Update:
PDroid privacy protection is now available for both CM7.2 and CM9 via BotBrew (no source or patching, just an install).
Still no sign of CM permission management in CM9.
See this thread for more info:
http://forum.xda-developers.com/showthread.php?t=1589259
End update
I tried CM9 alpha build 17. Still no sign of permissions management, so I flashed back to CM7.2.
Is anyone else waiting for permissions management to get merged before switching? Here is a poll, and also a place to discuss facts, rumors and idle gossip about permissions management.
I guess there's no reason we can't discuss the design of PM also, not that the CM devs will necessarily notice.
I would be interested in any ideas regarding how to take control of our phones and ensure they aren't selling us out byte by byte to the highest bidder.
https://play.google.com/store/apps/details?id=com.stericson.permissions&hl=en
bearsfan85 said:
https://play.google.com/store/apps/details?id=com.stericson.permissions&hl=en
"Permissions Denied" is a great app, but superseded by CM PM when available. It does have a feature I'd like to see in PM: the ability to control a given permission globally instead of just app by app. It would be good to be able to set for example "read phone state and identity" to be globally denied by default, and enable it as desired.
I was providing you an alternative, I never said that it's better or worse, thanks again for proving that people on XDA are ungrateful
bearsfan85 said:
I was providing you an alternative, I never said that it's better or worse, thanks again for proving that people on XDA are ungrateful
I should thank you for providing an unexplained link to an app I had used maybe a year ago? I should try hassling everyone I've given advice to to see if I can whine my way to a higher thanks count.
Or just ignore you instead.
cashmundy said:
I should thank you for providing an unexplained link to an app I had used maybe a year ago? I should try hassling everyone I've given advice to to see if I can whine my way to a higher thanks count.
Or just ignore you instead.
Next time I'll put the whole google play store description in a screen shot and attach it to the post, makes more sense? All the information you need is on the link. And you think I care about my thanks count? what do I have like 20 and I've been a member over a year, if I wanted to up my thanks count I'd go to the "bricked phone" threads and walk people through fixing their phones every 3 hrs.
It's also cute that you made a thread about a CM specific feature in a Vibrant section (though you did notice that the devs probably won't see it). You should post it on the cm website, oh and here's the kicker, maybe instead of complaining about it not being in there why don't you look at the source for it and port it to ICS, or do you not have the knowledge to do so?
Finally the last sentence in the OP, "I would be interested in any ideas regarding how to take control of our phones and ensure they aren't selling us out byte by byte to the highest bidder." apparently you aren't due to the snarky comment you left.
What "Permissions Management" is
So far three people have clicked on "what is PM?".
Permissions Management (not sure if that is the official name) is a CyanogenMod feature that allows you to disable permissions on an app-by-app basis. You first have to enable Settings.CyanogenMod Settings.Application.permission management.
Then, when you go to Manage Applications, pick an app and scroll down to the permissions, if you touch a given permission, it will change from normal type to strike-thru, showing that the permission is disabled.
The Whisper Systems approach looks even better. If Twitter ever frees the code, maybe it will get merged into some ICS variant.
See http://www.whispersys.com/permissions.html for info about that.
You can use PDroid on CM9 although you need to compile CM9 from source.
This thread has more info: http://forum.xda-developers.com/showthread.php?t=1554960
I have it running on i9100 (sgs2).
wkwkwk said:
You can use PDroid on CM9 although you need to compile CM9 from source.
This thread has more info: http://forum.xda-developers.com/showthread.php?t=1554960
I have it running on i9100 (sgs2).
Very very interesting. Thanks for posting this. Hopefully some of the ICS variants will integrate this into their roms.
BTW, thanks, ferhanmm.
There's another external app, LBE Privacy Guard, which can block access to various elements of the Java Android API. This one does need nothing but root.
https://play.google.com/store/apps/details?id=com.lbe.security.lite
I used it a few times while on Gingerbread CM7 because it delivers fake data to the blocked apps. Unlike CM7's permission control feature which often makes apps crash (except in case of the network permission).
Not sure if LBE works as well on ICS/CM9.
But... nevertheless, I, too, hope the CM7 permission feature comes back. It was just too convenient being integrated into the OS app management without a need for an external app.
Psyraven said:
There's another external app, LBE Privacy Guard, which can block access to various elements of the Java Android API. This one does need nothing but root.
https://play.google.com/store/apps/details?id=com.lbe.security.lite
I used it a few times while on Gingerbread CM7 because it delivers fake data to the blocked apps. Unlike CM7's permission control feature which often makes apps crash (except in case of the network permission).
Not sure if LBE works as well on ICS/CM9.
But... nevertheless, I, too, hope the CM7 permission feature comes back. It was just too convenient being integrated into the OS app management without a need for an external app.
Good note, thanks.
I tried LBE. It seemed to do less than Permission Denied, but actually work. PD was too buggy to be useful for me.
Neither are open-source, and both need root, so you do have to totally trust the authors.
Hopefully we will soon have an ICS with some sort of PM built in.
PDroid
I've decided PDroid is the way to go, much better than CM PM, which for political reasons will never have real teeth. I found an interesting CM forum thread where this is explained:
http://forum.cyanogenmod.com/topic/44589-combining-cyanogen-with-pdroid/
I think I'll start another poll, this time about PDroid, to maybe encourage rom developers to add it.
cashmundy said:
I've decided PDroid is the way to go, much better than CM PM, which for political reasons will never have real teeth. I found an interesting CM forum thread where this is explained:
http://forum.cyanogenmod.com/topic/44589-combining-cyanogen-with-pdroid/
I think I'll start another poll, this time about PDroid, to maybe encourage rom developers to add it.
I would love to use only PDroid and thus be free to choose other ROMs but PDroid doesn't support all possible permissions, especially the internet access thus CM's PM is still essential.
Furthermore even though I prioritize PDroid first, using CM PM for the same permission has its advantages for debugging.
Hopefully the other permissions can be added to PDroid, or perhaps they require hacks in the kernel or VM.
PDroid for CM7.2 and CM9
PDroid privacy protection is now available for both CM7.2 and CM9 via BotBrew (no source or patching, just an install).
See this thread for more info:
http://forum.xda-developers.com/showthread.php?t=1589259
Related
(Note posting in this topic as to dev category for obvious reasons)
This whole incident has taken me by surprise with the actions of Google against Cyanogen. Now the actions from my understanding so far are likely the result of the early release of the Market app with his new Donut based releases. There is a valid argument for Google in which it is their own proprietary code in which they want to release on their terms I would assume, however I prefer to take the side of the community. The community around XDA has supported and nurtured the development of the Android OS and the devices based upon it, with the developers pushing the limits on what they can do and implementing smarter and better solutions. We the community in a sense become beta testers for the latest and greatest Android has to offer, how many applications do you think have already added support for 1.6 due to Cyanogen's mods and our feedback?
In summary, I believe that while Google does have a valid argument against, it would better serve them to not continue with this course of action. I invite you all to write and use all social networks available to you to spread the word, submit to every news site, raise awareness of the problem. Don't waste your time with petitions, just spread the word, go viral with it.
Digg search for cyanogen:
http://digg.com/search?s=cyanogen
Original article:
http://androidandme.com/2009/09/hacks/cyanogenmod-in-trouble/
Facebook group:
http://www.facebook.com/group.php?gid=144634407186&ref=nf
Send tweets to @google also, flood the information stream.
Email the people at Engadget, Slashdot, Gizmodo, all the major blogs just to keep focus upon it.
Someone should put it up on reddit too, get some visibility on wired.com!
Listen, this situation is really cut and dry. Cyanogen had NO LICENSE to distribute the CLOSED SOURCE APPS. The rest of it is perfectly fine.
The solution:
Develop the roms, DELETE the closed source apps, sign, publish. When someone installs the roms, let them install the closed source apps themselves -- i.e., *somebody* (who won't be linked back to cyanogen) will likely post a simple "closed-source-google-apps-for-cyanogenmod-4.xx.xx.xx.zip" which can be installed from recovery mode.
Problem solved.
Won't that person then be "under-fire"?
gospeed.racer said:
Won't that person then be "under-fire"?
Only if the person gets caught.
tool to extract non free files and create a update image
If the binary files in a existing ROM can be used by cyanogenMod, what we need is a tool to reuse them in cyanogenMod. Am I wrong?
Or is it rebuild from source code ?
lbcoder said:
Listen, this situation is really cut and dry. Cyanogen had NO LICENSE to distribute the CLOSED SOURCE APPS. The rest of it is perfectly fine.
The solution:
Develop the roms, DELETE the closed source apps, sign, publish. When someone installs the roms, let them install the closed source apps themselves -- i.e., *somebody* (who won't be linked back to cyanogen) will likely post a simple "closed-source-google-apps-for-cyanogenmod-4.xx.xx.xx.zip" which can be installed from recovery mode.
Problem solved.
Are you a lawyer? no. So don't give your interpretation of what Cyanogen's license was and wasn't. You already started a thread about it and you're spamming the hell out of another. Don't mess with legal guesses, it's a bad bad idea. As I am someone who is studying law (and also a programmer/generally tech-smart), I am doing and suggesting to stay the hell away from that part when possible. Law -> politics -> flamewars -> ad hominem/bad posts. This is not tvtropes.
Meanwhile, can you even get past the start/initialization page without having the closed source apps, as they are market/gmail? This question is to actual modders.
Google has made a mess of this, if they stop him from distributing with the apps it's only going to get *waaaay* messier.
You, are an IDIOT.
What happens when you *assume*? I'm sure that if you are, in fact, a law student (as you imply yourself to be, though you really only call yourself a "student" of the law, which could mean that you simply watch CNN from time to time), that this would have been answered on the first day of your first class.
Cyanogen's license *IS EXACTLY* the same as the license granted to *ALL OTHER USERS*. You want to read it? Its in your phone under About Phone --> Legal Information --> Google legal. Until you have read and understand *it all*, you should immediately cease offering your suggestions.
Edit: I just noticed your post count... 3.
Amazing, the audacity of some people. Whenever things start to get beyond the understanding of the average, all the chicken-littles come out from the woodwork and start crying about how evil the big company is. It is a direct function of a lack of understanding of the issues.
My advice: FORGET ABOUT IT. This has nothing to do with you and most likely won't have any (significant) impact on your life. At worst, you will have to add ONE SMALL STEP to the process of flashing the latest modrom.
Let me repeat: THIS IS NOT A BIG DEAL! IT DOESN'T REALLY MATTER! Your phone is NOT about to catch on fire or start spying on you.
Oh, and for your information: regarding how I know what Cyanogen's license was....
1) the fact that it is included with the phone.
2) the fact that he received a c&d order (which they wouldn't send if he was licensed, or if they had, it would be the simplest matter to resolve).
3) the fact that he said so himself.
designerfx said:
Are you a lawyer? no. So don't give your interpretation of what Cyanogen's license was and wasn't. You already started a thread about it and you're spamming the hell out of another. Don't mess with legal guesses, it's a bad bad idea. As I am someone who is studying law (and also a programmer/generally tech-smart), I am doing and suggesting to stay the hell away from that part when possible. Law -> politics -> flamewars -> ad hominem/bad posts. This is not tvtropes.
Meanwhile, can you even get past the start/initialization page without having the closed source apps, as they are market/gmail? This question is to actual modders.
Google has made a mess of this, if they stop him from distributing with the apps it's only going to get *waaaay* messier.
gospeed.racer said:
Won't that person then be "under-fire"?
At this point we're talking warez, and though I won't advocate warez, when was the last time you saw Ahmed Ahmed Ahmed from Iran get persecuted for distributing warez?
Remember that the US government can't even find Bin Laden....
Or the apps can be pulled by the users from *legitimate* images, like ADP1. This, at least, is legal for owners of ADP1's for use on ADP1's.
Frankly, adding a step to complicate the process would probably go at least a little way in getting the super-noobs out of the game. They get *really* annoying.
Oh FYI: I got that board you sent me more-or-less cleaned up now, going to start mapping it out soon.
setupr said:
If the binary files in a existing ROM can be used by cyanogenMod, what we need is a tool to reuse them in cyanogenMod. Am I wrong?
Or is it rebuild from source code ?
Exactly. It is incredibly simple.
unzip official-update.zip path/to/file1 path/to/file2 ... path/to/fileN
zip -g mod-rom-update.zip path/to/file1 path/to/file2 ... path/to/fileN
java -jar testsign.jar mod-rom-update.zip
Then just copy file to /sdcard/, recovery, flash, done.
Yeah, I know that us modders will continue to be doing the same thing and continue on, I know they aren't going after the entire community. It was for distributing the new Market app before its release as I understand currently. Hell, all I would do is an adb pull from a rom and push it into a new release. Just like I will be doing with the Market app if he can't put it in another release haha.
However the point of this thread was not to see if Google had the right to do that, they did. It is that simple. It is their proprietary code that was released early, by cyanogen, but I think it is unnecessary. The point of it was to support cyanogen for more ideological reasons, this community pushes the development at a rapid pace. My Dream would have been a nightmare without the likes of JF, haykuro, cyanogen, Dude, etc. With cyanogen releasing Donut in his builds, our community has been pushing developers to up their support to it and fix bugs relating to 1.6 before it is pushed as an update. The same thing with the Market app applies, how many of those apps have screenshots already? Why alienate the true heart of the device, we are basically beta testers for those of us running experimental roms. I understand the Google position, I just wish they would see that no harm, no foul.
And don't equate the amount someone posts to the boards to their understanding of a situation. There are quite a few people that just get the ROMs, run them and can use a search button if they have problems.
holy cow batman, flame much? Some people lurk for a long time before registering such as I.
I agree it's a small issue, and cyanogen is probably already working on it at least based off of his twitter. However, it doesn't matter what you or I feels about the licensing, nor even what the courts would interpret were it to get to that point.
It however, is very inappropriate to be ad hominem and/or bar threatening to people over this issue, basically getting worked up yourself. Honestly, playing seniority and insulting my schooling? I was not trying to be threatening to you, simply pointing out that you are not a spokesperson for interpreting a software license. Really, it's like you went into an emotional rage the minute cyanogen got the C&D.
Cyanogen in trouble
I can't believe Google is pulling this crap. I can only hope that Google is smart enough to work something out with Cyanogen so he may continue to share his awesome developments. I would expect some restrictions, but they need to work with him and let him do his thing. Otherwise, where's the incentive for anyone else following in his footsteps to make programs better for Google?
setupr said:
If the binary files in a existing ROM can be used by cyanogenMod, what we need is a tool to reuse them in cyanogenMod. Am I wrong?
Or is it rebuild from source code ?
Maybe this is the answer?
cyanogen : And regarding the keep-proprietary-apps-on-device-for-custom-rom install, with all the odexing and resource id mismatches... Ugh.
http://twitter.com/cyanogen/status/4384352484
Just a general warning to those who seek out APK's on the internet.
I've noticed an increasing number of people posting APK links on XDA-developers using 3rd party hosting such as multi-upload instead of the official developers websites. This is a potential security risk to your own phone, because Android code CAN be decompiled, and dodgy code can be added before re-uploading. You are at a greater risk of downloading compromised APK's if you download them from an untrusted party.
Many of these APK's seem to be hosted officially by the developers already, so please link directly to the developers OWN servers when possible, and those who use their phone for business or store sensitive data on it, should avoid using APK's from sources which weren't set up by the original developers.
andrewluecke said:
Just a general warning to those who seek out APK's on the internet.
I've noticed an increasing number of people posting APK links on XDA-developers using 3rd party hosting such as multi-upload instead of the official developers websites. This is a potential security risk to your own phone, because Android code CAN be decompiled, and dodgy code can be added before re-uploading. You are at a greater risk of downloading compromised APK's if you download them from an untrusted party.
Many of these APK's seem to be hosted officially by the developers already, so please link directly to the developers OWN servers when possible, and those who use their phone for business or store sensitive data on it, should avoid using APK's from sources which weren't set up by the original developers.
First off: Who's to say the original developer can't put this so-called "dodgy code" in their own apks?
Secondly: The Android marketplace doesn't have any strict rules as to what someone can post, and the code isn't even checked. You have just as high a chance of getting this "dodgy code" from any app you download straight from the market.
Nobody. But it is a hell of a lot safer from a trusted first party, than being passed down a chain of untrusted people before it makes its way to you. Especially since apk's don't seem to be digitally signed (I may be wrong).
I'm just concerned that you can post any APK you want here which have an official website, insert a trojan, and nobody would be none the wiser. I'd simply like to see a change in attitude.. If someone posts an unofficial link to an APK which is already available by developers, I'd like to see people stand up and point to the OFFICIAL website.
At the moment, people are actually ENCOURAGING bad security practices, and doing so makes XDA a target ripe for future attack. And I don't want to wake up to a forum of people *****ing about Samsung, for a problem caused because of a trojaned copy of Angry birds beta on XDA.
We should build awareness now for people to get files from the last link in the chain, rather than wait for someone to try it (which they probably will, and may have already done)
andrewluecke said:
Nobody. But it is a hell of a lot safer from a trusted first party, than being passed down a chain of untrusted people before it makes its way to you. Especially since apk's don't seem to be digitally signed (I may be wrong).
I'm just concerned that you can post any APK you want here which have an official website, insert a trojan, and nobody would be none the wiser. I'd simply like to see a change in attitude.. If someone posts an unofficial link to an APK which is already available by developers, I'd like to see people stand up and point to the OFFICIAL website.
At the moment, people are actually ENCOURAGING bad security practices, and doing so makes XDA a target ripe for future attack. And I don't want to wake up to a forum of people *****ing about Samsung, for a problem caused because of a trojaned copy of Angry birds beta on XDA.
We should build awareness now for people to get files from the last link in the chain, rather than wait for someone to try it (which they probably will, and may have already done)
Are you familiar with modifying an APK? It is not nearly as easy as you make it seem. If the developer doesn't release the source code, it can't easily be functionally modified minus a few graphics and the like. Not to mention, this is how the iPhone jailbreak system works in regards to getting content. And has been going on with PC for years.
I really do not think it's something we have to worry about. Just install an anti-virus on your phone if you're worried.
1) Grab 7zip to decompress your apk package.
2) And yep, there are tools to decompile dex files too. Technically it seems to be more like disassembly, but can probably easily be modified to cause the app to ring russian phone sex numbers every 10 minutes without your consent, or do other nasty things. There are some security mechanisms in place, but that doesn't make them invincible.
You tell me, what is the advantage of encouraging reposting of APK's with already existing websites? Because it doesn't seem to have any advantages, but can have BAD security implications.
Good thing to raise awareness among users, but alas - most of them don't even bother to read the permissions requested by apps downloaded from the market.
There are actually quite few people that have an idea of what could happen if they had a rogue app on their phones. I recently tried to give a similar general warning in another forum that people should take care when flashing "beta" firmwares downloaded from some hosting site and not from the developer... You think most of them cared? Sadly they didn't...
There's nothing wrong with being a bit cautious and smart about the way we do things. I'll trust the app if I see the dev is in "the" community.
Sent from my GT-I9000M using XDA App
andrewluecke said:
1) Grab 7zip to decompress your apk package.
2) And yep, there are tools to decompile dex files too. Technically it seems to be more like disassembly, but can probably easily be modified to cause the app to ring russian phone sex numbers every 10 minutes without your consent, or do other nasty things. There are some security mechanisms in place, but that doesn't make them invincible.
You tell me, what is the advantage of encouraging reposting of APK's with already existing websites? Because it doesn't seem to have any advantages, but can have BAD security implications.
So, obviously you've never tried to actually edit one of those XML files within it. try that and get back to me.
APK's are not open source and cannot be decompiled and edited. The only way for what you are suggesting can happen, to happen, is if the APK in question had its sources released so someone else could release an edited version of the program, made from scratch, in java.
"can probably" is not very sure. The chances of someone posting a completely separate app with the name of a well known app is much more likely than someone editing an existing app (assuming the sources were available).
If you have no clue about android apk development why even bother arguing?
opensourcefan said:
There's nothing wrong with being a bit cautious and smart about the way we do things. I'll trust the app if I see the dev is in "the" community.
Sent from my GT-I9000M using XDA App
Agree 100%. Much better said! You don't know who's releasing what, so watch what you're installing and just make sure it looks like the program you were looking for in the first place..
Electroz said:
So, obviously you've never tried to actually edit one of those XML files within it. try that and get back to me.
Refer to apktool Link
Or Apk Manager (My Signature)
Xml's can be 100% decompiled/recompiled from binary to human readable and back thanks to apktool.
2 options to make sure ur safe :
1. Dont install root applications (they require 0 upfront standard android api permissions hence u won't know what its doing behind the scenes)
2. Install apps by transferring them to ur phone and using the package manager, that way you can see standard permissions (if any) and judge accordingly.
You know what would be cool, if superuser could log the "su" commands a root requiring app executes
Daneshm90 said:
Refer to apktool Link
Or Apk Manager (My Signature)
Xml's can be 100% decompiled/recompiled from binary to human readable and back thanks to apktool.
Wow, my bad.... But no wonder major game companies aren't developing for the platform yet.
But even if the apk that u downloaded from the net have a virus (eg. sends SMS to get money), you will still see the permission when installing so an antivirus isnt needed, or am i wrong?
leoon said:
But even if the apk that u downloaded from the net have a virus (eg. sends SMS to get money), you will still see the permission when installing so an antivirus isnt needed, or am i wrong?
If its a non-root requiring app then yes, it must disclose its permissions prior to installing it through package manager not if u use adb to install.
You just have to judge, if a wifi toggle app is asking for email/sms permissions, you might want to be careful
As for root-requiring apps, theres not much you can do other than read reviews for that app or decompile and try to understand what its doing behind the scenes.
Electroz said:
Wow, my bad.... But no wonder major game companies aren't developing for the platform yet.
It's quite easy to modify disassembled app code as well - trust me ;-) Also I think we will have possibility to decompile to Java code in the future.
Just don't think of your phone as a smaller PC (especially Windows), because this isn't true. There will never be antiviruses for Android and your only protection are permissions. Anyone could create market account and upload malicious app.
About game companies: they usually write in native code and it's really hard to decompile (or maybe even impossible for now). Besides... did you hear about gameloft's recent games? They're really awesome. Note that first 3d-gaming capable Android phones were released just ~10 months ago, so it's still quite early.
leoon said:
But even if the apk that u downloaded from the net have a virus (eg. sends SMS to get money), you will still see the permission when installing so an antivirus isnt needed, or am i wrong?
It should, however, what if it is an alternate launcher, in which case, you'd expect it to be able to send SMS's and make phone calls. That's all fine, until you realise the copy of launcherPro you downloaded using a multi-upload in XDA is having phone sex with a russian operator costing you hundreds of dollars.
It's actually good Brut spoke here. Brut[Maps] is relevant, because it introduces new features which distinguishes it from Google's version. However, can we trust Brut as much as we can trust Google? He seems trustworthy yes, but as trustworthy as Google? Questionable. (Btw Brut, good work on your mod). Of course, his mod does have considerable benefits showing he is interested in helping the community and he hasn't caused any problems thus far. That only means his official multi-upload posts are safe though, if I repost them elsewhere, you shouldn't trust my copies.
It's common sense that programs should pass by as few hands as possible to remain secure. We need to build awareness about security practices (particularly for business users who may compromise their companies security or information). I'm not saying all rom's are safe.. Think about it though, if an APK is already readily accessible, why would someone go through the effort of re-uploading it?
Furthermore, we should encourage people using their phone's for important purposes to use the official Kies releases, not random firmware's available from Samfirmware's (which may not even be final versions).
Remember, trojans are common in the warez world, and it's better to change the attitude of the community before they become a problem here too (otherwise, people will be stuck in a poor mindset that compromises herd immunity). XDA is a website targeted at the technical crowd, and we should set a good example.
@Electroz. Haven't disassembled them myself, but checked a tutorial. But someone has responded already anyway.. Just because I don't have experience doing it myself anyway, doesn't mean it isn't widely known to be possible.
Several big guys already launched Antivirus For Android
Norton, Trend, and a few more
I think we are pretty safe with those
however... it sucks if they run in the background all the time eating the juice+cpu power away
Anti-virus only helps for known trojans anyway, and since so few people have it installed, it doesn't help much. When Android has it built in though, it may be more useful.
Anti-virus should be considered a last line of defense anyway. And either way, I'm not concerned, because I try to minimise the risks of my own sgs. However, it's a concern that people here don't believe such a risk exists, and are actually encouraging a global attitude which might make the Android population ripe for social engineering attacks in the future.
@andrewluecke
I understand you, I don't say there is no problem with security. I say it doesn't matter whether you get malicious software from a mirror or the Market itself. We could assume apps downloaded from WWW are more dangerous, but this problem is a general one: people should be cautious whenever they install something with critical permissions. If they aren't, they will have problems anyway - it's just a matter of time.
I agree with you: it's important to make people aware of that problem. This is actually the only thing we can do: be aware and cautious.
Ahh and in many situations it's possible to protect yourself against problem with redistribution. First, you could check md5 - many developers give it to people, I do. Second: signatures. Each app is signed by its author, so you could check its authenticity. You could check signatures of downloaded apk using public key uploaded by dev to his WWW or using "safe" apk you downloaded earlier. Unfortunately there are no tools to do that easily :-/ Also Android does this check automatically when you install new software. So if you have installed e.g. GM modded by me, then you have downloaded a new version from some mirror and succeeded at installing it, you can be sure it was also from me and nobody modified it.
AllGamer said:
Several big guys already launched Antivirus For Android
Norton, Trend, and a few more
Hmm? I think it's impossible, because apps can't get to the data and resources of other apps. And creating an app for root users only wouldn't make much sense.
I have found Norton Smartphone Security for Android and it's anti-theft protection, not anti-virus.
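The md5 check and the comparison against a "safe" earlier download mentioned in the post above, as an added example that is not part of the original thread. The function names and the two sample archives are constructed for illustration; the per-file diff compares contents only and does not replace the signature check Android performs at install time.

```python
import hashlib
import hmac
import io
import zipfile

# Hex-digest length -> algorithm, so a published md5, sha1 or sha256 sum all work.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}


def matches_published(apk: bytes, published: str) -> bool:
    """True if the downloaded bytes hash to the sum the developer published."""
    published = published.strip().lower()
    algo = ALGO_BY_HEXLEN.get(len(published))
    if algo is None:
        raise ValueError("unrecognised digest length")
    # MD5 and SHA-1 are collision-prone; prefer SHA-256 when one is published.
    digest = hashlib.new(algo, apk).hexdigest()
    return hmac.compare_digest(digest, published)


def _index(blob: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}


def changed_entries(trusted: bytes, candidate: bytes) -> dict:
    """Per-file diff between a known-good APK and another copy of the same version."""
    a, b = _index(trusted), _index(candidate)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def build_sample(files: dict) -> bytes:
    """Constructed stand-in for an APK (an APK is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed sample data: the developer's build and a repackaged mirror copy.
ORIGINAL = build_sample({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-v1"})
MIRROR = build_sample({"AndroidManifest.xml": b"<manifest/>",
                       "classes.dex": b"dex-v1+extra", "lib/extra.so": b"\x7fELF"})
PUBLISHED_MD5 = hashlib.md5(ORIGINAL).hexdigest()  # what the developer would post

if __name__ == "__main__":
    print(matches_published(ORIGINAL, PUBLISHED_MD5), matches_published(MIRROR, PUBLISHED_MD5))
    print(changed_entries(ORIGINAL, MIRROR))
```

For real files, read the APK with `open(path, "rb").read()` and pass the bytes in place of the constructed samples.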
I'm not a coder and came from IT field so I have lots of general questions about apk security and found this thread...great discussion. TY
Just a general question about apk security...how easy is it to alter apk for malicious intent? And is it possible for spyware writers to turn some freebie apk or rom into a bunch of botnet drones? ...just kinda scary to imagine
The news about the Android virus gets me nervous about installing any apk released from any individual
http://www.talkandroid.com/24949-new-android-trojan-virus-discovered-dubbed-gemini/
kobesabi said:
how easy is it to alter apk for malicious intent?
Quite easy for a good developer.
kobesabi said:
And is it possible for spyware writers to turn some freebie apk or rom into a bunch of botnet drones?
Yes, but I think that would be quickly noticed by people and then these apks, roms and developers would be banned from every forum on the internet.
Brut.all said:
Quite easy for a good developer.
Yes, but I think that would be quickly noticed by people and then these apks, roms and developers would be banned from every forum on the internet.
Wow, scary. Unless there is something else, that they can't get away, I don't think banning would deter much, they just laugh at the weak security as a fun challenge. If they already got tons of ip under their control...banning by account, ip, or email will not help much...they can always get new ones.
Is there a way a user can authenticate/verify apk signing from the authentic author/writer? Many just post an apk but do not post an md5 or sha sum, so how can a user find out if it is original or not?
Any way to test these apks without loading them onto a real phone?
How can I know that a custom rom has not been tainted with malicious code or rootkits somewhere along the line? Is it usual to get google security updates from the developers for a particular rom? Is there a team that audits code? It would be nice if xda rom developers had homepages that discussed these issues - I haven't found any yet. If there are some that exist, please let me know.
I mean no disrespect to devs, and I do appreciate all your hard work.
However,
+1
Basically you have to have some blind faith and the hope that some ROM users check codes.
Also +1
Sent from my ADR6300 using XDA App
Usually we are pretty good at finding these kinds of ROMs / malicious code thanks to the diligent community of developers. Although we haven't seen any, it is quite possible for it to happen with some "rogue" app included. The main reason this doesn't happen is the fact that editing system APKs is tough, as editing them can break other apps' dependencies, which would raise a flag quickly for users. In my opinion we are pretty safe; if you do encounter such an instance please report the offending thread and it will be handled.
Captainkrtek said:
Usually we are pretty good at finding these kinds of ROMs / malicious code thanks to the diligent community of developers. Although we haven't seen any, it is quite possible for it to happen with some "rogue" app included. The main reason this doesn't happen is the fact that editing system APKs is tough, as editing them can break other apps' dependencies, which would raise a flag quickly for users. In my opinion we are pretty safe; if you do encounter such an instance please report the offending thread and it will be handled.
I wonder how many lines of kernel code it would take to do a malicious kernel exploit. What if there were a malicious version of ls or mv? Would anyone notice in time to prevent a drastic failure?
So people are at least slightly aware of the news about NSA/PRISM and how Google is taking part in handing over our personal data.
I know it's a small step but I'm thinking of removing Gapps and making my phone slightly less compromised than it is now.
Anyone else done this? I've already been recommended F-Droid as an alternative by someone, it's probably not even 10% as good as the Play store but I'm more concerned with not being snooped on.
Removing GAPPS lol doesn't mean Google can't still put ads on your phone... and like all of us on this forum, why would anyone spy on us... Unless we are in the mob or a criminal... I'm sure Google has no interest in snooping on you, man. Don't be so paranoid
Sent from my Galaxy Nexus using Tapatalk 2
---------- Post added at 11:14 PM ---------- Previous post was at 11:09 PM ----------
And all these people who think Google is snooping on them look dumb...Google is using your actions..like clicked ads and what you buy... Why would a billion dollar company want to spy on a no name android user
Sent from my Galaxy Nexus using Tapatalk 2
This is a valid question which I'd also like answered. I suspect that running CM or other AOSP ROMs without installing GApps will be sufficient.
Those who do not appreciate this discussion are kindly invited to abstain from commenting.
I'm sure even without Gapps there is some low level thing that can collect your data.. Android is maintained by Google..
-Grift- said:
I'm sure even without Gapps there is some low level thing that can collect your data.. Android is maintained by Google..
When using CyanogenMod there isn't. Only if you install apps that do this.
And seriously, stop with the trolling. You're not helping the discussion and you're getting reported. I'm not "afraid", "butthurt", or "paranoid". Google have openly admitted that they don't care about our privacy.
http://www.theguardian.com/technology/2013/aug/14/google-gmail-users-privacy-email-lawsuit
wrsg said:
When using CyanogenMod there isn't. Only if you install apps that do this.
And seriously, stop with the trolling. You're not helping the discussion and you're getting reported. I'm not "afraid", "butthurt", or "paranoid". Google have openly admitted that they don't care about our privacy.
http://www.theguardian.com/technology/2013/aug/14/google-gmail-users-privacy-email-lawsuit
No no, I would just like to hear your view on it; take a look at this quote from Pulser_g2
Another unaddressed concern is why CM would prefer someone else make a privacy fork, rather than care about user privacy within the ROM (beyond the anti-leech properties of privacy guard). Apparently that wasn't within the scope of what they were doing.
Surely CM should be trying to push the envelope, making a fully usable and amazing experience ROM, as Steve said above, without betraying their users to advertisers and tracking networks who profit from selling the user as a product. While privacy guard is a good "half step" (stops apps like faces from harvesting your contacts without permission, for those who use it), it remains a half step, as it's still possible to uniquely identify a user by their device by any app, without any permissions (ahem, CPU serial and device serial number).
Since the user can't easily change these, they can forever be tracked, and have their actions sold on to others, based on these identifiers. Is that OK to do to the user, after telling them they're protected by privacy guard?
From here Link
Personally I don't think this is "trolling", but if you feel the need to report then please do.
-Grift- said:
No no, I would just like to hear your view on it; take a look at this quote from Pulser_g2
From here Link
Personally I don't think this is "trolling", but if you feel the need to report then please do.
Sorry, the request to stop the trolling wasn't meant at you. I just didn't think it was worth quoting each of them separately.
Thread closed
This thread leads to nonsense posts or flaming.
You like the Google Apps, use them; you don't like them or don't trust them, don't use them. It is that simple
Hello! I'm doing my bachelor thesis on Android security issues and I'd love to hear what you guys think about it, mainly on how you work with security issues when you develop your apps!
I threw together a quick 10 question multiple answer Google Docs form, should take 2-3 min max to fill out and it would really help me and hopefully lead to something that will benefit the Android dev community when it's finished!
It's totally anonymous and requires no registration and I don't need any contact info from you :fingers-crossed:
LINK: https://docs.google.com/forms/d/1fvs166K4C9lcv7bHeNnOLfeaHK3LQNmc1qGffWWYjO4/viewform
(While I'm aware that this is technically a question, I felt it goes under discussion rather than being a simple Q&A post, so that's why I posted here instead of the Q&A forum, hope you agree!)
Hi!
I read your questions but I don't think it's as easy as that.
The time spent on security varies very much with the kind of app. For example, you don't need to spend much time on security if there's no network interaction and no sensitive data which needs to be stored.
So I would have entered that I spend no time on security. That, however, doesn't mean that I wouldn't spend time on security if an app would require that.
Do you get my point?
QuestionAsker said:
Hello! I'm doing my bachelor thesis on Android security issues and I'd love to hear what you guys think about it, mainly on how you work with security issues when you develop your apps!
I threw together a quick 10 question multiple answer Google Docs form, should take 2-3 min max to fill out and it would really help me and hopefully lead to something that will benefit the Android dev community when it's finished!
It's totally anonymous and requires no registration and I don't need any contact info from you :fingers-crossed:
LINK: https://docs.google.com/forms/d/1fvs166K4C9lcv7bHeNnOLfeaHK3LQNmc1qGffWWYjO4/viewform
(While I'm aware that this is technically a question, I felt it goes under discussion rather than being a simple Q&A post, so that's why I posted here instead of the Q&A forum, hope you agree!)
I completed it but I think there are maybe 2 quite different questions here...
1) Security from a user's perspective (i.e. their personal data)
2) Security from a developer's perspective (i.e. their IP / product)
I guess they overlap a bit but as a developer you need to consider both separately.
PicomatStudios said:
I completed it but I think there are maybe 2 quite different questions here...
1) Security from a user's perspective (i.e. their personal data)
2) Security from a developer's perspective (i.e. their IP / product)
I guess they overlap a bit but as a developer you need to consider both separately.
Thanks for the input, I was hoping to discuss the relationship between the user and the developer by examining how the developer handles the user's data and to what extent the user can take control over the data s/he has inputted if for some reason s/he would like to make sure that the data never will end up somewhere it shouldn't. Because this data can be obtained in different ways, the survey has questions that could be perceived to relate to different questions perhaps? I should probably have written about the end goal in more detail.
Anyways, thanks for participating!
QuestionAsker said:
Thanks for the input, I was hoping to discuss the relationship between the user and the developer by examining how the developer handles the user's data and to what extent the user can take control over the data s/he has inputted if for some reason s/he would like to make sure that the data never will end up somewhere it shouldn't. Because this data can be obtained in different ways, the survey has questions that could be perceived to relate to different questions perhaps? I should probably have written about the end goal in more detail.
Anyways, thanks for participating!
OK, I see.
I work on a Keyboard app.
There's an interesting phenomenon you might be interested in regarding 3rd party keyboards... almost all of them require internet permission.
When we started out we figured that nobody would download a keyboard with internet permission, as that's all you need for a keylogger... we were wrong about that though! In the end, the usability issues with having to download multiple language pack apps troubled more people than the potential security issues in downloading an internet-aware keyboard.
There's another one, which is that our app (and others) is quite heavily pirated and distributed on blogs etc. (we know that, because we can measure how many apps are downloaded vs the number of language installations there have been). That's despite the fact that an unofficial copy could very easily be a keylogger - it still doesn't put people off!
PicomatStudios said:
OK, I see.
I work on a Keyboard app.
There's an interesting phenomenon you might be interested in regarding 3rd party keyboards... almost all of them require internet permission.
When we started out we figured that nobody would download a keyboard with internet permission, as that's all you need for a keylogger... we were wrong about that though! In the end, the usability issues with having to download multiple language pack apps troubled more people than the potential security issues in downloading an internet-aware keyboard.
There's another one, which is that our app (and others) is quite heavily pirated and distributed on blogs etc. (we know that, because we can measure how many apps are downloaded vs the number of language installations there have been). That's despite the fact that an unofficial copy could very easily be a keylogger - it still doesn't put people off!
Hehe that's indeed pretty interesting. I know lots of people who don't even bother reading the permissions of apps, even knowing that Play is full of malicious content.