Bouncer security for Android Market - Xperia Arc General

Google's Bouncer is basically an app-crawler that scans all the apps in the Android Market, including every new submission. It checks for known trojans and malware, much like a security app on your phone might, while also analyzing how apps run in a virtual machine, to try and ferret out new threats. Finally, Bouncer also tracks developer account behavior, so repeated offenders are caught when they open a new account to cause havoc with.
Another technique by Google is the use of sandboxing to prevent malware from accessing data. It doesn’t have permission to the system itself, and the fact that Android is designed so that malware can’t make changes to the OS itself – which means all you have to do to clean an infected phone is remove the offending app.
What do you think of the new security features?

I would be interested in sandboxing on my phone, do you have any tutorial links or just general information for me you can share?

Related

Anyone heard of a android virus/trojan yet?

Sometimes I come across an app that's not on the Android market and you have to install it manually. Has anyone come across a virus/trojan on Android yet? I'm curious how easy or hard it is to modify a legit application and put a virus/trojan in it?
Lol have not seen one yet. Android isn't that big yet so doubt hackers would really spend time putting trojans to get stuff like your email password lol.
Take everything you know about microshaft windoze and forget it. The system architecture of android is almost completely invulnerable to viruses/worms/etc.
In a typical unix system, hacks can take one of very few possible approaches;
1) service bug targeting, i.e., if one were to discover a security vulnerability in the Apache HTTP server, one could theoretically compromise it. That particular service I mean.
2) user account targeting, i.e., one could convince a user to run something dangerous, which would infect that specific user's account, of course, this attack would limit itself to damaging that user's personal data and would not be able to take down the whole system unless it also targeted a kernel or X-server exploit.
Note specifically regarding #1, that in a well configured system, that targeting a particular service would be restricted to a specific user account just as in #2 since each service runs as its own username.
3) Targeting KERNEL defects; this is perhaps the most frightening possibility. It is also the least likely since it would also require #1 or #2. Any particular kernel attack, particularly in Linux is also very unlikely to work for long due to the open sourced nature of Linux. There are a LOT more people involved in monitoring the fundamental securities of the Linux kernel than any other OS because of its open nature. It is also a source of PRIDE for kernel HACKERS that they ALSO be responsible for openly providing the SOLUTION to any exploits that they discover. And they usually do this with their REAL NAME since it basically immortalizes them. The end result is that every time a kernel exploit is discovered, it tends to be patched within hours of its first application.
Now of course you want to know how this affects Android, since by all appearances, there is no user-level security. WRONG. The Android security level is actually on par with service level security on unix servers. EVERY SINGLE application installed is granted its own user account, which means that if any particular application is dangerous, its range of damage is restricted to that particular application's private data, as well as any permissions that the application is explicitly granted (i.e. when you install an application, it gives you the required security list). There is also the very slim possibility of a kernel exploit (though this is extremely unlikely), and it could damage the data on the sdcard (since it is an MS-crap filesystem with no security restrictions).
Of course you will note that older versions of the ADP1 system image came with an unregulated 'su' command (which you could also end up with using a "cat sh > su; chmod 4755 su" root approach) which basically can be used by any application to take over the whole system. Make sure that you don't have any such su command on your droid. Either use a password-protected su command (which will cause problems for trusted apps requesting root privileges), or the gui-supported su command. Subsequent ADP1 images came with an su command that was restricted to the debugging terminal user, which is fine.
In other words... you don't have much to worry about. Just don't do anything really stupid, like installing an untrusted application that wants a boat load of privileges that it shouldn't be asking for.
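One way to check the one-account-per-app claim in the post above on a device you administer, as an added example that is not part of the original thread: it reads a package list in the `/data/system/packages.list` layout (assumed here: package, UID, debuggable flag, data directory) and reports packages that share a UID, sit below the application UID range, or are debuggable. The sample lines and package names are constructed.

```python
from collections import defaultdict

# Assumption: AOSP hands out UIDs to installed apps starting at this value.
FIRST_APPLICATION_UID = 10000

# Constructed sample; the package names are hypothetical.
SAMPLE_PACKAGES_LIST = """\
com.example.soundboard 10054 0 /data/data/com.example.soundboard
com.example.game 10055 1 /data/data/com.example.game
com.example.suite.mail 10060 0 /data/data/com.example.suite.mail
com.example.suite.calendar 10060 0 /data/data/com.example.suite.calendar
com.example.oem.settings 1000 0 /data/data/com.example.oem.settings
truncated.line 10070
"""


def parse_packages_list(text):
    """Return (records, malformed) where a record is (package, uid, debuggable, data_dir)."""
    records, malformed = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            package = fields[0]
            uid = int(fields[1])
            debuggable = fields[2] == "1"
            data_dir = fields[3]
        except (IndexError, ValueError):
            # Keep lines we cannot interpret so they are reviewed, not silently dropped.
            malformed.append(line)
            continue
        records.append((package, uid, debuggable, data_dir))
    return records, malformed


def audit_uid_isolation(text):
    """Report where the 'one Linux user per app' boundary is shared or weakened."""
    records, malformed = parse_packages_list(text)
    by_uid = defaultdict(list)
    for package, uid, _, _ in records:
        by_uid[uid].append(package)
    return {
        # Packages with the same UID can read each other's private data.
        "shared_uid": {u: sorted(p) for u, p in by_uid.items() if len(p) > 1},
        # UIDs below the app range belong to system components.
        "below_app_range": sorted(p for p, u, _, _ in records if u < FIRST_APPLICATION_UID),
        "debuggable": sorted(p for p, _, dbg, _ in records if dbg),
        "malformed": malformed,
    }


if __name__ == "__main__":
    for finding, value in audit_uid_isolation(SAMPLE_PACKAGES_LIST).items():
        print(finding, value)
```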
lbcoder said:
EVERY SINGLE application installed is granted its own user account, which means that if any particular application is dangerous, its range of damage is restricted to that particular application's private data, as well as any permissions that the application is explicitly granted (i.e. when you install an application, it gives you the required security list).
Might be worth pointing out that android apps are for the most part interpreted language apps, meaning the onus of security and stability (just from an apk standpoint) falls largely on the vm. All the lower level subsystems are pretty well protected by the Linux kernel, and these have been significantly tried in fire by decades of Linux server deployment.
lbcoder said:
The system architecture of android is almost completely invulnerable to viruses/worms/etc.
jashsu said:
Might be worth pointing out that android apps are for the most part interpreted language apps, meaning the onus of security and stability (just from an apk standpoint) falls largely on the vm. All the lower level subsystems are pretty well protected by the Linux kernel, and these have been significantly tried in fire by decades of Linux server deployment.
All the points about the protection offered from the Linux kernel and the VM are valid. Computer security is an ongoing battle between the software originators and the hackers trying to get in. I'm not saying it's remotely likely, particularly due to the market share, but rule one in my book is don't taunt the hackers.
lbcoder said:
Take everything you know about microshaft windoze and forget it. The system architecture of android is almost completely invulnerable to viruses/worms/etc.
Until the Android Dev team screws up again and lets any app run in the system process when requested (which was why cupcake was delayed in the US).
thanks for the post.
I was curious if someone could unpack a .apk file and modify an application easily, say have it send personal info to xyz server instead of the server the app was designed for or send it to both servers so the user doesn't think anything is wrong.
Are the files in the .apk editable, like an .exe is compiled for windows and the .exe cannot be edited (since it's machine code)?
androidmonkey said:
thanks for the post.
I was curious if someone could unpack a .apk file and modify an application easily, say have it send personal info to xyz server instead of the server the app was designed for or send it to both servers so the user doesn't think anything is wrong.
Are the files in the .apk editable, like an .exe is compiled for windows and the .exe cannot be edited (since it's machine code)?
Yes, apks are basically just zip files with cryptographic signatures. If you get your apks from Market then there is little to no risk of apks being tampered with. If you install your apks from any source other than Market, then you just have to trust the source that the apk hasn't been modified. Obviously if the apk itself doesn't ask for many permissions then it shouldn't be a problem. For example if you download a game apk from a developer's personal webpage and it asks for just permission to keep the screen alive, there's little risk to your data. However if you download an app that has read/write access to your contacts, or has root access, then you better be sure that the site you get it from is trustworthy.
jashsu said:
Yes, apks are basically just zip files with cryptographic signatures. If you get your apks from Market then there is little to no risk of apks being tampered with. If you install your apks from any source other than Market, then you just have to trust the source that the apk hasn't been modified. Obviously if the apk itself doesn't ask for many permissions then it shouldn't be a problem. For example if you download a game apk from a developer's personal webpage and it asks for just permission to keep the screen alive, there's little risk to your data. However if you download an app that has read/write access to your contacts, or has root access, then you better be sure that the site you get it from is trustworthy.
So the files in the .apk are not executables, rather interpreted with the VM? I'm curious if those files can be read and changed. For instance, can someone open the file in a Java SDK and change the code? Or are those files protected so they can't be modified? For instance, could you download soundboard app from the Market, "unzip" the .apk, and put your own sounds in it?
androidmonkey said:
So the files in the .apk are not executables, rather interpreted with the VM? I'm curious if those files can be read and changed. For instance, can someone open the file in a Java SDK and change the code? Or are those files protected so they can't be modified? For instance, could you download soundboard app from the Market, "unzip" the .apk, and put your own sounds in it?
Unless the classes are specifically performing security/sanity checks, there's nothing keeping you from replacing asset files (pngs, wavs, etc) and then resigning the apk with any key of your choosing. However, altering xmls and classes is more difficult as they are obfuscated/optimized by default.
For apps distributed officially through the Android market, the only way Google can provide assurance for the app producer against tampering is the app-protected folder. Of course that assumes that root access is not provided, which is most likely a prerequisite for any phone to be branded "with Google" and have Market access. From the viewpoint of the consumer, apps are guaranteed by Google against tampering only if retrieved through Market. Once the app is on the device, it is protected via Android's use of Linux user access permission model (each app is its own user). The consumer may of course alter the file him/herself, unless it is a protected app, in which case root is required.
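What "zip files with cryptographic signatures" means for the original JAR-style (v1) signing scheme, as an added example that is not part of the original posts: the archive's `META-INF/MANIFEST.MF` lists a digest for every file, so a swapped or added asset shows up when the digests are recomputed. This checks only the manifest digests, not the signer's certificate, so an APK re-signed with a different key still passes; the sample archive and file names are constructed.

```python
import base64
import hashlib
import io
import zipfile

# v1 (JAR) signing manifest attribute -> hashlib algorithm name
DIGEST_ATTRS = {
    "SHA1-Digest": "sha1",
    "SHA-1-Digest": "sha1",
    "SHA-256-Digest": "sha256",
}
MANIFEST = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Return {entry name: {attribute: value}} from MANIFEST.MF text."""
    # Long lines are wrapped; a continuation line starts with a single space.
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line:            # a blank line ends the current section
            current = None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return entries


def audit_apk(apk_bytes):
    """Recompute each file's digest and compare it with the manifest entry."""
    report = {"ok": [], "mismatch": [], "unlisted": [], "missing": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        if MANIFEST not in apk.namelist():
            raise ValueError("no v1 signature manifest in archive")
        manifest = parse_manifest(apk.read(MANIFEST).decode("utf-8"))
        names = [n for n in apk.namelist()
                 if not n.startswith("META-INF/") and not n.endswith("/")]
        for name in names:
            attrs = manifest.get(name)
            if attrs is None:
                report["unlisted"].append(name)   # file added after signing
                continue
            data = apk.read(name)
            checks = [
                base64.b64encode(hashlib.new(algo, data).digest()).decode() == attrs[attr]
                for attr, algo in DIGEST_ATTRS.items() if attr in attrs
            ]
            # An entry with no recognised digest attribute counts as a mismatch.
            report["ok" if checks and all(checks) else "mismatch"].append(name)
        report["missing"] = sorted(set(manifest) - set(names))
    return report


def build_sample_apk(files, tamper=None):
    """Build a constructed, APK-shaped zip in memory (not a real app).

    The manifest is computed from `files`; entries in `tamper` replace or
    add archive members afterwards without updating the manifest.
    """
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA1-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(MANIFEST, manifest)
        for name, data in {**files, **(tamper or {})}.items():
            archive.writestr(name, data)
    return buf.getvalue()


SAMPLE_FILES = {
    "classes.dex": b"constructed dex placeholder",
    "assets/horn.wav": b"constructed wav placeholder",
}

if __name__ == "__main__":
    print(audit_apk(build_sample_apk(SAMPLE_FILES)))
    print(audit_apk(build_sample_apk(
        SAMPLE_FILES,
        tamper={"assets/horn.wav": b"swapped sound", "assets/extra.bin": b"x"},
    )))
```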
Sounds buggy. I hope not. This reminds me of when Mozilla Firefox became popular; I slowly started to see code become available to make pop-ups in my beloved browser.
Virus found on Android phone...
Article 1:
NEWS
An employee at Spanish antivirus firm Panda Security received a new Android-based Vodafone HTC Magic with malware on it, according to researchers at Panda Labs.
"Today one of our colleagues received a brand new Vodafone HTC Magic with Google's Android OS," researcher Pedro Bustamante wrote on the Panda Research Blog on Monday.
"The interesting thing is that when she plugged the phone to her PC via USB, her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious," he wrote. "A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into."
Article 2:
Mariposa virus back on Vodafone Android smartphones
According to a Spanish blogger, around 3,000 memory cards supplied by Vodafone Spain were infected with the Mariposa bot client. The mobile network operator has now reportedly confirmed that these included HTC Magic Android-based smartphone models, as well as other devices. A spokesperson for the company has told CNET that it is a "local incident". Vodafone says it has identified customers that could potentially be affected and it will be sending them new memory cards. It has also offered to supply them with tools to restore the integrity of their devices.
Reports of an HTC Magic smartphone carrying the virus were first published less than two weeks ago, however the malware is not able to harm the Android smartphone itself. The bot only attempts to contact a command & control server when connected to a Windows PC. The virus should be detected by most up-to-date anti-virus solutions.
Personal take:
Interesting to note that the virus was being carried on an Android phone and was used to infect PCs, NOT other Android phones. It came straight from manufacturing with the virus on, so as of yet I still haven't heard of a virus that can infect an Android phone.
Furthermore, I have seen anti-virus software on the marketplace AND being offered by Norton. What do they protect against if there are no known virus threats? Do they just draw a nice pretty anti-virus logo on the screen to make you feel comfy? hehehe.
Trojans in the hacked up ROMs people are distributing
androidmonkey said:
Sometimes I come across an app that's not on the Android market and you have to install it manually. Has anyone come across a virus/trojan on Android yet? I'm curious how easy or hard it is to modify a legit application and put a virus/trojan in it?
I've found a trojan in at least one of the ROMs being distributed on here. Even reported directly from the developer's own file sharing site.
"Stock" ROM http://forum.xda-developers.com/showthread.php?t=2066023
Attached is a photo of the file scanned from the linked file sharing site for the KERNEL he wants you to INSTALL!!
Click the link to JB_KERNEL_3.17.841.2_EVITA_Init.d_Support_Installer.zip - 8.54 MB in that thread and see for yourself.
Be careful what you install on your device. ANDR.Trojan.GingerBreak takes full administrative control of your device and downloads more trojans to siphon out your private personal data.

Android vs iPhone - A comparison of Security Models

Since there have been so many security discussions going on for Android and iPhone, I did a short post on the topic comparing the security models of both. Do chime in with your comments all
Android vs iPhone: Security Models
One point about the "sandbox".
You already pointed out that Apple doesn't have "permissions", but that also affects the sandbox. An app doesn't have to ask permission to get your personal data and they would have no way of stopping it even if it did.
Android not only requires the app to ask for the permission when you install it, they can also enforce that restriction if the permission wasn't requested. The Android sandbox does not allow code to do things it never advertised because it is running tightly controlled bytecodes that can be statically proven to only access the information it was given permission to access.
On the contrary, iOS apps can run any code without any controls other than what the reviewer observes.
So, the "permissions" and the tighter control of the Android sandbox combine to make the apps even more tightly restricted.
One thing I would love to see added to Android is the Blackberry style of permissions where each request can be set to "allow, ask each time, disallow" so you can disallow an app from using a permission it requested, or even allow it, but require the OS to ask you to verify each time the app uses that capability. Right now Android says "this is what it *WILL* do and if you install it I won't do anything to restrict it - either accept this or don't install the app" which is very limiting.
There are quite a few apps that I've installed which asked for permissions that it isn't important for me to give them. I want to use their main feature, but the programmer went and added what they thought was a nifty unrelated feature and that secondary feature requires permissions. If I only want the main feature then I should be able to disallow the unnecessary "addon" permissions. (To name an example - a Zip file browsing app that wants to kill tasks? Really? Why? Oh, because the developer thought it was cool to add a task killer to every app in the market. D'oh!)
Also, the lack of this per-permission "line item veto" capability is teaching Android users to just blindly accept an app's permission requests because they all sound daunting even for benign apps and so they learn to stop thinking about it and the permission granting is really just noise for the sheep for the most part. Granted, there are a few security conscious users that will push back when apps request permissions outside of their needs, but it would be better if the average user would see every time an app does something suspicious, rather than just letting it happen willy-nilly under the covers and the security conscious would have better tools to investigate their suspicions by verifying that the app only generally does use the capabilities when it is about to do something worthwhile.
^^ I totally agree with what you say. And the ability to revoke certain permissions from the app at certain times is what I desire as well. This is something that always makes me doubtful when installing apps. They should at least do this for the internet permission. I know I can do this by rooting my phone but I want to be able to do it without rooting...

[Virus warning]Don't install Android Market Security app.

Just a quick word of advice for those of you who are feeling a bit icky due to recent viruses and malware in the Android market – don’t download the Android Market Security Tool. The version in the Android market is clean and straight from Google, but you do not need to install this on your own. Google will use this tool automatically whenever they do a security sweep.
There’s another version on alternate app stores with the same name and icon, but these are injected with viruses. Do not download these either, for obvious reasons. Your best bet is to let Google do what they do and if you’re still feeling a bit vulnerable, check out official offerings from Lookout, AVG and more. (Or just do extensive research and check permissions on the applications you do download.) [PC World]
(source Phandroid)
I wonder if this will be hijacked and re-posted by someone again.....

[Q] is there a patch for this bug 13678484 (fake id)

Can anyone make a patch for all variants of HD2 ROMs from GB up? I used the Bluebox app to check if my phone was vulnerable to this bug 13678484 (Fake ID) and my daily driver, barebone CM7 v2b, was, and I'd say all ROMs developed for HD2 are vulnerable. I have searched the net for how to patch this vulnerability but can't find the info anywhere. This is something I think all XDA devs for this device will have to sort out, as we cannot get help from carriers on this, as this is the advice that is given: "contact your carrier or phone vendor for patch". If anyone has advice on how to sort this out I would be very thankful. I think XDA should run a piece about this vulnerability and what steps are being taken by all devs on XDA to patch this vulnerability for older handsets like my HD2.
Bluebox Security revealed a significant security flaw that affects all Android devices since version 2.1. Our hyperbolic title mocks the fact that he had little to ignite the Internet powders. If the fault is real, it should take a step back and put the case in context instead of screaming panic for nothing.
A serious flaw that affects a large number of terminals
Very schematically, the fault Fake ID allows malware to authenticate using the signature of a known application to hide its true origin. The firm provides an example of a virus masquerading as an Adobe Systems and Google software which would be able to become a Trojan horse or steal data used by Google Wallet acquiring the necessary permissions without using the user.
The flaw is serious. However, Google has already been made aware, it has already released a patch it sent to its partners, it corrected the flaw in Android 4.4 KitKat, it scanned Google Play and can say that no application in its store uses this vulnerability. Finally, Verify Apps, which monitors the behavior of applications on an Android device, is also fixed and can detect an application attempting to exploit Fake ID.
A patch already in place and a flaw in a very limited scope that still show that Google still has work to do in terms of security
In short, it is true that it is possible to be a victim of this fault, but it requires a terminal that has not been updated, download an application containing malware does not come from Google and Play Verify Apps have disabled or have an Android version of which is free. Suffice to say that the cases in question are very limited.
This flaw shows that Google still has work to do in terms of its security strategy. Last month, we decried the lax features of the Play Store. Today, we are dealing with a flaw of a limited scope, but was discovered by analyzing the shortcomings of the source code of the operating system.
While the info you have given is fine and I thank you for it, there are other app stores people use besides the Google Play store, and reading up on this bug it is still possible their phones could become compromised downloading apps from them?
A Big Big Thank You
Just an update: opssemnik backported the fake id xposed module and it works perfectly with gb roms a big big thank you to him. he also supplied a link in the comments on http://www.xda-developers.com/android/fight-fake-id-vulnerability-xposed/ So once again a big thank you to opssemnik

[Guide] A little guide to security & privacy on Android - Update 01.08.15

A little intro:
I spent a lot of time with malware on windows and which apps/settings can actually protect you. By working with malware you also get a lot of background info on how people / companies / governments can steal your privacy from you and how to protect yourself against it. When I decided to care about all that, I noticed that a lot of "security forum experts for PCs" have no clue about Android and its risks although probably the same if not more data is stored on our phones than on our PCs. So I decided to do some background research, worked with Android malware and played around with the different ways and options that can protect your security & privacy.
When I am looking for a security setup then I want one that is reliable & easy-to-work-with but also lightweight on the system. I don't want my security setup to cripple down my system.
I have done similar guides for Windows and as I haven't seen anything likewise for Android I thought I would give it a go.
What can you do to protect your security & privacy:
Security - Firewall: To block incoming / outgoing traffic per app or per IP/DNS/Port. Can drain the battery and be a pain to configure on Android.
Security - Antivirus: To scan files after they have been downloaded or to scan files after they have been installed. Due to the way Android is coded it is not possible to scan in real-time (while downloading, while installing) which means you can't detect malware based on their behavior. AVs on Android can only detect malware by their signature which is easy to bypass. However, it is still better than nothing and a one-time scan of downloaded files or an on-demand scan while your phone is charging won't hurt your battery or slow down the device. A lot of AV products come with multiple features built in. Some of them are often useless (e.g. maybe anti-theft), others are worth the usage (e.g. security audits for non-fixed exploit vulnerabilities or bad system settings e.g. USB-Debugging enabled).
Security - SuperSU: To actively manage which apps will get "unlimited" root access.
Security - Password manager: Use a password manager for all your passwords. Built-in password managers (e.g. browser, ftp, mail, etc.) aren't really a safe solution (even with the so-called "master password"). Apps like KeePass offer a lot more than just having all your passwords stored safely. It lets me open apps + automatic login with just 2 clicks (e.g. FTP, SSH, Mail, Browser,...). It lets me create unique passwords so that I won't be using the same password on all websites. And there is still a lot more.
Security & Privacy - DNS: Change the DNS-Server you use to something like NortonDNS which will protect you from malware/phishing sites as well as semi-bypass the tracking of browsing behavior by your phone/internet provider. The DNS provider/resolver that you use (usually your phone/internet provider) will transform the domain you want to access into the IP address of the desired server (the one which hosts the website you want to visit). This means that whatever domain you are going to browse will be transmitted to your DNS provider... so choose one carefully! Also the better the connection to your DNS provider is (and the better the provider's connection to the world-wide-web is) the faster your domain requests will be processed.
Security & Privacy - VPN: An easy way for attackers in your network (especially open & free wifi) to steal data from you is MITM (Man In The Middle) attacks. They can modify SSL certificates, which means even using HTTPS might not always be safe, or simply read your network activity (such as logins which includes accounts + password). By using a VPN all the traffic that leaves your device will be encrypted and routed directly to a safe receiver which means no one can interrupt your traffic and sniff (read) it.
Security & Privacy - SSH-Tunnel: Using an SSH-Tunnel has pretty much the same effect as using a VPN but the difference is you have to configure each app that you want to use the SSH-Tunnel. I prefer this method on Windows as I can encrypt only the traffic of my browser/mail/communicator while playing games or other apps will use the non-encrypted (and often faster) internet connection. Sadly there is no app on Android that in my opinion works flawlessly as SSH-Tunnel client.
Security & Privacy - Adblockers: We all know adblockers. They block ads and trackers to protect your privacy and some of them (e.g. mdl-malwaredomainlist) also protect you from malware & phishing websites.
Privacy - App Ops: App Ops or similar apps let you block permissions per app which means whatever app is installed / running can be forced to not use specific permissions. E.g. you can block Facebook from using your GPS and tracking your location.
Privacy - Android 5.x disable allowed certificates: Every website and every (good) app will have a certificate that Android and also AVs check online to see if the website/app is trustworthy. Out-of-the-box Android allows many questionable certificates from governments and companies that might sell their certificates to websites/apps that are not so trustworthy. Since Android 5.x you can remove/add certificates to disallow governments or companies that sell their certificates to questionable websites/apps.
Privacy - Encrypt your phone: By encrypting your phone you ensure that no one who finds your phone will be easily able to read anything saved on your phone. Not even by entering the recovery mode. It may slow down the performance a bit and increase battery drain slightly, but for me (Nexus 6) I had no troubles so far.
You can make that list longer by using only secure apps for communication (e.g. encrypted chats with Telegram or using Firefox and add-ons such as HTTPS-Everywhere) but I think that is more advanced and takes away the freedom and choice of readers/users. So I will stop here as I think I have covered the basics and most important things.
Which setup should you choose?
Well first of all I recommend using only apps/services of companies that you can trust. E.g. companies that exist for a long time but haven’t done any questionable actions in the past. I have been a long-time-user of Comodo but looking at what Comodo has allowed itself in the past made me choose something different. On Android a good example are sms/call blockers. There are many options to choose from for example one is produced by a company named "NQ Security". Now do your google work and you will find some details that either makes you think of this company as trustworthy or not. Or maybe there are other companies with the same product which you would rather trust?
One thing to notice is that in the end your setup should cover most if not all aspects that I have mentioned above. Now you can either choose to use many different products (e.g. if they are free) or use one paid solution that covers everything at once. In any case, don't forget about stuff that might get installed but be useless to you. E.g. at some point I found my setup to have 3 different call blockers and 4 different sms blockers installed.
I have made a list of a few picks that I would recommend:
Must-Have
SuperSU / Rooted device (Click for Google play): 99% of all apps & configurations listed here will need your device to be rooted. Also SuperSU gives you a good overview about which apps have root access and is a good tool to configure those apps.
Override DNS (Click for Google play): It automatically changes the used DNS Server for 2G/3G/4G/WIFI to whatever you want (e.g. NortonDNS which has malware & phishing protection but also is one of the fastest DNS providers available world wide). Currently it is the only app that works with Android 5.x.
AdAway (Click for download link): Lets you block ads, tracking, malware and phishing sites. I recommend the standard sources + www.malwaredomainlist.com/hostslist/hosts.txt
App Ops (Click for Google play): App Ops lets you block permissions per app which means whatever app is installed / running can be forced to not use specific permissions. E.g. you can block Facebook from using your GPS and tracking your location.
KeePass2Android online/offline (Click for Google play): KeePass2Android comes as two different apps that you can choose from in the Google Play Store. One supports online syncing via various services so that you can sync your password database on all your devices (Android, Windows, OSX, Linux, iOS,...). The other option is called "KeePass2Android offline" which completely removes all features that would require an internet connection. The app doesn't even have permissions for internet connections! If you don't know KeePass, it is one of the oldest password managers around. It is open source, has a lot of plugins and the lightweight but feature-rich app supports nearly every device & operating system. On Android you can even log into websites from the browser via KeePass2Android by clicking -> Share -> KeePass2Android -> Log into your database -> it will automatically get the right login data for the website you are currently browsing and paste it into the login fields. My personal setup: KeePass2Android offline with another syncing/backup app that will sync my passwords via my own server. On my laptop I use KeePass with a plugin which replaces my browser's built-in password manager with KeePass.
GSP - Good Security Practice (Recommendations)
Disable untrusted certificates (Android 5.x) (Mozilla Firefox list of allowed certificates): Use a source you trust and check what certificates they usually allow in their software (e.g. Mozilla Firefox). Then check that with what is enabled in your Android's security settings and disable whatever Android has enabled but e.g. Mozilla Firefox doesn't.
A very recommended app is "Trust Manager (Click for Google play)" by Bluebox. It lists all certificates on the phone and sorts them by categories which makes it easy to disable all untrusted certificates within two clicks.
Encrypt your phone: Enable encryption of your Android device.
Antivirus: You can check AV-Test.org for monthly security reviews on mobile security products and choose from there. But I recommend either "Bitdefender Free" for a simple file-scanner of downloaded files and installed apps as well as on-demand scanner or "ESET Free/Premium" which includes file-scanner, security audit, sms & call blocker as well as phishing protection and even anti-theft if needed. Both companies are in my opinion very trustworthy and provided good results over the past months/years (not only on the mobile market but also the PC market). Avast is a free option with lots of features from another trustworthy company but I found it to be heavier on my system than Bitdefender or ESET.
VPN if you use public WIFI: I also recommend the use of a VPN from a trustworthy VPN provider. They don't cost too much and improve your security & privacy on public wifi a lot. Avast offers a great VPN service. Actually their app makes their services superior to me compared to other VPN providers and apps. You might want to try the Avast VPN 14-day-trial.
Firefox (HTTPS-Everywhere + Adblock Edge) > Chrome: Firefox seems to be the winner in terms of privacy and security. But on my system Chrome is a lot faster than Firefox.
TextSecure > Telegram > WhatsApp > Facebook: Telegram was my favorite choice until @muppetmania and @bmstrong informed me about flaws and trust issues with Telegram. Instead it is highly recommended to use TextSecure. It is available on iOS and Android. Feature wise it might not be as good as Telegram (e.g. missing desktop client for windows/osx/linux) but I believe that this is a fair trade for privacy.
The bottom line
I tried to give a little overview of what kind of protection is available and what it does. I also added my choice of tools which will provide you with protection. It is up to you to decide whether it is useful in your case (based on your phone-behavior) and if you are willing to pay money for it or rather use free services. I will gladly help you with any questions or configuration/setup related things. Please let me know if you have any suggestions or corrections so that I can improve this thread!
Useful resources / links
http://droid-break.info/
https://prism-break.org/en/categories/android/
https://guardianproject.info/apps/
https://people.torproject.org/~ioerror/skunkworks/moto_e/
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
https://medium.com/backchannel/why-i-m-saying-goodbye-to-apple-google-and-microsoft-78af12071bd
http://crashoverridenetwork.tumblr.com/post/109948061867/account-security-101-passwords-multifactor
http://dimitritholen.nl/how-to-reclaim-your-privacy-on-the-internet/
http://www.alternet.org/print/news-...ng-encryption-isnt-enough-protect-our-privacy
https://youtu.be/seNHe5oMquw
https://pack.resetthenet.org/
https://jrruethe.github.io/blog/2015/03/29/protect-yourself-online/
http://www.privacytools.io/
https://tacticaltech.org/projects/security-box
https://bluebox.com/technical/quest...into-the-root-certificates-on-mobile-devices/
https://securityinabox.org/en
http://www.infoworld.com/article/29...managers-for-pcs-macs-and-mobile-devices.html
https://www.reddit.com/r/trackers/comments/30xtk9/trackers_security_and_you/
AV tests & comparisons:
http://www.av-test.org/en/antivirus/mobile-devices/
http://www.av-comparatives.org/mobile-security/
Thanks to:
Yuki2718 @wilderssecurity.com for teaching me a few things
@bmstrong for useful links and suggestions
@muppetmania for pointing out flaws and trust issues with Telegram !
Changelog:
01.08.2015 - Removed Telegram and replaced it with TextSecure
28.06.2015 - Updated useful resources & links
08.06.2015 - Updated useful resources & links
06.06.15 - Added "Trust Manager" by Bluebox to quickly and easily disable a bunch of root certificates. Also added Avast VPN app
22.05.15 - Added a good link/explanation on non-trustworthy certificates that are installed on mobile devices out of the box ( https://bluebox.com/technical/quest...into-the-root-certificates-on-mobile-devices/ )
18.04.15 - Added resources for AV tests and comparisons
07.04.15 - Added more useful resources & links
21.03.15 - Added more useful resources & links; fixed a typo in the changelog
14.03.15 - Added more useful resources & links; also changed the thread title to give an easier view for new updates
10.03.15 - Added useful resources & links
06.03.15 - Added "password managers" and "KeePass2Android online/offline" as recommended password manager
01.03.15 - Added a more detailed description of DNS and why you should care about it
28.01.15 - Fixed typos and grammar
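The comparison described under "Disable untrusted certificates" in the guide above can be scripted; this is an added example, not part of the original post. It assumes the device's root certificates have been copied off as PEM files (on Android the system store is /system/etc/security/cacerts) and that the reference list is available as one PEM bundle; the function names, file names and certificate bytes below are constructed for illustration.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate block in pem_text."""
    found = []
    for match in PEM_BLOCK.finditer(pem_text):
        # Fingerprint the DER bytes, so line wrapping and trailing text dumps do not matter.
        der = base64.b64decode("".join(match.group(1).split()))
        found.append(hashlib.sha256(der).hexdigest())
    return found


def device_only(device_files, reference_bundle):
    """List (file name, fingerprint) for device roots absent from the reference bundle."""
    trusted = set(fingerprints(reference_bundle))
    extra = []
    for name, pem in sorted(device_files.items()):
        fps = fingerprints(pem)
        if not fps:
            raise ValueError(f"{name}: no certificate block found")
        extra.extend((name, fp) for fp in fps if fp not in trusted)
    return extra


def _constructed_pem(label):
    # Constructed stand-in: arbitrary bytes wrapped as PEM, not a real X.509 certificate.
    return ssl.DER_cert_to_PEM_cert(label)


# Constructed sample data; the file names are made up.
SAMPLE_REFERENCE = _constructed_pem(b"root-A") + _constructed_pem(b"root-B")
SAMPLE_DEVICE = {
    "aaaa0001.0": _constructed_pem(b"root-A") + "Certificate:\n    Data: (text dump)\n",
    "bbbb0002.0": _constructed_pem(b"root-B"),
    "cccc0003.0": _constructed_pem(b"root-C"),
}

if __name__ == "__main__":
    for name, fp in device_only(SAMPLE_DEVICE, SAMPLE_REFERENCE):
        print(f"{name}  sha256={fp}  not in reference list: review before disabling")
```

A fingerprint mismatch only means that exact certificate is not in the reference bundle; a CA that was re-issued with the same key also shows up here, so each hit is a candidate for review, not an automatic disable.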
zakazak said:
Changelog:
28.01.15 - Fixed typos and grammar
Interesting. Would like to see sections on GPG, U2F, 2FA applications, Android with Yubikey, etc.
bmstrong said:
Interesting. Would like to see sections on GPG, U2F, 2FA applications, Android with Yubikey, etc.
Thanks, I might add those later but I wanted to keep this guide as "easy" as possible so that every "normal" android user could increase his security and privacy with simple tools in a short time. E.g. yubikey is awesome and a very interesting topic but not very handy for the average guy?
01.03.15 - Added a more detailed description of DNS and why you should care about it.
http://crashoverridenetwork.tumblr.com/post/109948061867/account-security-101-passwords-multifactor
Really decent overview of general security.
bmstrong said:
http://crashoverridenetwork.tumblr.com/post/109948061867/account-security-101-passwords-multifactor
Really decent overview of general security.
Good suggestion, I have a few more and will add both (your link) and my stuff to the thread
KeePass2Android offline + KeePass on desktop + syncing via own server = win !
bmstrong said:
http://crashoverridenetwork.tumblr.com/post/109948061867/account-security-101-passwords-multifactor
Really decent overview of general security.
Aaaaand it's done ! Added password managers to the OP.
zakazak said:
Aaaaand it's done ! Added password managers to the OP.
Cool. You might want to touch on the open source vs. proprietary philosophy. Just being open source isn't necessarily better but I feel transparency is important part of security.
http://droid-break.info/
https://prism-break.org/en/categories/android/
https://guardianproject.info/apps/
https://people.torproject.org/~ioerror/skunkworks/moto_e/
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
https://medium.com/backchannel/why-i-m-saying-goodbye-to-apple-google-and-microsoft-78af12071bd
http://dimitritholen.nl/how-to-reclaim-your-privacy-on-the-internet/
Another very good privacy and security article.
bmstrong said:
http://crashoverridenetwork.tumblr.com/post/109948061867/account-security-101-passwords-multifactor
Really decent overview of general security.
bmstrong said:
http://dimitritholen.nl/how-to-reclaim-your-privacy-on-the-internet/
Another very good privacy and security article.
bmstrong said:
Cool. You might want to touch on the open source vs. proprietary philosophy. Just being open source isn't necessarily better but I feel transparency is important part of security.
http://droid-break.info/
https://prism-break.org/en/categories/android/
https://guardianproject.info/apps/
https://people.torproject.org/~ioerror/skunkworks/moto_e/
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
https://medium.com/backchannel/why-i-m-saying-goodbye-to-apple-google-and-microsoft-78af12071bd
Thanks ! I added all the links to the OP and mentioned you for giving such great feedback and suggestions
http://www.alternet.org/print/news-...ng-encryption-isnt-enough-protect-our-privacy
Interesting take on security in general.
bmstrong said:
http://www.alternet.org/print/news-...ng-encryption-isnt-enough-protect-our-privacy
Interesting take on security in general.
14.03.15 - Added more useful resources & links; also changed the thread title to give an easier view for new updates
Added your link... I will soon add a few of my links that I saved in my bookmarks. I will then split the "link category" in something like "good to know and what to do" and "privacy theory articles"... if you know what I mean
zakazak said:
10.03.15 - Added more useful resources & links; also changed the thread title to give an easier view for new updates
Added your link... I will soon add a few of my links that I saved in my bookmarks. I will then split the "link category" in something like "good to know and what to do" and "privacy theory articles"... if you know what I mean
Cool. Schneier has another book out now. Data and Goliath. This talk is worth the listen.
https://youtu.be/seNHe5oMquw
bmstrong said:
Cool. Schneier has another book out now. Data and Goliath. This talk is worth the listen.
https://youtu.be/seNHe5oMquw
21.03.15 - Added more useful resources & links; fixed a typo in the changelog
Thanks, took me some time to add the link, at the moment I don't have much time to improve the guide.
Utini said:
21.03.15 - Added more useful resources & links; fixed a typo in the changelog
Thanks, took me some time to add the link, at the moment I don't have much time to improve the guide.
As I'm concerned about privacy and security, thanks for your thread, but you forgot XPrivacy, the best privacy manager I know. It's not completely ready for Lollipop but works perfectly on KitKat. That is not its fault, it's Xposed, which has a bug that I hope will be resolved soon.
Good luck! Regards.
Cyclu said:
As I'm concerned about privacy and security, thanks for your thread, but you forgot XPrivacy, the best privacy manager I know. It's not completely ready for Lollipop but works perfectly on KitKat. That is not its fault, it's Xposed, which has a bug that I hope will be resolved soon.
Good luck! Regards.
You are right, XPrivacy seems to be a really nice tool but I haven't been able to try it myself (as it is not compatible with Android 5.x) which is the reason why I haven't added it to the list yet
I might give it a try on my Nexus 4 with Android KitKat !
https://pack.resetthenet.org/
https://jrruethe.github.io/blog/2015/03/29/protect-yourself-online/
http://www.privacytools.io/
https://tacticaltech.org/projects/security-box
bmstrong said:
https://pack.resetthenet.org/
https://jrruethe.github.io/blog/2015/03/29/protect-yourself-online/
http://www.privacytools.io/
https://tacticaltech.org/projects/security-box
Once again thanks for your input. I added them to the OP but I am still really busy with my job/reallife. I hope I can improve the OP soon.
Question about choices
Utini said:
Security - Antivirus: To scan files after they have been downloaded or to scan files after they have been installed. Due to the way Android is coded it is not possible to scan in real-time (while downloading, while installing) which means you can't detect malware based on their behavior. AVs on Android can only detect malware by their signature which is easy to bypass. However it is still better than nothing and a one-time scan of downloaded files or an on-demand scan while your phone is charging won't hurt your battery or slow down the device. A lot of AV products come with multiple features built in. Some of them are often useless (e.g. maybe anti-theft), others are worth the usage (e.g. security audits for non-fixed exploit vulnerabilities or bad system settings e.g. USB-Debugging enabled).
Antivirus: You can check AV-Test.org for monthly security reviews on mobile security products and choose from there. But I recommend either "Bitdefender Free" for a simple file-scanner of downloaded files and installed apps as well as on-demand scanner or "ESET Free/Premium" which includes file-scanner, security audit, sms & call blocker as well as phishing protection and even anti-theft if needed. Both companies are in my opinion very trustworthy and provided good results over the past months/years (not only on the mobile market but also the PC market). Avast is a free option with lots of features from another trustworthy company but I found it to be heavier on my system than Bitdefender or ESET.
Hi, I've been juggling this question for a few days now and I'm hoping you will have an answer to assist me. First, I have read your post and this is absolutely what I have been looking for for the past few weeks. Thanks has been given and I hope you keep this up. Second, I read the wildersecurity link but still do not have an answer to this question.
Why choose ESET Premium over BitDefender? Can you tell me what one offers that the other doesn't? I've been leaning to BitDefender only because I have and use an Android Wear device. Again, thank you for any assistance or time.
