.....
The NSA IS Google?!
Click to expand...
Click to collapse
You mean you only just realised this NOW???!
I have to say, I'm always amazed how little people care about the spying that's being done through their phones. Saying "live in a box" or "just don't use the app" is a stupid response. You can still want to be part of society (which nowadays REQUIRES using whatsapp/facebook/google) EVEN THOUGH you're uncomfortable with the privacy implications. Someone acknowledging and being aware of this, and trying to improve upon it (or even simpler, just demanding improvements by the companies you pay a thousand dollar for a new phone) is often ridiculed as if it wouldn't matter, or people accept it as an something that is required for the systems we use. Social networks could work totally fine without being centralized, google maps doesn't actually need to send your location to google to function, and no app that i know of needs to send your usage of the phone to their company to do whatever it promises to do. Yet many apps do. It's not so much about that it is possible, the problem is that it is allowed. It shouldn't be allowed, much of the data collection should simply be outlawed. But, since hardly anyone seems to care, I don't see that coming anytime soon. I've tried to find people interested in this, but not even on reddit /r/privacy/ this seems to be a major concern.
@the_toast
There's a difference between being responsible for the amount of privacy you have and the amount of personal information that has already been made available... long before people were even aware of the amount of personal information that was already gleaned from the Products and Services that you have been using for years. To some extent trying to reign in your personal information is like closing the barn door after the horse is long gone.
The guy who originally posted this Thread is focusing his "panic" on one device and THAT is naive and Grossly Misleading!
Whether it's FB (which I don't use) or signing up for a Loyalty card - Your personal information is everywhere! Using common sense going forward is the only rational approach, but standing on an imaginary mountain top and shouting to the world that one device is "spyware" is ridiculous and deserves to be called out ?
Sent from my SM-G955W ??
Ahh, the time of the Internet where everyone knows who you are, what you're doing, what you're buying, what sites you browse, your fetishes, etc. Most importantly, here in the U.S., your IP now can sell your internet history to anyone they please, even that time you looked up 2 girls and a cup. Sorry, Charlie, your life is no longer a private one and never will be again.
MiMtnBiker said:
Ahh, the time of the Internet where everyone knows who you are, what you're doing, what you're buying, what sites you browse, your fetishes, etc. Most importantly, here in the U.S., your IP now can sell your internet history to anyone they please, even that time you looked up 2 girls and a cup. Sorry, Charlie, your life is no longer a private one and never will be again.
Click to expand...
Click to collapse
And if you Travel into the USA... Did you know THIS?
https://www.google.ca/amp/www.cbc.ca/amp/1.4494371#ampshare=http://www.cbc.ca/1.4494371
Sent from my SM-G955W ??
@shaggyskunk True, the OP is alarmist and uninformed. I was just put off by many of the answers, which basically said "why do you use Internet then". With respect to your post about searching phones - we can easily make this a scare thread (and people would be scared for good reasons). Let me continue:
- apps that want to use your microphone without apparent reason (of course also the ones WITH a good reason to use the mic) can track you through high-pitched sounds you cannot hear, which are emitted e.g. by some retailers to track you through their store.
- You talk about 1 in 13.000 people arriving in the US getting their phone/laptop looked at and potentially copied? How about knowing for 1Bn people (1 in 7 on earth) who they talk with, when they talk with them, and in which location they are whenever their phone has internet. That's Whatsapp.
@MiMtnBiker Gnn that's exactly my problem, people just accept it and believe it's never going to change. I'm not happy they know what kind of porn I'm looking at, and even less happy that they could sell the information (although I don't live in the US). If it is that way, it CAN be fixed, you CAN prohibit selling this information. Or to collect it at all. It's definitely better to know the big 5 have all my information but won't have all future information about me than to know they can continue like this forever
@the_toast
Many of the answers - including "live in a box" - "stay off the internet" were in direct response to the careless & irresponsible comments by the OP - like = like?
Not only your phone has the potential to gain access to your personal information - But your Laptop camera - Your Smart TV (that is "listening") But this technology is something that most people appreciate and expect their tech to provide them with the functionality that they want - Being aware of the capabilities of your Tech is prudent - being paranoid & frightened by it is just sad.
The issues of Privacy are extensive and if someone decides to pull on that thread - it's going to be never ending.
Common sense & being informed is the most appropriate way to go ??
Sent from my SM-G955W ??
the_toast said:
@shaggyskunk True, the OP is alarmist and uninformed. I was just put off by many of the answers, which basically said "why do you use Internet then". With respect to your post about searching phones - we can easily make this a scare thread (and people would be scared for good reasons). Let me continue:
- apps that want to use your microphone without apparent reason (of course also the ones WITH a good reason to use the mic) can track you through high-pitched sounds you cannot hear, which are emitted e.g. by some retailers to track you through their store.
- You talk about 1 in 13.000 people arriving in the US getting their phone/laptop looked at and potentially copied? How about knowing for 1Bn people (1 in 7 on earth) who they talk with, when they talk with them, and in which location they are whenever their phone has internet. That's Whatsapp.
@MiMtnBiker Gnn that's exactly my problem, people just accept it and believe it's never going to change. I'm not happy they know what kind of porn I'm looking at, and even less happy that they could sell the information (although I don't live in the US). If it is that way, it CAN be fixed, you CAN prohibit selling this information. Or to collect it at all. It's definitely better to know the big 5 have all my information but won't have all future information about me than to know they can continue like this forever
Click to expand...
Click to collapse
I'm afraid the only way you are going to change it is to completely get off the grid. Many people are oblivious to the fact that they are willingly giving up their personal information when they have their noses buried in their smartphones pert near all day. What's worse is that the politicians only seem to cater to the wealthy, and since they are salivating at the idea of getting their grubby hands on your info, this will continue. Unless there is a huge uprising and people assemble in protest of this, it will not stop. Heck, I don't even think it will stop, then. Nope, money is the reason as to why this won't change and, unfortunately, you have no say in the matter. Unless, that is, you do get completely off the grid.

Categories

Resources