Since one on my last Android app caused lots of discussion regarding the "ad-checker" tool, today I'd like to share with all the Android developers the simple peace of code that I'm using there, with the hope that other developers could start using and improving it.
Here it is:
Code:
public class AdChecker
{
private static Boolean m_adsValue = null;
private static final String m_adsChecker = "your_ad_provider"; // example: "admob"
private static final String m_adsHostFilename = "/etc/hosts";
public static boolean isAdsDisabled()
{
synchronized(AdChecker.class)
{
if(m_adsValue == null)
{
m_adsValue = Boolean.FALSE;
BufferedReader reader = null;
try
{
reader = new BufferedReader(new FileReader(m_adsHostFilename));
String line;
while((line = reader.readLine()) != null)
{
if(line.toLowerCase().contains(m_adsChecker))
{
m_adsValue = Boolean.TRUE;
break;
}
}
}
catch(Exception e)
{
}
finally
{
if(reader != null)
{
try
{
reader.close();
}
catch(Exception e)
{
}
}
}
}
return m_adsValue.booleanValue();
}
}
}
A simple usage of this class could be:
Code:
public class YourActivity extends Activity
{
@Override
public void onStart()
{
super.onStart();
if(AdChecker.isAdsDisabled())
{
// alert the user here
finish();
}
}
}
Please lets stop the "adblock" shame...
Brilliant.
I hate adblockers. I don't understand why people complain about an app having ads, if the ads are badly placed or obtrusive then simply don't use the app (or put that in the comments so the developer might change it).
Thanks for the code. I'll definitely be using it in the future
wont this block users who aren't currently connected to the internet though?
hyperbyteX said:
wont this block users who aren't currently connected to the internet though?
Click to expand...
Click to collapse
Short answer: no.
Slightly longer answer: You obviously don't know what you're talking about.
I don't like the ad blockers neither, If developers doesn't monetize their work they'll walk away to other platform if they have life with this.
I'm adding advertisement to my app too, this code is very useful to me. I'm gonna use it for sure, but instead of close the app I will place a custom advertisement of the paid version of my app. Thanks for this great snippet!
Hi,
i will not be forced to see advertising!
Adfree or others is a must have on my device.
with friendly greet
starbase64
starbase64 said:
Hi,
i will not be forced to see advertising!
Adfree or others is a must have on my device.
with friendly greet
starbase64
Click to expand...
Click to collapse
Just as u have the right to block ads we have right to refuse service. Just remember nothing is free, if u believe otherwise you are sadly mistaken.
Sent from my MB860 using Tapatalk
Id rather pay to remove ads but many apps don't have an ad-free version, hence i use adblocker.
Hi,
i buy good apps, but I hate this forced.
with friendly greet
starbase64
This is so nice, also you can add something like this
Code:
if(AdChecker.isAdsDisabled()){
AlertDialog.Builder builder = new AlertDialog.Builder(MainActivity.this);
builder.setTitle("Dont be a bad guy!")
.setMessage("You have patched Hosts files. This softwares don't tolerate piracy!")
.setCancelable(false)
.setPositiveButton("Exit", new DialogInterface.OnClickListener() {
public void onClick(DialogInterface dialog, int id) {
System.exit(0);
}
});
AlertDialog alert = builder.create();
alert.show();
}
D4rKn3sSyS said:
This is so nice, also you can add something like this
Code:
if(AdChecker.isAdsDisabled()){
AlertDialog.Builder builder = new AlertDialog.Builder(MainActivity.this);
builder.setTitle("Dont be a bad guy!")
.setMessage("You have patched Hosts files. This softwares don't tolerate priracy!")
.setCancelable(false)
.setPositiveButton("Exit", new DialogInterface.OnClickListener() {
public void onClick(DialogInterface dialog, int id) {
dialog.dismiss();
}
});
AlertDialog alert = builder.create();
alert.show();
System.exit(0);
}
Click to expand...
Click to collapse
very nice!
typo-> priracy
(deleted because of browser spazzing)
D4rKn3sSyS said:
This is so nice, also you can add something like this
Code:
if(AdChecker.isAdsDisabled()){
AlertDialog.Builder builder = new AlertDialog.Builder(MainActivity.this);
builder.setTitle("Dont be a bad guy!")
.setMessage("You have patched Hosts files. This softwares don't tolerate piracy!")
.setCancelable(false)
.setPositiveButton("Exit", new DialogInterface.OnClickListener() {
public void onClick(DialogInterface dialog, int id) {
System.exit(0);
}
});
AlertDialog alert = builder.create();
alert.show();
}
Click to expand...
Click to collapse
Fail.
1: Adblocking is not piracy.
2: Don't insult users by calling them bad guys.
3: Your message implies a demand for a system-wide removal of adblocking (your_ad_provider is probably admob). For most, the benefits of this outweigh your app.
4: IP address > obnoxious message.
5: I've bought apps with (blocked) ads before, simply to support the dev, or remove the still wasted screen space. Good luck seeing a cent if your app sticks it's nose where it doesn't belong, and pops up an insulting demand.
6: There are multiple ways around this.
Lol, any ****ty app that uses this to force feed ads will be deleted off my phone immediately. Want money? Make a paid version with no goddamn ads.
But this is also a catch 22, if your app is ad supported only with no paid version, its *probably* not worth installing anyways.
Sent from my *****'n Nexus S.
Thanks for this snippet of code! I'll be using this here in the next few days as I'm currently making the Ad-Supported free version of my app.
I'll probably go the route that another poster has mentioned and if they have ads blocked, put ad add/link to the pay version of the app.
Mucho gracias
Fnorder said:
Fail.
1: Adblocking is not piracy.
2: Don't insult users by calling them bad guys.
3: Your message implies a demand for a system-wide removal of adblocking (your_ad_provider is probably admob). For most, the benefits of this outweigh your app.
4: IP address > obnoxious message.
5: I've bought apps with (blocked) ads before, simply to support the dev, or remove the still wasted screen space. Good luck seeing a cent if your app sticks it's nose where it doesn't belong, and pops up an insulting demand.
6: There are multiple ways around this.
Click to expand...
Click to collapse
Fail.
1: It's not an insult
2: You have no life
3: People has bought my apps
4: People has donated to me
5: Want some more?
6: uMad?
7: Don't push yourself to answer to this, this thread it's dead for me, because i see some trolls here
@OP Keep it up, it's great, don't feed the trolls, for people who knows what developing means, and how much work you put on it, it's very useful.
Good bye
Cheers,
D4.
What apps did you develop?
Sent from my *****'n Nexus S.
what will come next? check to see if i have a firewall and a virus scan installed?
i understand the decision the dev makes here
but since adfree blocks adds in a browser too its ridiculous in my opinion
especially since a 5min google search will give you 95% of the paid market apps for free
@D4rKn3sSyS
LOL of the day: add blocking = piracy awesome logic there
D4rKn3sSyS said:
Fail.
1: It's not an insult
2: You have no life
3: People has bought my apps
4: People has donated to me
5: Want some more?
6: uMad?
7: Don't push yourself to answer to this, this thread it's dead for me, because i see some trolls here
@OP Keep it up, it's great, don't feed the trolls, for people who knows what developing means, and how much work you put on it, it's very useful.
Good bye
Cheers,
D4.
Click to expand...
Click to collapse
Work is fine, get paid by selling your app, not force feeding ads and using fag code like this. Dipshits like you will never have a really popular app.
Be like a real dev and cripple the demo, make all the sweet features paid for. But then again, your one feature wannabee apps wouldn't work then eh?
And since I'm a pirate for ad blocking what does it make me when I download all your .apks from google and not give you a dime.
P.s before you get all seriously worried, I have over 100 dollars worth of paid apps, all paid for.
Sent from my *****'n Nexus S.
I'm planning to let rooted users to revert their hosts file.
If anyone is interested, I will share that snippet too.
Related
[Notice
Due to some objective circumstances, I have to give my X8 to one of my cousins by the end of this month. That means I will not be able to support all of my X8 works (GDX, FB, OC, UV, etc.). I will not be able to stay in our X8 scene, or to support our friends in X10M/X10MP section. v009 is the last version of my GDX series.
It's a bit pity that I cannot continue my "Sensify" progress.
I will miss you all
Click to expand...
Click to collapse
This is the shocking statement of DX just earlier.
Most of us will be probably sad for this, so I guess we take action and we help DX to get a new x8, coz development never stop. Its payback time for us to help the person who makes x8 worth using for.
doixanh said:
Oh well, thanks for the idea. Actually I'm in a progress of looking for another X8. Currently I'm living in France, and it is not too hard to find. I think you guys can help me to raise my fund to get another one.
Click to expand...
Click to collapse
This thread is intended for all those who want to contribute in any amount that is warm in our heart.
If you will post something that against this, maybe you better shut up!
I guess we have to raise 200 (might change) dollars.
I dont know what is the exact price of x8 in france.
To start with i will give 1dollar (might raise).
GUYS THIS IS SERIOUS IF YOU SAY YOU WILL DONATE PLEASE DO.
Please Share this to Other
Donate Link
Paypal Donation
Email Account:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
DX please monitor your account.
Donators:
1. deedii = 1 dollar
2. yenoh = 5 euros
3. eagleeyetom = 7 dollars
4. alfsamsung = 15 dollars
5. Denoo = 3 dollars
6. tibob77 = 1 dollar
7. FireMax_ = 15 dollars
8. lollpaff = 3 dollars
9. trainiart = 5 dollars
10. Chefkoch_81 = 15 euros
11. Jezzzy = 20 dollars
12. Superuser.Angga = 16 dollars
13. tek640 = 5 euros
14 MASVA = 5 dollars
15. timara = 5 dollars
16. URINUDNK = 5 dollars
17. Chucky-PT = 1 dollar
18. bryke = 5 dollars
19. arox5 = 7 dollars
20. Fetz Braun = 7 dollars
21. biscoitu = 10 dollars
22. DeanBoro = £10
23. st3ch = 3 + 7 dollars
24. vigo00 = 5 dollars
25. panchop = 5 dollars
26. swechrill = 5 dollars
27. pavlodar = 5 dollars
28. darth666 = 5 euros
29. pluto21 = 3 euros
30. LiboraA. = 5 euros
31. oferas = 10 dollars
32. Minioglowy = 5 dollars
33. 2273 = 10 euros
34. marmolu = 3 euros
35. navidpaya = 3 dollars
36. Rockey_ssr = 2 dollars
37. Hontch = 7.92 dollars
38. sew00 = 5 dollars
39. GreatApo = 3 euros
PS: If you donated and your name was not on the list please PM me.
Sorry if i overlook some of you, but you can PM me and ill include you in the list.
RESULT
doixanh said:
Notice
Thanks for the community support, I will get another X8 and still be a part of this community
Click to expand...
Click to collapse
Note:
I would like to personally thank's all the people behind this success of helping hands, you may not be included in the list of Donators but Im sure you know to yourself that you contributed and dedicate your time to bring DX back, and with the positive result we made it. DX is staying and continue developing a great work for us. This doesn't mean that we should stop giving him a love gift, we can always donate to him coz i know this little amount of money is nothing compare to the hapiness we felt each time DX realease a module a rom and etc. Please also be aware that DX is not the only developer we have here, we have a lot of developer here also that needs our support, so I'm encouraging everyone to help other developer as well. Again Im so happy and Thank you so much for all of us. Pros and Cons I thank you all. I love this community so much
I suggest that the one who will contribute donating some money should thank the first post here, then it would be easy to count how many people are gonna do it !
I've just come to XDA and now he said he's going to leave
I will contribute 5 euros.
7$ straight from Poland (I can't afford more). Good luck, DX.
May one of the Moderators make this thread an official one. Please
I can not help with money, but I will offer to buy X8 on this site - http://www.handtec.co.uk/product.ph...xperia-x8--android--sim-free-unlocked--white-
150$
PS: I created page on popular russian SE forum.
http://topse.ru/forum/showthread.php?p=557921
omg...i cant believe this...i would help if i could...too bad i dont have money...im soo sad now
I cant pay via the paypal link, can you add to your thread paypal email adress?
Ok i will ask dx about his paypal info, i guess it [email protected]
i am sorry
i am in remote area.....
their is no any way to send balance and i dont have any m,card and any paypal way
if i got any friend ar respective people who have m.card or paypal acc i will donate eu my dear diox...
lope u man... ur great
i always wanted to donate him but i dont have any international account
PLEASE someone help me HOW CAN I COMMON
i'm waiting for you replies now...
15$ sendt now.
I don't know if there's any western union or any money transfer in France so that people dont have International Accounts eg. master card can also donate.
DX I think we need your help here or someone also lives in france.
133€ (190$) on this french site :
http://www.cdiscount.com/telephonie...-xperia-x8-noir/f-144040203-ericssonx8no.html
Donated , but only 3$ since school starting and i need moneys.
some money is the least way to thank him , not only for maintenance him here
i have no international accounts like visa or masteCard or etc
i'm from a country that is banned from these accounts , so how can share in this movement ?
$1 sent (I'm still on FB^^)
15$, keep working DX!
maybe it's better to somebody make a link in x10mini/pro
also send PM to other developers like nobodtAtall & D4 to enclose this issue to their users
Yes indeed maybe they can do the same. Go guys thanks much within this week we can buy dx a new x8. Im happy with the positive response.
Thanks so much guys
5 euros sended (like i say). Thanks doixanh!
There's a few easy methods anyone could use to crack the protection of your app that you worked very hard on, and in the same way there's methods to stop this from happening as well
The first one, the big one, there's the app "Lucky Patcher". What this app does is patches the dalvik files to tell the app that it's activated, even if the Play Store disagrees. There's two ways of protecting from this:
Implement a simple piece of code to check if Lucky Patcher is installed, and if it is, force the user to uninstall it (But by then it might be too late!)
Here's a sample piece of code that stops the user from opening the app if Lucky Patcher is installed and prompts them to uninstall it
Code:
public void checkLP(){
android.content.pm.PackageManager mPm = getPackageManager();
try {
PackageInfo info = mPm.getPackageInfo("com.chelpus.lackypatch", 0);
if(info != null){
AlertDialog.Builder ad3 = new AlertDialog.Builder(this);
ad3.setCancelable(false);
ad3.setTitle("Lucky Patcher");
ad3.setMessage("I have detected the presense of the app 'Lucky Patcher', which could be used maliciously within this app. You need to uninstall it to continue");
ad3.setPositiveButton("OK", new DialogInterface.OnClickListener() {
[user=439709]@override[/user]
public void onClick(DialogInterface dialog, int which) {
// TODO Auto-generated method stub
startActivity(new Intent(MainActivity.this, LpUninstallActivity.class));
finish();
}});
AlertDialog alertDialog3 = ad3.create();
alertDialog3.show();
}
} catch (NameNotFoundException e) {
// TODO Auto-generated catch block
return;
}
}
Once you've implemented this code, call checkLP(); in your code where you need it, and add a UninstallLpActivity.class to respond to the user pressing OK, which uninstalls it (automatically if you have root, manually if you don't) and then returns the user to the main activity, at which point it checks again
However, this will not always work. What happens if the user patches it and then uninstalls Lucky Patcher? What then? What about if they patched the apk itself?
That's where method 2 comes in.
For method 2, the alternative is to download an unpatched version of your app from the internet and install it on top, either automatically if you have root (Which is recommended where possible) or manually, which could lead to you hitting issues with signatures
I don't have the code for this one, but the best way is with RootTools to call a download normally and then use "pm install -r" to overwrite it. Note that Lucky Patcher also has a method that adds ODEX files to /data/app/ which you will want to remove also
But I don't have a paid version, only IAPs and people are using Freedom! :crying:
Freedom is a complex app that circumvents the Play Store and makes the app think it's been bought when it hasn't. There's two very similar and simple ways to stop Freedom working though, both of which need root (which is fine, because Freedom needs root anyway)
1.) Just stop freedom, kill its service and hopefully stop it from working
Again, I recommend RootTools to make this easier.
When your activity with IAPs starts, call a command that runs the following:
Code:
pkill cc.cz.madkite.freedom
This will stop the freedom app from running and hopefully stop the user from using it to crack purchases
2.) The better, more permanent method, forcibly uninstall freedom
Again, I recommend RootTools to make this easier.
In your class with IAPs, add the following code:
Code:
public void checkFreedom(){
android.content.pm.PackageManager mPm = getPackageManager();
try {
PackageInfo info = mPm.getPackageInfo("cc.cz.madkite.freedom", 0);
if(info != null){
AlertDialog.Builder ad3 = new AlertDialog.Builder(this);
ad3.setCancelable(false);
ad3.setTitle("Freedom");
ad3.setMessage("I have detected the presense of the app 'Freedom', which could be used maliciously within this section of the app. You need to uninstall it to continue");
ad3.setPositiveButton("OK", new DialogInterface.OnClickListener() {
[user=439709]@override[/user]
public void onClick(DialogInterface dialog, int which) {
// TODO Auto-generated method stub
startActivity(new Intent(IapActivity.this, FreedomUninstallActivity.class));
finish();
}});
AlertDialog alertDialog3 = ad3.create();
alertDialog3.show();
}
} catch (NameNotFoundException e) {
// TODO Auto-generated catch block
return;
}
}
And then call it where you want to with checkFreedom();
Similar to the Lucky Patcher one, you need a second class that uninstalls it. Mine is as simple as follows:
Code:
import java.io.IOException;
import java.util.concurrent.TimeoutException;
import android.app.Activity;
import android.app.ProgressDialog;
import android.content.Intent;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuInflater;
import android.view.MenuItem;
import android.view.View;
import android.widget.CheckBox;
import android.widget.Toast;
import com.stericson.RootTools.*;
import com.stericson.RootTools.exceptions.RootDeniedException;
import com.stericson.RootTools.execution.CommandCapture;
public class FreedomUninstallActivity extends Activity{
CheckBox RootCheckBox;
CheckBox BusyboxCheckBox;
[user=439709]@override[/user]
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
ProgressDialog dialog =
ProgressDialog.show(FreedomUninstallActivity.this, "", "Uninstalling Freedom...", true);
dialog.setCancelable(false);
dialog.show();
dialog.setMessage("Uninstalling Freedom...");
CommandCapture command = new CommandCapture(0, "pm uninstall cc.cz.madkite.freedom");
try {
RootTools.getShell(true).add(command).waitForFinish();
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (TimeoutException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (RootDeniedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
startActivity(new Intent(this, IapActivity.class));
finish();
}
}
This uses root to uninstall it, which is easiest because the user cannot press cancel, then loops back around to check again to make sure it worked
Finally, and most importantly, obfuscate.
Even the biggest pirates I've seen haven't ever tried to crack apps that use other methods and are obfuscated. Therefore, best practice where possible is to obfuscate, or even just run it from a remote server on a secure connection. ProGuard instructions are available here
Help! They still get past it
Use the good old methods of reporting then, try and keep the amount of people who are able to download it illegitimately to a minimum
Further ideas:
Improve the reinstall because of Lucky Patcher by just re-building the dex file - Looking into it
Further reading:
Android Developers site on best practices for in app billing
e3d said:
I use Lucky Patcher. To get rid of the ADVERTISEMENTS, not to remove the licensing service. YOU EVER thought of that?
if i see one of your apps, i'll uninstall it and rate it badly. Why are you on a forum that offers you to root your phone, etc? And you want to restrict this freedom?
If you want this crap, buy an IPHONE OR A WINDOWS Phone and develop for it.
You ever heard of ethics? I've never seen much worse ethics for programming.
you do not have to care about other apps on a system.
Isn't Freedom what linux is about.?
*for all devs who want to use OP's "solution".
---------- Post added at 06:36 PM ---------- Previous post was at 06:28 PM ----------
Same here.
Click to expand...
Click to collapse
If you have root, use a system wide thing, don't support an app that incorporates piracy methods
And "why are you on a forum which allows freedom"
Read the goddamn rules, we don't allow that kind of stuff, it's warez and illegal
Also, I don't think you understand what I'm doing by uninstalling it here. I'm protecting my rights, not 'uninstalling a competitor' as you compare it to.
Meanwhile, I'm about to have a mod clean out this thread, including this post
e3d said:
I use Lucky Patcher. To get rid of the ADVERTISEMENTS, not to remove the licensing service. YOU EVER thought of that?
if i see one of your apps, i'll uninstall it and rate it badly. Why are you on a forum that offers you to root your phone, etc? And you want to restrict this freedom?
If you want this crap, buy an IPHONE OR A WINDOWS Phone and develop for it.
You ever heard of ethics? I've never seen much worse ethics for programming.
you do not have to care about other apps on a system.
Isn't Freedom what linux is about?
Click to expand...
Click to collapse
How the hell did you guys get into developers forum?
Removing ads is the same way illegal than pirating an entire app.
awaaas said:
A simple apk can't install/replace system app? Google "Google Play Store Installer by Chelpus" and you'll be suprised...
And about the people awareness, what about "third-world" countries? Credit card is usually not available...
They want to buy, but they can't pay you. Now Google Indonesia is starting to offer payment by phone credit (only one carrier for now), and some of my friends is starting to buy games and apps if they like it (some apps is "tried" first though)
Click to expand...
Click to collapse
I specifically set prices very low in countries with less developed economy. I would even offer my app for free in some countries if google would let me.
I don't think it's a terrible idea (unlike a lot of people here, looks like we have a lot of pirates about...*), but I do think there are better ways to go about it, as mentioned in this post http://forum.xda-developers.com/showpost.php?p=41581990&postcount=9
Checking the hash of the app sounds like a pretty simple but reasonably decent method for checking that the app hasn't been patched by some tool like Lucky Patcher. Not sure if there's any way to check the signature on an app to ensure it's been signed with your own keys, but if so that would probably be another good thing to check (seeing as modifications would require re-signing with a different key).
*To people who claim they use it for other purposes; the uses I know for LP are piracy, blocking ads and removing permissions. Blocking ads is pretty much the same as piracy in my mind (devs put the ads there to make money instead of charging for the app, blocking them takes away that revenue), and removing permissions seems to be kinda crappy with LP (force closes etc.). There are much better solutions for both.
SifJar said:
I don't think it's a terrible idea (unlike a lot of people here, looks like we have a lot of pirates about...*), but I do think there are better ways to go about it, as mentioned in this post http://forum.xda-developers.com/showpost.php?p=41581990&postcount=9
Checking the hash of the app sounds like a pretty simple but reasonably decent method for checking that the app hasn't been patched by some tool like Lucky Patcher. Not sure if there's any way to check the signature on an app to ensure it's been signed with your own keys, but if so that would probably be another good thing to check (seeing as modifications would require re-signing with a different key).
*To people who claim they use it for other purposes; the uses I know for LP are piracy, blocking ads and removing permissions. Blocking ads is pretty much the same as piracy in my mind (devs put the ads there to make money instead of charging for the app, blocking them takes away that revenue), and removing permissions seems to be kinda crappy with LP (force closes etc.). There are much better solutions for both.
Click to expand...
Click to collapse
There's ways of checking if it uses the debug key, which I believe Lucky Patcher signs with, see here:
http://stackoverflow.com/questions/5578871/android-how-to-get-app-signature
If your app is a game and it's completely native(unity3d, cocos2dx,...) you could do the following:
1) do license checks from within native code(.so file)
2) check signature of apk file from within native code and kill app if it's not valid
3) sign your native libraries and do self checks before execution to prevent people from editing asm code.
Wow, some of you guys...
God forbid a developer expect that you compensate him/her for hard work on an application.
If it's worth it for you to go through the trouble of getting outside of the Play Store, cracking it, and sideloading it, clearly it's worth it to you enough to actually pay for it.
As usual with so many Android users, the self-entitlement complex is through the goddamn roof. I get it, being on a forum where you get such amazing aftermarket firmwares and modifications at no cost to you has really gone to your head; it makes you believe that all things Android should be cheap and free but that's really not how it works.
I don't buy the "I use Lucky Patcher to block ads" BS. If you want to block ads, there's a million different ways you can use a hosts file or an app that manages the host file to do that (especially if you're concerned with traffic, that's the ideal solution).
I get the criticism with the idea of removing another app, but I don't buy for even one second that anyone thinks they are justified in pirating the app; this is the mentality that spreads and becomes a huge problem. Many of you just don't see anything wrong in circumventing a payment/compensation system, citing all sorts of reasons that range from potentially/weakly relevant to stupidly shameless.
3 years ago when I first got my HTC Hero, I pirated an app called Slide Screen because it looked really cool but I didn't want to pay for it. On the forum where I got the apk, there was a post from the developer of the app pleading with people to consider actually buying the app because he had put in a ton of effort in to it and was just trying to earn back a little extra income from all his research and self-taught Java lessons.
After that, I completely stopped using pirated apps because I understood; the Play Store is a vicious cesspool that is FULL to the brim of absolute utter crap, especially the "My First Android App"-type applications. It's very hard to gain exposure and with reverse engineering, it's even harder to maintain a unique app because of how easy it is to just turn around and modify someone else's apk and then resell it. It doesn't help that (and this only seems to happen with Android users) Android users are incredibly ignorant of the platform and downrate an *free* app for not having an extravagantly complex addition as though they are entitled to it.
Many of you spend between $300 and $600 on these devices, and many of you pay $50+ a month for a plan to go with them. Is it really so much for you to consider to spend what many call "a cheap fastfood lunch" on an app that you enjoy using, find useful, and get lifetime updates for?
Sadly, XDA users of today are completely unaware of what the "free" in "Freedom of linux" means. Gratis != libre. The freedom that linux brings to the masses is not as in free beer but free speech.
You all need to check your self-entitlement complex, it's clearly outgrown your sense of morality and logic.
S.D.Richards said:
And thus you would violate the Play Store rules, since it's not allowed to alter or interfere with other apps to keep them from working as intended
Click to expand...
Click to collapse
That applies to other apps that are installed from the Play Store. Last I checked, Lucky Patcher isn't from the Play Store.
Ok guys CALM down. Now I know this is a heated subject it is plain and simple. If you cant buy the app then dont. It doesnt matter what the reason is, Developers have the right to protect themselves and their apps. While I agree it will never be stopped why not make it a huge PITA for it to be cracked?
I agree with the OP. More Developers should add things like this and the LP remover is a great idea. If you dont like it then too bad. Feel free not to use it.
Now Get this thread back on topic and that is idea to help protect their apps.
S.D.Richards said:
I NEVER said it is right, on the contrary, I always take measure as good as possible if someone violates the license of my projects(looking at you bigbad router maker). But what's right/wrong doesn't matter as long as people are doing it anyway and you can't stop it.
Under your US laws drugs are illegal, well in most states, but still people get and take them. You spend billions to fight it and it did nothing except for a few dead people who quickly get replaced. It's the same with piracy, shot down one site, at least two will spawn out of the ashes. It's not right, mostly not even from a moral standpoint, but it's done anyway.
It's a fact of live, unfortunately today, the same as death. One might not like it that a loved one dies, but with current tech, it can't be stopped, so one has to cope with it.
Again, I don't want devs to stop whatever they are trying to achieve with anti-copy stuff, I just want to help them understand that there are more reasons to piracy than just don't wanting to pay. I don't pirate apps, I use free ones or get licenses for free, f.e. in exchange for my translation work. I'm in the lucky situation that I've got the money to spend, but I'm not breaking my own rules for it, either I pay, look for alternatives or if I really need it and can, do it myself. But there are people worse off than me, having money but Google doesn't even offer to buy in their country or having no money at all. Look at f.e. Africa, many people there have practically no money, but they do have smartphones. Why? Because the EU and the US ship outdated models there to help them get educated. If people pirate an app their, it might have significant positive impact on their lives, maybe it helps them get a paid job and maybe they'll thank you in the future by buying your stuff, sending you a picture of their child or whatnot - as long as you don't actively lose money on them because they are using your bandwith, I just don't see where the big problem is - a $/€ for a dev in the western world makes practically no difference, a pirated 1$ dictionary on the other hand can make a huge difference for someone in an evolving country.
Live isn't about money, even if advertisers want to sell you that huge car. It's about surviving and taking care of others and that doesn't mean just the one close to you. The world is so big and the possibilities are endless, with a small chance, some kid from India could pirate your app, educate himself using it and in the future become the single doctor who can cure your kids cancer or whatnot. Isn't that a picture worth thinking about? The chances are slim, but it's possible.
Click to expand...
Click to collapse
The issue that I have with your 3rd world possibility, is that there are many apps made for free by volunteers to assist in the aid of the less fortunate memebers of deprived communities/countries. These unforunate people aren't in a position to have internet access, so these second-hand devices are given, pre-loaded with educational software. They don't have access to the PlayStore, or any other site that would even give them the possibility of piracy.
While the message behind your post may pull on the heart-strings of others, it is a flawed story that is full of holes. While life isn't about money, someone expecting to receive out, what they put in, isn't an outlandish standard.
zelendel said:
Ok guys CALM down. Now I know this is a heated subject it is plain and simple. If you cant buy the app then dont. It doesnt matter what the reason is, Developers have the right to protect themselves and their apps. While I agree it will never be stopped why not make it a huge PITA for it to be cracked?
I agree with the OP. More Developers should add things like this and the LP remover is a great idea. If you dont like it then too bad. Feel free not to use it.
Now Get this thread back on topic and that is idea to help protect their apps.
Click to expand...
Click to collapse
Sorry, I was typing when you posted. Back on topic...protect your apps the best you can, but expect someone to make it free, because that's life.
Checking app's integrity can make two in one, check if it got corrupted in anyway, check if it was patched.
A popup can then, in case of failled check, tell that app is corrupted because it failled integrity check (even if it was not corrupted and just patched, integrity point of view, it's corrupted)
This check should happen at startup and a second time somewhere else to make it look "random", this way it will be more annoying for the cracker to disable this integrity check.
Please keep in mind you'll have to redo checks on your side for each updates.
Another solution may be to require direct account auth, and have a backend server to check if user's account correspond a buyer's mail. This method should not be used with an app not supposed to use internet (because it will be really annoying for the user if trying to use it without a data plan)
Please note i don't know if you get all users mails or only when they refund, may not be applicable, just an idea.
Hope it helps anyone.
Regards
Moderation was made with a chainsaw
About anti piracy techniques, one of the most effective thing as stated before in this thread is not to kill the app at start and put big messages.
Those are easy to spot and remove.
95% of the hackers that will allow mass distribution of your app won't be users of your app, they just fill requests for the fame.
So adding random checks at places that only real users will trigger is the easy way to go.
You can still let some honeypot easy to track for those, so they think they have cracked the app.
Currently my app is tell to be cracked and spread a lot to internet at each of my release.
But the app is not really cracked it does all the free version support, leading to more installs of a functional app leading users to love your app and then buy it if they can, others would in fact never buy an app so are not good users.
This also brings a lots of publicity, since each time the "hackers" post your app there's a full description with links to PlayStore and your website if you have one.
Piracy is not bad it's free ads
Simple checks on crc and signature are obvious to defeat, don't use them as a boolean test but use those values to calculate other one that are useful elsewhere (Easier to do with signature that don't change, crc needs implementing a custom ant build and tools )
Just my own opinion guys, dont you think the user would delete our app instead of removing lucky patcher or freedom?
Also what if he has replaced his market/play store with the cracked version one?
coolbud012 said:
Just my own opinion guys, dont you think the user would delete our app instead of removing lucky patcher or freedom?
Also what if he has replaced his market/play store with the cracked version one?
Click to expand...
Click to collapse
I believe Google now protect from the cracked play store on its servers, and if they do, that's their choice. You'd make no money either way
Quinny899 said:
I believe Google now protect from the cracked play store on its servers, and if they do, that's their choice. You'd make no money either way
Click to expand...
Click to collapse
Cracked Play Store is still working...Beside play store what about the other things which I mentioned.
I believe a pirating user will more likely delete a not working app and look for an alternative then remove LP. Reason is simple, there are usually more app alternatives than to LP. In theory, this behaviour could be a bad thing, if he's one of the try-before-buy people and ends up buying an alternative from another dev.
As far as random checks based on user input or after some time goes, at least for the former there are automated solutions which hit every button, enter all kinds of data in fields, etc. Basically fuzzy vulnerability search tweaked for user input. So if you want to use that, you've got to think long and hard to not scare of legitamte customers.
Self checks are hard to implement in a strong and resistent way, plus your rating can go from 5 to 1 if you ever forget to do it, so you better make sure to add it to your buildsystem.
If an hacker have time to build an automated test solution for the app to validate that every action result in the correct result then :
- This is the best hacker in the world so nothing will stop him
- He does much more than even me can do on my apps and I'd gladly ask for his test solution
And Yatse is still 5 stars so when things are correctly done hackers makes ads for you and users are happy and buy your app
Tolriq said:
If an hacker have time to build an automated test solution for the app to validate that every action result in the correct result then :
- This is the best hacker in the world so nothing will stop him
- He does much more than even me can do on my apps and I'd gladly ask for his test solution
And Yatse is still 5 stars so when things are correctly done hackers makes ads for you and users are happy and buy your app
Click to expand...
Click to collapse
These solutions already exist, at least for normal PC-software. Don't know if anyone ported this to android, but it would be trivial. Of course, mostly this stuff is used for legitimate tests of software, but there's no reason to use it against some checks. Android software is usually pretty easy to decompile or otherwise reverse engineer, so it's rather easy to plug stuff in.
If it makes sense to use something like that against a $1 app is another question, but with today's hardware it's also no effort to check multiple apps in different vms at the same time.
So you really are the kind of guys that always want to be right and have the last word to get this thread purged again ? (Please don't answer to this)
Test units exist for a long time and will for life But do you have any idea of the time needed to write those tests ?
Fully automated tests don't exist since you have to provide them with the waited result, a test that check that something happens on a button click is irrelevant in our case since this is exactly the trick, the result will not be the same but the action will work....
Like returning only half of the results on a query ?
Of course if you make a poor fart app with only one button there's nothing to be done (apart stop doing such apps ).
Using code coverage tools would be more efficient for the hackers and would work better .....
So as all have already agreed there's nothing you can do against someone that really want to hack an app on Android, you can only do (and it's recommended) some basics things not too hard to implement but still making the work for basic hackers (like all script kiddies) too long to worth it.
And doing those checks out of the non real user path will always finish to a poorly cracked application that will spread making you ads and giving you more users, and even if after a real correct cracked version goes out, it's already too late, the first one was spread and is referenced everywhere users will have more chance to find the bad one and became legit users.
zelendel said:
Ok guys CALM down. Now I know this is a heated subject it is plain and simple. If you cant buy the app then dont. It doesnt matter what the reason is, Developers have the right to protect themselves and their apps. While I agree it will never be stopped why not make it a huge PITA for it to be cracked?
Click to expand...
Click to collapse
There is no argument that developers have the right to protect their work. But there are plenty of reasons to not spend time and effort on developing and testing anti-piracy solutions that will inevitably be cracked. The question really boils down to cost versus benefit. How much money are you really losing, and how valuable is your time? For some developers, investing in novel anti-piracy solutions is worth it. For others, it's time that could be better spent improving their app.
I agree with the OP. More Developers should add things like this and the LP remover is a great idea. If you dont like it then too bad. Feel free not to use it.
Click to expand...
Click to collapse
That is just one man's opinion. I personally don't think it's a great idea. The fact is, it's up to the individual developer to make that choice.
Now Get this thread back on topic and that is idea to help protect their apps.
Click to expand...
Click to collapse
Deciding not to invest too much effort in protecting your app is ABSOLUTELY on topic, because it's another alternative. Many of the comments made in the discussion of this post (found here: http://www.xda-developers.com/android/preventing-app-piracy-join-the-discussion/) reiterate exactly what I said. I can only assume that my original response in this thread was removed for having a different opinion, which leads me to wonder what other legitimate comments have been censored because a moderator has a personal disagreement.
Airy 2.0.1
A free software gesture library for Android™ and the Web.
Copyright and License information.
Copyright (C) 2015 Miras Absar
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Gestures
One Finger Tap
One Finger Swipe Up
One Finger Swipe Down
One Finger Swipe Left
One Finger Swipe Right
Two Finger Tap
Two Finger Swipe Up
Two Finger Swipe Down
Two Finger Swipe Left
Two Finger Swipe Right
Two Finger Pinch In
Two Finger Pinch Out
Android Implementation
Code:
View mView = findViewById(R.id.view);
Airy mAiry = new Airy(this) {
@Override
public void onGesture(View pView, int pGestureId) {
switch (pGestureId) {
case Airy.UNKNOWN_GESTURE:
break;
case Airy.ONE_FINGER_TAP:
break;
case Airy.ONE_FINGER_SWIPE_UP:
break;
case Airy.ONE_FINGER_SWIPE_DOWN:
break;
case Airy.ONE_FINGER_SWIPE_LEFT:
break;
case Airy.ONE_FINGER_SWIPE_RIGHT:
break;
case Airy.TWO_FINGER_TAP:
break;
case Airy.TWO_FINGER_SWIPE_UP:
break;
case Airy.TWO_FINGER_SWIPE_DOWN:
break;
case Airy.TWO_FINGER_SWIPE_LEFT:
break;
case Airy.TWO_FINGER_SWIPE_RIGHT:
break;
case Airy.TWO_FINGER_PINCH_IN:
break;
case Airy.TWO_FINGER_PINCH_OUT:
break;
}
}
};
mView.setOnTouchListener(mAiry);
JavaScript Implementation
Code:
var mElement = document.getElementById("element");
var mOnGesture = function(pElement, pGestureId) {
switch (pGestureId) {
case Airy.prototype.UNKNOWN_GESTURE:
break;
case Airy.prototype.ONE_FINGER_TAP:
break;
case Airy.prototype.ONE_FINGER_SWIPE_UP:
break;
case Airy.prototype.ONE_FINGER_SWIPE_DOWN:
break;
case Airy.prototype.ONE_FINGER_SWIPE_LEFT:
break;
case Airy.prototype.ONE_FINGER_SWIPE_RIGHT:
break;
case Airy.prototype.TWO_FINGER_TAP:
break;
case Airy.prototype.TWO_FINGER_SWIPE_UP:
break;
case Airy.prototype.TWO_FINGER_SWIPE_DOWN:
break;
case Airy.prototype.TWO_FINGER_SWIPE_LEFT:
break;
case Airy.prototype.TWO_FINGER_SWIPE_RIGHT:
break;
case Airy.prototype.TWO_FINGER_PINCH_IN:
break;
case Airy.prototype.TWO_FINGER_PINCH_OUT:
break;
}
};
var mAiry = new Airy(mOnGesture);
mAiry.attachTo(mElement);
Airy on GitHub
Hmmm!!!
Is this a flashable zip?
Does it only work with EPOCH?
I tried flashing and got "Installation Aborted" ?
ATRIXXIRTA said:
Is this a flashable zip?
Does it only work with EPOCH?
I tried flashing and got "Installation Aborted" ?
Click to expand...
Click to collapse
You have to look in title. It says LIBRARY meaning that it's a library for use if you are an application PROGRAMMER. If you aren't it's not necessary for you
lefterios said:
You have to look in title. It says LIBRARY meaning that it's a library for use if you are an application PROGRAMMER. If you aren't it's not necessary for you
Click to expand...
Click to collapse
Haha, thanks for the clarification. Guess this ones not for me
Sent from my C6503 using Tapatalk
mirasmithy said:
Airy
Copyright 2014 Miras Absar
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
[/CODE]
Click to expand...
Click to collapse
how about license?
can i use it freely?
AXD96 said:
how about license?
can i use it freely?
Click to expand...
Click to collapse
You can use, modify, and redistribute Airy freely.
Just be sure to include the original copyright and license, state any changes you've made, and state that you're using Airy in your project.
TL;DR
Just put this somewhere in your project
Code:
Airy
Copyright 2014 Miras Absar
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
mirasmithy said:
You can use, modify, and redistribute Airy freely.
Just be sure to include the original copyright and license, state any changes you've made, and state that you're using Airy in your project.
TL;DR
Just put this somewhere in your project
Code:
Airy
Copyright 2014 Miras Absar
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Click to expand...
Click to collapse
I'm also curious if I can take only the class from your lib( may be a noobish question) and not the path. Of course keeping the copyright.
lefterios said:
I'm also curious if I can take only the class from your lib( may be a noobish question) and not the path. Of course keeping the copyright.
Click to expand...
Click to collapse
As long as you keep the copyright intact, you're good to go!
Hello.
May I kindly ask for what Android API level is this:
RelativeLayout mRelativeLayout = new RelativeLayout();
?
voriax said:
Hello.
May I kindly ask for what Android API level is this:
RelativeLayout mRelativeLayout = new RelativeLayout();
?
Click to expand...
Click to collapse
API level 1. Search Android Developers
lefterios said:
API level 1. Search Android Developers
Click to expand...
Click to collapse
This is also easy to find that this API (1) is Obsolete...
But thanks anyway...
voriax said:
This is also easy to find that this API (1) is Obsolete...
But thanks anyway...
Click to expand...
Click to collapse
It means it's compatible starting API 1... meaning RelativeLayout was part of the very first SDK and will continue being part since it's one of the fundamental Android views.
But thanks anyway...
mradzinski said:
It means it's compatible starting API 1... meaning RelativeLayout was part of the very first SDK and will continue being part since it's one of the fundamental Android views.
But thanks anyway...
Click to expand...
Click to collapse
I was referring to Constructor
not RelativeLayout itself...
Teddymobile app comes preinstalled by oneplus and had been added in OxygenOS Open Beta 2. This app is sending data to Teddymobile servers in China without users consent.
The OnePlus clipboard app contains a strange file called badword.txt ? In these words, you can find: Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email, ...
Details here: Pastebin Link
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
This badword.txt is duplicated in a zip file called pattern. This archive contains 7 files: - badword.txt - brackets.txt - end.txt - follow.txt - key.txt - start.txt
All these files are used in a obfuscated package which seems to be an #Android library from teddymobile. TeddyMobile is a Chinese company, they worked with a lot of manufacturers including oppo. Their website http://teddymobile.cn/
As far it can be understood that teddymobile is making number identification in SMS The picture below can be translated like this: - Total number of SMS 20M+ - SMS identification accuracy 100% - Identification number recognition rate of 70% - recognition accuracy of 95%
According to the code OnePlus is sending your IMEI and the phone manufacturer to a Chinese server owned by teddymobile
In the TeddyMobile's package com.ted, they have a class called SysInfoUtil. This class contains the following methods:
- getAndroidID
- getCPUSerial
- getDeviceId
- getHardwareSerialNumber
- getIMEI
- getIPAddress
- getMacAddress
- getPhoneNumber
- getScreenPixels
Except getIPAddress and getScreenPixels, all the other methods are used. They also send JSON messages to their servers with a "telephone" and "messageText" fields...
This is a good reminder...Please don't copy paste your bank account number...TeddyMobile has a dedicated method to recognize a bank account...
Verify it yourself from the Oneplus clipboard apk available at koodous project. Link is here
After deeper investigation only a small part of the tedmobile sdk is used. In the ClipboardManager, in the verifyExpress method they used the method parserOnline.
This parserOnline will send what you have in your clipboard data to a teddymobile server in order to parse it. It important to say that this method is used only for Chinese users.
The conditions to send your data to teddymobile server are: - clip data is not numeric - not an email - Chinese OnePlus phone - clipboard data matched the express pattern. It good to say that parserOnline method is used 3 times in the code, so this is only 1 of the 3 use cases!
So finally word of caution, whoever has installed OxygenOS Open Beta 2, there is a good chance your data is with Teddymobile right now.
Uh oh the hysteria! A tech company may be collecting information???? Never heard of that happening before...
Wasn't this already debunked over on Reddit?
this is very alarming.
http://www.androidpolice.com/2018/01/26/no-oneplus-still-not-sending-clipboard-data-china/
Please read and inform yourself before spreading false information.
And god what is it with the massive font and broken OP ?
i did some digging. paradoxx is right. but what about this app ?
False Information!! This looks like false information to you? Did you even bother to read all the technical explanation being mentioned here. Company will obviously deny the allegations saying it as baseless.
I have mentioned everything step by step which are revealed by a renowned hacker Elliot Alderson . Check his twitter bio - https://twitter.com/fs0c131y
Apologies for the large fonts, corrected them. By the way, I am an Oneplus 5T user since Oneplus One.
Paradoxxx said:
Please read and inform yourself before spreading false information.
And god what is it with the massive font and broken OP ?
Click to expand...
Click to collapse
https://www.gsmarena.com/oneplus_re...ther_clipboard_data_accusation-news-29344.php
arka.b said:
False Information!! This looks like false information to you? Did you even bother to read all the technical explanation being mentioned here. Company will obviously deny the allegations saying it as baseless.
I have mentioned everything step by step which are revealed by a renowned hacker Elliot Alderson . Check his twitter bio - https://twitter.com/fs0c131y
Apologies for the large fonts, corrected them. By the way, I am an Oneplus 5T user since Oneplus One.
Click to expand...
Click to collapse
https://www.reddit.com/r/android/comments/7t6joy
https://www.reddit.com/r/android/comments/7t6joy/_/dtaggn3
I am eager too. but did someone including mods looked at thw screenshot i sent, is it a safe apk to have in the phone ?
---------- Post added at 02:17 PM ---------- Previous post was at 02:16 PM ----------
it seeks like the clipboard app was controversial. it has been removed in beta 3.
arka.b said:
False Information!! This looks like false information to you? Did you even bother to read all the technical explanation being mentioned here. Company will obviously deny the allegations saying it as baseless.
I have mentioned everything step by step which are revealed by a renowned hacker Elliot Alderson . Check his twitter bio - https://twitter.com/fs0c131y
Apologies for the large fonts, corrected them. By the way, I am an Oneplus 5T user since Oneplus One.
Click to expand...
Click to collapse
I know who he is, I have seen this couple of days before you even posted here, and unlike you, I actually done some research on other website to find more info regarding this.
Please read AndroidPolice's article on this.
Hmm interesting
Sent from my ONEPLUS A5010 using Tapatalk
The web is full of misinformation. The code is/was there. The fact that it was 'inactive' on US handsets means - exactly- doodily squat. If you know anything about linux code then you know that it wouldn't take very much for the proprietors of said code to 'activate'. Especially with the code being in ROM at a place where it is given any permissions they deem fit w/out the typical end-user's knowledge.
It was wise on op's part to remove it. They already have the credit card fiasco to deal w/.
Excerpts from the aforementioned AndroidPolice article:
- but the company says
-the company is wasting no time issuing a clear explanation of the situation
-According to OnePlus,
-So, it sounds like OnePlus' only mistake here was including files from HydrogenOS in the OxygenOS
Hardly a hard hitting piece that rises to the bar of journalistic integrity.
Clipboard code removed from Oneplus 5T Open Beta 3
And may be because of this controversy, Oneplus removed the clipboard from Open Beta 3.
http://www.firstpost.com/tech/news-...lity-and-adds-cpu-security-patch-4327815.html
https://www.gsmarena.com/oxygenos_o...ols_removes_clipboard_function-news-29392.php
Lossyx said:
https://www.reddit.com/r/android/comments/7t6joy
https://www.reddit.com/r/android/comments/7t6joy/_/dtaggn3
Click to expand...
Click to collapse
yeah, right. Appreciate your concern!
Paradoxxx said:
I know who he is, I have seen this couple of days before you even posted here, and unlike you, I actually done some research on other website to find more info regarding this.
Please read AndroidPolice's article on this.
Click to expand...
Click to collapse
arka.b said:
And may be because of this controversy, Oneplus removed the clipboard from Open Beta 3.
http://www.firstpost.com/tech/news-...lity-and-adds-cpu-security-patch-4327815.html
https://www.gsmarena.com/oxygenos_o...ols_removes_clipboard_function-news-29392.php
Click to expand...
Click to collapse
Damage has already been done because of circle jerks...
chas123 said:
The web is full of misinformation. The code is/was there. The fact that it was 'inactive' on US handsets means - exactly- doodily squat. If you know anything about linux code then you know that it wouldn't take very much for the proprietors of said code to 'activate'. Especially with the code being in ROM at a place where it is given any permissions they deem fit w/out the typical end-user's knowledge.
It was wise on op's part to remove it. They already have the credit card fiasco to deal w/.
Excerpts from the aforementioned AndroidPolice article:
- but the company says
-the company is wasting no time issuing a clear explanation of the situation
-According to OnePlus,
-So, it sounds like OnePlus' only mistake here was including files from HydrogenOS in the OxygenOS
Hardly a hard hitting piece that rises to the bar of journalistic integrity.
Click to expand...
Click to collapse
arka.b said:
yeah, right. Appreciate your concern!
Click to expand...
Click to collapse
To add on top of that, some people actually tried to trigger the application activities, and no contact to any server could be made.
I installed Pi-hole on my Android device and pointed DNS at 127.0.0.1
Saw a bunch of funky domains in the query log and blocked them.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
But what was causing it?
Code:
[email protected]:~# tcpflow -p -c -i wlan0 port 80 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'
reportfilename: ./report.xml
tcpflow: listening on wlan0
GET /logs/log.info?package=com.swe.dgbluancher&osv=10&gaid=ff9300dd-f771-40ff-84d7-42184fc40d95&get_ip_info=ff9300dd-f771-40ff-84d7-42184fc40d95&model=MBOX&make=Google&aid=df53b410ca1fd8a6&version=2.85&cid=1410&status=-1 HTTP/1.1
Host: 128.199.97.77
GET /logs/log.active?package=com.swe.dgbluancher&osv=10&gaid=ff9300dd-f771-40ff-84d7-42184fc40d95&model=MBOX&make=Google&aid=df53b410ca1fd8a6&version=2.85&cid=1410&status=-1 HTTP/1.1
Host: 128.199.97.77
GET /logs/log.info?package=com.swe.dgbluancher&osv=10&gaid=ff9300dd-f771-40ff-84d7-42184fc40d95&get_ip_info=ff9300dd-f771-40ff-84d7-42184fc40d95&model=MBOX&make=Google&aid=df53b410ca1fd8a6&version=2.85&cid=1410&status=-1 HTTP/1.1
Host: 128.199.97.77
GET /?timestamp=1668566687503&version=1&biz=10016&os=2&id=3e2dfd4c426e38721ac0bcc09612aa96&sign=d59dab2813001575f0a9dfb2ce850353 HTTP/1.1
Host: www.forfor123.com
GET /get_endpoint?timestamp=1668566687493&version=1&biz=10016&os=2&id=3e2dfd4c426e38721ac0bcc09612aa96&sign=135d9c2723c76587e86a540fced231ec HTTP/1.1
Host: qweqwe135.top
POST /u.php?id=30018&m=cTUJPWA&s=d1,u3&p=cY29tLnN3ZS5kZ2JsdWFuY2hlcg&aid=df53b410ca1fd8a6&am=2 HTTP/1.0
Host: v.sustat.com
GET /stg?channel=hzsdk_05&sdk=js_club HTTP/1.1
Host: sdk2.appclicking.com
GET /logs/log.info?package=com.swe.dgbluancher&osv=10&gaid=ff9300dd-f771-40ff-84d7-42184fc40d95&get_ip_info=ff9300dd-f771-40ff-84d7-42184fc40d95&model=MBOX&make=Google&aid=df53b410ca1fd8a6&version=2.85&cid=1410&status=-1 HTTP/1.1
Host: 128.199.97.77
GET /logs/log.info?package=com.swe.dgbluancher&osv=10&gaid=ff9300dd-f771-40ff-84d7-42184fc40d95&get_ip_info=ff9300dd-f771-40ff-84d7-42184fc40d95&model=MBOX&make=Google&aid=df53b410ca1fd8a6&version=2.85&cid=1410&status=-1 HTTP/1.1
Host: 128.199.97.77
GET /d/bcc/v2/o/ffeca781ecfd6067e5e56b04d67edc7e HTTP/1.1
Host: dct.g1ee.com
This is exactly why I debloated my android tv using adb app control and removed everything that wasn't necessary. And got a new launcher to get rid of the crappy one.
That's all good and fine but you don't really know if your device is cleaned-up until you've snooped its wire and can account for the traffic going out.
Is your device roughly the same as this?
Code:
https://www.amazon.com/gp/product/B08CRV62C4
I have that one. It still has the shipped build. I haven't had it hooked up much because it is kind of a piece of crap. I'll check and see what it has.
This might be kind of a good argument to use certified builds on certified devices. But the amount of data collection done by those would make your head spin. And it is all outsourced to the factory. Servers to sdmc, sei, skyworth, and the like. Sdmc even advertises these features as "big data" features.
goapy said:
Is your device roughly the same as this?
Code:
https://www.amazon.com/gp/product/B08CRV62C4
I have that one. It still has the shipped build. I haven't had it hooked up much because it is kind of a piece of crap. I'll check and see what it has.
This might be kind of a good argument to use certified builds on certified devices. But the amount of data collection done by those would make your head spin. And it is all outsourced to the factory. Servers to sdmc, sei, skyworth, and the like. Sdmc even advertises these features as "big data" features.
Click to expand...
Click to collapse
That’s the one! I’m about to pull the trigger on a second one to see how deep the rot goes. If this is how they come from Amazon it’d be a pretty big deal.
can confirm it is there out of the box.
forexamplejohn said:
can confirm it is there out of the box.
Click to expand...
Click to collapse
That's... horrifying.
Just to confirm, you're using a stock device, unflashed box?
Did you see the да folder in:
Code:
/data/data/com.swe.dgbluancher/files
How did you discover your device was infected? If possible, can you name where you bought the device, like an Amazon link or similar?
yes, stock. I bought four of these:
https://www.amazon.com/dp/B08X11HGR4
They were being blown out for ~ $14 each. Wonder why.....
I can't claim credit, found your threads here. I was looking for options to flash linux to them in order to run klipper or kodi. Had taken a look around the stock android, and being paranoid that included preinstalled apps. I was actually thinking it was fairly clean compared to say an ATT motorola prepaid android phone or something. But that "luancher" was there, for sure. WIthout uninstall or disable options
I speak Russian, what want me to do?
Arealhooman said:
I speak Russian, what want me to do?
Click to expand...
Click to collapse
It seems to be a popular Android box over there. Here is the link to a megathread dedicated to that deivce:
{Mod edit: Link removed. Oswald Boelcke}
It might be helpful to ask in that forum if anyone with one of these devices sees the folder:
Code:
/data/data/com.swe.dgbluancher/files/да
...and if so, let them know their device is compromised.
The firmware links being shared here and elsewhere have the malware built-in. Actually, I have yet to see a 'clean' downloadable firmware for this box, anywhere on the Internet.
forexamplejohn said:
yes, stock. I bought four of these:
https://www.amazon.com/dp/B08X11HGR4
They were being blown out for ~ $14 each. Wonder why.....
I can't claim credit, found your threads here. I was looking for options to flash linux to them in order to run klipper or kodi. Had taken a look around the stock android, and being paranoid that included preinstalled apps. I was actually thinking it was fairly clean compared to say an ATT motorola prepaid android phone or something. But that "luancher" was there, for sure. WIthout uninstall or disable options
Click to expand...
Click to collapse
Thanks for the info. Really hard to believe these devices can be built for $14 with the reseller making a dollar or two per unit.
Does the foler /data/data/com.swe.dgbluancher/files/да exist on your device?
forexamplejohn said:
"luancher" was there, for sure. WIthout uninstall or disable options
Click to expand...
Click to collapse
To be clear, com.swe.dgbluancher appears to be a simple open-source launcher that was rebuilt with the malware and packaged in the ROM. the presence of the launcher is not an indication of malware, but the "/да" folder definitely is.
The Universal Android Debloater will get rid of this easily, but I'm not sure that is enough to clean the device. There may be more nasty stuff in the ROM I haven't yet found. For a safe replacement, I'm using Microsoft Launcher because it includes an entry point to the device's settings menu.
One last bit of traffic I can't account for:
Code:
ycxrl.com / li1470-135.members.linode.com (139.162.57.135)
Every few minutes the T95 wants to send "something" to ycxrl.com
Code:
|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1
|ycxrl.com|POST /terminal/client/apiInfo HTTP/1.1
How many of these things sold on Amazon and AliExpress?!
Update -- The malware injects the system_server process. Looks to be deeply baked-into the ROM.
If I can't remove this malware, find a clean ROM, or get 'regular' Linux running, this T95 box is worse than useless.
Pretty sophisticated malware, resembling CopyCat in how it works.
This was actually an interesting topic. Part of me isn't surprised because I've heard of a lot of these types of boxes and mobile devices used for stuff like botnets. I have a Xiaomi Mi box and am curious if they are also similar.
It makes me curious what a good modern android box is these days.
Xiaomi maybe not so much, but these vendors on Amazon operating with names like BLAÜMTRON could be up to anything apparently.
If other T95 owners can check their devices for DNS traffic to ycxrl.com it'd be a huge help to determine the extent of this problem.
Would this open source malware checker find it on the android tv boxes?
Can someone check?
Hypatia | F-Droid - Free and Open Source Android App Repository
A real-time malware scanner
www.f-droid.org
DesktopECHO said:
It seems to be a popular Android box over there. Here is the link to a megathread dedicated to that deivce:
{Mod edit: Link removed. Oswald Boelcke}
It might be helpful to ask in that forum if anyone with one of these devices sees the folder:
Code:
/data/data/com.swe.dgbluancher/files/да
...and if so, let them know their device is compromised.
The firmware links being shared here and elsewhere have the malware built-in. Actually, I have yet to see a 'clean' downloadable firmware for this box, anywhere on the Internet.
Click to expand...
Click to collapse
@DesktopECHO
I've removed the link to 4pda from your above post! 4pda is not only another phone related website (and not at all affiliated with xda-developers) but also well known for the distribution of malware and warez. Links or references to 4pda are not accepted on XDA.
XDA Forum Rules (excerpt):
...
6. Do not post or request warez.
If a piece of software requires you to pay to use it, then pay for it. We do not accept warez nor do we permit members to request, post, promote or describe ways in which warez, cracks, serial codes or other means of avoiding payment, can be obtained or used. This is a site of developers, i.e. the sort of people who create such software. When you cheat a software developer, you cheat us as a community.
(...)
11. Don’t post with the intention of selling something.
Don’t use XDA to advertise your product or service. Proprietors of for-pay products or services, may use XDA to get feedback, provide beta access, or a free version of their product for XDA users and to offer support, but not to post with the intention of selling. This includes promoting sites similar / substantially similar to XDA-Developers.com.
Do not post press releases, announcements, links to trial software or commercial services, unless you’re posting an exclusive release for XDA-Developers.com.
Encouraging members to participate in forum activities on other phone related sites is prohibited.
Off-site downloads are permitted if the site is non-commercial and does not require registration.
Off-site downloads from sites requiring registration are NOT encouraged but may be permitted if both of the following conditions are met:
A) The site belongs to a member of XDA-Developers with at least 1500 posts and 2 years membership, who actively maintains an XDA-Developers support thread(s) / posts, related to the download.
B) The site is a relatively small, personal website without commercial advertising / links (i.e. not a competitor forum-based site with purposes and aims similar to those of XDA-Developers.com.)
...
Click to expand...
Click to collapse
Please refrain from sharing of such links in future! Thanks for your cooperation.
Regards
Oswald Boelcke
Senior Moderator
Thorough write-up here: T95 H616 Malware
Reported online by BleepingComputer,PCMag and others
Thanks for the investigation of this device.