[i9000] New Android/WiFi Security Threat - Precautions - Galaxy S I9000 General

Since I know most of us tend to do A LOT of reading on tech sites and Android-focused blogs, you are all likely aware of the new security problem that has recently been headline news (especially on Apple sites).
In a nutshell, it is possible for malicious unsecured WiFi APs and HotSpots to steal the AuthToken from your phone when your WiFi contacts it. This AuthToken then can be used for two weeks to gain access to your Google account, which in turn may make other accounts you have vulnerable. They do this by using very common SSIDs, such as Default or Linksys, to encourage passing Android phones and/or tablets to try and connect with them. Though the connection doesn't complete, just the sniffing that takes place in advance is enough for the theft to take place.
Fortunately Android phones don't automatically try and connect to every cheap, street-corner HotSpot they see...but they do automatically connect to WiFi APs they have been connected to before. Since these malicious APs are using very common SSIDs, it is likely your phone has connected to an AP with the same name in the past, and it will therefore query the AP, allowing the Token to be swiped.
How do we prevent this? Well, there are a few precautions that can be taken to make it less likely your poor phone gets grifted for being too trusting.
Make sure your home AP and other APs you control do not have common names. If your home AP has the SSID default, or Wireless....change it.
Keep your WiFi OFF when not using it.
Do NOT log into APs when you do not know their origin, and certainly not ones you scan for with names like Free Public WiFi. SSIDs like Evil Hacker Out to Fleece You are right out too.
If you DO log into a legit public AP (especially one with a common SSID), but it isn't one you commonly use, after you are done go into your WiFi settings and have your phone forget it.
Lastly, keep an eye on your Google account for suspicious activity. Did someone just use your Google account to pay for $5000 worth of Skype calling to the Canary Islands? If so, report it (unless you've got a girlfriend in the Canary Islands). Also use the security features in your Gmail account to keep track of what IP numbers are logging into your mail. If someone on the other side of the country suddenly accesses your inbox, change your account details and report it to Google.
Forewarned is forearmed...and the sooner we make this scam unprofitable, the sooner it will go away and the sooner iPhone users will shut up about it.
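The precautions above (rename default SSIDs, forget networks you don't use) come down to auditing what the phone will auto-join. The script below is an added example, not part of the original post or of any Android component: it parses a wpa_supplicant.conf in the format Android stored under /data/misc/wifi/ and flags saved networks that an attacker could impersonate by SSID alone. The sample config and the COMMON_SSIDS list are constructed assumptions for illustration, not an authoritative list of vendor defaults.

```python
"""Audit an Android-style wpa_supplicant.conf for saved networks that a rogue
AP could impersonate. Added example, not from the original post. The config
text and the COMMON_SSIDS list below are constructed for illustration."""
import re

# Default/common SSIDs a rogue AP is likely to use (assumed list).
COMMON_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless",
                "free public wifi", "attwifi", "xfinitywifi"}

# Constructed sample in the format Android 2.x/4.x wrote to
# /data/misc/wifi/wpa_supplicant.conf (one network={...} block per profile).
SAMPLE_CONF = """
ctrl_interface=wlan0
update_config=1

network={
        ssid="default"
        key_mgmt=NONE
        priority=2
}

network={
        ssid="HomeNet-7c2a"
        psk="correct horse battery staple"
        key_mgmt=WPA-PSK
        priority=5
}

network={
        ssid="linksys"
        psk="s3cret"
        key_mgmt=WPA-PSK
        priority=1
}

network={
        ssid="Cafe Guest"
        key_mgmt=NONE
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)


def parse_networks(conf_text):
    """Return a list of dicts, one per network={...} block."""
    nets = []
    for body in BLOCK_RE.findall(conf_text):
        nets.append({k: v for k, _quote, v in KV_RE.findall(body)})
    return nets


def audit(conf_text):
    """Flag saved networks that a rogue AP could trivially impersonate.

    Returns a list of (ssid, reasons) tuples. Reasons:
      open        - no key management: any AP with that SSID is accepted,
                    so a rogue AP needs nothing but the name
      common-ssid - SSID is a vendor default or generic hotspot name; for a
                    WPA-PSK profile the rogue still needs the passphrase,
                    but it can at least attract association attempts
    """
    findings = []
    for net in parse_networks(conf_text):
        ssid = net.get("ssid", "")
        reasons = []
        if net.get("key_mgmt", "NONE").upper() == "NONE":
            reasons.append("open")
        if ssid.strip().lower() in COMMON_SSIDS:
            reasons.append("common-ssid")
        if reasons:
            findings.append((ssid, reasons))
    return findings


if __name__ == "__main__":
    for ssid, reasons in audit(SAMPLE_CONF):
        print(f"{ssid!r}: {', '.join(reasons)} -> forget this network or rename the AP")
```

An entry that is both open and common-named is the case the post describes: the phone will associate with any AP announcing that SSID, with no key exchange to fail.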

source?

kepke said:
source?
Background on the security problem? All over the interwebs. HERE for example, or HERE.
The suggestions and commentary are my own.

In 2.3.4 this problem is fixed. Is there any chance to use the fixed files in older android versions?
Sent from my GT-I9000 using Tapatalk

HiQ123 said:
In 2.3.4 this problem is fixed. Is there any chance to use the fixed files in older android versions?
Sent from my GT-I9000 using Tapatalk
Might be something for the devs to consider adding to their custom ROMS.

Google on the case
In an official statement, Google has said it is already rolling-out a fix for the security flaw, which could affect all Android users, except those already running Gingerbread.
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts.
"This fix requires no action from users and will roll out globally over the next few days."
Read more: http://www.techradar.com/news/phone...-security-flaw-fixing-it-957143#ixzz1N5zq1K7S

HiQ123 said:
In 2.3.4 this problem is fixed. Is there any chance to use the fixed files in older android versions?
Sent from my GT-I9000 using Tapatalk
So is 2.3.3 still at risk?

Google already fixed it on their servers. Danger averted.
Sent from my GT-I9000M
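The "sniffing" the first post refers to is passive: on an open Wi-Fi link the sync client's HTTP requests are readable as-is, and the ClientLogin token rides in an Authorization header. The following is an added example, not code from the original thread or from Android: it scans raw HTTP request text for credentials sent in the clear, the way a defender reviewing a capture from an open network would. The captured requests are constructed and the token values are made up; the header form "Authorization: GoogleLogin auth=..." is the real ClientLogin format. Tokens are reported only as a short fingerprint so the report itself does not leak them.

```python
"""Detect ClientLogin (and other bearer-style) credentials in cleartext HTTP.

Added example, not part of the original thread. Scans raw HTTP/1.x request
text as a passive observer on an open Wi-Fi network would see it. Requests
and token values below are constructed."""
import hashlib

# Constructed plaintext HTTP requests as they would appear on the wire.
CAPTURED_REQUESTS = [
    "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAMgAAAC0example1\r\n"
    "User-Agent: Android-GData/1.0\r\n\r\n",

    "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Authorization: GoogleLogin auth=DQAAAMgAAAC0example2\r\n"
    "User-Agent: Android-GData/1.0\r\n\r\n",

    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 2.3.3)\r\n\r\n",

    "GET /api/v1/status HTTP/1.1\r\n"
    "Host: api.example.net\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers dict);
    header names are lower-cased so lookups are case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def fingerprint(secret):
    """Short non-reversible handle for a credential, so a report can show
    that the same token recurs without ever logging the token itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_cleartext_credentials(requests):
    """Return one finding per request carrying a replayable credential over
    plaintext HTTP: (host, path, auth scheme, fingerprint)."""
    findings = []
    for raw in requests:
        _method, path, headers = parse_request(raw)
        auth = headers.get("authorization")
        if not auth:
            continue
        scheme, _, param = auth.partition(" ")
        if scheme == "GoogleLogin" and param.startswith("auth="):
            secret = param[len("auth="):]        # the two-week token
        elif scheme in ("Basic", "Bearer"):
            secret = param
        else:
            continue
        findings.append((headers.get("host", "?"), path, scheme, fingerprint(secret)))
    return findings


if __name__ == "__main__":
    for host, path, scheme, fp in find_cleartext_credentials(CAPTURED_REQUESTS):
        print(f"{scheme:<11} credential {fp} sent in the clear to {host}{path}")
```

Over HTTPS none of this is visible to a bystander, which is exactly what the fix Google describes later in the thread changes: the token no longer has to be on the wire in readable form.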

Related

Chrome2Phone -- Exploitable?

Had the thought that perhaps the new feature, to send your nexus a direct link from your computer, might be exploitable by some unfriendly people.
What do you all think the risks are, if any?
If it can tell your phone to open the browser and launch a website, what's to stop someone from telling your phone to buy ten thousand copies of Conan the Barbarian, or destroying itself and catching on fire. Kidding of course, but you get what I mean.
Very difficult. It'd be just as likely as someone stealing your Gmail account.
Mmm, ok. Thought I would ask
It has the potential, under the right circumstances, to be used for evil though! EVIL!
I'm not entirely sure, but from what I understand all intents go through google servers. I assume google is doing checks for malicious behaviour on their end.
Don't you have to register a phone to a gmail account and be logged into that account to send to the phone?
Haven't tried the app myself, but it wouldn't make sense any other way ;-)
You have to be logged in. And I think the info is sent via Google servers, so unless someone steals your Google account, I think you should be safe.
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
chromiumcloud said:
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
One of the things being worked on is making the phone dial a number selected in the browser. That could get interesting.
I believe that Google are running a closed beta at present too, so the only people that can write apps that use cloud messaging will have been vetted by Google.
All the components of the extension (Chrome extension, Android application and application server) are open source, so what prevents anyone from developing another extension that uses Google's cloud service to communicate with Android?
ludo218 said:
All the components of the extension (Chrome extension, Android application and application server) are open source, so what prevents anyone from developing another extension that uses Google's cloud service to communicate with Android?
All of the messages go through the Google servers
As I understand it, the application engine part of the extension (which runs on Google App Engine) registers itself to "the cloud" using the Google API. Anyone should be able to use these APIs, no?
It most certainly could be exploited. I can think of a javascript exploit that would work right now.
However the consequences of an exploit are severely limited by the security model that Android uses. Something can not run in another security context unless you allow it to.
The day "Chrome2Phone" asks for root access is the day it should be removed from your phone. Until then the most it could do is tell an app to do something that you've already allowed that app to do (which could arguably be undesirable things).
The user needs to explicitly permit all security privileges in Android remember (read that app install page with security details!). If it can do something, you've permitted it to do so.
tanman1975 said:
One of the things being worked on is making the phone dial a number selected in the browser. That could get interesting.
That is true, but if i recall correctly, when you choose a phone number link from the browser, it will bring the number up in your dialer application, but you must initiate the call with the green call button, so there is a level of security there.
Actually this could be a pretty nifty security feature. If the phone gets stolen, how great would it be to be able to enable the GPS, camera or mic? Given proper security protocols of course...
@tanman1975
Didn't think of that one. T'would be a very powerful tool against the robbers out there. Nice.

my hotmail account has been spamming people

Long story short, I have my Hotmail, along with other accounts, set up in my EVO's email client. A while back I noticed I sent myself an email about diet crap that I personally did not send, and so I dismissed it.
Well, tonight I had over a hundred mailer-daemon "unable to reach address blah blah" messages in my email inbox. I checked my sent box and sure enough my account has been mailing random people crap about diet stuff.
Anyway, I heard Android has some exploits that could be leading to our phones being involved in an exploit.
I changed my email password and it stopped doing this temporarily, but it started right back up again after a while.
Can this be related to my phone at all?
Sent from my PC36100 using XDA App
It's probably not your phone.
It's far more likely that you (or someone else in your household) clicked something you shouldn't have on a website, and have a keylogger on your computer now.
Or if you're... Uneducated enough to be running an open WiFi network (or, even more facepalm-worthy, connected to one that doesn't belong to you, and mooching off it), then someone could be picking up your plaintext passwords.
But really, biggest chance is you've got some malware on your computer. Congrats!
Your biggest issue is that you are still using hotmail...
- Change your Hotmail password from a virus-free computer or your EVO's browser.
- Run AntiMalware and an antivirus on your computer.
- Switch to Gmail
Problem solved.
Well, I know about WLAN encryption and I use WPA2 Personal. I also know how to crack WEP.
I also know about keystroke loggers; I do use them and know how to detect software versions of them.
Somehow my girlfriend gets a copy forwarded to her of email I reply to, even though there is no trace of a setting for this anywhere that I can find, which I always found suspicious, and it doesn't happen all the time. She could be spying, or maybe it's from when we tried to link our Outlook calendars and something broke.
I use Hotmail because until recently I have had zero problems, and I created this Hotmail account back in 2001 on my Dreamcast before I even knew how to turn on a PC, and now I run a computer repair shop, so it kinda has sentimental value, so I want to fix this, not throw it away. Also I have many other email addresses for work and school purposes, so email isn't anything new to me.
Last night I had my GF change my password on my Hotmail account because I was on my EVO and hotmail.com kept sending me to their mobile site and I couldn't see any settings for changing the password, and she had her laptop in her lap. Maybe her laptop is the culprit, but I doubt it; I will check into it though.
Today I changed my password for my Hotmail on my work computer. I will allow my EVO access to the new password for the sake of trying to figure out where the culprit is, and only changing one thing at a time.
Thanks for the replies. I really was hoping to hear that someone has less-than-public information about Hotmail email servers themselves being hacked, because I have friends with Hotmail accounts that started spamming me not too long before my account started spamming others.
I guess I'll use this thread to keep notes on this situation, but thanks for the replies.
zeuzinn said:
- Change your Hotmail password from a virus-free computer or your EVO's browser.
- Run AntiMalware and an antivirus on your computer.
- Switch to Gmail
Problem solved.
Yep, all I had to do was change my email password on another SAFE PC and then I was good to go. But don't discount adware programs and all.
DL and run/update
Malware bytes, Super antispyware and update and load spyware blaster. You'll be good to go.
spybot/teatimer ftw
drmacinyasha said:
It's probably not your phone.
It's far more likely that you (or someone else in your household) clicked something you shouldn't have on a website, and have a keylogger on your computer now.
Or if you're... Uneducated enough to be running an open WiFi network (or, even more facepalm-worthy, connected to one that doesn't belong to you, and mooching off it), then someone could be picking up your plaintext passwords.
But really, biggest chance is you've got some malware on your computer. Congrats!
Please don't be politically correct. :|
Stupid not uneducated. He says he knows all this, so uneducated wouldn't apply.
...
Sorry, I'm very blunt. :|
Well, my Hotmail accounts were still spamming people, and also my Yahoo account started to join in on the fun.
I changed passwords on both accounts to something very long with no dictionary words, and used numbers and symbols. And about a day later, lo and behold, I am spamming people again.
Focusing in on my Hotmail account, I can see the sent folder in my web-based GUI; I can see all these emails that my account has been sending.
I probably have questionable apps on my phone, so I thought I'd wipe my phone. Well, it's been 4 days since I have had any problems.
While I can't confirm my suspicion, I can suggest as a possibility that my phone had something that was pulling my passwords and sending them out to someone or something that would in turn log into my accounts and spam away.
I don't have time to really look into this any more thoroughly, but I thought I'd document my observations.
Sent from my PC36100 using XDA App
potna said:
Well, my Hotmail accounts were still spamming people, and also my Yahoo account started to join in on the fun.
I changed passwords on both accounts to something very long with no dictionary words, and used numbers and symbols. And about a day later, lo and behold, I am spamming people again.
Focusing in on my Hotmail account, I can see the sent folder in my web-based GUI; I can see all these emails that my account has been sending.
I probably have questionable apps on my phone, so I thought I'd wipe my phone. Well, it's been 4 days since I have had any problems.
While I can't confirm my suspicion, I can suggest as a possibility that my phone had something that was pulling my passwords and sending them out to someone or something that would in turn log into my accounts and spam away.
I don't have time to really look into this any more thoroughly, but I thought I'd document my observations.
Sent from my PC36100 using XDA App
STOP using pirated apps. That's my guess.
It was most likely an app that requests permissions to your contacts and email. There are a lot of shady apps out there and google needs to step up with this crap.
I always avoid them but it's ridiculous how many apps (themes and stupid stuff) request information.
Well, surprise surprise, it was most likely an app I got from the Market that was stealing my info. Not that I can confirm it, but most of the replies implied I was an idiot and that it couldn't possibly be my phone. I eventually got an email from Google saying I had installed something from the Market that was infected.
So it was not that I'm stoopid ignorant, it wasn't that I was using Hotmail, it wasn't that my PC was infected.
It was my phone all along.
Maybe there is a thread about this already, but I bet my topic was created first, and I thought I'd bring this thread to a conclusion.
Sent from my PC36100 using XDA App
I hate to say it, but if you downloaded an app that infected your device with malware you still are pretty stupid. Not trying to be an a**hole here, but if you actually researched the app before downloading it you could have avoided it altogether. Common sense is still the best antivirus.
Sent from my PC36100 using XDA App
This isn't malware on your phone. It's been a huge issue with hotmail for the past couple of weeks. People who use the same pass across multiple sites usually are the most vuln. Also happens when you get phished.
I have a friend that has the same thing going on with his Hotmail...hasn't been using it at all and all of a sudden I'm getting emails from him sending me links to increase my penis length...and God knows I don't need that..
I wouldn't dismiss it being phone related. I recently have been having it happen on my Hotmail account as well, and I have not logged into my Hotmail account on a computer in years; I only have it on my phone to set up Craigslist ads, Redbox rentals and small stuff like that, and use Gmail for important stuff. I don't have any pirated apps or anything, just normal stuff: 12 or so games and 15 or so other Market apps.
Same thing happened to my hotmail a while back. I changed my password and it solved the problem.
Sent from my rooted HTC EVO using the xda app!
Alright guys, stop calling the OP stupid and learn ya something yourselves. Even legitimate apps were affected; read the news every once in a while and you would know. This is just one of the many articles on the topic.
http://m.cnet.com/Article.rbml;jses...fVH2Mtw**?nid=20039881&cid=null&bcid=&bid=-83
Sent from my Supersonic Evo using Xda-app.
Last-Chance said:
This isn't malware on your phone. It's been a huge issue with hotmail for the past couple of weeks. People who use the same pass across multiple sites usually are the most vuln. Also happens when you get phished.
Exactly, it happened with my hotmail account a few months ago, and I havent used my hotmail in months.
Alright guys, stop calling the OP stupid and learn ya something yourselves. Even legitimate apps were affected; read the news every once in a while and you would know. This is just one of the many articles on the topic.
Unless you login to hotmail from your phone's browser, there is no way one of these apps could get your hotmail info.
I swear, I don't know why I take people's opinions so damn seriously around here...but for the sake of my sanity and the general level of competence of reading and having accurate postings with good conclusions, here I go again.
There were a handful of legitimate applications on the Market that were infected.
I already changed my email passwords and it didn't help.
When I formatted/re-flashed the ROM...it stopped.
I later received some notification of some Market tool that Google automatically installed and ran and "fixed the issue".
I received an email from Google telling me that a phone tied to my Gmail account may have been infected, but I already solved my issue myself, so their fix didn't apply.
How the hell can you people somehow twist this into "OP is dumb, or stupid"?
Now for a bit of my SPECULATION, and it's only that; it's not my opinion thrown at you as fact, as so many here love to do.
What are the odds that all of us Android users just happen to have our email accounts hacked? What's the one thing all of us email users have in common on these boards...Android. Just saying.
BTW, more than just my Hotmail account was hacked.
Here are some URLs that the idiots won't read, talking about what I have been trying to say:
http://www.google.com/search?q=Droi...s=org.mozilla:en-US:official&client=firefox-a
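The thread never settles whether the spam was sent from the phone, a PC, or an attacker using stolen credentials from elsewhere, but the messages in the Sent folder carry evidence that can answer that. The script below is an added example, not from the original thread or from any mail provider: it reads the headers of one of the unwanted messages, extracts the originating client address, and checks it against the address ranges the account owner actually uses. The message and the ranges are constructed (RFC 5737 documentation addresses); Hotmail historically recorded the submitting client in an X-Originating-IP header, and most mail servers record it in the first-hop Received line, which the code falls back to.

```python
"""Attribute a message sent from a webmail account to the client that sent it.

Added example, not part of the original thread. Given the raw headers of a
message from the Sent folder, it pulls the originating client address and
compares it with the ranges you know your own devices use. The message and
the ranges below are constructed."""
import email
import ipaddress
import re
from email import policy

# Constructed headers of one of the unwanted messages, as retrieved from the
# Sent folder. Received headers are listed newest-first, as MTAs write them.
SAMPLE_MESSAGE = """\
Received: from snt0-omc1-s9.example.org (203.0.113.7) by mx.example.net with ESMTP;
 Tue, 10 May 2011 03:12:44 +0000
Received: from [203.0.113.77] by snt0-omc1-s9.example.org with Microsoft SMTPSVC;
 Tue, 10 May 2011 03:12:41 +0000
X-Originating-IP: [203.0.113.77]
X-Originating-Email: [victim@example.org]
From: victim@example.org
To: friend@example.com
Subject: lose 30 pounds in 30 days!!!
Date: Tue, 10 May 2011 03:12:40 +0000
Message-ID: <20110510031240.12345@example.org>

Check this out: http://diet.example.invalid/
"""

# Address ranges the account owner uses (constructed): label -> network.
KNOWN_CLIENTS = {
    "home PC (cable)": ipaddress.ip_network("192.0.2.0/24"),
    "phone (carrier NAT pool)": ipaddress.ip_network("198.51.100.0/28"),
}

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def originating_ip(msg):
    """Prefer X-Originating-IP; otherwise take the address from the earliest
    Received header (the last one listed), which is the first hop from the
    submitting client."""
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = IP_RE.search(xoip)
        if m:
            return m.group(1)
    for hop in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(hop)
        if m:
            return m.group(1)
    return None


def attribute(raw_message, known_clients=KNOWN_CLIENTS):
    """Return (ip, label): label names the known client range the message was
    submitted from, or 'unknown client' if it matches none of them."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    ip = originating_ip(msg)
    if ip is None:
        return None, "no originating address recorded"
    addr = ipaddress.ip_address(ip)
    for label, net in known_clients.items():
        if addr in net:
            return ip, label
    return ip, "unknown client"


if __name__ == "__main__":
    ip, label = attribute(SAMPLE_MESSAGE)
    print(f"submitted from {ip}: {label}")
```

A hit on one of your own ranges points at that device (the phone or the PC) as the sender; an address you have never used, as in the constructed sample, means the credentials are being used from somewhere else, which is consistent with any of the theories in the thread (a keylogger, password reuse, or an app on the phone exfiltrating the password) and only tells you that changing the password is not enough until the leak is found.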

[MOD] Stock Mail.apk with the exchange policy removed

First off I take no credit for this at all. All credit goes to Rsotbiemrptson who is a Jedi master for creating this after many have tried and failed.
What you have here is a flashable crack to the HTC Mail.apk that will bypass any and all security administrators that may be otherwise forced onto your device when syncing to an exchange server.
To install:
1. You must remove all mail accounts that you have set up in the Mail app.
2. If you have any existing security administrators present from a previous exchange sync deactivate them.
3. Set your lock time out to none under security settings.
4. Reboot into recovery and wipe Dalvik Cache
5. Flash the attached file.
As with all mods or changes to ROMS do a complete backup in recovery.
If you find this useful please send all thanks to Rsotbiemrptson for cracking this bad boy.
Has anyone tried this?
sdorn77 said:
Has anyone tried this?
I don't really understand the point of it. Is there something wrong with Exchange on the Tbolt? Mine works fine.
Shiftyshadee said:
I don't really understand the point of it. Is there something wrong with Exchange on the Tbolt? Mine works fine.
This is for people who want to use their Exchange account on their Tbolt, but DON'T want to give their Exchange admin the ability to enforce security policies on their phone (like having to enter a PIN every time you unlock the screen). Sounds like your Exchange admin doesn't implement any of those policies, so you don't need this.
Is this something that was implemented in newer versions of Exchange? I think my company uses 2007 still. Might be why I haven't seen this.
I managed to get my Gmail, Hotmail and Windjammer Cable mail set up through Exchange on my Thunderbolt, but I kept getting sync errors where it would try to sync all three emails like every 5 seconds when the phone was operating in peak time. My battery went from like 100 to like 75 in less than 20 minutes, so I had to just delete all the email settings I changed and go back to what I had before.
Now, if I install your Mail apk, will this stop the sync errors?
Shiftyshadee said:
Is this something that was implemented in newer versions of Exchange? I think my company uses 2007 still. Might be why I haven't seen this.
It's been around since at least the 2003 version but it's all optional settings, your admin may just not have them enabled. Mine doesn't.
Jacquestrapp said:
It's been around since at least the 2003 version but it's all optional settings, your admin may just not have them enabled. Mine doesn't.
Gotcha. Thanks for clearing that up for me
This absolutely works on all DAS BAMF roms but should work on any ROM including stock. You only need this if you have exchange policies pushed to your phone by your company. If you don't know what this is you prob don't need it.
I do not know if it will fix the afore mentioned sync errors but I would doubt it.
Here's a new question. When I had CM7 on my Incredible, Exchange wanted to setup device admin rights. Now on my Tbolt with Sense I don't get asked. Any idea why?
madroix said:
This absolutely works on all DAS BAMF roms but should work on any ROM including stock. You only need this if you have exchange policies pushed to your phone by your company. If you don't know what this is you prob don't need it.
I do not know if it will fix the afore mentioned sync errors but I would doubt it.
I have installed this on DAS BAMF remix v1.4 and it does work so far. I was able to remove the PIN lock and use a pattern lock, which was not permitted before. Also, I didn't get the exchange security policy notice when I added my exchange account. Syncing appears to be working properly as well so far.
The mod is quite honestly ridiculous. What's the point of trying to have security set up and protect possibly sensitive information, when you don't want an admin to enforce security rights?
This 100% defeats the purpose that was set in place by Exchange for good reasons. I sure hope everyone understands the SERIOUS consequences of what could happen by flashing this and possibly leaking sensitive data into the wrong hands.
^^ it's a very good point. One of the problems with AS and lock screens is that with the default client and iPhones you have to pin to unlock even the phone. Nothing to do with email, just the darn phone. So everyone hates it. I use Touchdown which only requires a pin if you go to check email. But it's $20. Anyway, be careful with hacks that bypass security in a workplace. It could be cause for termination.
I love my phone, I've loved ALL my devices... Yes, I use it for work with MS Exchange email (MS Consultant), and yes the pin/password policies are annoying.
But I'm not about to risk my job over some "hassle" of 3 seconds to enter a pin. Aren't our email Administrators able to see we bypassed this or no?
oc3rulz said:
The mod is quite honestly ridiculous. What's the point of trying to have security set up and protect possibly sensitive information, when you don't want an admin to enforce security rights?
This 100% defeats the purpose that was set in place by Exchange for good reasons. I sure hope everyone understands the SERIOUS consequences of what could happen by flashing this and possibly leaking sensitive data into the wrong hands.
To be honest, if someone wanted my data or emails a stupid 4-digit PIN is not going to stop them. There are many ways of getting a person's email off of their phone without even unlocking it. This seems like it is for those small companies whose admins are security freaks, and it's really not needed. Granted, I am sure Apple would not be happy if an employee used this app or an Android phone lol
Sent from my ADR6400L using XDA Premium App
It is important to keep sensitive data secure. I think a properly set up pattern lock is as good as a 4 digit PIN. I use lookout to be able to remotely wipe if needed.
THANK YOU SO MUCH! Hats off to the dev.
Do I have to remove gmail accounts too, or just the active sync exchange accounts?
Sent from my ADR6400L using XDA App
chriskader said:
To be honest, if someone wanted my data or emails a stupid 4-digit PIN is not going to stop them. There are many ways of getting a person's email off of their phone without even unlocking it. This seems like it is for those small companies whose admins are security freaks, and it's really not needed. Granted, I am sure Apple would not be happy if an employee used this app or an Android phone lol
Sent from my ADR6400L using XDA Premium App
Let them get in hacking your password/pin, you won't be held responsible. However if you have the phone pin/password disabled and they realize this you will be terminated. They will be able to see that you are bypassing security measures, and you could have lawsuit on your hands as well.
Please don't think that I am bashing the dev; I'm simply trying to let people know that they very well could, and most likely would, lose their job and have possible legal action taken against them for using this. Cellphones are such a volatile thing anyhow, but giving them an easier way in is not a good idea, especially not while breaking company policy.
oc3rulz said:
Let them get in hacking your password/pin, you won't be held responsible. However if you have the phone pin/password disabled and they realize this you will be terminated. They will be able to see that you are bypassing security measures, and you could have lawsuit on your hands as well.
Please don't think that I am bashing the dev; I'm simply trying to let people know that they very well could, and most likely would, lose their job and have possible legal action taken against them for using this. Cellphones are such a volatile thing anyhow, but giving them an easier way in is not a good idea, especially not while breaking company policy.
Like I said, they don't even need to unlock your phone to read the emails on it. Google it.
Sent from my ADR6400L using XDA Premium App

4.4 OTA breaks certificate-based authentication support

Just upgraded my device to OTA 4.4 and Exchange services crashed every time I opened Email (I kept getting a message "Unfortunately Exchange Services stopped" repeatedly).
After deleting both the email account and the user certificate (we use certificate-based email authentication), I am unable to re-add the Exchange account back (after defining all credentials and parameters, I get a popup that says "Couldn't finish. Can't connect to server."). Additionally, I see a white triangle with an exclamation point inside in the notification bar. When I pull the bar down, the exclamation bar has a caption of "Network may be monitored by an unknown third party". When I click on that caption, I get a new pop-up saying "Network monitoring. A third party is capable of monitoring your network activity, including emails, apps and secure web sites. A trusted credential installed on your device is making this possible". There is a button underneath called "Check trusted credentials" and clicking on that takes me to a "user" portion of the trusted credentials store, where I see my corporate CA certificates.
In general, the issue of certificates issued by a non-public CA generating a "Network may be monitored" message has already been documented in several forums and there is an issue #62076 created for it. However, I suspect that "security features" introduced in KitKat are somehow preventing my device from using my certificate for email authentication (because device does not trust it). I knew I could count on Google to break the most used feature of my phone (email) and thus render it useless. Another win for the history books.
Had the same issue after updating to 4.4. In short, I had to re-push both OA and CA certificates to re-establish the authentication system for work.
aldouse said:
Had the same issue after updating to 4.4. In short, I had to re-push both OA and CA certificates to re-establish the authentication system for work.
I already tried that twice. No joy.
The most annoying part is that I also have a Nexus 10 tablet and it had ZERO problems after upgrading to KitKat (aside from the annoying "your network is being monitored" notification). This means Motorola yet again mucked with the stock Android install and broke it.
Any other ideas? I'd hate to go through a pain of reverting back to 4.3.
It'll work if you keep deleting, rebooting, then reinstalling the apk for email. At least it did for me. My company issues these certs, and I got it to work eventually.
Sent from my XT1060 using Tapatalk
So....here is what the issue is: https://code.google.com/p/android/issues/detail?id=61785
Looks like quite a lot of people are affected by this. I can't believe how sloppy Google's QA is if something as major as this was pushed out of the door.
Now I need to wait for Motorola to incorporate this fix into their build of Android, then for Verizon to "test" it and roll it out via another OTA update. In the meantime, my Moto X is as good as a brick because I can't get my corporate email/contacts/calendar on it.
Ridiculous!
Use another client
Touchdown is my client of choice and it works great with KitKat
Sent from my XT1058 using Tapatalk
mj0528 said:
Use another client
Touchdown is my client of choice and it works great with KitKat
Sent from my XT1058 using Tapatalk
+1 for touchdown... Worth the money if you rely on exchange email.
Sent from my XT1053 using Tapatalk
Network security warning cleared also
1ManWolfePack said:
It'll work if you keep deleting, rebooting, then reinstalling the apk for email. At least it did for me. My company issues these certs, and I got it to work eventually.
Can you clarify 'work'? I assume this means it is syncing. Do you still have the security warning about the certificate, or did this get cleared in your reboot/re-install cycles?
Thanks
Just wanted to update everyone - Google has stated that the issue is fixed "in a future release". One "minor" problem - there is zero information as to which release, as well as when it is going to be rolled out.
So....as of now thousands of people using private certs on Kitkat devices are still screwed and this number is growing by the day. In order to make it more convenient to pretend like the issue is minor and insignificant, Google has blocked further comments on issue 61785 after 260 people starred it, so now users that have an issue cannot even report it.
ek001 said:
In order to make it more convenient to pretend like the issue is minor and insignificant, Google has blocked further comments on issue 61785 after 260 people starred it, so now users that have an issue cannot even report it.
If the issue is resolved and Google has a rollout plan for the fix, what use is there for further bug reports or reporting? It just becomes noise in their bug tracking system. Is there a purpose for yet more people to say, "hey, yeah, I have this issue too"?
Strange, I have Exchange email set up on my Moto X 4.4 and syncing without issues.
After the pop-up, I accepted or ok'd. We're running a 2010 Exchange Server.
SYNSYNACKACK said:
Strange, I have Exchange email set up on my Moto X 4.4 and syncing without issues.
After the pop-up, I accepted or ok'd. We're running a 2010 Exchange Server.
Are you using a certificate issued by a private CA for ActiveSync authentication?
ek001 said:
Are you using a certificate issued by a private CA for ActiveSync authentication?
Under Exchange settings, Port is 443, Security type is SSL/TLS, client certificate is None.
Strange, I thought it pushed a CA though when I completed the set up.
SYNSYNACKACK said:
Under Exchange settings, Port is 443, Security type is SSL/TLS, client certificate is None.
Strange, I thought it pushed a CA though when I completed the set up.
That's the point. This issue only affects users that are using certificates issued by private CAs for ActiveSync authentication. If you are not using certificates, you would not be affected.
ek001 said:
That's the point. This issue only affects users that are using certificates issued by private CAs for ActiveSync authentication. If you are not using certificates, you would not be affected.
Not necessarily true. I use exchange email for work and although I can set up my account I cannot receive emails. I can send sometimes. But never receive.
via my slapped KIT KAT moto X
lowvolt1 said:
Not necessarily true. I use exchange email for work and although I can set up my account I cannot receive emails. I can send sometimes. But never receive.
via my slapped KIT KAT moto X
What you are experiencing is a separate issue, so please open a separate thread for it.
The issue being discussed here is a situation where an attempt to use private certificates for authentication while adding an Exchange ActiveSync account to a device running 4.4 results in a bogus "Couldn't finish. Can't connect to server." error message (while the device does not even attempt to go out and establish a connection).
binary visions said:
If the issue is resolved and Google has a rollout plan for the fix, what use is there for further bug reports or reporting? It just becomes noise in their bug tracking system. Is there a purpose for yet more people to say, "hey, yeah, I have this issue too"?
There are several reasons the thread should have remained open:
1. While Google is taking their sweet time to roll out a fix, someone may find a workaround for the issue. A workaround is certainly better than a phone with no email/contacts/calendar (and no, nobody wants to pay for and use those crappy 3rd party email clients).
2. Having 10,000+ people star a thread gives a great indication of how widespread the issue is, hopefully giving Google developers a hint that it needs to be prioritized and rolled out ASAP (as opposed to incorporating it into the next general patch release).
3. Since most handset vendors customize their Android build, the issue may not exist on every handset made by every manufacturer. Someone may report that a particular device is not suffering from this issue, thus making it safe to buy.
4. If and when the fixed version of Android is finally rolled out and the "fix" does not work, users have no way to report it, other than opening a brand new thread and wasting more resources.

[Q] Textsecure integration?

https://whispersystems.org/blog/cyanogen-integration/
The client logic is contained in a CyanogenMod system app called WhisperPush, which the system hands outgoing SMS messages to for optional delivery. The Cyanogen team runs their own TextSecure server for WhisperPush clients, which federates with the Open WhisperSystems TextSecure server, so that both clients can exchange messages with each other seamlessly. All of the code involved throughout the entire stack is fully Open Source.
"All of the code involved throughout the entire stack is fully Open Source."
So any possibility of seeing this in OmniROM?
SHAWDAH said:
https://whispersystems.org/blog/cyanogen-integration/
The client logic is contained in a CyanogenMod system app called WhisperPush, which the system hands outgoing SMS messages to for optional delivery. The Cyanogen team runs their own TextSecure server for WhisperPush clients, which federates with the Open WhisperSystems TextSecure server, so that both clients can exchange messages with each other seamlessly. All of the code involved throughout the entire stack is fully Open Source.
"All of the code involved throughout the entire stack is fully Open Source."
So any possibility of seeing this in OmniROM?
Hmm.
1) All of it would have to get reviewed for security. I know pulser has looked at some of CM's other solutions and found vulnerabilities.
2) Since it sounds like it needs some server infrastructure, it would take some time and planning before we could get it up and running.
TextSecure definitely looked interesting until seeing that it requires gapps.
wkwkwk said:
TextSecure definitely looked interesting until seeing that it requires gapps.
Yeah, it's stupid; he partially justifies it here: https://github.com/WhisperSystems/TextSecure/issues/127
He also said this
"If you want alternatives to things like GCM, you have to either build them or help the people that are. I would love to use a different push service, but they don't exist.
Likewise, if we want an alternative to Play, we have to build it. What exists now (f-droid) has a centralized trust model, so we're building something else."
Entropy512 said:
2) Since it sounds like it needs some server infrastructure, it would take some time and planning before we could get it up and running.
For whatever it is worth, Moxie Marlinspike has said that Open WhisperSystems has a TextSecure server that they will let other ROMs use. Sadly I am unable to link, but /r/Android/comments/1shejv/as_of_today_cyanogenmod_is_integrating/cdxlnck should give you the info and context you're after. I hope that helps alleviate some concerns, or at least makes this somewhat more doable--I would love to see this adopted much more widely!
I just wish they could add return receipt functionality, and fall back to SMS if data delivery doesn't provide one in a reasonable time frame.
palpitations said:
For whatever it is worth, Moxie Marlinspike has said that Open WhisperSystems has a TextSecure server that they will let other ROMs use. Sadly I am unable to link, but /r/Android/comments/1shejv/as_of_today_cyanogenmod_is_integrating/cdxlnck should give you the info and context you're after. I hope that helps alleviate some concerns, or at least makes this somewhat more doable--I would love to see this adopted much more widely!
I just wish they could add return receipt functionality, and fall back to SMS if data delivery doesn't provide one in a reasonable time frame.
Ok, that's useful.
I'll let pulser do final judgement on this. He's our resident tinfoilhatter.
I got myself a tinfoil wide-brim to match my duster...
I'll have to get a 4.4 capable phone in the future so I can get Omni.
Entropy512 said:
Ok, that's useful.
I'll let pulser do final judgement on this. He's our resident tinfoilhatter.
Resident tinfoil hat responding to duty...
The issue I've seen with this system (and I must say, it is good that work is done on this, and I commend that it has been done) is the implementation.
Once again, a solution has been made, which is smart, has good features, but is crippled in the security area, due to making things "easy to use".
The specific issue is that, from what I can see, at least right now, there is no way to tell if a message is going to be sent encrypted or unencrypted. It's no good knowing AFTER the fact - you need to know before it is sent how it will be sent.
Additionally, if you are using encryption, from what I can see, the message is actually sent over the internet. This means there is a central repository of users stored on a server somewhere. That is centralisation, centralisation is bad... As I raised back at the time, there are side-information risks.
While the new implementation may well eliminate some of these, I am not convinced this system provides the level of anonymity that some may desire. My worry is that since the original idea was conceived, where a user's phone number being available to CM was not seen as a concern, that any solution has been architected without considering every aspect of security.
Securing correspondence via SMS would be very nice to have done properly. But this is simply a "hook", that takes what you *think* is an SMS, and sends it over the internet. There are plenty of people in the world (particularly developing nations), where they have poor, or limited, access to the internet. SMS can be a lifeline for them.
There are also many places (some incredibly large), which regularly and routinely block internet services they disagree with (not at all looking at China here...) - it is important that any system works worldwide, and is resistant to easy "blocking".
I would personally prefer to see the actual messages sent over SMS... That means if you have no internet connection, you can still send the SMS. And you can do so ENCRYPTED, rather than unencrypted.
At the end of the day though, until you can tell 100% whether something will be sent encrypted or unencrypted, you can't trust a system. The server operator may also gain useful metadata in this case (though not ideal, your carrier already gets metadata for SMS).
Tl;dr, it looks nice, but we need to look at everything here, and consider that not everyone has internet access all the time. After key exchange is complete (I would like offline key exchange via NFC and QR code (on the screen) as well, for in-person identity verification), we need to ensure that a user can securely communicate without internet connectivity.
Until then, this is just a smaller rival to iMessage. And hey, maybe that's a good thing... But for my money, it's not a secure SMS system...
Thoughts welcomed.
pulser_g2 said:
Resident tinfoil hat responding to duty...
The issue I've seen with this system (and I must say, it is good that work is done on this, and I commend that it has been done) is the implementation.
Great criticism Pulser but surely this system (even with its flaws) is better than traditional SMS, where everything you send and receive is logged by your carrier?
slashslashslash said:
Great criticism Pulser but surely this system (even with its flaws) is better than traditional SMS, where everything you send and receive is logged by your carrier?
The thing is, since everything is sent via the Internet, there are plenty of other existing ways to send encrypted messages over the Internet where *you can be sure the message is encrypted*.
Pulser touched on my initial concern (which I held off on voicing until he chipped in) - To determine whether to send a cleartext SMS or send the SMS via an Internet message, the app needs to know whether the recipient is "enabled" with this service. There are two ways to do this:
1) The sender explicitly configures the app to say that recipient Y is capable of receiving encrypted SMS
2) The app does some form of peer-to-peer negotiation
3) The app sends data associating your phone number with an account on another service to a centralized server. This appears to be what CM's solution is doing. Which is kind of silly - This is an app for extremely privacy-conscious people, that is enabling widespread data collection of mappings between a users' phone number and other accounts.
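The pre-send decision that pulser and Entropy512 are describing, as an added Python example that is not part of this thread and not WhisperPush or TextSecure code: a local capability store (option 1) with out-of-band fingerprint verification, a central directory (option 3) that records what its operator learns from every lookup, and a send path that classifies the transport and fails closed before anything leaves the device. All class and function names, the phone numbers and the sample keys are constructed for the illustration.

```python
"""Pre-send transport decision for an "SMS over data" messenger (added example)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Transport(Enum):
    ENCRYPTED_DATA = "encrypted, over the data channel"
    PLAINTEXT_SMS = "plaintext SMS via the carrier"
    REFUSED = "not sent: recipient capability unknown"


@dataclass
class Recipient:
    number: str
    identity_key: Optional[bytes] = None  # recipient's public identity key, if we hold one
    verified: bool = False                # fingerprint compared out of band (QR code / NFC)


def fingerprint(identity_key: bytes) -> str:
    """Short hex digest of an identity key: the value two people compare in person."""
    return hashlib.sha256(identity_key).hexdigest()[:32]


def verify_out_of_band(r: Recipient, scanned: str) -> bool:
    """Mark the recipient verified only if a fingerprint obtained out of band
    (e.g. scanned from the other phone's screen) matches the key we hold."""
    if r.identity_key is None:
        r.verified = False
        return False
    r.verified = hmac.compare_digest(fingerprint(r.identity_key), scanned)
    return r.verified


class LocalCapabilityStore:
    """Option 1: recipients the user explicitly marked as capable. Nothing leaves the device."""

    def __init__(self) -> None:
        self._by_number: dict[str, Recipient] = {}

    def add(self, r: Recipient) -> None:
        self._by_number[r.number] = r

    def get(self, number: str) -> Optional[Recipient]:
        return self._by_number.get(number)


class CentralDirectory:
    """Option 3: a server-side number -> key directory. Every lookup tells the operator
    which number asked about which number; that is the metadata cost of this design."""

    def __init__(self, registry: dict[str, bytes]) -> None:
        self._registry = registry
        self.query_log: list[tuple[str, str]] = []  # (asker, asked_about)

    def lookup(self, asker: str, number: str) -> Optional[Recipient]:
        self.query_log.append((asker, number))
        key = self._registry.get(number)
        return Recipient(number, key) if key else None


def choose_transport(r: Optional[Recipient], *, require_verified: bool = True,
                     allow_plaintext_fallback: bool = False) -> Transport:
    """Decide the transport BEFORE anything is sent; fail closed unless the user opted in."""
    if r is not None and r.identity_key is not None and (r.verified or not require_verified):
        return Transport.ENCRYPTED_DATA
    if allow_plaintext_fallback:
        return Transport.PLAINTEXT_SMS
    return Transport.REFUSED


def send(r: Optional[Recipient], text: str, **policy) -> tuple[Transport, Optional[str]]:
    """Return the decision the UI must show before the message leaves the device,
    plus the wire payload (None when the send is refused)."""
    t = choose_transport(r, **policy)
    if t is Transport.REFUSED:
        return t, None
    if t is Transport.ENCRYPTED_DATA:
        # Stand-in for real session encryption: the point here is the decision, not the cipher.
        payload = "ENC[" + hashlib.sha256(r.identity_key + text.encode()).hexdigest()[:16] + "]"
        return t, payload
    return t, text


if __name__ == "__main__":
    # Constructed sample data: we hold a key for "alice"; "bob" is unknown to us.
    store = LocalCapabilityStore()
    alice = Recipient("+15550100", identity_key=b"alice-identity-key-sample")
    store.add(alice)
    verify_out_of_band(alice, fingerprint(b"alice-identity-key-sample"))
    print(send(store.get("+15550100"), "hi"))                                 # encrypted
    print(send(store.get("+15550199"), "hi"))                                 # refused, fail closed
    print(send(store.get("+15550199"), "hi", allow_plaintext_fallback=True))  # plaintext, shown first
```

The shape worth noticing is that `send` returns the transport classification together with the payload, so a client can display "this will go out as plaintext SMS" before the message leaves rather than after; with the defaults an unverified or unknown recipient is refused, and the `CentralDirectory.query_log` makes visible exactly the mapping data that a server-side lookup hands to whoever runs it.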
Stay away from this app and developer, who in my view, has been compromised. In the latest release (which I compiled about an hour ago), he removed the ability of the user to regenerate the identity key. In the last couple of releases, the app would crash unless you allow it to use the internet. He also introduced Google Cloud Pushing services, which means that everyone who is using TextSecure will be recorded in a centralized Google/NSA database. That is if you compiled the app from the source. If you download the app from the store, you wouldn't be able to use it at all without a Google account and GSF. Having GSF defeats any encryption as every keystroke is recorded and regularly submitted Home (Google/NSA). Stay away and look for alternatives. I am checking the Tinfoil SMS app.
optimumpro said:
Stay away from this app and developer, who in my view, has been compromised. In the latest release (which I compiled about an hour ago), he removed the ability of the user to regenerate the identity key. In the last couple of releases, the app would crash unless you allow it to use the internet. He also introduced Google Cloud Pushing services, which means that everyone who is using TextSecure will be recorded in a centralized Google/NSA database. That is if you compiled the app from the source. If you download the app from the store, you wouldn't be able to use it at all without a Google account and GSF. Having GSF defeats any encryption as every keystroke is recorded and regularly submitted Home (Google/NSA). Stay away and look for alternatives. I am checking the Tinfoil SMS app.
Stop spreading your uninformed opinion everywhere.
I answered each and every one of your "arguments" in your original thread:
http://forum.xda-developers.com/showpost.php?p=51818980&postcount=10