I'm doing a little Bluetooth serial connection to a PCB I've done for my thesis. It should work, since it is based on the one posted at anddev, and I've only added an xml interface and now it connects and sends a msg using 2 buttons.
Problem is I don't have an Android phone right now, and I need to test it. PC emulator doesn't support BT, and using VirtualBox doesn't work for my laptop either.
When I run the app, an error appears, and application is forced to shutdown. Can anyone test it to see if this error is due to not having bluetooth at the emulator or some code error?
If you have a look at the code and make some suggestions I won't complain. I have attached the Eclipse project
(I hope this is allowed at this forum)
I'll check it out, but without the PCB you have I don't think I could test any functionality. You want me to just check for any FCs while pressing buttons and whatnot?
The apk in the bin/ folder of your eclipse project won't install. Error parsing package
I'll try to compile when I get home, but try to just post an apk
From something awesome
I just realised that I was using a virtual machine running 2.1 for an app using 3.0 libraries. I'm fixing it, but anyway I'd love you to have a look at the app, just for getting the bluetooth running, even without connecting
The Vulnerability
In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.
That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
the list of user accounts, including email addresses and sync status for each
last known network and GPS locations and a limited previous history of locations
phone numbers from the phone log
SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.
But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):
active notifications in the notification bar, including notification text
build number, bootloader version, radio version, kernel version
network info, including IP addresses
full memory info
CPU info
file system info and free space on each partition
running processes
current snapshot/stacktrace of not only every running process but every running thread
list of installed apps, including permissions used, user ids, versions, and more
system properties/variables
currently active broadcast listeners and history of past broadcasts received
currently active content providers
battery info and status, including charging/wake lock history
and more
Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:
ACCESS_COARSE_LOCATION Allows an application to access coarse (e.g., Cell-ID, WiFi) location
ACCESS_FINE_LOCATION Allows an application to access fine (e.g., GPS) location
ACCESS_LOCATION_EXTRA_COMMANDS Allows an application to access extra location provider commands
ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks
BATTERY_STATS Allows an application to collect battery statistics
DUMP Allows an application to retrieve state dump information from system services.
GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service
GET_PACKAGE_SIZE Allows an application to find out the space used by any package.
GET_TASKS Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
READ_LOGS Allows an application to read the low-level system log files.
READ_SYNC_SETTINGS Allows applications to read the sync settings
READ_SYNC_STATS Allows applications to read the sync stats
Theoretically, it may be possible to clone a device using only a small subset of the information leaked here.
I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door. For a more technical explanation, see the section below.
Additionally, and the implications of this could end up being insignificant, yet still very suspicious, HTC also decided to add an app called androidvncserver.apk to their Android OS installations. If you're not familiar with the definition of VNC, it is basically a remote access server. On the EVO 3D, it was present from the start and updated in the latest OTA. The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely? I'm sure we'll know soon enough - HTC, care to tell us what it's doing here?
Technical Details
In addition to Carrier IQ (CIQ) that was planted by HTC/Sprint and prompted all kinds of questions a while ago, HTC also included another app called HtcLoggers.apk. This app is capable of collecting all kinds of data, as I mentioned above, and then... provide it to anyone who asks for it by opening a local port. Yup, not just HTC, but anyone who connects to it, which happens to be any app with the INTERNET permission. Ironically, because a given app has the INTERNET permission, it can also send all the data off to a remote server, killing 2 birds with one stone permission.
In fact, HtcLogger has a whole interface which accepts a variety of commands (such as the handy :help: that shows all available commands). Oh yeah - and no login/password are required to access said interface.
Furthermore, it's worth noting that HtcLogger tries to use root to dump even more data, such as WiMax state, and may attempt to run something called htcserviced - at least this code is present in the source:
/system/xbin/su 0 /data/data/com.htc.loggers/bin/htcserviced
HtcLoggers is only one of the services that is collecting data, and we haven't even gotten to the bottom of what else it can do, let alone what the other services are capable of doing. But hey - I think you'll agree that this is already more than enough.
Patching The Vulnerability
... is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of HtcLoggers (you can find it at /system/app/HtcLoggers.apk).
Stay safe and don't download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.
Affected Phones
Note: Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe.
EVO 4G
EVO 3D
Thunderbolt
EVO Shift 4G? (thanks, pm)
MyTouch 4G Slide? (thanks, Michael)
the upcoming Vigor? (thanks, bjn714)
some Sensations? (thanks, Nick)
View 4G? (thanks, Pat)
the upcoming Kingdom? (thanks, Pat)
most likely others - we haven't verified them yet, but you can help us by downloading the proof of concept above and running the APK
HTC's Response
After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public (as per RF full disclosure Policy). In my experience, lighting fire under someone's ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry. (This is where we come in.)
As far as we know, HTC is now looking into the issue, but no statement has been issued yet.
HTC, you got yourself into this mess, and it's now up to you to climb out of the hole as fast as possible, in your own interest.
The ball is in your court.
Credit
ANDROID POLICE
Huge thank you to Trevor Eckhart who found the vulnerability and Justin Case for working with us today digging deeper.
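A defender's check for the pattern described under Technical Details, as an added example that is not part of the original article and not HTC's code: it parses the contents of /proc/net/tcp (for instance as captured from a device shell) and lists every listening TCP socket with its owning UID, because a listener bound to loopback is still reachable by every app that holds INTERNET. The sample table, the UID-to-name map and the package name are constructed; the article does not state which port HtcLoggers used.

```python
import ipaddress
from typing import NamedTuple

TCP_LISTEN = "0A"      # state code for LISTEN in /proc/net/tcp
FIRST_APP_UID = 10000  # Android assigns UIDs from 10000 upward to installed apps


class Listener(NamedTuple):
    address: str
    port: int
    uid: int
    scope: str  # "loopback", "all-interfaces" or "single-interface"


def decode_ipv4(hex_addr):
    # The kernel prints the address as a host-order 32-bit word, so on
    # little-endian ARM and x86 devices the bytes appear reversed.
    return ipaddress.IPv4Address(bytes.fromhex(hex_addr)[::-1])


def parse_listeners(proc_net_tcp):
    """Return the LISTEN sockets found in the text of /proc/net/tcp (IPv4 only)."""
    listeners = []
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        # Data rows start with "N:"; this skips the header and blank lines.
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        if fields[3] != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        ip = decode_ipv4(hex_addr)
        if ip.is_loopback:
            scope = "loopback"
        elif ip.is_unspecified:
            scope = "all-interfaces"
        else:
            scope = "single-interface"
        listeners.append(Listener(str(ip), int(hex_port, 16), int(fields[7]), scope))
    return listeners


def audit(listeners, uid_names=None, allowlist=frozenset()):
    """Describe who can reach each listener that is not on the (uid, port) allowlist."""
    uid_names = uid_names or {}
    findings = []
    for sock in listeners:
        if (sock.uid, sock.port) in allowlist:
            continue
        # Binding to 127.0.0.1 keeps remote hosts out, not other local apps.
        reachable_by = ["any local app holding INTERNET"]
        if sock.scope != "loopback":
            reachable_by.append("hosts on the network")
        findings.append({
            "owner": uid_names.get(sock.uid, "uid %d" % sock.uid),
            "endpoint": "%s:%d" % (sock.address, sock.port),
            # A privileged (non-app) UID offering a socket is the case the
            # article describes: privileged data served to unprivileged callers.
            "severity": "high" if sock.uid < FIRST_APP_UID else "review",
            "reachable_by": reachable_by,
        })
    return findings


# Constructed sample in /proc/net/tcp format; not taken from a real device.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 4101 1
   1: 00000000:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10057        0 4102 1
   2: 0D00A8C0:A3F2 5DB8D85D:01BB 01 00000000:00000000 00:00000000 00000000 10057        0 4103 1
"""

# Constructed UID-to-name map; com.example.game is a hypothetical package.
SAMPLE_UIDS = {1000: "system", 10057: "com.example.game"}

if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE), SAMPLE_UIDS):
        print(finding["severity"], finding["owner"], finding["endpoint"],
              "<-", ", ".join(finding["reachable_by"]))
```

IPv6 listeners live in /proc/net/tcp6 and need a separate pass; the allowlist is where services you have reviewed and accepted go.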
Hi there, I need help, someone is consistently hacking into my phone, HTC EVO 4G, they are penetration testers and PC savvy, currently I can't log in to the phone for trying to do a factory reset. They kept intercepting me and now my password does not work. Who knows, maybe they changed it on their side. I wrote down everything I saw. I was seeing all these processes running for the same app in my applications. My phone was getting hot, freezes, but it's people that live in my apt complex and at work. Can you help?
zzm5 said:
Hi there, I need help, someone is consistently hacking into my phone, HTC EVO 4G, they are penetration testers and PC savvy, currently I can't log in to the phone for trying to do a factory reset. They kept intercepting me and now my password does not work. Who knows, maybe they changed it on their side. I wrote down everything I saw. I was seeing all these processes running for the same app in my applications. My phone was getting hot, freezes, but it's people that live in my apt complex and at work. Can you help?
Is your device rooted?
I used root explorer and removed the HtcLoggers.apk and other than the forced close loop that removing it caused (requiring me to remove the battery), after rebooting all seems to be working fine.
EDIT: Actually I didn't just delete HtcLoggers.apk but moved it to a safe location on the SD Card in case there was a problem and it needed to be restored. I highly suggest you do this instead of just deleting it, or better yet, a nandroid backup.
there are a few good ROMS out there that have the ICQ loggers removed already.
Do we really need three threads on the front page about the same thing?
You did read the title and still clicked so I think you may need this little app
I wanted to see the Android device log conveniently on my desktop browser without using a USB cable and also be able to send APKs to the device to update my apps. Without root! App install of course needs confirmation on device.
Also a nice log view on the device is always helpful - I found aLogCat scrolling too slow to be useful and it cannot jump directly to errors.
For tests of my remotely running app MobileWebCam I also need the possibility to get logs saved even without internet connection - so SMS can be sent to the device to trigger logging. For other apps there is an intent to trigger logs if Remote LogCat is installed. And the standard feature is there, too: dump logs from time to time onto sdcard, http or others like email with the support of my other app AutoShare ...
Filtering the log is a little complicated right now but I found myself using the full log most of the time anyway ...
The apk is attached to this post or in Android Market.
Nice. I will try it when I get time. It seems very useful.
Ohh, for some time I've wanted something like this! Thank you _miha_!
Downloading now, will report a little bit later as my phone is currently in 'flashing' state!
Thanks _miha_! Working great on my LG Thrill 2.3.5. I would love to see it auto scroll on the pc browser side. Even without it, awesome app. Thanks again!
Wow, this works great. Already did a test from the browser and everything is great
Nice
It does not work for me, because the browser URL shows up like this:
http://fe80::123:65ff:fe68:767a%wlan0:8080
Why is that?
I am using a SGS2 with CM9.
Also, the RemoteLogCat service is running all the time, even when the app is closed....
CRXed said:
http://fe80::123:65ff:fe68:767a%wlan0:8080
Why is that?
That is an IPv6 format address. I do not know why you have one - maybe CM9 uses v6 preferred?
Try to enter [ and ] around the numbers and ::s. Like:
http://[fe80::123:65ff:fe68:767a%wlan0]:8080
(see here: http://superuser.com/questions/242122/accessing-non-port80-web-server-using-ipv6)
You can disable the webserver with the third setting (Enable - HTTP server enabled. Access using Browser...) - it is enabled by default at the moment so users do not have to search for it before trying the app.
I can't get it to work.
My phone has a normal IPv4 IP address, 192.168.0.13
I tried
http://[fe80::123:65ff:fe68:767a%wlan0]:8080
http://[fe80::123:65ff:fe68:767a]:8080, because, what is %wlan ??
Anything else I can try?
Also, when disabling HTTP server and exiting the app with the back button, the logcat service is still alive.
version 1.04
CRXed said:
Anything else I can try?
Also, when disabling HTTP server and exiting the app with the back button, the logcat service is still alive.
Updated version 1.04 displays the IPv4 address only now. And it no longer lets Android restart the service in case it is not enabled (thanks for making me aware of that)!
IPv4 is working now!
But when I disable the HTTP server, I still see a service running in the background.
Which service is this? I use SystemPanel to check.
Also, when opening the app for the first time, my entire phone gets very slow, because it is trying to retrieve all logging info.
After clearing the log, everything is smooth again.
Also, when the log is very big, I get this:
Code:
W/dalvikvm(18755): threadid=21: thread exiting with uncaught exception (group=0x40a541f8)
E/AndroidRuntime(18755): FATAL EXCEPTION: Thread-333
E/AndroidRuntime(18755): java.lang.OutOfMemoryError
E/AndroidRuntime(18755): at java.lang.AbstractStringBuilder.enlargeBuffer(AbstractStringBuilder.java:94)
E/AndroidRuntime(18755): at java.lang.AbstractStringBuilder.append0(AbstractStringBuilder.java:145)
E/AndroidRuntime(18755): at java.lang.StringBuilder.append(StringBuilder.java:216)
E/AndroidRuntime(18755): at com.dngames.remotelogcat.a.a(HelloServer.java:85)
E/AndroidRuntime(18755): at com.dngames.remotelogcat.h.run(NanoHTTPD.java:424)
E/AndroidRuntime(18755): at java.lang.Thread.run(Thread.java:856)
W/ActivityManager( 1803): Force finishing activity com.dngames.remotelogcat/.RemoteLogCat
More info in my signature.
To stop the always running background service please disable in the settings and leave the app. This seems not to be obvious enough - so maybe I should add a button in the first menu?
After a long time a little update to version 1.08 ...
I stripped html from the browser logcat so it is no longer confused when apps log html tags. Also two error message crashes are fixed.
I had high hopes (very high!) that I could get tasker to run on the ouya, unfortunately I have not had any luck as of yet.
Maps was installed, as was a few files that needed to be manually installed in /system, but unfortunately neither seemed to work.
Has anybody had any luck? Please let me know if you did, I had big plans for this little system and tasker was a key piece to it.
Thanks.
Well, apparently I'm batting 1000 tonight on threads.
A reboot allowed installation of the tasker trial version.
It looks like everything works, or as much as you would expect for the ouya. I did two test tasks. First was just a screen popup, which obviously worked great. The other was a reboot to test root access, and this also worked perfect (say hello to automated weekly reboots!).
Now, to see if autoremote can be made to work, and then on to autovoice or utter! and the inherently difficult prospect that will be.
Snoman002 said:
Well, apparently I'm batting 1000 tonight on threads.
A reboot allowed installation of the tasker trial version.
It looks like everything works, or as much as you would expect for the ouya. I did two test tasks. First was just a screen popup, which obviously worked great. The other was a reboot to test root access, and this also worked perfect (say hello to automated weekly reboots!).
Now, to see if autoremote can be made to work, and then on to autovoice or utter! and the inherently difficult prospect that will be.
Please periodically update this thread with your progress? Curious to follow suit, though don't have the time to help in the investigations
A few issues with tasker itself, such as I can't download from Google play, it won't recognize my original order #, i can't find 'my' .apk, basically can't get my purchased version working and am stuck on the 7 day trial version. As for functionality it works great.
Current main task is to start XBMC if Autoremote received a certain message, as well as sending a message when xbmc is open and a different one when it closes.
On my tablet when I fire up the Yatse app, Tasker checks to see if XBMC is running, if not it displays a popup asking if I want to start xbmc. If I say yes it sends a command through autoremote which is what triggers tasker to start xbmc.
OK, a few things I have found.
Originally I could not download Tasker through the Play Store as the Ouya showed up as 'incompatible', however after a Play Store crash that removed it from my system, and subsequent reinstall, I can now download it from Google Play. I don't know why this was, but when I first did the play store mod I didn't have busybox installed, I did for the reinstall. I don't need the play version however as I was able to get the 'Trial' version validated, which is good as the direct download has added functionality (that I will never use). To validate the trial version you need to find the 15 digit order number (not the 16 digit Google provides in the email). This is best accomplished by using the 'Contact Crafty Apps' link in the email, and then finding Tasker, the 15 digit order number should then be visible. This only works if you bought Tasker before March 2013 though, otherwise you will need the Play store version (thanks Google :/)
To get Tasker to run you need to be rooted and move two Google files to the proper location on the Ouya. Tasker will not run without the Google maps framework and oddly enough installing Google maps doesn't install the full framework. You can get these files by flashing the gapps package with CWM, or just install the two files themselves. To get the files unzip the gapps package, I think in the 'framework' folder. You need to move com.google.android.maps.xml to /system/etc/permissions, and move com.google.android.maps.jar to /system/framework. This WILL require you to remount /system as writeable. ES File Explorer worked for me (download an old version, 3.0.4 maybe, as the newest Play store version crashes), it was the only free root access file manager to work for me. Remount /system back to the way it was. BTW, I did all of this without adb, it was all done on the system itself with some help from dropbox (unzipped on my nexus, it was easier).
Tasker itself works great and I currently have it sending messages through autoremote to update variables on my other devices, this triggers a popup that asks if I want to start XBMC when I start my XBMC remote app (only if XBMC isn't running). If I select yes then it sends an Autoremote message that triggers a Tasker profile that starts XBMC. I also have Utter! setup to trigger the 'Start XBMC' Auto remote message on my Nexus
My next two tasks will be for an automatic nightly reboot, and a task that sends the Ouya into sleep mode when I start my alarm clock app on my nexus. I'm still trying to think of good ideas to implement. I hope to get a microphone working to use voice commands directly on the Ouya, and my dream is for an IR blaster to work so the Ouya could turn on my TV with voice commands (old TV)
Snoman002 said:
OK, a few things I have found.
Wow! I really commend you for your perseverance and willingness to share your experience and findings...people don't realize how much this helps others.
Scenes Working
Hey Snoman002,
I have my Ouya rooted and found a Tasker that can be used to mount and unmount NFS mounts. I have the two google maps files installed and have version 4.2 of Tasker installed. When i try to open the scene or even create a new one Tasker closes and goes back to the Make Menu. Have you seen a similar thing with the version you have been using ?
Thanks
Techhhead33
Techhead33 said:
Hey Snoman002,
I have my Ouya rooted and found a Tasker that can be used to mount and unmount NFS mounts. I have the two google maps files installed and have version 4.2 of Tasker installed. When i try to open the scene or even create a new one Tasker closes and goes back to the Make Menu. Have you seen a similar thing with the version you have been using ?
Thanks
Techhhead33
Sadly, other than getting it running initially I have done nothing more with Tasker on my ouya.
You're trying to make a scene in Tasker? Scenes are really only for overlays and custom menus (drastic oversimplification I know). I fail to see the need for the complication of a scene just for mounting and unmounting. Perhaps you could change the tasker task to a simple popup menu (which now that I think about it may be a scene...). Popups worked for me, but that's all I can say about it.
Sorry, I'm not here much anymore as my ouya just runs xbmc now. I will try and check in more often.
Been a long time since I posted here.
I don't use my Nook as much as I could or I think I should. I think the main reason is that I haven't been using apps which sync across devices for fear of ruining the very good battery life.
What are some good apps which integrate with say Chrome? What things have you found useful? Do you toggle WiFi on and off? If so do you then need to hit sync or does that partial wakelock receiver for detecting that WiFi is on and off do that for you? Or will this app keep trying to sync even when there is no wifi?
I think if I start using something like ReaditLater again (tap button in chrome, sync and then read on Nook)... I'll probably use it more.
Also, pulling apps off Google Play and installing the apk was better for battery but I can't get the apk extractor websites to work anymore. Did anyone have a workaround for that?
One more thing, I have been using the latest Cyanogenmod and I notice it comes with PrivacyGuard. Now, the interesting thing about that is that PrivacyGuard now has options to block autostart, keep device awake and wake up device. So this could be useful to put in a ROM, or something like it, bearing in mind the nice battery life we get. Or, maybe have 2 modes - one with everything disabled for hikes, and another for use at home where a charger is handy and the auto sync is more useful.
Apologies, didn't search well enough:
http://forum.xda-developers.com/showthread.php?t=1898358
(adbsync)
Yeah, Renate NST's adbsync program is definitely going to be your best (and really only) option that fits your description.
Thinking about it, there's probably more efficient ways to do it.
For example, Evernote, Unified Remote Full, Wiki Encyclopedia Offline. I don't think Pocket (formerly ReaditLater) works anymore, very unfortunately... that was my favorite thing
But of course, getting these things working on the older Android now could be difficult. How do I get the apks from play these days now the various website extractors don't work?
And ways to automate adbsync. For example, have it as a schedule in the background along with adb connect to your Nook. But remember to give the Nook a static IP on the WiFi by assigning via MAC on the router.
If you save pages as .pdf and automate the sync that's good but browsing pages as pdf isn't great.
edit to avoid bump:
You can use it as a 2nd monitor.
Windows:
http://superuser.com/questions/62051/is-there-a-way-to-fake-a-dual-second-monitor
(then use VNC to access. My thread has a howto for install) (MaxiVista probably works too if you're prepared to pay or steal)
Also possible on other platforms. The key phrase to use when searching is "Extend desktop"
I don't know why I didn't think of this before but you can access Evernote through the web interface. Probably similar for OneNote too.
A browser I heard is good, possibly better than Opera now, is NakedBrowser and the apk is available from the author's website.
I found a way to get the apk is to find an old phone to install to and then use an apk extractor app. A desktop extractor would still be better
Edit again;
I'm still not using it like I feel I should. I think this is because it's just not as Easy to pick up and read. The problem with advanced is that I have to wake up the nook, turn on WiFi and then hit my sync script on the desktop. Because of this I only use it if I have a lot to read, like a full book. I envisioned using it for just reading lengthier forum posts and white papers.
A start I think is to disable the screen saver.
Next will be to put enabling WiFi and keep awake while charging, and then disable after a period if the user fails to cancel and it's unplugged.
If you know how to do either of these things please let me know.
edit avoid bump:
I can't install the tasker apk unfortunately... and they're not giving out licenses anymore without Play. Is there a similar alternative is now my search..
Would be really good to enable and disable adb wireless and wifi when plugged in.
Actually there's a fix for tasker asking for a .jar. So it should be possible to automate connecting to WiFi and adb WiFi. Just a matter of getting tasker license or something else. AutomateIT won't run.
jago25_98 said:
I'm still not using it like I feel I should. I think this is because it's just not as Easy to pick up and read. The problem with advanced is that I have to wake up the nook, turn on WiFi and then hit my sync script on the desktop. Because of this I only use it if I have a lot to read, like a full book. I envisioned using it for just reading lengthier forum posts and white papers.
A start I think is to disable the screen saver.
Next will be to put enabling WiFi and keep awake while charging, and then disable after a period if the user fails to cancel and it's unplugged.
If you know how to do either of these things please let me know.
My Nook is currently out of commission, but I know at one point I had Pocket running (while it was still called ReadItLater), so there might be an old apk floating around that works. Alternatively, you can setup Wallabag, which is the same thing but run on your own server. Between that and a feed reader, I had thousands of articles to pick from whenever I picked up my Nook. It was quite a delight.
Also, there are a couple of wifi saving tools that can be found in F-Droid. If I recall, I used one called Battery Fu to have my Nook connect, force a sync, then disconnect once every few hours. It worked quite well.
thanks FbYAx
I looked up wallabag but when I try to install every version back to 1.6 I get the message 'older SDK'. I guess you had an older version... but I don't know how far back i have to go.
i will have to start archiving and hosting apks that work
edit to try to be a bit more helpful for people who might be trying to do this same:
get android version (mine is 2.1. i think that is normal (kitkat)):
Code:
adb shell getprop ro.build.version.release
change sdk apk version to see if it was developed without using newer sdk stuff (force it):
http://stackoverflow.com/questions/...on-and-targetsdkversion-specified-both-in-and