Related
The Vulnerability
In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.
That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
the list of user accounts, including email addresses and sync status for each
last known network and GPS locations and a limited previous history of locations
phone numbers from the phone log
SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.
But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):
active notifications in the notification bar, including notification text
build number, bootloader version, radio version, kernel version
network info, including IP addresses
full memory info
CPU info
file system info and free space on each partition
running processes
current snapshot/stacktrace of not only every running process but every running thread
list of installed apps, including permissions used, user ids, versions, and more
system properties/variables
currently active broadcast listeners and history of past broadcasts received
currently active content providers
battery info and status, including charging/wake lock history
and more
Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:
ACCESS_COARSE_LOCATION Allows an application to access coarse (e.g., Cell-ID, WiFi) location
ACCESS_FINE_LOCATION Allows an application to access fine (e.g., GPS) location
ACCESS_LOCATION_EXTRA_COMMANDS Allows an application to access extra location provider commands
ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks
BATTERY_STATS Allows an application to collect battery statistics
DUMP Allows an application to retrieve state dump information from system services.
GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service
GET_PACKAGE_SIZE Allows an application to find out the space used by any package.
GET_TASKS Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
READ_LOGS Allows an application to read the low-level system log files.
READ_SYNC_SETTINGS Allows applications to read the sync settings
READ_SYNC_STATS Allows applications to read the sync stats
Theoretically, it may be possible to clone a device using only a small subset of the information leaked here.
I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door. For a more technical explanation, see the section below.
Additionally, and the implications of this could end up being insignificant, yet still very suspicious, HTC also decided to add an app called androidvncserver.apk to their Android OS installations. If you're not familiar with the definition of VNC, it is basically a remote access server. On the EVO 3D, it was present from the start and updated in the latest OTA. The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely? I'm sure we'll know soon enough - HTC, care to tell us what it's doing here?
Technical Details
In addition to Carrier IQ (CIQ) that was planted by HTC/Sprint and prompted all kinds of questions a while ago, HTC also included another app called HtcLoggers.apk. This app is capable of collecting all kinds of data, as I mentioned above, and then... provide it to anyone who asks for it by opening a local port. Yup, not just HTC, but anyone who connects to it, which happens to be any app with the INTERNET permission. Ironically, because a given app has the INTERNET permission, it can also send all the data off to a remote server, killing 2 birds with one stone permission.
In fact, HtcLogger has a whole interface which accepts a variety of commands (such as the handy :help: that shows all available commands). Oh yeah - and no login/password are required to access said interface.
Furthermore, it's worth noting that HtcLogger tries to use root to dump even more data, such as WiMax state, and may attempt to run something called htcserviced - at least this code is present in the source:
/system/xbin/su 0 /data/data/com.htc.loggers/bin/htcserviced
HtcLoggers is only one of the services that is collecting data, and we haven't even gotten to the bottom of what else it can do, let alone what the other services are capable of doing. But hey - I think you'll agree that this is already more than enough.
Patching The Vulnerability
... is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk).
Stay safe and don't download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.
Affected Phones
Note: Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe.
EVO 4G
EVO 3D
Thunderbolt
EVO Shift 4G? (thanks, pm)
MyTouch 4G Slide? (thanks, Michael)
the upcoming Vigor? (thanks, bjn714)
some Sensations? (thanks, Nick)
View 4G? (thanks, Pat)
the upcoming Kingdom? (thanks, Pat)
most likely others - we haven't verified them yet, but you can help us by downloading the proof of concept above and running the APK
HTC's Response
After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public (as per RF full disclosure Policy). In my experience, lighting fire under someone's ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry. (This is where we come in.)
As far as we know, HTC is now looking into the issue, but no statement has been issued yet.
HTC, you got yourself into this mess, and it's now up to you to climb out of the hole as fast as possible, in your own interest.
The ball is in your court.
Credit
ANDROID POLICE
Huge thank you to Trevor Eckhart who found the vulnerability and Justin Case for working with us today digging deeper.
Hi there, I need help, someone is consistently hacking into my phone, htc evo 4g, they are penetration testers and pc savvy, currently I cant login to the phn for trying to do a factory reset. They kept intercepting me and now my password does not work. Who knows maybe they changed it on their side. I wrote down everything I saw. I was seeing all these process running for the same app. in my applications. My phone was getting hot, freezes but its people that live in my apt complex and at work. can you help?
zzm5 said:
Hi there, I need help, someone is consistently hacking into my phone, htc evo 4g, they are penetration testers and pc savvy, currently I cant login to the phn for trying to do a factory reset. They kept intercepting me and now my password does not work. Who knows maybe they changed it on their side. I wrote down everything I saw. I was seeing all these process running for the same app. in my applications. My phone was getting hot, freezes but its people that live in my apt complex and at work. can you help?
Click to expand...
Click to collapse
Is your device rooted?
I used root explorer and removed the HtcLoggers.apk and other than the forced close loop that removing it caused (requiring me to remove the battery), after rebooting all seems to be working fine.
EDIT: Actually I didn't just delete HtcLoggers.apk but moved it to a safe location on the SD Card in case there was a problem and it needed to be restored. I highly suggest you do this instead of just deleting it, or better yet, a nandroid backup.
there are a few good ROMS out there that have the ICQ loggers removed already.
Do we really need three threads on the front page about the same thing?
Anyone playing with 4.2 yet?
Second and subsequent users seem to have to go through some kind of set up. Can they/do they need to use a Google Account they already have on another device? Is it a good idea for them to do so?
WibblyW said:
Anyone playing with 4.2 yet?
Second and subsequent users seem to have to go through some kind of set up. Can they/do they need to use a Google Account they already have on another device? Is it a good idea for them to do so?
Click to expand...
Click to collapse
was just playing around on mine yeah it seems it's set up as another user (inc google sync everything) what i was hoping for was like a guest account that could browse the web use some of the apps (according to a whitelist or something) say im with some friends and am streaming music and want to be able to let them use it without giving them access to my email and other stuff?
sadly not to be i fear unless someone can allay my fears?
Looks like you have to emulate a guest user by pre configuring them as a 'dummy' account, with dummy email etc.
Would be difficult to get them access your paid apps though. And what if you set up free apps under that account? Are re downloaded and take up space? That would be a bummer for big apps like games.
WibblyW said:
Looks like you have to emulate a guest user by pre configuring them as a 'dummy' account, with dummy email etc.
Would be difficult to get them access your paid apps though. And what if you set up free apps under that account? Are re downloaded and take up space? That would be a bummer for big apps like games.
Click to expand...
Click to collapse
exactly want to show the thing off but don't want to have to stand over them making sure they don't go rooting around
WibblyW said:
Looks like you have to emulate a guest user by pre configuring them as a 'dummy' account, with dummy email etc.
Would be difficult to get them access your paid apps though. And what if you set up free apps under that account? Are re downloaded and take up space? That would be a bummer for big apps like games.
Click to expand...
Click to collapse
How is this going to be managed then?
Good Point !
Wilks3y said:
How is this going to be managed then?
Good Point !
Click to expand...
Click to collapse
I've tried that out with my girlfriends account and it seems like if you download an app, which you already have on your device, it "installs" it almost immediately. There is no re-download of the file. However, if you start the app you'll see a new instance of it, without any data taken from your other account. Maybe there are some apps which keep their settings but those which I've testet so far seem to start naked. This will mean that the app itself will only stored once, the data like savegames etc. is stored per user.
What bugs me is that there seems no way (maybe with root) to access the internal storage area of the other user. As example, I have some movies stored on my device and I can only access them in the account which was active, when I copied the files to the device.
Edit:
BOOOM: Here we go. Tried to install the facebook app on two users and got the following message:
"You cannot install this app because another user has already installed an incompatible version on this device"
Seems like Google adding this feature is only one part of the story. I think there are quite a lot apps out there which will run into the same issue.
Edit2:
Looked a little bit deeper into this and found out, that this was NOT caused by an incompatibility issue from the facebook app itself. I've modified the apk (for testing purposes, don't use facebook much) with "AppGuard" and installed it outside of the google play store. As I tried to reinstall the facebook app from the play store I ran into the previous described error message.
So am I correct in thinking there will be no way to "make apps available" to all users? I thought this would be a great tool for my son, so i can basically say you can have access to these 10 games and that's it. but if i have to add my google account then "install" each game that's going to be a pain in the arse!
Is there no resource documentation on this? I looked I could not find anything on google that addressed apps really at all.
Each user appears to get a their own "home" directory created in /mnt/shell/emulated.
Default user dir is "0"
Second user dir is "10"
Each contain the standard dir's from 4.1 and earlier.
I took a CWM nandroid backup immediately after upgrading and the clockworkmod folder is in the same directory, so I'm guessing that any app that uses the old-style home path will need updating.
since adding the second user SuperSu has had issues - hangs & then crash, and the Settings app crashed - if I have time I'll revert to stock, upgrade again, and then add another account without rooting & installing supersu/busybox et al.
(sorry about my chinglish )
So here's how:I locked my nexus10 and forgot the password, and I do not see the "Forgotten" button on the screen and also I didn't turn USB debugging mode on, so is there any possibility I can save my data instead of cleaning them up? Thank you (btw, I deleted the original recover files(because I once booted Ubuntu Touch on it) how can I reset it anyway?) Tanks a lot
EX_RIVER said:
(sorry about my chinglish )
So here's how:I locked my nexus10 and forgot the password, and I do not see the "Forgotten" button on the screen and also I didn't turn USB debugging mode on, so is there any possibility I can save my data instead of cleaning them up? Thank you (btw, I deleted the original recover files(because I once booted Ubuntu Touch on it) how can I reset it anyway?) Tanks a lot
Click to expand...
Click to collapse
If you have TWRP (not sure about Clockworkmod), "Factory Reset" will leave personal files on while clearing settings, custom apps, etc. FORTUNATELY, there is no way to bypass, other than resetting the device, the password for security reasons
dibblebill said:
If you have TWRP (not sure about Clockworkmod), "Factory Reset" will leave personal files on while clearing settings, custom apps, etc. FORTUNATELY, there is no way to bypass, other than resetting the device, the password for security reasons
Click to expand...
Click to collapse
Pretty sure that's not true, strictly speaking. Unless OP is talking about encryption, flashing a new ROM over top will preserve most user data saved on /sdcard (much to my annoyance).
Rirere said:
Pretty sure that's not true, strictly speaking. Unless OP is talking about encryption, flashing a new ROM over top will preserve most user data saved on /sdcard (much to my annoyance).
Click to expand...
Click to collapse
You are correct. I forgot that circumstance. TWRP specifically excludes the data/media area
Sent from my Samsung Galaxy Victory via XDA Developers App
dibblebill said:
You are correct. I forgot that circumstance. TWRP specifically excludes the data/media area
Sent from my Samsung Galaxy Victory via XDA Developers App
Click to expand...
Click to collapse
I mean, it's useful because if you flub a flash you can use a backup, but these recoveries are not secure and aren't designed to be.
EX_RIVER said:
(sorry about my chinglish )
So here's how:I locked my nexus10 and forgot the password, and I do not see the "Forgotten" button on the screen and also I didn't turn USB debugging mode on, so is there any possibility I can save my data instead of cleaning them up? Thank you (btw, I deleted the original recover files(because I once booted Ubuntu Touch on it) how can I reset it anyway?) Tanks a lot
Click to expand...
Click to collapse
USB debugging isn't required for ~all~ USB stuff, so you should try it anyways.
Then, as long as you still know your Google password you can install this to your Nexus, via the web (no log on to device actually needed):
http://www.androidlost.com/
I haven't actually tried or used that program, so cant say 100% it will work on N10 - but "in general" it seems like it should!
:good:
bigmatty said:
USB debugging isn't required for ~all~ USB stuff, so you should try it anyways.
Then, as long as you still know your Google password you can install this to your Nexus, via the web (no log on to device actually needed):
http://www.androidlost.com/
I haven't actually tried or used that program, so cant say 100% it will work on N10 - but "in general" it seems like it should!
:good:
Click to expand...
Click to collapse
I don't know if AndroidLost can unlock a device, and he doesn't seem to have lost it either. Unless an app had root/device admin access, I can't imagine that it would have the privileges necessary to remove authentication from a device (since that seems to be the pinnacle of bad security). Secure Settings + Tasker can do it, but you need to set that up beforehand.
Rirere said:
I don't know if AndroidLost can unlock a device, and he doesn't seem to have lost it either. Unless an app had root/device admin access, I can't imagine that it would have the privileges necessary to remove authentication from a device (since that seems to be the pinnacle of bad security). Secure Settings + Tasker can do it, but you need to set that up beforehand.
Click to expand...
Click to collapse
It says it can:
Lock the phone
You can lock and unlock the phone from the web. If you forget your pincode you can simply overwrite it or remove it from the web
bigmatty said:
It says it can:
Lock the phone
You can lock and unlock the phone from the web. If you forget your pincode you can simply overwrite it or remove it from the web
Click to expand...
Click to collapse
I don't think this means what you think it means (and I could be wrong). Many security apps like avast! offer a similar "locking" functionality, where the normal lockscreen (whatever security it is) is covered by a second lockscreen, superimposed over all system UI elements to prevent access. This lockscreen is controlled by the app, but it will not affect any underlying security (basically, think of it as a replacement lockscreen for security reasons, not much unlike HoloLocker or Go Launcher's lockscreen).
Rirere said:
I don't think this means what you think it means (and I could be wrong). Many security apps like avast! offer a similar "locking" functionality, where the normal lockscreen (whatever security it is) is covered by a second lockscreen, superimposed over all system UI elements to prevent access. This lockscreen is controlled by the app, but it will not affect any underlying security (basically, think of it as a replacement lockscreen for security reasons, not much unlike HoloLocker or Go Launcher's lockscreen).
Click to expand...
Click to collapse
I don't know man, and like I said I've never tried it. But its a super popular app, and has been featured in write ups. On their main page it states that text, as the fifth "main feature" which seems pretty straight forward to mean "the main lock screen"...
bigmatty said:
I don't know man, and like I said I've never tried it. But its a super popular app, and has been featured in write ups. On their main page it states that text, as the fifth "main feature" which seems pretty straight forward to mean "the main lock screen"...
Click to expand...
Click to collapse
No good, sorry. You're right on one count-- I just tested it, and it does interact with the stock lockscreen. Unfortunately, as I said earlier, unless the app is granted root/device admin privileges, no Android app can change the stock lockscreen...and since OP can't get into his device, he can't grant it device admin.
Rirere said:
No good, sorry. You're right on one count-- I just tested it, and it does interact with the stock lockscreen. Unfortunately, as I said earlier, unless the app is granted root/device admin privileges, no Android app can change the stock lockscreen...and since OP can't get into his device, he can't grant it device admin.
Click to expand...
Click to collapse
Nice on the testing! Too bad about the unlock. Perhaps he can still use it to offload his content though.
Did you try to "push" it to your device w/out installing it direct? I have wondered if I should pre-load this app on my devices, but "they" tout its remote-install-ablity, so I somewhat feel like I would not have to pre-install. (But then again, Im always apprehensive of claims that make things seem super easy.)
EDIT: Hmmm.... I see it requires "SMS" to install this on a device via Push - so I guess it NEEDS to be pre-loaded on a N10 if one wishes to use it to retrieve a lost N10, or even use it in this context! Now to decide if I install this or not...
bigmatty said:
Nice on the testing! Too bad about the unlock. Perhaps he can still use it to offload his content though.
Did you try to "push" it to your device w/out installing it direct? I have wondered if I should pre-load this app on my devices, but "they" tout its remote-install-ablity, so I somewhat feel like I would not have to pre-install. (But then again, Im always apprehensive of claims that make things seem super easy.)
Click to expand...
Click to collapse
I installed direct. I use Cerberus (and before that, avast! Anti-Theft) to help secure my devices, but these things are all a game of chance. My advice: completely disregard remote-install abilities. If you're going to use this kind of service, it really doesn't make any sense not to install it yourself, where you can change your preferences (such as install to /system or rename the application) to work for you.
The bigger problem is that, obviously, six hundred million things could go wrong. I noticed that AndroidLost noted that they were using Google to push messages, which indicates that they're using C2DM (unlikely, it's deprecated) or GCM push services, which require your phone being connected to a network (itself a big assumption) that will allow Google's ports to send traffic. This excludes no small number of places, particularly corporate networks (and many schools as well). It also looks like one of the wakeup methods if SMS, which is not only noticeable (to a thief), but potentially may be intercepted by other apps on the phone (such as an alternative SMS app).
The idea is that these apps intercept and delete any command SMS before any other app, but in practice this doesn't always happen. So test your setup before something happens!
Rirere said:
I installed direct. I use Cerberus (and before that, avast! Anti-Theft) to help secure my devices, but these things are all a game of chance. My advice: completely disregard remote-install abilities. If you're going to use this kind of service, it really doesn't make any sense not to install it yourself, where you can change your preferences (such as install to /system or rename the application) to work for you.
The bigger problem is that, obviously, six hundred million things could go wrong. I noticed that AndroidLost noted that they were using Google to push messages, which indicates that they're using C2DM (unlikely, it's deprecated) or GCM push services, which require your phone being connected to a network (itself a big assumption) that will allow Google's ports to send traffic. This excludes no small number of places, particularly corporate networks (and many schools as well). It also looks like one of the wakeup methods if SMS, which is not only noticeable (to a thief), but potentially may be intercepted by other apps on the phone (such as an alternative SMS app).
The idea is that these apps intercept and delete any command SMS before any other app, but in practice this doesn't always happen. So test your setup before something happens!
Click to expand...
Click to collapse
Thanks for the info, I will look into Cerberus. I am assuming you would recommend that as you are currently using it? Do you think its better than AndroidLost, even though you haven't spent as much time w/ AndroidLost?
bigmatty said:
Thanks for the info, I will look into Cerberus. I am assuming you would recommend that as you are currently using it? Do you think its better than AndroidLost, even though you haven't spent as much time w/ AndroidLost?
Click to expand...
Click to collapse
I like it a lot more, but I will admit I personally liked avast! better. Its uncertain future (plus a nice promotion) led me to jump ship to Cerberus. I'd have to play around with it a bit more to be sure though.
Rirere said:
No good, sorry. You're right on one count-- I just tested it, and it does interact with the stock lockscreen. Unfortunately, as I said earlier, unless the app is granted root/device admin privileges, no Android app can change the stock lockscreen...and since OP can't get into his device, he can't grant it device admin.
Click to expand...
Click to collapse
Yep, you're right I can't get root under this situation, thanks a lot I'm trying to figure out how to save my data mow
EX_RIVER said:
Yep, you're right I can't get root under this situation, thanks a lot I'm trying to figure out how to save my data mow
Click to expand...
Click to collapse
It's not root you need per se, it's device admin. But root isn't an easy option for you either, because unlocking your bootloader will hose your data. I also think most of the locked-bootloader exploits require the device to be on and unlocked. If you're signed into your Google account, you should have a fair degree of stuff backed up already-- what sorts of data are you trying to save?
Rirere said:
It's not root you need per se, it's device admin. But root isn't an easy option for you either, because unlocking your bootloader will hose your data. I also think most of the locked-bootloader exploits require the device to be on and unlocked. If you're signed into your Google account, you should have a fair degree of stuff backed up already-- what sorts of data are you trying to save?
Click to expand...
Click to collapse
Mostly..........Photos and videos
EX_RIVER said:
Mostly..........Photos and videos
Click to expand...
Click to collapse
...do you have a Google+ account? Slash have you ever opened the app? If so, you might actually be in luck and your data should have been backed up to your Google+ (or PicasaWeb if you prefer).
I'm hoping someone can point me in the right direction after spending a day reading about mobile phone security. I'm still confused as to what an app can do and how I can limit access. Some answers or a point in the right direction for more information would be helpful.
Apps that are granted permission "Modify/Delete SD Card" can pretty much read/write anything on my device? Could an app go through my sd card and see files, for example, music, movies, other data from different apps; file names/content? I have about 35 apps running on my phone with this access. I'd rather not leave it to "how much I trust the developer" and have some means to limit access to data.
I don't keep national security secrets on my nexus but there is work and personal information that is sensitive and I wouldn't want shared. It looks like if I use android to encrypt my data it only encrypts the /data folder and there doesn't seem to be much in there.
What about securing contact and calendar data? Is this possible? Not as critical as guarding my file data, but still important to me. Thanks.
Yes, files on the external sdcard are not protected, I.e. all apps which have the right to read/write sdcard can read/write everything there. One reason is just the filesystem type: on FAT you don't have access rights. On internal /sdcard it's a bit different, because it's using ext4 as a filesystem, so principally not all apps can read everything, but also here you have the problem that for example the camera, the gallery app, ... need access to the same files and directories. So at the moment you need to trust the apps in a certain way or not to install it at all.
Sent from my Nexus 7 using xda app-developers app
While it is difficult for someone with limited tech experience, it is plausible to protect your data with measures like XPrivacy or PDroid.
However, if you're looking for an answer without jumping through a few technical hoops, there aren't many good ones unfortunately. The best bet is as you already suggested, that is to be smart about where you browse the net, and only install trusted apps. Always think twice and review permissions carefully for any app even if it's from the Play Store.
And don't forget encryption only works similar to a house door. It's only good if you keep it locked. But if you let the bad guys into your house (i.e., installing a naughty app), it doesn't protect you much. It only keeps them out so long as you don't let them in (physical access). P.S. I'm assuming you're talking about the stock android encryption not actually having individual encrypted files on your device if not then ignore this paragraph (although I'm sure some will disagree that even having SHA-512 AES encrypted files with a extremely complex and long passwords is still not enough to protect data once a malicious user gets their hands on that file.)
Even on the internal SD card, it looks like once I give an app access to "modify/delete" the entire sd card is exposed; did I understand that correctly? It looks like grant access to everything or nothing.
After reading this:
http://appanalysis.org/
It seems that even trusted developers can't be trusted. I don't consider myself a novice user but I'm really surprised at how exposed the data is on phones and tablets. Its like leaving money on your front porch and hoping it isn't too tempting for someone to walk though a broken gate and grab.
Any idea what WP, iOS or BB10 offer in the way of data protection?
TheAltruistic said:
While it is difficult for someone with limited tech experience, it is plausible to protect your data with measures like XPrivacy or PDroid.
However, if you're looking for an answer without jumping through a few technical hoops, there aren't many good ones unfortunately. /QUOTE]
XPrivacy looks good, might be worth rooting for that app.
I'm not as concerned with an app downloading files and using a high level attack on my data. I am concerned about an app where the developer decides to go through my contacts, photos, and files which are unlocked and easily viewed. Then sell the data to whomever that can do whatever. No effort required, no ability to know the data was even accessed and no ability to lock the data. I think like most things, if there is more than a slight effort needed to access the data, they'll move on to something else.
I see Google offers encryption but I can't find information on exactly what is encrypted and if I install an app with say permission to contacts does that give them encrypted access to all contacts? For example, a program that can add a contact via sms I don't want to allow it to read all my contacts, just add a new one.
Maybe Android isn't the right platform for me.
Click to expand...
Click to collapse
mgerbasio said:
TheAltruistic said:
While it is difficult for someone with limited tech experience, it is plausible to protect your data with measures like XPrivacy or PDroid.
However, if you're looking for an answer without jumping through a few technical hoops, there aren't many good ones unfortunately. /QUOTE]
XPrivacy looks good, might be worth rooting for that app.
I'm not as concerned with an app downloading files and using a high level attack on my data. I am concerned about an app where the developer decides to go through my contacts, photos, and files which are unlocked and easily viewed. Then sell the data to whomever that can do whatever. No effort required, no ability to know the data was even accessed and no ability to lock the data. I think like most things, if there is more than a slight effort needed to access the data, they'll move on to something else.
I see Google offers encryption but I can't find information on exactly what is encrypted and if I install an app with say permission to contacts does that give them encrypted access to all contacts? For example, a program that can add a contact via sms I don't want to allow it to read all my contacts, just add a new one.
Maybe Android isn't the right platform for me.
Click to expand...
Click to collapse
Heh don't give up. To be honest at least android tells you when it grants a program certain permissions unlike some other OSes where you're in the dark in terms of security.
As far as I know, and I'm assuming we're talking about the same thing, the type of encryption Android offers only prevents people from gaining unauthorized access to your data if your device is mounted or accessed when your lock screen is up. (I'm sure someone will correct me if I'm wrong--please do). But if your device is not password protected (e.g., you set lock password to lock every hour and they get it when it's unlocked) then your data can potentially be compromised.
This encryption does not, however, protect your data as you're browsing the internet, or running apps like facebook.
If you're looking for something to protect your data from say facebook finding your GPS location without your permission, or accessing your contacts and doing God knows what with it, then XPrivacy and PDroid (links above) is your answer, and I'd say that's awesome.
I may not play around with an iPhone / iOS enough, but I'm confident enough to say that they don't offer the same privacy protection even from Cydia that you can get from communities like here on XDA. Perhaps for iOS users, ignorance is bliss?
Click to expand...
Click to collapse
TheAltruistic said:
mgerbasio said:
Heh don't give up. To be honest at least android tells you when it grants a program certain permissions unlike some other OSes where you're in the dark in terms of security.
Click to expand...
Click to collapse
Thanks again. I appreciate the comments.
All I'm really looking to do is prevent an app downloading all my contacts, photos, movies, files, etc. I have some work data on my tablet that isn't confidential but it is what I would call sensitive. Actually, I rarely use external memory, mostly just use in internal sd card.
It seems all the "good apps" grab more permissions than they need or, the permission they do need to operate gives them way more access than I'd like. I'm not so concerned that I'd start using Tor or duckduckgo, but just trusting a developer with an open door to data is more than I can to leave to chance.
From what I've been reading the sandboxing in iOS and WP provide good security and in BB you can remove permissions from apps; BB10 is still the most secure if you can believe the internet articles. I'd like to see Google make it more clear as to what encryption actually allows and prevents.
There seems to be apps that button up a lot of holes, like photos, but there still are gaping holes.
Click to expand...
Click to collapse
Hi guys,
Any progress? I use PDroid on my smartphone and find it unnerving to see how much and how often data is accessed not only by third party apps but by Google itself. With PDroid you can restrict permissions without bricking the app because it can provide fake data rather than none. I have to say that I am not entirely happy with it though. I hope that Firefox OS will have success in stopping the appification of our devices. Data wise, it is much safer to use web-based services than app-based services.
I think Google's Android is so successful with developers (also) because they can gather so much data. Our smartphones are unfortunately "data gold mines" for the ICT industry.
If you have any progress in improving privacy, safety and security of the Nexus 7 than I'd be happy to read about it.
Okay, so this is a difficult one. I'm not even sure if this is possible, as it's so specific and probably will not get the responses I want for this... but here goes.
I am trying to retrieve the data (passwords, history, settings, etc.) from Vivaldi web browser. Here's the problem: it's not easy to locate. On Windows and Linux, I can just go through the file system and see it there; it will even appear in my user data directories. On Android, however, it's a whole different ball of wax. I go to SDCARD/Android/data/com.vivaldi.browser only to find that nothing is there. I then do some web searching to find out that it may be stored in ROOT/data/data/, which is a problem because I can't access it normally. For most everything beyond user folders, I need root access. Pulling with ADB does nothing, as I get the does not have sufficient permissions error. To top it all off, I then go to vivaldi://about and find that it may actually store the stuff in /data/user/0/com.vivaldi.browser! It too is inaccessible.
Now, this is my friend's Tab A. I have had experience in root before, but it often ends up with me fiddling with patches in order to get stubborn apps to ignore the fact that it is rooted, and even THEN some apps don't work well at all because of things I've done on the system level. Therefore, I am very wary about rooting, but I don't know what else to do. Is there ANY WAY, other than rooting, that I can retrieve all the browser data files I want access to, so I don't potentially damage or even brick my friend's device? Is there something besides root that I can install or use that will override the device restrictions, or perhaps there is a better way to retrieve the data? I am well aware of Sync, but my friend doesn't want a Vivaldi account. I also know that passwords can be exported as text, but I also would like to import them onto another Android device (ANY Android device) where Vivaldi will be installed.
HarvHouHacker said:
Okay, so this is a difficult one. I'm not even sure if this is possible, as it's so specific and probably will not get the responses I want for this... but here goes.
I am trying to retrieve the data (passwords, history, settings, etc.) from Vivaldi web browser. Here's the problem: it's not easy to locate. On Windows and Linux, I can just go through the file system and see it there; it will even appear in my user data directories. On Android, however, it's a whole different ball of wax. I go to SDCARD/Android/data/com.vivaldi.browser only to find that nothing is there. I then do some web searching to find out that it may be stored in ROOT/data/data/, which is a problem because I can't access it normally. For most everything beyond user folders, I need root access. Pulling with ADB does nothing, as I get the does not have sufficient permissions error. To top it all off, I then go to vivaldi://about and find that it may actually store the stuff in /data/user/0/com.vivaldi.browser! It too is inaccessible.
Now, this is my friend's Tab A. I have had experience in root before, but it often ends up with me fiddling with patches in order to get stubborn apps to ignore the fact that it is rooted, and even THEN some apps don't work well at all because of things I've done on the system level. Therefore, I am very wary about rooting, but I don't know what else to do. Is there ANY WAY, other than rooting, that I can retrieve all the browser data files I want access to, so I don't potentially damage or even brick my friend's device? Is there something besides root that I can install or use that will override the device restrictions, or perhaps there is a better way to retrieve the data? I am well aware of Sync, but my friend doesn't want a Vivaldi account. I also know that passwords can be exported as text, but I also would like to import them onto another Android device (ANY Android device) where Vivaldi will be installed.
Click to expand...
Click to collapse
Even if you unlock the bootloader and permanently change the knox flag, you cannot be sure that the files pertaining to Vivaldi are not encrypted and associated with one particular device.
Consequently, your action may be useless.
ze7zez said:
Even if you unlock the bootloader and permanently change the knox flag, you cannot be sure that the files pertaining to Vivaldi are not encrypted and associated with one particular device.
Consequently, your action may be useless.
Click to expand...
Click to collapse
I'd still like to try, regardless, just to see if it can be done.
HarvHouHacker said:
I'd still like to try, regardless, just to see if it can be done.
Click to expand...
Click to collapse
Wouldn't it be more prudent to ask on the Vivaldi forum if this is doable?
Vivaldi for Android
Join the Vivaldi Community to connect with friends from around the world and discuss technology, the future of the web, and development of the Vivaldi Browser.
forum.vivaldi.net
ze7zez said:
Wouldn't it be more prudent to ask on the Vivaldi forum if this is doable?
Vivaldi for Android
Join the Vivaldi Community to connect with friends from around the world and discuss technology, the future of the web, and development of the Vivaldi Browser.
forum.vivaldi.net
Click to expand...
Click to collapse
I didn't know where to ask, honestly. Besides, I use Vivaldi as an example, but I also have other browsers I wanted to get their data from, and they're not common ones (DuckDuckGo browser, for instance).