android security - Android Software Development

In many applications downloaded from the market, like anysoftkeyboard, there is a popup warning window that says "the application may be able to collect all the text you type... passwords, credit card numbers (!!!) etc.". Do the preinstalled applications on a device do the same? Finally, is Android applicable for secure usage in everyday transactions like online shopping or internet banking?

sinnaiy said:
In many applications downloaded from the market, like anysoftkeyboard, there is a popup warning window that says "the application may be able to collect all the text you type... passwords, credit card numbers (!!!) etc.". Do the preinstalled applications on a device do the same? Finally, is Android applicable for secure usage in everyday transactions like online shopping or internet banking?
Not 100% sure as I didn't write the apps, but as far as I know, it doesn't actually "collect" your passwords and credit card numbers in the sense of stealing it...but rather certain keyboards allow you to add custom words into the dictionary. For example, if you were to write "ROFL," this obviously wouldn't be in the dictionary. If you choose to add this word to the dictionary, the keyboard will effectively collect (store) the word. So, as you see, the keyboard only "remembers" the words, with your approval, to make typing easier for you in the future.

Keyboards could collect key data, but they need internet access to send it to other people. So if the keyboard doesn't have full internet access you're safe. (Unless it saves data to the SD card and another app sends that file to a server, but most keyboards don't have SD-card write access.)

fifarunnerr said:
Keyboards could collect key data, but they need internet access to send it to other people. So if the keyboard doesn't have full internet access you're safe. (Unless it saves data to the SD card and another app sends that file to a server, but most keyboards don't have SD-card write access.)
In a perfect world this would be true, but there are a few exploitable holes to pass that data to the internet.
Just because an app doesn't have the INTERNET permission does not mean it can't send out certain data.
Some of the exploits are known but I'm not going to go into detail about them. Just be sure you trust the keyboard people before installing their keyboard.

I think you don't have to be afraid as long as you use the stock keyboard. If you use another one, check what was said in the previous posts. And don't forget, Google doesn't check the apps; this message is shown for every keyboard to let you know the risks.
Sent from my GT-I5700 using XDA Premium App

Related

This message will self destruct...

Hiya All,
Some serious thinking came across my mind a couple of days ago... what if my device gets lost? Any person that finds it will be able to view anything on my device such as contacts, calendar, notes and even use the phone.
Of course there is an option to lock the device, but who the h*ll wants to unlock it every time he starts to use it?
What I was thinking is to send a restrictive SMS message or anything alike that will make a HR to the device or lock it with a long enough password to avoid hacking.
Has anyone encountered this kind of app that can make the above request?
Any other useful thoughts on this subject?
Thanks in advance,
Bright Star
You could install One-Pass. It locks the PPC until a password is entered. With this software installed, no one could get into your PPC. They could get whatever was on your storage card, though.
I have an application in final beta stages that will hard reset the PPC,
based on a user defined code being sent via sms.
inane, does it hard reset when anyone sends the sms or does it recognise only certain numbers? Last thing I would want is my mates finding out about the message and sending it to me for a laugh!
There's an app that comes with the WM5 SDK that allows you to lock ur device via SMS but obviously you'd need WM5 :wink:
Bright Star said:
What I was thinking is to send a restrictive SMS message or anything alike that will make a HR to the device...
Bright Star,
There is a commercial application available that does exactly that. It is named PDAKill. The developer is ScpSoft (http://www.scpsoft.com).
Here is a brief blurb from their website:
PDAKill is designed to protect users of PDA's from loss/theft of their devices. It allows users to send a predefined SMS message which will hard reset the PDA, deleting the user data (including the storage area* and Storage Card which eliminates any files surviving the hard reset) returning the device to its original factory settings.
You can purchase it from Handango for about $15.00. I've never used it so I can't provide you with any other comment. I just recalled reading about it.
- Peter
PDAKill
Thanks a lot Peter,
This looks like the s/w I've been looking after.
I'll buy it and give it a try.
Bright S.
Re: PDAKill
Bright Star said:
Thanks a lot Peter,
This looks like the s/w I've been looking after.
I'll buy it and give it a try.
Bright S.
Better back up your data first...
I still like one-pass better. It locks the screen with your user information showing. This allows an honest person who finds your PDA to call you and collect the generous reward you offer.
The only way to get out of the 1-pass system is to do a hard reset, which kills the internal memory and storage.
nedge2k said:
There's an app that comes with the WM5 SDK that allows you to lock ur device via SMS but obviously you'd need WM5 :wink:
Do you know where I can get this, I have the BlueAngel with WM5 and would love to use a program like this. I am sure that it would require a client install and the sms to the device would require some type of code.
Thanks
it would be cool if there were a low level application which could reflash the boot ROM with zeros and somehow disable bootloader mode and then perform a soft reset. The device could then be thrown into the trash without a service in a repair center... :twisted:
stevedebi said:
You could install One-Pass. It locks the PPC until a password is entered. With this software installed, no one could get into your PPC. They could get whatever was on your storage card, though.
Do you know who wrote One-Pass?
http://www.omegaone.com/pass/default.htm
FYI it can be nicely resource hacked to make it match your own theme
I'll try to post a screenshot some time.
V
But how would you know which number you send the SMS to? You will never know what SIM card the "thief" is using!
kta said:
But how would you know which number you send the SMS to? You will never know what SIM card the "thief" is using!
maybe it could send you a message first after every sim card change? to see the numbers
no need to install One-Pass, just set the "prompt if device unused" to 0 minutes, then it will always ask for password.
Man if we could get a program like this it would be great (SMS Lock), and more than likely if someone finds your phone they are not going to know what to do with it...
dwd said:
no need to install One-Pass, just set the "prompt if device unused" to 0 minutes, then it will always ask for password.
What if they do a reset? I don't think the password is in effect at that time. You could require a password (PIN) for the phone, but I find that to be a hassle.
With one-pass, the phone won't complete the soft reset unless the password is entered.
It also allows you to program the buttons for a "quick password".
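The SMS-lock idea discussed in this thread (a predefined code sent by SMS, and the question of whether anyone who learns the message could trigger it) boils down to authenticating the command before the device acts on it. The Python below is an added example, not code from PDAKill, One-Pass or any other app named here; it assumes a constructed owner passphrase and trusted-sender number, and models the check a device-side SMS receiver would run: trusted sender, fresh timestamp, an HMAC tag over the command, and a replay list.

```python
import hashlib
import hmac
import time

# Constructed values: the owner configures these on the device before it is lost
OWNER_SECRET = b"correct horse battery staple"   # pre-shared passphrase (assumption)
TRUSTED_SENDERS = {"+15550001111"}               # owner's own number(s) (assumption)
FRESHNESS_SECONDS = 10 * 60                      # how old a command may be
ALLOWED_ACTIONS = {"LOCK", "WIPE"}


def _tag(action, issued_at, secret):
    """HMAC-SHA256 over 'ACTION <unix-time>', truncated so it fits in an SMS."""
    msg = f"{action} {issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def build_command(action, issued_at=None, secret=OWNER_SECRET):
    """Owner side: produce the SMS body 'ACTION <unix-time> <tag>'."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    return f"{action} {issued_at} {_tag(action, issued_at, secret)}"


def verify_command(sender, body, now=None, secret=OWNER_SECRET, seen=None):
    """Device side: return (action, 'ok') or (None, reason). Never acts itself."""
    now = int(time.time()) if now is None else int(now)
    if sender not in TRUSTED_SENDERS:
        return None, "untrusted sender"
    parts = body.strip().split()
    if len(parts) != 3:
        return None, "malformed"
    action, ts, tag = parts
    if action not in ALLOWED_ACTIONS or not ts.isdigit():
        return None, "malformed"
    issued_at = int(ts)
    # Reject old commands so a captured message cannot be reused much later
    if abs(now - issued_at) > FRESHNESS_SECONDS:
        return None, "stale command"
    # Constant-time comparison of the expected tag with the one in the SMS
    if not hmac.compare_digest(_tag(action, issued_at, secret), tag):
        return None, "bad tag"
    # Optional replay list: the same (time, tag) pair is honoured only once
    if seen is not None:
        if (issued_at, tag) in seen:
            return None, "replayed command"
        seen.add((issued_at, tag))
    return action, "ok"


if __name__ == "__main__":
    now = int(time.time())
    sms = build_command("LOCK", now)
    print(sms)
    print(verify_command("+15550001111", sms, now))   # ('LOCK', 'ok')
    print(verify_command("+15559999999", sms, now))   # (None, 'untrusted sender')
```

The sender check answers the "my mates sending it for a laugh" worry, but SMS sender numbers can be spoofed, so the HMAC tag is the check that actually matters: without the passphrase nobody can forge a valid LOCK or WIPE. It does not solve kta's point about which number to send the command to; that needs the device to report a SIM change on its own, as a later post suggests.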

not to get too offtopic but I for a start would NEVER put important data on a mobile device. It's risky enough with some docs on my notebook but those are now going to be transferred to a remote encrypted server with a stable VPN connection.
PDAs aren't secure. PERIOD. I never store any important data on my Magician. The worst thing you'll find are the text messages to my gf, hehe. Btw am I the only one concerned about losing a € 500 device?
Liking the boom-on-SMS idea though. Will prob never use it. I use deltalock to lock the screen of my Magician. 9 of 10 ppl are too stupid to figure out how to unlock it. hehehe.
MMaster23 said:
not to get too offtopic but I for a start would NEVER put important data on a mobile device. It's risky enough with some docs on my notebook but those are now going to be transferred to a remote encrypted server with a stable VPN connection.
PDAs aren't secure. PERIOD. I never store any important data on my Magician. The worst thing you'll find are the text messages to my gf, hehe. Btw am I the only one concerned about losing a € 500 device?
hence
will also use gps capability when available
no more lost device!

PSA: Android malware; watch your back

Here's an interesting occurrence. A family member recently accidentally clicked on an advertisement posing as a facebook-esque message indicator. They mistook it for a valid part of the site, and it took them to the porn site "MFUN2U". The site then proceeded to trigger a download of "HotBabe_adm_~.apk" every few seconds. Apparently it was intended that the user click the download message (either accidentally or to see what it is), and hopefully be naive enough to click through the market install screen that would result.
So just a public service announcement to everyone; make sure you keep "Install from unknown sources" OFF whenever you are not actively using it, and watch what you click. Careful not to fall for banners claiming "You have a new message from a friend" or other similar phrases. And if you find yourself at a bad website, you can quickly close it by going into the "Windows" screen from the browser menu.
To those with root, be sure to pay attention to what programs you give access to.
And remember, no operating system that allows users to install programs is "virus proof". Android does not understand the intents of programs beyond its simple permissions, nor can it detect if a program is "good" or "bad". If you install a program that can read your text messages and access the internet, then it can freely do both things, even if it decides to send your texts to a third party site. It already has your consent; you agreed to the permissions when installing it.
For more info, the advertisement was served by AdMob on DeviantArt. The APK package was "com.firstlogix.streammedia.HotBabe", and had the permissions SEND_SMS, INTERNET, and ACCESS_NETWORK_STATE.
Are you sure it's malware and just not some random app that shows pr0n?
Either way, good looking out. Malware or not, I obviously don't want it on my phone.
Should an app to display pictures need to send SMS messages? It might not be, but considering the nature of "delivery", it certainly had bad intentions.
By malware, I don't mean trojans or anything of that nature. Consider that a program with those permissions could retrieve a list of phone numbers and messages from the internet and start sending them from your phone. Could be part of a bot net to send advertisements to others, or subscribe you to paid daily text messages.
At any rate, android has now become large enough to be targeted by things like this.
RoboPhred said:
Should an app to display pictures need to send SMS messages? It might not be, but considering the nature of "delivery", it certainly had bad intentions.
By malware, I don't mean trojans or anything of that nature. Consider that a program with those permissions could retrieve a list of phone numbers and messages from the internet and start sending them from your phone. Could be part of a bot net to send advertisements to others, or subscribe you to paid daily text messages.
At any rate, android has now become large enough to be targeted by things like this.
True, true. I'm just thinking too openly about it, lol. Way I look at it: MANY apps need control over things you wouldn't think they would need control over. Seeing as how it's delivered, as you said, certainly implies it's up to no good.
RoboPhred said:
Should an app to display pictures need to send SMS messages? It might not be, but considering the nature of "delivery", it certainly had bad intentions.
By malware, I don't mean trojans or anything of that nature. Consider that a program with those permissions could retrieve a list of phone numbers and messages from the internet and start sending them from your phone. Could be part of a bot net to send advertisements to others, or subscribe you to paid daily text messages.
At any rate, android has now become large enough to be targeted by things like this.
Yes, if it's a program that allows pictures to be shared by sms.
amazinglarry311 said:
Yes, if it's a program that allows pictures to be shared by sms.
You're way off subject, bro. Read all 3 posts first, not just the second to last.
I've said it before, and I'll say it again... Android's security system needs to offer the user the ability to selectively DENY a program the permissions that it requests.
Note however; this does not imply a virus.
In fact, android is more or less impervious to virii. A windoze virus works because it has ROOT PERMISSION -- does whatever it wants. A linux process is limited to the permissions given to that specific user -- this even applies to a VIRUS process.
In android, EACH APPLICATION (except for shared apps, but they need to be signed by the same key for this to work) has its very own user, so any one application can ONLY access ITS OWN files and that data (not files) specifically authorized based on the requested/granted permissions.
Also note: The access that an application gets from pulling data through the permissions is very limited -- it has to request data in certain specifically configured data sets, and the system responds in a very restricted way to those.
This particular application mentioned can access the internet, read network state (i.e. connected/disconnected), and SEND sms. It can NOT read the contact list, and thus cannot spam your contacts. It cannot barf up your system. If you erase it, it's gone without a trace.
The WORST it can do is send a billion SMS messages and/or basically hand over your phone number to phone-spammers (i.e. via callerid from the sms).
And contrary to what was said above, the permissions requested are a GREAT way to determine if a program is safe/sensible. If the program does not need the permission but still asks for it, you need to ask yourself WHY it would be asking for it... and IF that program REALLY DOESN'T need the permission, then it is one of two reasons: either the developer is a retard and asked for blanket permissions, or the developer has nefarious intentions. Either reason means that you don't want to install that application (or would, in the least, demand that the permissions be restricted to something more sensible).
If a program doesn't appear to need the permission, then it DOESN'T. Simple as that.
This program is not a virus. That doesn't mean that this program is a good program or is entirely benevolent.
"Virus" has come to be a blanket term now, rather than just something that spreads itself around. Most would consider a trojan to be a virus, despite the fact that they are usually targeted and traditionally don't send themselves to others. Programs don't need root access to behave in ways you don't want them to. Ask anyone to describe "a program that sends text messages from your phone to spammer companies so they can get your phone number", and they probably would choose "virus".
At any rate, no one ever made the claim that the program was a virus in the traditional sense, just malware. Android certainly has very effective security features, and an apk can't take over the phone (without root permission anyway), but that's little consolation when you have to get a new phone number.
I feel I need to step back and say that this wasn't intended to be reactionary (nor are people treating it as such, but it's getting close). This is just a general alert to remind people to pay attention to what they do with their devices, and to be suspicious of any unexplained downloads or other events.
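The thread's advice is to read the requested permissions against what the app plausibly needs and to treat certain combinations (here SEND_SMS together with INTERNET) as an abuse path even when no single permission looks alarming. The Python below is an added example, not code from Android, the market or any app in the thread; it parses a constructed AndroidManifest.xml whose permission set mirrors the one reported above, compares it with a constructed baseline for the app's stated purpose, and reports unexpected sensitive permissions and risky combinations.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed sample manifest; the three permissions mirror what the post reports
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.imageviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Sample viewer"/>
</manifest>
"""

# Permissions that reach outside the app's own sandbox (illustrative subset)
SENSITIVE = {
    P + "SEND_SMS": "send SMS from the device (premium-rate / spam abuse)",
    P + "READ_SMS": "read stored text messages",
    P + "RECEIVE_SMS": "intercept incoming text messages",
    P + "READ_CONTACTS": "read the contact list",
    P + "READ_CALL_LOG": "read the call log",
    P + "READ_PHONE_STATE": "read phone number and device identifiers",
    P + "ACCESS_FINE_LOCATION": "read precise location",
}

# What a given kind of app plausibly needs (constructed baseline, an assumption)
EXPECTED_BY_TYPE = {
    "image viewer": {P + "INTERNET", P + "ACCESS_NETWORK_STATE",
                     P + "WRITE_EXTERNAL_STORAGE"},
    "sms client": {P + "SEND_SMS", P + "READ_SMS", P + "RECEIVE_SMS",
                   P + "READ_CONTACTS"},
}

# Combinations that turn individual permissions into an exfiltration or abuse path
RISKY_COMBOS = [
    ({P + "SEND_SMS", P + "INTERNET"},
     "fetch numbers and text from a server, then send SMS from the phone"),
    ({P + "READ_CONTACTS", P + "INTERNET"}, "upload the contact list"),
    ({P + "READ_SMS", P + "INTERNET"}, "forward received text messages"),
]


def requested_permissions(manifest_xml):
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def triage(manifest_xml, app_type):
    """Compare requested permissions with the baseline for app_type."""
    perms = requested_permissions(manifest_xml)
    expected = EXPECTED_BY_TYPE.get(app_type, set())
    unexpected = sorted(p for p in perms if p in SENSITIVE and p not in expected)
    combos = [why for needed, why in RISKY_COMBOS if needed <= perms]
    return {
        "permissions": sorted(perms),
        "unexpected": [(p, SENSITIVE[p]) for p in unexpected],
        "combos": combos,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, "image viewer")
    for perm, why in report["unexpected"]:
        print(f"unexpected for an image viewer: {perm} ({why})")
    for why in report["combos"]:
        print(f"risky combination: {why}")
```

The same manifest triaged as an "sms client" produces no unexpected permission, which is the point made later in the thread: the judgement depends on what the app is supposed to do, and the combination check still fires because the capability exists regardless of intent.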

Do any custom roms have any data privacy features built in? How safe is our data?

It worries me when I try to install a new app, only to see a long list of permissions it's requesting. Why would a simple game require it to access my call logs, phone number etc...
Is there anything built into custom ROMs that prevents this private data being sent out? Can these apps really pull your info such as your whole contact list and call history?
I just installed an app called LBE privacy guard, and even Launcher Pro is trying to access my call logs and sms messages. I've set most all apps to restricted on it and my security log is full of downloaded apps trying to access my info.
redspeed said:
It worries me when I try to install a new app, only to see a long list of permissions it's requesting. Why would a simple game require it to access my call logs, phone number etc...
Is there anything built into custom ROMs that prevents this private data being sent out? Can these apps really pull your info such as your whole contact list and call history?
I just installed an app called LBE privacy guard, and even Launcher Pro is trying to access my call logs and sms messages. I've set most all apps to restricted on it and my security log is full of downloaded apps trying to access my info.
CM7 allows for the ability to restrict permissions for specific applications (not finished yet), but that's the only one.
FWIW, Launcher Pro requests those permissions to do little "pop ups" on the dock for missed calls and text messages.
Decad3nce said:
FWIW, Launcher Pro requests those permissions to do little "pop ups" on the dock for missed calls and text messages.
That makes me feel a little bit better at least. Thought Launcher Pro was betraying me by stealing my info
When an app requests permissions like read contact data- does it actually have the ability to go through my private contact list and send back the names and phone numbers to their server?
I've always thought it funny that people who worry about data security will install a ROM built by a semi-anonymous chef. At least when you deal with Samsung and Sprint you know who has to answer for any problems. With a cooked ROM, who knows what could be in there?
I don't know what they would want to do with anyone's contacts, but like posted above most apps use notification features; even though some don't use the feature that often, it is still available. I trust that Google's OS has certain inalienable features to keep apps in check and make sure data is safe..... I haven't heard of anyone being killed or followed because location data was sent to a corporation.... now carrieriq is something to be reckoned with...
No one show the OP what carrieriq is ...lol
Sent from my SPH-D700
poit said:
I've always thought it funny that people who worry about data security will install a ROM built by a semi-anonymous chef. At least when you deal with Samsung and Sprint you know who has to answer for any problems. With a cooked ROM, who knows what could be in there?
I believe moderators examine Roms for that sort of thing. Also, if it was found out that someone was doing that, there would be some major problems.

Wheres my Phone

Would anyone be able to tell me if there is an app like HTC Sense online that lets me see where my phone is at any time?
Cheers
Where's my Droid
Sent from my GT-I9100 using xda premium
Try
samsungdive.com
redesignni said:
Would anyone be able to tell me if there is an app like HTC Sense online that lets me see where my phone is at any time?
Cheers
Try Android Lost
digi_fort said:
Try Android Lost
+1
.....................
The best & free solution is already on your phone. On your SGSII Go to Settings>Accounts & Sync. Create a Samsung account there if you haven't already. Then go to samsungdive.com to track your device, lock it, make it ring if lost.
what if it is stolen and the ROM has been changed?
Cerberus protects even when starting without a SIM or with a different one, and captures photos on a wrong screen unlock, call logs and SMS, remote wipe, tracking with GPS, phone wake and scream, popup message, apply extra lock, call the phone even if you don't know the number, record calls, hide app, etc. Can be SMS or Web activation. Cheap lifetime license and can be installed on 5 devices. The vendor built the SIM checker in two years ago and I can confirm that service is still running. Can be moved to /system/app and survives a factory reset; basically only flashing a new ROM will kill it.
Sent from my GT-I9100 using Tapatalk
With remote lock applied from Web site
Lol just saw can take photo on demand and email it, or if phone finder dismisses a popup request to return the phone.
Used push notification unlike Samsung solution which I found was battery killer
Sent from my GT-I9100 using Tapatalk
You can give a try to
- Watchdroid
- Phone locator
- Lost Phone
- Wheres my Droid
- SMS remote control
....
I didn't still find the right one ;-) and still searching....
Guys,
I lost my Galaxy S1 earlier this year; I had Samsung Dive set up while the phone was lost, but it did not help me. The phone was switched off by the time I realized the loss.
I guess folks who get their hands on someone's phone kinda know what to do with the Samsung beasts/beauties. Handing it over to someone to wipe and flash would be their best bet, I reckon. I am sorry, not talking about all the honest folks who would return the devices to the actual owners.
Since then, I have been searching for solutions which are wipe proof / flash proof, but not successfully. I even checked the Android feature requests some time back, found none.
Since then I have been thinking of this crazy idea that Google needs to implement as part of the Android OS.
Since we are registering the phone / market app on the phone with Google with a Gmail ID, why can't Google associate the IMEI of the phone with that Gmail ID?
If the registered user decides to sell / transfer the phone to someone else, the registered user of the phone initiates the request for transfer with another Gmail ID / approves the request from another Gmail ID, without which all/most of the Google-supported Android features like Maps, browser, Market, email would not work.
I am not finished yet... Android should have a feature to re-confirm the ownership regularly after a fixed duration of time, which can be user defined. As long as he/she is on a data connection, the renewal is a silent process with the cached credentials on the device. If not, provide some window of time to reconfirm the ownership, failing which it locks the features down to just phone calls / a limited user-defined set of basic Android operations. This could be an optional feature; rather than losing the phone I would opt for this feature, and I won't mind reconfirming my phone ownership at regular intervals.
If someone lost an Android phone, he/she has to just change the registered Gmail account password, which would make it difficult to renew the ownership. If the phone has a data connection, using the registered Google account on the lost device, one should be able to push a message to be displayed on the lock screen and home screen. Similar to the Chrome to Phone / SendToPhone feature.
Mandatory reconfirmation on every flash which is not non-wipe. On devices with NFC / similar chips with writable memory, the ownership details can be written to it and will not be wiped off by a wipe or flashing.
Also I would make a humble request to all devs and ROM chefs to keep their busy hands off this feature, if implemented. Ethical stuff.
We all love/hate our Android phones but won't want to lose them; please let me know your feedback.
PS: I have moved on since my SGS1, only after mourning the loss, but now own a SGS2.
androidlost is the best

[Q] wrappTheApp!! App

Hi!
Does anyone want to try to make an app that can take control of the apps' I/O data on the phone? An app that allows me to take control of the in and out data retroactively, after installation. Many, many apps drain the phone of sensitive data such as IP number, e-mail, phone, GPS info, and even account number etc. It should be pretty easy to make an app that wraps the apps in the phone and allows me to take control over what my apps have access to and what they do with my data, a kind of app firewall.
Should not be too hard to write that code. It would be a super HIT! Sure of that I am!
Anyone who is interested?
Henrik Bie
