Nasty Permissions - EVO 4G General

How does the Android community ban apps that ask for crazy permissions? For people who root and have some level of sophistication - we're not going to fall for bad behaving apps.
But for all those who don't even know what permissions are, they need to be warned.
Take a look at this one:
https://market.android.com/details?id=com.antonio.fashion&feature=search_result
Comes from a banned company called Plankton that rebranded itself as StartApp.
I feel sorry for people that install this and can't get rid of all the nasty stuff they injected into their device.

Android Market said:
Permissions
This application has access to the following:
Network communication
full Internet access
Allows an application to create network sockets.
Your personal information
write Browser's history and bookmarks
Allows an application to modify the Browser's history or bookmarks stored on your device. Malicious applications can use this to erase or modify your Browser's data.
read Browser's history and bookmarks
Allows the application to read all the URLs that the Browser has visited, and all of the Browser's bookmarks.
Phone calls
read phone state and identity
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.
Storage
modify/delete USB storage contents modify/delete SD card contents
Allows an application to write to the USB storage. Allows an application to write to the SD card.
Network communication
view network state
Allows an application to view the state of all networks.
view Wi-Fi state
Allows an application to view the information about the state of Wi-Fi.
System tools
automatically start at boot
Allows an application to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the application to slow down the overall device by always running.
I have a problem with an app that supposedly just displays pictures but needs access to my phone, my browser AND starts on boot. The network communication and SD modify I understand since it needs to retrieve the pictures from somewhere and save them in the memory other than the internal one but the rest of the permissions are just completely unnecessary.
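An added example, not part of any post in this thread: one way to automate the check described above is to compare the permissions an APK requests against a baseline for what the app claims to do. It assumes the text output of `aapt dump permissions <apk>`; the baseline, the category name `picture_viewer` and the sample output (built to mirror the Market listing quoted above) are constructed for illustration.

```python
import re

# Constructed baseline: what a picture/wallpaper viewer plausibly needs
# (fetch images over the network, save them to the SD card).
BASELINE = {
    "picture_viewer": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.ACCESS_WIFI_STATE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
}

# Permissions that expose personal data or persistence, with the reason
# paraphrased from the Market descriptions quoted in the thread.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE":
        "phone number, serial number and call state",
    "android.permission.RECEIVE_BOOT_COMPLETED":
        "starts itself at boot and keeps running",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS":
        "reads every URL the Browser has visited",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS":
        "can erase or modify Browser history and bookmarks",
}

# aapt prints either  uses-permission: android.permission.X
# or (newer builds)   uses-permission: name='android.permission.X'
PERMISSION_LINE = re.compile(
    r"^\s*uses-permission:\s*(?:name=)?'?([A-Za-z0-9_.]+)'?")


def parse_permissions(aapt_output):
    """Return the requested permissions in order, without duplicates."""
    permissions = []
    for line in aapt_output.splitlines():
        match = PERMISSION_LINE.match(line)
        if match and match.group(1) not in permissions:
            permissions.append(match.group(1))
    return permissions


def audit(aapt_output, category):
    """List (severity, permission, reason) for everything outside the baseline."""
    allowed = BASELINE[category]
    findings = []
    for permission in parse_permissions(aapt_output):
        if permission in allowed:
            continue
        if permission in SENSITIVE:
            findings.append(("high", permission, SENSITIVE[permission]))
        else:
            findings.append(
                ("review", permission, "outside the baseline for this category"))
    # High-severity findings first, then alphabetical.
    findings.sort(key=lambda f: (f[0] != "high", f[1]))
    return findings


# Constructed sample: the permission set shown in the Market listing above,
# written in aapt's output format. The package name is a placeholder.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.pictures
uses-permission: name='android.permission.INTERNET'
uses-permission: name='com.android.browser.permission.WRITE_HISTORY_BOOKMARKS'
uses-permission: name='com.android.browser.permission.READ_HISTORY_BOOKMARKS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

if __name__ == "__main__":
    for severity, permission, reason in audit(SAMPLE_AAPT_OUTPUT, "picture_viewer"):
        print(f"[{severity}] {permission}: {reason}")
```

The four findings are the phone, browser and boot permissions the post objects to; the network and storage permissions pass the baseline.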

Wow that's crazy, I fully agree!

Wow! Those permissions are crazy. That company should be banned. People are having a similar issue with the Amazon "Free app of the day" today. It's a game that is asking for a ton of permissions. There were a lot of complaints and the developer remarked on their Twitter account that they accidentally uploaded a version with "remnant permissions." Ya..right. Too many companies are getting away with this "we accidentally uploaded a test/alpha/beta/developer...etc version of our app." *rolls eyes
Sent from my PC36100 using xda premium


Is it safe to give an App my gmail password ?

NM. I answered my own question. The log in screen was misleading. Have to stop multi tasking when I do these things. @ me.
KOF33 said:
NM. I answered my own question. The log in screen was misleading. Have to stop multi tasking when I do these things. @ me.
Just for fun, the answer is most definitely *NO*. Not if you have any personal information on your google account since this would allow that app to not only steal all your personal information, it would allow the app author to hijack your account, send your login credentials to china, etc.
lbcoder said:
Just for fun, the answer is most definitely *NO*. Not if you have any personal information on your google account since this would allow that app to not only steal all your personal information, it would allow the app author to hijack your account, send your login credentials to china, etc.
So can't use GDoc or Greed?
cigar3tte said:
So can't use GDoc or Greed?
I wouldn't...
Unless you know the code and compiled it yourself.
Or if you definitely don't have any sensitive info on your account.
There's no telling what they'll do with it.
Do you know the author? Have you met them? Do you even know what country they're in?
If you have a rooted device then I'd watch out for any apps you install. I've read about malware that uploads your browser.db and other data, and we all know that Google didn't implement encryption into password storage.
I'm developing a shell app to do this over adb or on the phone console. I have implemented:
Browser database
Contact database
Ebuddy password
you could always use a password you just made up out of the blue. the app won't be able to recognize whether it's your actual gmail password or not.
tazz9690 said:
you could always use a password you just made up out of the blue. the app won't be able to recognize whether it's your actual gmail password or not.
Well, the app that made me ask didn't "Require" it. But just recently after that, a Gmail/Fbook sync app asks for both passwords.
Without it, it won't work. I don't feel comfortable giving my PW to some random app.
Sudox-
Do you mean installing from non marketplace?
Even rooted, marketplace should be OK, no?
I've never looked extensively at the safety precautions Google implemented.
KOF33 said:
Well, the app that made me ask didn't "Require" it. But just recently after that, a Gmail/Fbook sync app asks for both passwords.
Without it, it won't work. I don't feel comfortable giving my PW to some random app.
Sudox-
Do you mean installing from non marketplace?
Even rooted, marketplace should be OK, no?
I've never looked extensively at the safety precautions Google implemented.
The only thing that the market gives you is a partial assurance that the publisher's market account can be traced back to them based on the credit card number that was used to sign up. Google does NOT security verify the applications that are posted there. The security is built in to the OS -- and note that the app shows you what kind of data it can access at install time. It is therefore UP TO YOU to ensure that the application doesn't get any information that you would consider "sensitive".
And as for root access... this is a potential danger if you aren't careful about limiting root access from certain applications. The community-root scheme is fairly OK, but any program to which you grant ROOT PERMISSION will have access to *everything*. Be careful about what applications you give root to.
lbcoder said:
The only thing that the market gives you is a partial assurance that the publisher's market account can be traced back to them based on the credit card number that was used to sign up. Google does NOT security verify the applications that are posted there. The security is built in to the OS -- and note that the app shows you what kind of data it can access at install time. It is therefore UP TO YOU to ensure that the application doesn't get any information that you would consider "sensitive".
And as for root access... this is a potential danger if you aren't careful about limiting root access from certain applications. The community-root scheme is fairly OK, but any program to which you grant ROOT PERMISSION will have access to *everything*. Be careful about what applications you give root to.
This is something I have been wondering for a while now. Say you grant an app SU rights, however upon installation that app did not specify "Internet Access", meaning that the permissions for that program do not allow access to the internet (for sending of any information it could possibly gather). Can that app somehow access the internet, or modify its own permissions in packages.xml?
daveid said:
This is something I have been wondering for a while now. Say you grant an app SU rights, however upon installation that app did not specify "Internet Access", meaning that the permissions for that program do not allow access to the internet (for sending of any information it could possibly gather). Can that app somehow access the internet, or modify its own permissions in packages.xml?
Yes, any app with root access *can* change its own permissions, yes, any app with root access can access the internet, even withOUT internet permissions, and yes, an update to the app can come with additional permissions than an earlier version.
Note possible attack;
publish an app withOUT internet and/or read contacts permission,
app tries to send sensitive information to china -- permission denied, catch exception, no visible effect to the user. App granted ROOT access, alters /data/system/packages.xml to add internet and read contacts permissions and immediately the phone "randomly" reboots, upon reboot, that app has permissions required to send sensitive information to china.
And yes, the root app is NOT completely secure/trustworthy. There are several vulnerabilities that need to be considered...
1) A *pair* of apps can conspire to break out... i.e., one "trusted" app with root can modify a DIFFERENT app into the whitelist. This can include granting blanket root access.
2) The userid of an uninstalled application may remain in the whitelist, allowing it to be replaced by a *different* app that could later use that root access to do all kinds of nasty things.
In general, a better form for the community root database app would be along the following lines;
1) There should be NO WHITELIST.
2) The root permission state should remain in *memory* for a limited period of time (i.e. 1 minute).
3) The root app should request a PASSWORD (to prevent other people from tampering with it) -- store a password hash in the app's home directory,
4) The root app should be *forced* to be a *system* app in order to eliminate possibility of other user uninstalling and reinstalling it to bypass the password.
1 and 2 should be considered essential. 3 and 4 make it bulletproof, but still can't possibly do anything to stop an app given root from running amok.
In fact, note this;
Even WITH a secured root app, all any app needs is a MOMENT with root to do severe nastiness -- like give itself its very own su command that can't be stopped by the root-app...
Note: in order to *really* give decent security, the su command/app should work more like 'sudo' than like 'su'.
I.e., some app runs "sudo somecommand". This invokes the "sudo" app, which says... "XYZ is attempting to run this command as root: ---. Do you want to allow it?" You know, it is a much stronger position to be in if you can see *exactly* what some root-wanting app is trying to run. Also, nice to prevent some app from just going off as root any time it wants to.
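An added example, not part of the post above: a defender's check for the two problems it describes, permissions that appear in `/data/system/packages.xml` without an app update, and root-whitelist entries whose userid no longer belongs to the app that was granted root. It assumes the older `packages.xml` layout where each `<package>` carries `<perms><item name="..."/></perms>`, and a whitelist exported as a hypothetical `{userId: package}` mapping; all package names and snapshots are constructed.

```python
import xml.etree.ElementTree as ET


def granted_permissions(packages_xml):
    """Map package name -> version, userId and granted permission set."""
    table = {}
    for pkg in ET.fromstring(packages_xml).iter("package"):
        perms = {item.get("name") for item in pkg.findall("perms/item")}
        table[pkg.get("name")] = {
            "version": pkg.get("version"),
            "uid": pkg.get("userId"),
            "perms": perms,
        }
    return table


def silent_permission_gains(before_xml, after_xml):
    """Packages that gained permissions while their version stayed the same.

    An update that adds permissions changes the version and is shown to the
    user at install time; a gain at an unchanged version was written some
    other way, for example by editing packages.xml as root.
    """
    before = granted_permissions(before_xml)
    after = granted_permissions(after_xml)
    alerts = []
    for name in sorted(after):
        if name not in before:
            continue
        gained = after[name]["perms"] - before[name]["perms"]
        if gained and after[name]["version"] == before[name]["version"]:
            alerts.append((name, sorted(gained)))
    return alerts


def stale_root_grants(whitelist, packages_xml):
    """Whitelist entries whose userId is gone or now belongs to another app.

    whitelist is {userId: package name recorded when root was granted}
    (hypothetical export format, not the root app's real storage).
    """
    owner = {entry["uid"]: name
             for name, entry in granted_permissions(packages_xml).items()}
    problems = []
    for uid, granted_to in sorted(whitelist.items()):
        current = owner.get(uid)
        if current is None:
            problems.append((uid, granted_to, "uid no longer installed"))
        elif current != granted_to:
            problems.append((uid, granted_to, "uid now owned by " + current))
    return problems


# Constructed snapshots, taken before and after an unexpected reboot.
BEFORE = """<packages>
  <package name="com.example.notes" userId="10051" version="3">
    <perms><item name="android.permission.WRITE_EXTERNAL_STORAGE"/></perms>
  </package>
  <package name="com.example.game" userId="10052" version="7">
    <perms><item name="android.permission.INTERNET"/></perms>
  </package>
  <package name="com.example.oldtool" userId="10060" version="1">
    <perms/>
  </package>
</packages>"""

AFTER = """<packages>
  <package name="com.example.notes" userId="10051" version="3">
    <perms>
      <item name="android.permission.WRITE_EXTERNAL_STORAGE"/>
      <item name="android.permission.INTERNET"/>
      <item name="android.permission.READ_CONTACTS"/>
    </perms>
  </package>
  <package name="com.example.game" userId="10052" version="8">
    <perms>
      <item name="android.permission.INTERNET"/>
      <item name="android.permission.VIBRATE"/>
    </perms>
  </package>
  <package name="com.example.newapp" userId="10060" version="1">
    <perms/>
  </package>
</packages>"""

# Constructed whitelist export: uid -> package that was granted root.
WHITELIST = {
    "10051": "com.example.notes",
    "10060": "com.example.oldtool",
    "10070": "com.example.gone",
}

if __name__ == "__main__":
    print(silent_permission_gains(BEFORE, AFTER))
    print(stale_root_grants(WHITELIST, AFTER))
```

Snapshots have to be stored where an app with root cannot rewrite them (for example pulled over adb to another machine), otherwise the comparison itself can be tampered with.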

Chrome2Phone -- Exploitable?

Had the thought that perhaps the new feature, to send your nexus a direct link from your computer, might be exploitable by some unfriendly people.
What do you all think the risks are, if any?
If it can tell your phone to open the browser and launch a website, what's to stop someone from telling your phone to buy ten thousand copies of Conan the Barbarian, or destroying itself and catching on fire. Kidding of course, but you get what I mean.
Very difficult. It'd be just as likely as someone stealing your Gmail account.
Mmm, ok. Thought I would ask
It has the potential, under the right circumstances, to be used for evil though! EVIL!
I'm not entirely sure, but from what I understand all intents go through google servers. I assume google is doing checks for malicious behaviour on their end.
Don't you have to register a phone to a gmail account and be logged into that account to send to the phone?
Haven't tried the app myself, but it wouldn't make sense any other way ;-)
You have to be logged in. And I think info is sent via Google servers, so unless someone steals your Google account, I think you should be safe.
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
chromiumcloud said:
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
I believe that Google are running a closed beta at present too, so the only people that can write apps that use cloud messaging will have been vetted by Google.
All the components of the extension (Chrome extension, Android application and application server) are open source. What prevents anyone from developing another extension that uses the Google cloud service to communicate with Android?
ludo218 said:
All the components of the extension (Chrome extension, Android application and application server) are open source. What prevents anyone from developing another extension that uses the Google cloud service to communicate with Android?
All of the messages go through the Google servers
As I understand, the application engine part of the extension (which runs on Google application engine) registers itself to "the cloud" using the Google API. Anyone should be able to use these APIs, no?
It most certainly could be exploited. I can think of a javascript exploit that would work right now.
However the consequences of an exploit are severely limited by the security model that Android uses. Something can not run in another security context unless you allow it to.
The day "Chrome2Phone" asks for root access is the day it should be removed from your phone. Until then the most it could do is tell an app to do something that you've already allowed that app to do (which could arguably be undesirable things).
The user needs to explicitly permit all security privileges in Android remember (read that app install page with security details!). If it can do something, you've permitted it to do so.
tanman1975 said:
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
That is true, but if I recall correctly, when you choose a phone number link from the browser, it will bring the number up in your dialer application, but you must initiate the call with the green call button, so there is a level of security there.
Actually this could be a pretty nifty security feature. If the phone gets stolen, how great would it be to be able to enable the GPS, camera or mic? Given proper security protocols of course...
@tanman1975
Didn't think of that one. T'would be a very powerful tool against the robbers out there. Nice.

4 million people downloaded data-stealing Android app

http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Mike Luttrell | Thu 29th Jul 2010, 08:30 am
A seemingly innocuous Android app that let users change their phone's wallpaper has actually been stealing private user information and may have been downloaded millions of times.
Users should be concerned if they downloaded an app from "Jackeey Wallpaper." While it does perform the functions described in the app download page, it also ends up taking the phone's Internet browser history, mobile phone number, every single text message, and voicemail password. That information is then sent to a website based in Shenzhen, China.
http://phandroid.com/2010/07/29/another-app-stealing-data/
[Update]: MyLookout chimed in with us to clarify some details that other outlets have been reporting. Specifically, the app does collect data from your phone, but only the device’s phone number, subscriber identifier, and voicemail number fields are retrieved. SMS and browsing history are not touched by any of the apps they analyzed throughout their Blackhat conference. Your voicemail’s password is also not transmitted unless you included the password in your phone’s voicemail number field.
We’re not yet certain on what the developer’s intentions are for using the pieces of data it does send to China – so we can’t outright call it malicious – but it is collecting and sending data nevertheless. Hopefully that clears up some of the confusion everyone’s been faced with regarding the read-only property READ_PHONE_STATE that the application uses to access certain pieces of data.
So no SMS, browsing history or voice mail password taken.
FOR REAL?!?!
All your data belongs to somebody else
jp_macaroni said:
http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Free isn't free: http://www.androidpolice.com/2010/0...t-all-your-data-are-belong-to…-somebody-else/
Same happened to me with an app posted here for movies
Flixster for android
http://www.flixster.com/
I did find out ON TIME that someone was messing with my gmail account, had to change my password immediately
I received an alert from an IP (from their site) trying to change my password!
You've been warned , happened to me !
It's not like it doesn't show you the stuff when you install apps.. And this "Genome Project" thing is out of context nonsense.... 14% of free apps have access to your contacts. You realize that includes IM programs, SMS programs, Email programs, etc....
If you install a wallpaper app that requests access to your Accounts and Contacts, well....
http://www.cyrket.com/search?q=Jackeey+Wallpaper
I don't see such permissions on the 2-3 I looked through, but maybe specific ones did.
Another thing about this "lookout" app and Genome Project.. Look at the permissions on their app on the market:
Permissions: ACCESS_COARSE_LOCATION , ACCESS_FINE_LOCATION , ACCESS_NETWORK_STATE , CLEAR_APP_CACHE , DISABLE_KEYGUARD , GET_ACCOUNTS , INTERNET , MANAGE_ACCOUNTS , MODIFY_AUDIO_SETTINGS , PERSISTENT_ACTIVITY , READ_CONTACTS , READ_LOGS , READ_OWNER_DATA , READ_PHONE_STATE , READ_SMS , READ_SYNC_SETTINGS , READ_USER_DICTIONARY , RECEIVE_BOOT_COMPLETED , RECEIVE_SMS , VIBRATE , WAKE_LOCK , WRITE_CALENDAR , WRITE_CONTACTS , WRITE_SETTINGS , WRITE_SMS , WRITE_SYNC_SETTINGS , WRITE_USER_DICTIONARY , com.android.browser.permission.READ_HISTORY_BOOKMARKS , com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
What if the 'AV' software itself turns out to be the one stealing data? If anything could, it could.
We get that all apps ask for permission to allow access to our location, contacts, emails etc.... but to gather our private info and sell them to China..... that's messed up.
time to sue.
That information is then sent to a website based in Shenzhen, China.
question:
if this app was downloaded and used by US government....would it be considered as a SPY? lol
It's a big deal, but it illustrates very well that android users are in a ffa environment without someone looking over their shoulder to protect them.
It's good and bad. Some people will call bad on google for not protecting them, but others will see it for the truth of it and know they have to cover their own ass.
Wouldn't a functional firewall app work for this?
cutting off apps access to non essential portions of data...but also from data transmitting?
Flixster is malicious??
pvillasuso said:
Same happened to me with an app posted here for movies
Flixster for android
http://www.flixster.com/
I did find out ON TIME that someone was messing with my gmail account, had to change my password immediately
I received an alert from an IP (from their site) trying to change my password!
You've been warned , happened to me !
Woaaah now... I have used this app on almost every ROM I flash - downloaded straight from the market each time. I've never had an indication that my information was compromised in any way... Are you 100% sure that Flixster was the culprit? That's a pretty heavy claim for what I think is a very widely used (and recommended) app.
and what about all the gmail notifiers?
More fears:
I will preface this by saying I don't know much about Android security, but to me, it's as secure as any PC.
So: what about gmail notifier apps and apps that ask for access to your gmail account?
Do they have access to your gmail password? Seems like it. So what's to stop malicious gmail notifier developers from stealing your gmail passwords and having their way with your google account, for example, grepping your mailbox for banking information.
Also think about keyboard apps, what's to stop malicious keyboard developers from writing a keyboard which logs all your keystrokes to a zipfile then uploads it to a russian server for analysis of B-A-N-K and P-A-S-S-W-O-R-D and then the next keystrokes which follow that?
It doesn't end there. Picture apps which can steal your pictures. Apps which can record your phone conversations and upload the audio to servers a few hours later so you don't notice that data going on.
bwolmarans said:
More fears:
I will preface this by saying I don't know much about Android security, but to me, it's as secure as any PC.
So: what about gmail notifier apps and apps that ask for access to your gmail account?
Do they have access to your gmail password? Seems like it. So what's to stop malicious gmail notifier developers from stealing your gmail passwords and having their way with your google account, for example, grepping your mailbox for banking information.
Also think about keyboard apps, what's to stop malicious keyboard developers from writing a keyboard which logs all your keystrokes to a zipfile then uploads it to a russian server for analysis of B-A-N-K and P-A-S-S-W-O-R-D and then the next keystrokes which follow that?
It doesn't end there. Picture apps which can steal your pictures. Apps which can record your phone conversations and upload the audio to servers a few hours later so you don't notice that data going on.
The same things are possible for a regular computer as well. You can connect to a site and it could execute a download that then snoops your keystrokes and uploads them somewhere.
The difference (so far) is that on android you have to install an app to do that.
The take-home message is to exercise caution and install apps you can verify where they come from and what they do.
This will happen more and more. Mobile is where people are doing most of their communication and beginning a lot of banking.
Not just Android all mobile OS.
Like I said, a zonealarm/lilsnitch-like app would be of great use. Even if logging or reading, they still need to communicate out. An easy low mem/bat/cpu usage app that monitors this behaviour would go a long way.
This is becoming a bigger issue and we do need some type of security alert monitor!
http://www.newsfactor.com/story.xhtml?story_id=13100EVAC2WI
"Mobile apps on Android-powered smartphones and Apple's iPhone can disclose more personal data than most users realize, security vendor Lookout revealed Wednesday at the Black Hat USA 2010 conference in Las Vegas. Rather than being malicious, users often give the apps permission to access data when they are installed...."
jp_macaroni said:
http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Oops, missed this post prior to posting my thread...
http://forum.xda-developers.com/showthread.php?t=739446
Arcarsenal said:
Woaaah now... I have used this app on almost every ROM I flash - downloaded straight from the market each time. I've never had an indication that my information was compromised in any way... Are you 100% sure that Flixster was the culprit? That's a pretty heavy claim for what I think is a very widely used (and recommended) app.
100% sure , I checked out the IP involved , and it pointed directly to their website !!!
pvillasuso said:
Same happened to me with an app posted here for movies
Flixster for android
http://www.flixster.com/
I did find out ON TIME that someone was messing with my gmail account, had to change my password immediately
I received an alert from an IP (from their site) trying to change my password!
You've been warned , happened to me !
Don't be stupid. Flixster is a 100% legitimate app. Don't bad mouth it because you fell for a phishing scam some place else.
GldRush98 said:
Don't be stupid. Flixster is a 100% legitimate app. Don't bad mouth it because you fell for a phishing scam some place else.
Use it then, who cares anyway ..!
Hope u get your gmail account hacked ...
samagon said:
The take-home message is to exercise caution and install apps you can verify where they come from and what they do.
Easy to say, but how do you 'verify where they come from and what they do'?

Why on earth does Torch Light APK need access to the following?

I am running CheckROMv3 on my Note, and decided to install the Torch Light application of Samsung.
I found the apk in the developers thread, and when I opened it with Installer it requested a lot of permissions. Some highlights are listed below:
//
Add or modify calendar events, read browser's history and bookmarks, read contact data, read user defined dictionary, write contact data.
SysScope (??) (sound snooping enough?)
Directly call phone, send, receive, read, edit SMS or MMS.
Your location, both coarse as well as GPS.
Your account: act as account authenticator, use credentials.
Modify, delete USB storage contents.
Change audio settings, record audio, take pictures and videos.
System tools including BT, wifi etc
Discover known accounts, read Google service configuration, view configured accounts.
Automatically start at boot, read Home settings and shortcuts.
//
All of that for a simple torch widget?
Seriously Samsung, why do you need my GPS and access to my SMS and Google services to light a dark staircase? And how are you planning on acting as an authenticator on my part?
Is this even legal or ethical? And how about all the stock ROM users that have no idea of the above list? Are they really making an educated decision when accepting the update?
This is why I love android and cooked ROMs. I get to decide what I want to share and in this case I decided not to install it.
PS: I just hope this is just an oversight of the programmers. They might have just used a shared library that requests all of the above. Today the Torch Light widget might be using none of them, but if you give your permission to it, future updates will not inform you of any changes.
:O good thing i deleted it.
shahadat said:
:O good thing i deleted it.
Unfortunately it is not in the market to Vote/comment it

Possible that I am being checked/hacked ChatOn/WhatsApp remotely ?

My girlfriend and I are using ChatOn for chatting, sometimes WhatsApp. She uses the Galaxy S2. She thinks that her ex-boyfriend is checking/stalking her, while I have said that it would be nearly impossible that he could actually see the messages we exchange. He probably can access her router at home (he installed it). We were using ChatOn (instead of WhatsApp) thinking that he would not know that, or would not be familiar with that (it is not that popular over here).
This night, 2am, I received 2 smileys in the ChatOn chat, from my girlfriend (portraying a spitting smiley, which we never use, and we were talking angry and frustrated about the ex-boyfriend). My girlfriend says she cannot have sent those 2 smileys. She would need to have logged into her phone (long password) and she was definitely asleep at that time.
My questions to the biggest experts here:
- Can somebody really get into ChatOn, and send messages on your behalf, remotely? The ChatOn accounts are not linked to anything, we do not have Samsung accounts and we have not given access to any other account within ChatOn (I know it would be possible to use webChatOn, but you should give permission for that I think from within the ChatOn Mobile App)
- The same for WhatsApp ?
- Everything sent through WiFi is encrypted in the App itself, so text would not be visible from the router? You can only see encrypted data? And it would be impossible to send something from the account through the router?
- Would there be any explanation for the smileys ?
We are getting quite nervous ....
Unfortunately yes..
It is possible that her bf may have access to her WhatsApp by MAC spoofing. He may know the MAC address of her phone.
MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address is hard-coded on a network interface controller (NIC) and cannot be changed. However, there are tools which can make an operating system believe that the NIC has the MAC address of a user's choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer's identity, for any reason, and it is relatively easy.
The changing of the assigned MAC address may allow the bypassing of access control lists on servers or routers, either hiding a computer on a network or allowing it to impersonate another network device. MAC spoofing is done for legitimate and illicit purposes alike.
He might have spoofed his phone's MAC address and assigned hers. This way whatever replies she gets will be received by him... but still the question is whether he knows the MAC address.
You should change the router config asap. Also, does your gf use a ROM installed by the ex? My advice is to flash a new fresh ROM and change every app password, including emails.
Using Tapatalk GT-I9505
Quite Possible
Especially for the older versions of the ChatOn app (2012-12-04 and before), do not use public WiFi networks. The communication between client and server is not encrypted (whereas WhatsApp encrypts before sending). The session can easily be intercepted or even spoofed. Though it requires a little technical skill for spoofing. But it's not impossible. You have to judge it from the ability of her ex.
If the Chat On app is the updated one then no need to worry as it uses the AES encryption, but still the files being uploaded/downloaded are not encrypted, and hence can be intercepted.
Change wifi pass... Make it complicated alphanumeric with numbers
Use wpa2psk on wifi
To do an arp spoof he would need to be on the same network. Thus do the above ASAP
Whatsapp Video Limit Problem
You want To send videos larger than 16Mb through Whatsapp?
yes, You can send Just Follow some steps
#Goto:
Xda-Link
Possible that I am being checked/hacked ChatOn/WhatsApp remotely
MattRob said:
My girlfriend and I are using ChatOn for chatting, sometimes WhatsApp. She uses the Galaxy S2. She thinks that her ex-boyfriend is checking/stalking her, while I have said that it would be nearly impossible that he could actually see the messages we exchange. He probably can access her router at home (he installed it). We were using ChatOn (instead of WhatsApp) thinking that he would not know that, or would not be familiar with that (it is not that popular over here).
This night, 2am, I received 2 smileys in the ChatOn chat, from my girlfriend (portraying a spitting smiley, which we never use, and we were talking angry and frustrated about the ex-boyfriend). My girlfriend says she cannot have sent those 2 smileys. She would need to have logged into her phone (long password) and she was definitely asleep at that time.
My questions to the biggest experts here:
- Can somebody really get into Chaton, and send messages on your behalf, remotely ? The ChatOn accounts are not linked to anything we do not have Samsung accounts and we have not given access to any other account within ChatOn (I know it would be possible to use webChatOn, but you should give permission for that I think from within the ChatOn Mobile App)
- The same for WhatsApp ?
- Everything send through WiFi is encrypted in the App itself, so text would not be visible from the router ? You can only see encrypted data ? And it would be impossible to send something from the account through the router ?
- Would there be any explanation for the smileys ?
We are getting quite nervous ....
I don't think someone can send messages on your behalf, but yes, your messages could be read very easily. That's the reason why chat apps like Photo4tune are coming up with innovations such as fire messaging and self-destruct pics to eliminate the privacy concerns of apps such as WhatsApp, which sell our data to big-shot companies.
Identify who a pic was sent to from the WhatsApp database
Is it possible to identify to whom the pics have been sent from the database files of someone else?
@MattRob:
Try Threema instead of WhatsApp or ChatOn. Here it would be really impossible to compromise the messages, because it uses real end-to-end encryption.
Sent from my Nexus 4 using Tapatalk
Remote Connectivity
MattRob said:
My girlfriend and I are using ChatOn for chatting, sometimes WhatsApp. She uses the Galaxy S2. She thinks that her ex-boyfriend is checking/stalking her, while I have said that it would be nearly impossible that he could actually see the messages we exchange. He probably can access her router at home (he installed it). We were using ChatOn (instead of WhatsApp) thinking that he would not know that, or would not be familiar with it (it is not that popular over here).
This night, 2am, I received 2 smileys in the ChatOn chat, from my girlfriend (portraying a spitting smiley, which we never use, and we were talking angry and frustrated about the ex-boyfriend). My girlfriend says she cannot have sent those 2 smileys. She would need to have logged into her phone (long password) and she was definitely asleep at that time.
My questions to the biggest experts here:
- Can somebody really get into ChatOn, and send messages on your behalf, remotely? The ChatOn accounts are not linked to anything; we do not have Samsung accounts and we have not given access to any other account within ChatOn (I know it would be possible to use webChatOn, but you should give permission for that, I think, from within the ChatOn mobile app)
- The same for WhatsApp?
- Everything sent through WiFi is encrypted in the app itself, so text would not be visible from the router? You can only see encrypted data? And it would be impossible to send something from the account through the router?
- Would there be any explanation for the smileys ?
We are getting quite nervous ....
I think that the BF is using some software to control it remotely, like Android Lost, etc. Check for any unwanted apps installed on it.
My advice is to install a new ROM (I prefer official ROMs) and change all passwords set in the phone (email, FB, Twitter, ...). Also change the router config to avoid any technique of hacking.
Shreyseviltwin said:
It is possible that her bf may have access to her WhatsApp by MAC spoofing. He may know the MAC address of her phone.
MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address is hard-coded on a network interface controller (NIC) and cannot be changed. However, there are tools which can make an operating system believe that the NIC has the MAC address of a user's choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer's identity, for any reason, and it is relatively easy.
The changing of the assigned MAC address may allow the bypassing of access control lists on servers or routers, either hiding a computer on a network or allowing it to impersonate another network device. MAC spoofing is done for legitimate and illicit purposes alike.
He might have spoofed his phone's MAC address and assigned hers. This way whatever replies she gets will be received by him... but still the question is whether he knows the MAC address.
I may have hit on something big. It is possible to "jump" into another person's WhatsApp account and send and receive messages and even change settings like profile picture and account name. Initially to set this up, the victim's phone is required but at the end it is not and all this can be done remotely. Both the hacker's and the victim's phones need to be rooted, unfortunately. Use an app like Titanium Backup and backup the victim's WhatsApp and get that backup and restore the app data on the hacker phone and open WhatsApp and that's it. To reuse the hacker phone's original WhatsApp, a separate backup of it can be restored.
It is possible to create an application that can be installed in a non-rooted phone, with the ability to root it (applications that can do merely this already exist) and make an application data copy that can be shared via a network (like the internet) to another party that can use an application (even the same one) that uses this data and jacks (takes over or 'shares') the WhatsApp account on the device the 'application' was primarily installed on.
destevez said:
You should change the router config ASAP. Also, does your gf use a ROM installed by the ex? My advice is to flash a fresh ROM and change every app password, including emails.
Using Tapatalk GT-I9505
I would have suggested this same opinion.. Thanks to the earlier poster.:thumbup::thumbup::thumbup:
Sent from my GT-I9300 using XDA Free mobile app
Whatsapp Hack
Thanks For Whatsapp Hack Remotely
Yes there are ways
There are a few ways to achieve this. Changing the WiFi password with WPA/PSK and making sure there is no app that helps the ex access phone info will make sure that it's safe. Read my article to understand the hacking techniques for WhatsApp.
Discussion to promote or condone services for the purposes of illegally hacking something that you do not own will not be permitted.
Droidriven
Forum Moderator
OP no longer active. Thread closed.
Droidriven
Forum Moderator