[Q] Android Security - EVO 4G General

Is Android really secure enough to bank on?
What security precautions do you all take?

I would not suggest to do any banking on any mobile device not just android specially with hacked roms. The risk is too much for instance losing ur device and if ur device is rooted then it data is exposed.
Sent from my PC36100 using XDA App

I use Mint just to view my bank account, if i ever lose my device, they still need my pin number to get into the app(not your bank pin, any pin you set) and i can always change the password of the account online.
Over a cell network is probably THE safest way to bank. I trust that Cyanogen hasnt done anything that will steal my bank info.

Unlock screen password + BoA app doesn't have my password saved, AND has most of the username censored. 3G is also fairly secure, compared to cable or a WiFi connection.

No matter how you bank online it will be insecure IMO, using an unrooted android phone is probably a little bit more secure then using a PC or mac though. Just don't set it up so anyone can get in there without using a password or something.
I say unrooted because once you root it's a whole new ballgame. Using any custom ROM or giving any 3rd party app SU permissions means they have a free for all to any and everything your phone has and does.

I use the web on the phone to check my accounts, but I do not use an app for it.
I also make sure to never save passwords on the browser as well.

Just don't save your usernames/passwords if you bank on the browser, and make sure to tell any banking app to log out when you leave the program (you might not even be ABLE to stay logged in).
All data through CDMA cell networks is encrypted by default, not to mention the additional encryption that any reputable bank's website/app will have. As was mentioned above, online banking with your phone truly is the safest way to bank online.
In regards to rooting, it is only as dangerous as you make it. If you root and then grant SU permissions to "Swe3T fREE BaBEs 4 U" app, you're probably asking for trouble. But I only grant SU to Quick Boot and SetCPU, and other legitimate applications that don't ask for more permissions than they require. Just don't be an idiot and you'll be fine!

So is there a near consensus now that it can be secure?
Any naysayers remain?

It's really your choice to use it or not all it comes down to. I am in the Information Security field and when you learned about how things work and how to get around them. It's scary!

vboyz103 said:
It's really your choice to use it or not all it comes down to. I am in the Information Security field and when you learned about how things work and how to get around them. It's scary!
Click to expand...
Click to collapse
Taking field bias in consideration, I'm looking for your insight on how to make it most secure or if it's really necessary to wait for further security measures.
There are ways to practice safe sex afterall..

i'm still not quite sure how sending data over a CDMA network is any more secure than any other means. i mean sure CDMA is encrypted to begin with; yes. on top of that, any banking you do should be encrypted with SSL at least. great. now you've got two layers of encryption/security there. the fact is though regardless if it's CDMA or SSL, you're still transmitting data out thru the open air where anything with an antenna can grab it. it doesn't really matter how encrypted the data is at this point, it's unsecure in that is is freely available with only an antenna. security is not really how secure the data is at the presentation layer, but how secure it is at the physical layer as well.

vboyz103 said:
It's really your choice to use it or not all it comes down to. I am in the Information Security field and when you learned about how things work and how to get around them. It's scary!
Click to expand...
Click to collapse
I have a very similar job to you. I used to think the same.
Thing is, getting around those things is possible, but less likely that most other ways. Getting a wallet or purse stolen is common. Handing your CC to a server at a restaurant or bar and not seeing what they do with it is pretty trusting, no? Bet we've all done that.
Do the best you can, and be watchful of your accounts. I bank on my phone with more confidence than I would have at Starbucks on wifi.

Related

Automatic wifi login?

Anyone know of an app, that automatically login into wifi network?
For example, my school have public wifi, however it requires me to open a browser then enter my user Id/password. Is there a way to automated this? I am already using Y5 and this is the last piece of the puzzle.
PS: obviously, I don't want to share my student id/password with the whole wide world as well. So thing like WeFi doesn't seem like the best thing on earth. I just want to store the login info locally on my phone.
NexusX said:
Anyone know of an app, that automatically login into wifi network?
For example, my school have public wifi, however it requires me to open a browser then enter my user Id/password. Is there a way to automated this? I am already using Y5 and this is the last piece of the puzzle.
PS: obviously, I don't want to share my student id/password with the whole wide world as well. So thing like WeFi doesn't seem like the best thing on earth. I just want to store the login info locally on my phone.
Click to expand...
Click to collapse
I have the same issue with my employer's WiFi.
The weird thing is it often works for many days, allowing me to connect/disconnect freely. Then one day randomly, it'll ask for my password again.
I'm pretty sure there's no way to automate entering your password if you have to do it via a browser (mine is via a browser as well).
The only thing I can suggest is adding your username to the dictionary so you can easily type something and get it auto-corrected for the full username. Also, using KeePass to copy/paste the password.
deleted

How will "they" know if I tether with a rooted Nexus One

Just read Tmobile is going to charge for tethering & wi-fi hot spot. How will they know? Isn't data, data? I don't want to be charged for something I might use 5 times a year.
Sent from my Nexus One CM6 using XDA App
I don't know if they can tell, I have used the hotspot feature with my Nexus quite often and AT&T has never tried to charge me.
They wont.
[email protected] said:
Just read Tmobile is going to charge for tethering & wi-fi hot spot. How will they know? Isn't data, data? I don't want to be charged for something I might use 5 times a year.
Sent from my Nexus One CM6 using XDA App
Click to expand...
Click to collapse
Where did you read this from? No source, it didnt happen.
Starts 11/3/2010
Zephyron said:
Where did you read this from? No source, it didnt happen.
Click to expand...
Click to collapse
http://www.boygeniusreport.com/2010/10/26/t-mobile-to-debut-tethering-plan-on-november-3rd-14-99/
the only way they could know if you are tethering is if you are using the carrier's native ROM, i don't think they would ever find out when running a custom rom.
If you don't bother searching - at least do read the same thread on the same 1st page of the forum, instead of opening another one.
Einstein was right about infinite things...
Packages being sent contain HTTP requests, which may contain info on the device that's being used, among other stuff I don't really know about.
If those packages contain specific info on the device, they probably can tell even if you're using a custom ROM, just by putting some effort into it.
Anyways, if by some mean they'd manage to analyze it in a way where they can tell whether you're tethering or not, we'll also find a way to trick them by parsing those packages on the fly.
So, ultimately, I don't know whether they can tell or not if you're tethering, but if they can don't worry, someone will take care of it.
St.Jimmy! said:
Packages being sent contain HTTP requests, which may contain info on the device that's being used, among other stuff I don't really know about.
If those packages contain specific info on the device, they probably can tell even if you're using a custom ROM, just by putting some effort into it.
Anyways, if by some mean they'd manage to analyze it in a way where they can tell whether you're tethering or not, we'll also find a way to trick them by parsing those packages on the fly.
So, ultimately, I don't know whether they can tell or not if you're tethering, but if they can don't worry, someone will take care of it.
Click to expand...
Click to collapse
Companies cannot legally spy into your network traffic in that manner here in the US.
JCopernicus said:
Companies cannot legally spy into your network traffic in that manner here in the US.
Click to expand...
Click to collapse
This is true, deep packet inspection is against the law as it infringes what little privacy we are still allowed thanks to homeland security
St.Jimmy! said:
Packages being sent contain HTTP requests, which may contain info on the device that's being used, among other stuff I don't really know about.
Click to expand...
Click to collapse
Not picking on you, but I'm sure you mean packets
Here in France, SFR set up atransparemt proxy that checks the user-agent sent by your browser.
You can trick it by setting a mobile user-agent on your PC.
Sent from my nexus desire
zEar said:
Here in France, SFR set up atransparemt proxy that checks the user-agent sent by your browser.
You can trick it by setting a mobile user-agent on your PC.
Sent from my nexus desire
Click to expand...
Click to collapse
That's screwed. You can set any UA when using a custom ROM, so you'd be charged for tethering when you set it to Desktop?
In that case, someone might have a good reason to sue them...
Thanks for the info.
Sent from my Nexus One CM6 using XDA App
Jack_R1 said:
That's screwed. You can set any UA when using a custom ROM, so you'd be charged for tethering when you set it to Desktop?
In that case, someone might have a good reason to sue them...
Click to expand...
Click to collapse
First, you're right. But I forgot to mention that they won't charge you, it simply doesn't work. So if you changed the UA the way you suggest, you would see a blank page and quickly fix that
Second, I noticed after answering that I didn't read the question well (sh*t happens ) and didn't get the point about root. So to be more clear about the original question :
- "They" shouldn't be able to know if you're rooted or not, but there may be ways for them to detect that you are tethering.
Tethering and T-mobile...
If you run speedtest.net on a computer that's tethered to the N1, it shows on speedtest.net's server that you are on T-mobile USA's IP. Somehow T-mobile would have to acquire when the tether option was turned on and off at the same time the 3g service is on. They would have to submit that into the header files that get sent to their services. That would be a stretch, but it would be doable in future software updates. Say Gingerbread....
Actually, yesterday I've found something interesting about one of our local carriers.
It has 2 APNs: one for "dumbphones" and one for smartphones.
The first one allows Nexus to use internet and market, but tethering doesn't work. The DNS requests are blocked - I still didn't figure out how they block them. DNS servers get the ping, but the requests aren't resolved. Yet it looks like they're resolved, if sent from the phone.
The second one allows full internet access for the phone - and tethering also works.
So they don't detect tethering (and don't charge for it), but looks like they can block it with some restrictions that still allow the phone browser to work, when using "dumbphone" APN.
Jack_R1 said:
Actually, yesterday I've found something interesting about one of our local carriers.
It has 2 APNs: one for "dumbphones" and one for smartphones.
The first one allows Nexus to use internet and market, but tethering doesn't work. The DNS requests are blocked - I still didn't figure out how they block them. DNS servers get the ping, but the requests aren't resolved. Yet it looks like they're resolved, if sent from the phone.
The second one allows full internet access for the phone - and tethering also works.
So they don't detect tethering (and don't charge for it), but looks like they can block it with some restrictions that still allow the phone browser to work, when using "dumbphone" APN.
Click to expand...
Click to collapse
so all the other data, non browser based - how do they decide if/when to block which data ? i'm assuming this will only work on a non-rooted phone, or they are breaking the law and doing deep inspection.
if they =are= doing deep packet inspection, they can and will be held liable for eavesdropping, child porn, online harrassement (if you ever harrass someone), and a whole host of other things.
the ISP (tmo) not knowing what you're doing is a benefit to them. ignorance is bliss, and knowledge means responsibility the way the gov't views it.
lol, that last statement, the gov't and responsibility could be a joke i guess.
I believe they just have all traffic going through proxy which allows only very few selected packet types through, and blocks the rest for "dumbphone" APN. They don't check/block anything beyond DNS requests, and if you want to connect to a site while tethering "dumbphone" connection by IP - I believe you'll get there (didn't have a chance to test, but pinging IPs works without problems).
And of course, my Nexus with Enomther's ROM was used for experiments and showed exactly the same behavior.
The thing is - if I understand it correctly, it's not a planned behavior. They wanted to shut off all the network but the sites they give access to from their own WAP portal (considered "internal" internet), but in fact for some reason Nexus isn't completely blocked by it. PC is, though, when connected through Nexus.
And again, they don't have something that detects tethering - once a smartphone APN is used, the traffic is the same for Nexus and for tethered devices.
Some technical info...
Hello!
There is a way to detect if You are using tethering. Basically - tethering is routing - adding one more point in communications. So - if You just use Your phone, packets are addressed from/to Your phone. But if You are tethering - packets are addressed to device behind phone (using phone as gateway, basically router with NAT).
So - they may check:
ARP tables
TTLs
OS specific packets/DNS requests/used IP's (Why would Your phone check for MS updates? )
other things...

[Q] Corporate email on Gingerbread

actually this is a question to all Gingerbread rom developers.
while using froyo i was able to use corporate exchange email and calendar without any security limitations, but after i tried almost all Gingerbread roms everyone force me to set phone unlock password and threatening me to provide to the server admins ability to wipe my phone remotely....how i can bypass that??just to have a same exchange features without that security staff??
tonyio said:
actually this is a question to all Gingerbread rom developers.
while using froyo i was able to use corporate exchange email and calendar without any security limitations, but after i tried almost all Gingerbread roms everyone force me to set phone unlock password and threatening me to provide to the server admins ability to wipe my phone remotely....how i can bypass that??just to have a same exchange features without that security staff??
Click to expand...
Click to collapse
If you revert back to FROYO does it not require PIN security? Is there any chance that you company now requires this?
I have Both G2 on CM 6.1.1 and HD2 on Gingerbread. However, my company does require PIN security. Now what bugs me is my Droid X did require a PIN every time I put the phone into "Sleep" Mode.
this is something that your companies Exchange Server admins have enforced. I know mine is that way.
i got back to the froyo and it DOES NOT required me to set any pin or password,it just works as before.
is there any way to port email application from froyo to gingerbread??
There is an excellent app on the Market which I have used for this purpose as my company block access from my phone. This bypasses, and even though I only have owa it acts as though I have active sync.
I have not posted the name as whilst it is free on trial for 30 days , it is then a paid app ( and it's not cheap!)
Pm me if you want more information
i know what u r talking abt, but i'd like not to share any passwords with 3rd part app.
i rolled back to froyo
i payed attention that corporate blackberry does not require any passwords, just simply unlocking the keyboard.
tonyio said:
i payed attention that corporate blackberry does not require any passwords, just simply unlocking the keyboard.
Click to expand...
Click to collapse
Blackberrys (*spit*) are different, they rely on a BES server which interfaces between the phones and the exchange server.
They can be be set to require a password, and can be set so that if you get the password wrong enough times it wipes the device.

[Q] Never use WiFi access point?

Is there any way to tell Android (or CM7, if there's a difference) to never use a particular access point? There are three APs at my office that look equivalent as far as the WiFi software can tell, but two are unusable for administrative reasons, and I'd like to tell my NC to just ignore them. Sometimes it latches onto one of the wrong ones and I have to connect to the right one manually.
Can't just forget them, because they come back next time it scans.
Thanks!
If they can't be accessed then why are they there at all? If they can be accessed by certain people then shouldn't they be password protected? Maybe I'm not understanding the question but In my home I have 2 one connect to everything on my internal network and that's password protected. The other is for guests which don't need a password.
Anyways I did find this app. I have never used it but from the looks of things it may help.
https://market.android.com/details?id=com.hogdex.WifiRuler&feature=search_result
IFLATLINEI said:
If they can't be accessed then why are they there at all? If they can be accessed by certain people then shouldn't they be password protected? Maybe I'm not understanding the question but In my home I have 2 one connect to everything on my internal network and that's password protected. The other is for guests which don't need a password.
Click to expand...
Click to collapse
The answer has more to do with the administratium density in the building than anything sensible. One is fully open, another is open at the 802.11 level and password protected, but you have to access an internal website to find today's password, and the third is is inside the firewall but 802.1x protected and they don't support Android for that.
Anyways I did find this app. I have never used it but from the looks of things it may help.
https://market.android.com/details?id=com.hogdex.WifiRuler&feature=search_result
Click to expand...
Click to collapse
Thanks for the pointer! I've installed it, and it helps quite a bit. I reliably get the new mail notification noise from my bag before I pass through security.

What is everyone here doing for a firewall?

Am a little bit surprised (to say the least) that a device for ebook reading with a shop based function, has no working firewall!
Especially as the kernel is based on Linux!
What are people here doing for a firewall?
Has anyone manged to get ipchains etc back onto the Nook?
Freya
FreyaBlack said:
Am a little bit surprised (to say the least) that a device for ebook reading with a shop based function, has no working firewall!
Especially as the kernel is based on Linux!
What are people here doing for a firewall?
Has anyone manged to get ipchains etc back onto the Nook?
Freya
Click to expand...
Click to collapse
I doubt that an unrooted NST has any listening ports, so no need for a firewall. Credit Card details aren't stored on the NST itself, so an attacker would need to sniff the (SSL-encrypted+signed?) network traffic and use that to log into the account, if that's even possible. I suspect that all an attacker could do would be to buy books for the registered user without their permission.
cowbutt said:
I doubt that an unrooted NST has any listening ports, so no need for a firewall. Credit Card details aren't stored on the NST itself, so an attacker would need to sniff the (SSL-encrypted+signed?) network traffic and use that to log into the account, if that's even possible. I suspect that all an attacker could do would be to buy books for the registered user without their permission.
Click to expand...
Click to collapse
We know that at least port 80 exists because of the built in web browser and the nook must be receiving data somehow for the books etc.
You are right that the credit card details are almost certainly stored remotely but once a hacker is inside they can log the data from the keyboard so that when you update your credit card details you are passing on the details to who knows who.
Freya
FreyaBlack said:
We know that at least port 80 exists because of the built in web browser and the nook must be receiving data somehow for the books etc.
You are right that the credit card details are almost certainly stored remotely but once a hacker is inside they can log the data from the keyboard so that when you update your credit card details you are passing on the details to who knows who.
Freya
Click to expand...
Click to collapse
No, that's not how TCP works.
The NST will make a connection from an ephemeral source port in the range 1024-65535 to the destination port of 80 (http) or 443 (https) on the server. Connections cannot be established to the ephemeral port on the NST without MITMing the connection. If you're worried about that, you should also worry about lots of other attacks (e.g. transparent malicious proxies) that an IP firewall also won't protect against. And don't connect your WiFi devices to untrusted networks (which is good advice anyway).
TL;DR: the lack of an IP firewall on an unrooted NST is the least of your worries.
cowbutt said:
No, that's not how TCP works.
The NST will make a connection from an ephemeral source port in the range 1024-65535 to the destination port of 80 (http) or 443 (https) on the server. Connections cannot be established to the ephemeral port on the NST without MITMing the connection. If you're worried about that, you should also worry about lots of other attacks (e.g. transparent malicious proxies) that an IP firewall also won't protect against. And don't connect your WiFi devices to untrusted networks (which is good advice anyway).
TL;DR: the lack of an IP firewall on an unrooted NST is the least of your worries.
Click to expand...
Click to collapse
Well I would worry about malicious proxies but I'm not sure I can do anything about them really.
So what you appear to be saying is that the whole firewall thing is very overrated and isn't really all that necessary.
I assume it was just one of those things that was trendy for a short while some time ago but has now gone out of fashion.
I know a lot of people turn off their firewalls to play networked computer games because the firewall tends to get in the way, so maybe they are a lot less important than I assumed.
You are right that I probably worry too much about these things.
The thing you say that makes me pause for thought tho, is about connecting to untrusted networks.
Isn't the internet itself an untrusted network? Or am I being over the top again because I'm basically protected by my ISP?
Freya
FreyaBlack said:
Well I would worry about malicious proxies but I'm not sure I can do anything about them really.
So what you appear to be saying is that the whole firewall thing is very overrated and isn't really all that necessary.
Click to expand...
Click to collapse
It depends.
IP firewalls are still quite useful to protect networks where people may connect hosts running network services that don't comply with the organisation's security policy. And host firewalls are sometimes useful if there are listening network services that cannot easily be disabled, or if there are outbound connections that one wishes to block. More intelligent firewalls that perform some deep packet inspection can also be useful these days (mostly because so many so-called "firewall friendly" network protocols just run over HTTP(S)).
The thing you say that makes me pause for thought tho, is about connecting to untrusted networks.
Isn't the internet itself an untrusted network? Or am I being over the top again because I'm basically protected by my ISP?
Click to expand...
Click to collapse
That depends how competent and/or malicious your ISP is, and how co-operative they are with the local government!
Freya
Click to expand...
Click to collapse

Categories

Resources