Microsoft will soon support homebrew developments on their Windows Phone 7 platform following two days of meetings with developers behind the ChevronWP7 unlocking tool.
Late last year following the release of Windows Phone 7, a team of developers uncovered a bug which allowed those with a device running the operating system to install applications on their device without using Microsoft's application store, dubbed the Marketplace.
It made headlines as technology enthusiasts fought over whether the release of the unlocking tool, ChevronWP7, was a good idea to enable freedom on the platform or if it was a bad idea, encouraging jailbreaking and piracy.
However, the team behind the software were soon contacted by Microsoft's Brandon Watson, Director of Developer Experience for Windows Phone 7, who took a keen interest in the matter and encouraged the developers to cease offering the tool while discussions about ChevronWP7's future continued between Microsoft and the developers.
Fast forward to today, and the future is looking bright for developers and users alike seeking to install apps or customise their Windows Phone 7 device further than the Marketplace allows. In a blog post on the ChevronWP7 website, developers Rafael Rivera, Chris Walsh and Long Zheng confirm the software giant will soon offer an official way for people to "homebrew" develop on their devices, although just how this will happen is still being discussed.
"We're collaborating with Microsoft on an interim solution that will continue to support homebrew developments after the update," the trio wrote. "We will share details of this when it has been finalized."
The breakthrough follows a two-day meeting held at Microsoft's Redmond campus earlier in the month, to which Rivera, Walsh and Zheng were invited. Microsoft confirmed during the meetings that an update will be pushed out "soon" that fixes the bug which allowed the ChevronWP7 tool to work, rendering the unlocking tool useless.
The future isn't looking too gloomy though, with the trio "genuinely excited" about what the future holds for Windows Phone 7, saying they'll continue to work with Microsoft to "support mutual goals of broadening access to the platform while protecting intellectual property and ensuring platform security."
"We appreciate Microsoft's outreach, genuine interest and involvement in this matter and we hope the community can understand we're working towards a win-win scenario."
http://www.chevronwp7.com/post/2885085987/a-first-step-in-the-right-direction
If MS can pull off allowing side loading whilst preventing paid for apps from being pirated then this could be huge.
Even more huge would be if they finally start to offer the paid apps worldwide and not only in 20 countries. It's really abusing when you buy a 500 Euro phone and you can't get the really good apps and games for it even if you want to pay. And that's true even for most EU countries.
It's really funny that MS expect me not to pirate WP7 apps but at the same time they offer me no legal way to buy them
TheOnly1 said:
> Even more huge would be if they finally start to offer the paid apps worldwide and not only in 20 countries. It's really abusing when you buy a 500 Euro phone and you can't get the really good apps and games for it even if you want to pay. And that's true even for most EU countries.
> It's really funny that MS expect me not to pirate WP7 apps but at the same time they offer me no legal way to buy them
Sod it, just pirate them and give the money you would have spent to a charity of your choice
Confused !
I don't get it !!!!! What is the good point in it for us that using chevron unlocker and it will be patched soon !?
Chevron will die with the official update, but an even better unlocker is already done and waiting just for the update to be released, so that MS don't accidentally shut it out
TheOnly1 said:
> Chevron will die with the official update, but an even better unlocker is already done and waiting just for the update to be released, so that MS don't accidentally shut it out
Might as well post the link so other xda users know where to go to get it.
Windows Phone Device Manager
http://touchxperience.com/
I wonder when the penny dropped with MS. They've lost a lot of ground to Apple and Android - I'm confident they'll catch up, but they'll have to make more of an effort by giving stuff out for free.
For me, for now, I'm back to Android. WP7 was quick and slick, but like Kelly Brook, nice to look at but not a lot going on below the surface.
TheOnly1 said:
> Chevron will die with the official update, but an even better unlocker is already done and waiting just for the update to be released, so that MS don't accidentally shut it out
Yes, you are right! There is nothing impossible, so if Chevron dies the other hackers and developers will rise! It is my personal war between me and MS, cuz of "3 buttons"!
Hello guys,
are you one of the android developers pissed off by piracy?
I have about 4000 active illegal users (70%), but my app is without any security checks.
Have you found a solution? I gave up on Google security checks, it was too easy to hack. Is there something more secure?
I've done a lot of research, but I am searching also for some real experience by xda users.
Thank you!
Well, if you chose to implement in-app purchasing, then I suppose that might solve your problem.
taomorpheus said:
> Hello guys,
> are you one of the android developers pissed off by piracy?
> I have about 4000 active illegal users (70%), but my app is without any security checks.
> Have you found a solution? I gave up on Google security checks, it was too easy to hack. Is there something more secure?
> I've done a lot of research, but I am searching also for some real experience by xda users.
> Thank you!
If you have your own server you could crosscheck the user's google account with your purchase list.
Do it hidden, in multiple places and act delayed if you find out about a pirated version, then it's really hard to crack.
If you talk about your facebook app you could be kinda bad mannered and post that they are using an illegal app on their wall
Of course you'd have to be absolutely sure then
octobclrnts said:
> Well, if you chose to implement in-app purchasing, then I suppose that might solve your problem.
I can't because a lot of people have already purchased the app in the classic way!
superkoal said:
> If you have your own server you could crosscheck the user's google account with your purchase list.
> Do it hidden, in multiple places and act delayed if you find out about a pirated version, then it's really hard to crack.
> If you talk about your facebook app you could be kinda bad mannered and post that they are using an illegal app on their wall
> Of course you'd have to be absolutely sure then
Actually this is a really cool idea, can I access my Google account using the Google API?
superkoal said:
> If you have your own server you could crosscheck the user's google account with your purchase list.
> Do it hidden, in multiple places and act delayed if you find out about a pirated version, then it's really hard to crack.
> If you talk about your facebook app you could be kinda bad mannered and post that they are using an illegal app on their wall
> Of course you'd have to be absolutely sure then
I like this.
taomorpheus said:
> Actually this is a really cool idea, can I access my Google account using the Google API?
Have a look at this:
http://stackoverflow.com/questions/2245545/accessing-google-account-id-username-via-android
superkoal said:
> Have a look at this:
> http://stackoverflow.com/questions/2245545/accessing-google-account-id-username-via-android
My Kaspersky Anti-Virus program says that it is a phishing site.
However, it is STACKOVERFLOW!!!
nikwen said:
> My Kaspersky Anti-Virus program says that it is a phishing site.
> However, it is STACKOVERFLOW!!!
Kaspersky :silly:
taomorpheus said:
> I can't because a lot of people have already purchased the app in the classic way!
In my opinion, create some sort of pop up that says "Attention pirated user, I'm glad you love my app as much as I loved making it, but I need to make money off of it. Please officially purchase this app "
Then have an In app purchase option in the pop up. This would make me want to purchase the app if I pirated it. I don't really believe that fighting piracy with DRM does anything but cause harm. You should just try and make the pirated users feel bad and encourage them to buy the app.
Sent from my SAMSUNG-SGH-I337 using xda app-developers app
v3nturetheworld said:
> In my opinion, create some sort of pop up that says "Attention pirated user, I'm glad you love my app as much as I loved making it, but I need to make money off of it. Please officially purchase this app "
> Then have an In app purchase option in the pop up. This would make me want to purchase the app if I pirated it. I don't really believe that fighting piracy with DRM does anything but cause harm. You should just try and make the pirated users feel bad and encourage them to buy the app.
> Sent from my SAMSUNG-SGH-I337 using xda app-developers app
Ahah yeah that's a good solution!
I've noticed that most of the pirated users come from Burma, where google play doesn't work. So I think that I will leave the app in this way and create another pro version for the nations that have google play issues!
But... how about implementing a solution like ROM Manager does? I mean, with a separate app and a pirate popup as suggested above? I'm clueless on what technology use to create a licensing APK, but it would be easier even for those people that haven't got Play Store, maybe
Tiwiz
I guess the main app checks if the license app is installed and if installed it checks the key from a database of the license app and checks for the validity of license on the cloud
Sent from my GT-S5302 using Tapatalk 2
Hit Thanx Button if i helped you!
taomorpheus said:
> Have you found a solution? I gave up on Google security checks, it was too easy to hack. Is there something more secure?
Piracy is a "fact of life" for software. And most anti-piracy measures tend to hurt legitimate paid customers (and the dev) more than the pirates.
If you have a good, useful app, those guys in China can hack almost anything. (No offense to China; no Play there, lower income and an anti-IP culture.)
There are a FEW successful devs who have gone to extra-ordinary lengths at the JNI level. I tested, but never turned any JNI anti-hacking code on, because with thousands of paid users on many weird phones and ROMs, I felt it would break for enough people to not be worth it.
If you have an app that needs a server connection, or data updates, and you have some kind of independent registration system, you have a chance too. But that can be a lot of work.
I'd rather spend my time making my app better and supporting customers. My app price is higher than many would like (but I have virtually no paid competition). And because my app is support intensive, I've taken the view that I'm selling support and convenient updates, not an app, so much.
I mostly verify people are customers before supporting them, do as good a job as I can, get good reviews, and people see there is value there for their money. And yes, I get tons of support requests from pirates. Some of them I've converted to customers.
And... regular updates to an app provide value. If pirates want the latest, they keep having to go look for it. (Or do I recall some pirate update service ?) Updates via Play are easy and that ease has value.
All the above said, I do get angry from time to time, mostly at people stealing my time IE support. And the idea of finding a highly effective anti-piracy measure is fascinating.
But almost none of us is without some sin in our life regarding music, movies or software downloading... So I think it's good to consider the pirates' perspectives. Effective antipiracy definitely drastically reduces the user base and the Internet knowledge base and familiarity, and it's questionable as to how much revenue might increase, if at all.
IE, piracy can be seen as free advertising, and an opportunity to show some pirates there are valid reasons why going legitimate might benefit them, or even reduce their guilt level. I've had a few people buy my app and apologize...
mikereidis said:
> Piracy is a "fact of life" for software. And most anti-piracy measures tend to hurt legitimate paid customers (and the dev) more than the pirates.
> If you have a good, useful app, those guys in China can hack almost anything. (No offense to China; no Play there, lower income and an anti-IP culture.)
> There are a FEW successful devs who have gone to extra-ordinary lengths at the JNI level. I tested, but never turned any JNI anti-hacking code on, because with thousands of paid users on many weird phones and ROMs, I felt it would break for enough people to not be worth it.
> If you have an app that needs a server connection, or data updates, and you have some kind of independent registration system, you have a chance too. But that can be a lot of work.
> I'd rather spend my time making my app better and supporting customers. My app price is higher than many would like (but I have virtually no paid competition). And because my app is support intensive, I've taken the view that I'm selling support and convenient updates, not an app, so much.
> I mostly verify people are customers before supporting them, do as good a job as I can, get good reviews, and people see there is value there for their money. And yes, I get tons of support requests from pirates. Some of them I've converted to customers.
> And... regular updates to an app provide value. If pirates want the latest, they keep having to go look for it. (Or do I recall some pirate update service ?) Updates via Play are easy and that ease has value.
> All the above said, I do get angry from time to time, mostly at people stealing my time IE support. And the idea of finding a highly effective anti-piracy measure is fascinating.
> But almost none of us is without some sin in our life regarding music, movies or software downloading... So I think it's good to consider the pirates' perspectives. Effective antipiracy definitely drastically reduces the user base and the Internet knowledge base and familiarity, and it's questionable as to how much revenue might increase, if at all.
> IE, piracy can be seen as free advertising, and an opportunity to show some pirates there are valid reasons why going legitimate might benefit them, or even reduce their guilt level. I've had a few people buy my app and apologize...
Well, this is my philosophy. I usually reply to all emails, build the app around the feedback from the community and try to fix all the issues. This permits to create a loyal group of users, and it's the reason why apps like Facebook Home are hated so much: they talk about building apps around people, but for them people are the product, so it's a fail from the beginning
After some considerations I have abandoned the idea to build an antipiracy system, the reason is in part related to your thoughts but also because the 60-70% of pirated versions come from nations like Burma, Indonesia, etc etc. So I don't feel that someone is stealing, Google Play can't provide a service, so people react. The good thing is that despite the lack of a service, they try to use my apps, so that's good, right?
So, at the conclusion, the best antipiracy system is to not use an antipiracy system. Clearly it will be hard to be supported only by paying customers, but the majority accepts some ads if the product is good (the important thing is to not include spammy and intrusive services, one banner or a full screen one time a day is sufficient).
Thank you for this reply, it's really important to know that there are good developers around! :highfive:
Have you tried google licensing?
taomorpheus said:
> Hello guys,
> are you one of the android developers pissed off by piracy?
> I have about 4000 active illegal users (70%), but my app is without any security checks.
> Have you found a solution? I gave up on Google security checks, it was too easy to hack. Is there something more secure?
> I've done a lot of research, but I am searching also for some real experience by xda users.
> Thank you!
Hi,
I am new to android development but I've read about google licensing services which checks for user account whether the app is actually purchased from that particular account associated with the user. If authentication fails then user gets a blocking dialog to either exit the app or purchase it from play store.
dbroid said:
> Hi,
> I am new to android development but I've read about google licensing services which checks for user account whether the app is actually purchased from that particular account associated with the user. If authentication fails then user gets a blocking dialog to either exit the app or purchase it from play store.
Cracker can easily remove IF and your won't ask to buy it.
There should be VMProtect or Themida like tool for android
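The server-side cross-check suggested earlier in the thread, and the objection here that a client-side IF can simply be removed, point at the same design: the server makes the purchase decision and hands out the valuable response (for instance a data update) only after that decision, so patching the client gains nothing. The following is an added example, not code from any poster in this thread; `EntitlementServer`, the purchase list, the token layout and the key are hypothetical, and it assumes the server has already authenticated the account id it is given.

```python
import hashlib
import hmac
import time

# Constructed sample data: the developer's own purchase list, keyed by an
# account id that the server has ALREADY authenticated (assumption).
PURCHASES = {
    "acct-1001": {"com.example.radio"},
    "acct-1002": {"com.example.radio", "com.example.radio.pro"},
}


class EntitlementServer:
    """Hypothetical server-side licence check; every name here is illustrative."""

    def __init__(self, key, purchases, ttl=300, clock=time.time):
        self._key = key              # HMAC key, lives only on the server
        self._purchases = purchases  # account id -> set of purchased packages
        self._ttl = ttl              # token lifetime in seconds
        self._clock = clock          # injectable so expiry can be tested

    def _mac(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def grant(self, account_id, package):
        """Return a short-lived token if the account bought the package, else None."""
        if package not in self._purchases.get(account_id, set()):
            return None
        expires = int(self._clock()) + self._ttl
        payload = f"{account_id}|{package}|{expires}"
        return f"{payload}|{self._mac(payload)}"

    def verify(self, token, package):
        """True only for an untampered, unexpired token issued for this package."""
        if not isinstance(token, str):
            return False
        payload, _, mac = token.rpartition("|")
        # Constant-time comparison; any edit to the payload changes the MAC.
        if not hmac.compare_digest(mac.encode(), self._mac(payload).encode()):
            return False
        # The payload is now known to be server-generated: exactly three fields.
        _account_id, token_package, expires = payload.split("|")
        return token_package == package and self._clock() < int(expires)

    def fetch_update(self, token, package):
        """The valuable response is produced only after verify() succeeds."""
        if not self.verify(token, package):
            raise PermissionError("no valid entitlement")
        return f"update payload for {package}".encode()


if __name__ == "__main__":
    server = EntitlementServer(b"constructed-demo-key-0123456789ab", PURCHASES)
    token = server.grant("acct-1001", "com.example.radio")
    print("buyer gets update:", server.fetch_update(token, "com.example.radio"))
    print("non-buyer token:", server.grant("acct-9999", "com.example.radio"))
    forged = token.replace("com.example.radio", "com.example.radio.pro")
    print("forged token accepted:", server.verify(forged, "com.example.radio.pro"))
```

A client that skips its local check still has to present a token the server accepts, which is why this only helps apps that depend on something the server provides.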
GR0S said:
> Cracker can easily remove IF and your won't ask to buy it.
> There should be VMProtect or Themida like tool for android
It was hacked not long after its launch.
http://www.androidpolice.com/2010/0...on-easily-circumvented-will-not-stop-pirates/
taomorpheus said:
> After some considerations I have abandoned the idea to build an antipiracy system, the reason is in part related to your thoughts but also because the 60-70% of pirated versions come from nations like Burma, Indonesia, etc etc. So I don't feel that someone is stealing, Google Play can't provide a service, so people react. The good thing is that despite the lack of a service, they try to use my apps, so that's good, right?
Yes. Most pirates can't afford the app or wouldn't buy it anyway. I also think that many pirates and those who felt "forced" to buy a protected app are bad customers. They will spread their bad feelings about the app and the "greedy dev".
And many have a sense of entitlement, so they make demands, expect lots of support, complain and write bad reviews. They project their own faults on others, and always assume others are trying to rip THEM off. Some have told me they were "testing" my app, because they were worried about getting ripped off if it didn't work (despite my free version and anytime cancel policy).
Better not to have such customers. These are the same people who think they are more important than everybody else and cheat in traffic and lineups etc.
taomorpheus said:
> So, at the conclusion, the best antipiracy system is to not use an antipiracy system. Clearly it will be hard to be supported only by paying customers, but the majority accepts some ads if the product is good (the important thing is to not include spammy and intrusive services, one banner or a full screen one time a day is sufficient).
> Thank you for this reply, it's really important to know that there are good developers around! :highfive:
For most of us small devs, yes. Things may be different for certain apps, such as those that need a backend server, and for multi-person companies.
You can also promote that your app is "DRM free". That's definitely a plus, especially to custom ROM users who may avoid using Google Play.
I tried ads for a few months in 2011. The "CPM" rates started good, but quickly dropped to almost nothing. I think it's very hard to make money from ads, unless your app has a million users, and they are more "average" people who might click on the ads, accidentally or not.
I think it's usually better to raise app price as high as you can. I experimented a lot for many months between $1 and $10, usually keeping price constant for at least 2-3 weeks. I, and some others, have found that total income remains somewhat constant no matter what the price, LOL.
Now I've left price at the high end, so I can provide the best support possible, by limiting sales quantity. Some people think we should "make it up in volume", but that's a self-serving wish of the person who wants it cheaper. High volume might be viable if you provide zero technical support though.
What I'd say in terms of pirate stuff is to not try too hard on the software level (though I might write a guide on a few useful methods and pieces of code to prevent the usual circumvention methods) but on the upload level. When you release a new version, wait a couple of days and then search for a pirate version of your app. If you find one, report it, they're usually down in about 5 minutes. The more often you do this, the more likely people are to search, find all the links are "dead" and then just think "stuff it, I'll just buy it". However, this will only work on people who can buy it and are using pirate versions because they wish to, not because they have to
Quinny899 said:
> What I'd say in terms of pirate stuff is to not try too hard on the software level (though I might write a guide on a few useful methods and pieces of code to prevent the usual circumvention methods) but on the upload level. When you release a new version, wait a couple of days and then search for a pirate version of your app. If you find one, report it, they're usually down in about 5 minutes. The more often you do this, the more likely people are to search, find all the links are "dead" and then just think "stuff it, I'll just buy it". However, this will only work on people who can buy it and are using pirate versions because they wish to, not because they have to
Because they'd PREFER not to spend money, if possible. In most areas of life, that's what most of us do.
Last I looked, this was the best Android cracking site: http://androidcracking.blogspot.ca/ . I read everything there twice before I started experimenting with protection code. If nothing else, it gives a glimpse of how hard it is to protect a popular app well.
I sent DMCA takedown requests to a few sites some time ago, but it's an endless task, and IMO not worth it, unless your app is VERY niche/has relatively few users. I've been "honored" to have my app included in several Torrents full of Android apps. Some of those Torrents are updated regularly.
I will still notify XDA admins if there's a link or offending ROM on XDA. XDA mods take it seriously.
Some companies will put out their own "pirate" fake or crippled versions of movies, and app devs could do the same. Perhaps have endless popups offering to buy the app legitimately. I personally wouldn't bother (at this time) but it could work. I agree that making piracy a hassle may improve sales a bit.
LOL, I just re-looked and see 3 on isohunt that are my app alone, but they are older. If I have time for "fun" later this year I should (1) start my own torrents, (2) collect IP addresses, and... I dunno; don't seriously want to be a copyright troll; rather design & develop.
Hi all.
Haven't seen this topic yet so I thought I'd introduce it. Has a petition ever been sent directly to Microsoft to allow jailbreaking and development of apps in a Cydia like store? I'm positive this would increase the popularity of wp8. There are so many little things like decreasing the interval for updating live tile, and creating playlists on the phone itself. Widgets would also be nice. I just got a 920 and like it a lot. I was using launcher8 on my gn2 before and that launcher allowed widgets on tiles, more rectangular tile options etc.
Do you really think that Microsoft or somebody else cares about these petitions?
Useless guy said:
> Do you really think that Microsoft or somebody else cares about these petitions?
if enough people sign, then yes I do. I'm convinced that many iOS and android users would try a windows phone. There would be far more developers making apps also.
Jailbreaking will never be allowed on windows phone because Microsoft wants to win over the business sector. One of the reasons the secure boot was implemented was because of businesses complaining about security on WP7.
Besides, there aren't really BIG things to get from jailbreaking, other than useless things some individuals care about. the vast majority of WP8 users are happy with their phones, plus most of the things you are asking (like adding playlists on the phone), will be supported eventually.
Lowering the interval for live tiles is a really bad idea btw.
If microsoft ever allows access to the file system, there will be no need for anything else: developers will pick it up from there and do their thing.
Ain't ever going to happen. Ms is bent over backwards by OEMS and carriers
Sent from my Arc using xda app-developers app
we need to start a kickstarter or offer a bounty on xda
I am sure if we started a bounty or kickstarter and rightfully paid one of the hackers to jailbreak wp8 they could get the job done a lot sooner
so how shall we go about this?
I am ready to offer my contribution
noelito said:
> I am sure if we started a bounty or kickstarter and rightfully paid one of the hackers to jailbreak wp8 they could get the job done a lot sooner
> so how shall we go about this?
> I am ready to offer my contribution
Still won't happen dude. I don't know but there seems to be some sort of aversion to WP by all the devs. The iPhone/iPad community has a number of devs piling over each other to bring out the "next best way to JB". Android, I don't even need to get started. Other OSs too will fall in place soon. But what keeps the devs away from WP is a bit of a mystery to me.
BTW, I hope you know what happened to the kids that jailbroke the first Gen WP devices. They got hired by MS and were given a T shirt, if my memory is good.
So... that's that.
It's hilarious how you people believe that is easy to exploit WP8, Devices that use it have Secure Boot and Bitlocker so exploiting the boot process is practically impossible, exploiting on app-level is also hard as all apps run over a sandbox and the user has no administrator privileges so you can't use the sandbox exploitation available for Windows RT.
Plus there's overall no appeal for hacking it other than it runs over NT.
I think we should do it, there is nothing to lose, but it shouldn't be for jail breaking but for allowing file system access similar to Windows RT
Everybody can try to find an exploit.
If somebody will have luck, he will be the man....
But like people here say...
Its very very hard!
Sent from my GT-I8750 using Board Express
It's better for Microsoft (in the long run) that the OS will not be jailbroken: Jailbroken devices can install pirated applications, and pirated applications make application developers angry.
Currently, app devs have no choice but to develop their applications to the 2 major OSs out there (iOS and Android), and know that in some point it is quite likely that people who jailbreak their devices can install pirated copies of their applications.
In the long run, as WP would start gaining major market share, application developers would be more keen to focus their development for WP as they'd know their property could not be pirated (if, supposedly, WP will remain unhacked).
This is of course only hypothetical - there's no protection which is made by men and cannot be hacked by men, and I'm more than sure that the more user-base and interest WP gains, the more likely is that someone would find a loophole in the OS and it'd be jailbroken...
And maybe not
Thread moved to General
I am as well very certain that Microsoft will not allow for Jailbreaking of the devices. They have some programs that will get you a free dev account to develop on top of the platform but they don't support changes to the platform itself. If you want to make your point about giving devs certain APIs go to wpdev.uservoice.com and support them with your votes.
As for jailbreaking WP: I'm sure it can be done because in the end: techniques exist to exploit basically everything but as was already said: Microsoft isn't making it easy.
StevieBallz said:
> I am as well very certain that Microsoft will not allow for Jailbreaking of the devices. They have some programs that will get you a free dev account to develop on top of the platform but they don't support changes to the platform itself. If you want to make your point about giving devs certain APIs go to wpdev.uservoice.com and support them with your votes.
> As for jailbreaking WP: I'm sure it can be done because in the end: techniques exist to exploit basically everything but as was already said: Microsoft isn't making it easy.
It may be possible, but as for now they have closed damn near every hole we could think of. I'd say the only way we can hope for SOME progress is if we can exploit the root certificate and policies somehow. I know GoodDayToDie had a few good potential ideas. It's not that the device NEEDS to be jailbroken, we need to be given more trust. I feel as if Microsoft automatically feels like we will screw everything up so it's being our overprotective mother instead. We all know what happens when you are too overprotective to those you care about.....
With that said, if we can just be given a LITTLE more freedom.. That's all I ask for. I don't think we would have to worry about any type of malware since the App Hub process is smart enough to give me the red X if I'm trying to call MessageBox.Show() from a background task.
/endrant.
What if we paid you the bounty?
Sent from my SGH-T899M using XDA Windows Phone 7 App
iOS is certified afaik for government use, so the business security issue is specious. Not everybody will hack their device anyway.
There are different levels of security certifications, similarly to Mil-Spec Standards that exist for a lot of different criteria. Allowing people to do more with their devices isn't really at the core of Microsoft's concerns here. They don't try to push it though as they want applications in the Store and not on the web. Piracy is likely to play a role here too.
As for a bounty to make a JailBreak happen - it might be an incentive for certain developers to start looking into it. With WP7 the way most of the time was to hack the Bootloader and then flash a custom ROM to allow for additional access. With WP8 people might need to look into other ways in given that Secure Boot is likely to be a very hard nut to crack. Given that the original Jailbreak for WP7 relied on custom certificates it's likely that Microsoft invested there to close this off better but it's of course still worth investigating.
The more important part in the end would be to get Microsoft to make more available through the official APIs. They are extending those and this has made more functionality available every time they did a major update to the OS (Mango, Apollo).
Another point to note is that native interop is now part of the regular SDK. It's therefore likely that native APIs will be better protected against accesses from unauthorized Apps than they have been in WP7 (where the problem was getting native code to run at all).
RCranium666 said:
if enough people sign, then yes I do. I'm convinced that many iOS and android users would try a windows phone. There would be far more developers making apps also.
Not trying to be negative but I don't think they would care. On their own suggestion site (http://windowsphone.uservoice.com/forums/101801-feature-suggestions/suggestions/2281201-custom-sounds-for-sms-mms-email-notifications-e) they haven't even responded to the 40,000+ petitions that people have been voting for 2 years for custom MMS\SMS; something that is so easy to do.
Thanks for everyone's responses. I just went back to my gn2. I found too many compromises in wp8. The funny thing is, I use a wp8 launcher on android and it's much more versatile than wp8 itself. The l920 was also a disappointment. I'm no stranger to phone cameras and I was rarely able to take a good picture with it. I like the l920's design better than the gn2, but not much else.
Vulnerability Allows Attackers to Modify Android Apps Without Breaking Their Signatures
This might be the reason why the new MF2 and ME6 are not downgradable and why the 4.2.2 update was delayed.
Source->http://www.cio.com/article/735878/V...ndroid_Apps_Without_Breaking_Their_Signatures
IDG News Service — A vulnerability that has existed in Android for the past four years can allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.
Researchers from San Francisco mobile security startup firm Bluebox Security found the flaw and plan to present it in greater detail at the Black Hat USA security conference in Las Vegas later this month.
The vulnerability stems from discrepancies in how Android apps are cryptographically verified, allowing an attacker to modify application packages (APKs) without breaking their cryptographic signatures.
When an application is installed and a sandbox is created for it, Android records the application's digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.
This is important for the Android security model because it ensures that sensitive data stored by one application in its sandbox can only be accessed by new versions of that application that are signed with the original author's key.
The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures.
The vulnerability has existed since at least Android 1.6, code named Donut, which means that it potentially affects any Android device released during the last four years, the Bluebox researchers said Wednesday in a blog post.
"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," they said.
The vulnerability can also be exploited to gain full system access if the attacker modifies and distributes an app originally developed by the device manufacturer that's signed with the platform key -- the key that manufacturers use to sign the device firmware.
"You can update system components if the update has the same signature as the platform," Forristal said. The malicious code would then gain access to everything -- all applications, data, accounts, passwords and networks. It would basically control the whole device, he said.
Attackers can use a variety of methods to distribute such Trojan apps, including sending them via email, uploading them to a third-party app store, hosting them on any website, copying them to the targeted devices via USB and more.
Some of these methods, especially the one involving third-party app stores, are already being used to distribute Android malware.
Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said.
However, if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That's the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play, Forristal said.
Google was notified of the vulnerability in February and the company shared the information with their partners, including the members of the Open Handset Alliance, at the beginning of March, Forristal said. It is now up to those partners to decide what their update release plans will be, he said.
Forristal confirmed that one third party device, the Samsung Galaxy S4, already has the fix, which indicates that some device manufacturers have already started releasing patches. Google has not released patches for its Nexus devices yet, but the company is working on them, he said.
Google declined to comment on the matter and the Open Handset Alliance did not respond to a request for comment.
The availability of firmware updates for this issue will differ across device models, manufacturers and mobile carriers.
Whether a combination of device manufacturers and carriers, which play an important role in the distribution of updates, coincide to believe that there is justification for a firmware update is extremely variable and depends on their business needs, Forristal said. "Ideally it would be great if everyone, everywhere, would release an update for a security problem, but the practical reality is that it doesn't quite work that way," he said.
The slow distribution of patches in the Android ecosystem has long been criticized by both security researchers and Android users. Mobile security firm Duo Security estimated last September, based on statistics gathered through its X-Ray Android vulnerability assessment app, that more than half of Android devices are vulnerable to at least one of the known Android security flaws.
Judging by Android's patch distribution history so far, the vulnerability found by the Bluebox researchers will probably linger on many devices for a long time, especially since it likely affects a lot of models that have reached end-of-life and are no longer supported.
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Key phrase here is "for apps not installed through the google store". Hence not an issue for a large fraction of users. Total case of FUD. Someone must be wanting to sell some av software.
Sent from my GT-N7100 using Tapatalk 4 Beta
Kremata said:
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
Well, X-Ray scanner either does not detect this latest security flaw or N7100 (as of DM6) is already patched.
Kremata said:
I really thought more people would be interested in knowing this. I would really like to know what you guys think about this.
This is the first link I found for XDA on this.
I think it's not that interesting because it's old, old news and exactly why it's being touted as a "new" discovery is beyond me, it's far from new.
We here at XDA have been using this method for years to modify stock Android and OEM system apps with great success. Here's an example by me from 2011: http://forum.xda-developers.com/showthread.php?t=994544 there are literally hundreds of examples all over XDA.
The real question here is how Bluebox security got everybody to act as a PR machine for them. If they turn up at Black Hat with this "amazing discovery" they're going to get laughed off the stage.
djmcnz said:
This is the first link I found for XDA on this.
I think it's not that interesting because it's old, old news and exactly why it's being touted as a "new" discovery is beyond me, it's far from new.
We here at XDA have been using this method for years to modify stock Android and OEM system apps with great success. Here's an example by me from 2011: http://forum.xda-developers.com/showthread.php?t=994544 there are literally hundreds of examples all over XDA.
The real question here is how Bluebox security got everybody to act as a PR machine for them. If they turn up at Black Hat with this "amazing discovery" they're going to get laughed off the stage.
Ahh! That's the answer I was waiting for (and from a Recognized Developer). I knew XDA Devs were using this method. My new question is.. If they fix it will it be harder to create Mods? Will it slow down development?
Shouldn't this be posted in the generals forum?
Kremata said:
If they fix it will it be harder to create Mods? Will it slow down development?
I suspect so. If they fix it properly it would become impossible to change any aspect of the app without signing it again. If you wanted to maintain compatibility with the original then you'd need the developer's keys.
At the moment really only the manifest and some metadata within the apk is signed, if they extended that to the entire contents of the apk many mods (think themes for stock Google apps etc) are screwed unless users are happy to relinquish Play Store links and updates (i.e. backward compatibility).
Google may not go this far and may only choose to authenticate the code (smali) rather than all of the apk contents (graphics, strings etc), this approach would leave room for some mods to survive. Remains to be seen.
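The posts above turn on which parts of an APK the signature actually covers. As an added example (not code from any poster or from the quoted article), this sketch audits the JAR-style manifest coverage of an archive: every entry outside META-INF should have a digest in META-INF/MANIFEST.MF that matches its bytes. It does not verify the signature block over the manifest itself; `build_sample` and the file names it is given are constructed for the demonstration.

```python
import base64, hashlib, io, zipfile

DIGESTS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}
MANIFEST = "META-INF/MANIFEST.MF"

def parse_manifest(text):
    """Return {entry name: (hash algorithm, base64 digest)} from a JAR manifest."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(ln.split(": ", 1) for ln in section.split("\n") if ": " in ln)
        name = attrs.get("Name")
        for key, algo in DIGESTS.items():
            if name and key in attrs:
                entries[name] = (algo, attrs[key])
                break
    return entries

def audit(apk_bytes):
    """List (problem, entry) pairs for entries the manifest does not vouch for."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        listed = parse_manifest(zf.read(MANIFEST).decode("utf-8"))
        for info in zf.infolist():
            name = info.filename
            # Simplification: skip all of META-INF (signature files live there).
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            if name not in listed:
                findings.append(("unlisted", name))
                continue
            algo, expected = listed[name]
            actual = base64.b64encode(hashlib.new(algo, zf.read(info)).digest())
            if actual.decode() != expected:
                findings.append(("digest-mismatch", name))
    return sorted(findings)

def build_sample(files, tamper=None):
    """Constructed sample: manifest over `files`, then `tamper` applied on top."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "\r\n".join(lines) + "\r\n")
        for name, data in {**files, **(tamper or {})}.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

An empty result from `audit` only means the manifest and the entries agree; trusting the archive still requires checking the signature over that manifest.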
Looks like Cyanogen moving towards their Google Services(less) future with Microsoft. Eugh.. will just mean a pile of Microsoft app bloat that I don't use to be removed, hopefully we will still just be able to flash a gapps package though?
http://www.marketwired.com/press-release/-2010445.htm
I'm actually happy with this. Microsoft apps are great in terms of quality and design. I wish they'd started earlier so I wouldn't have settled to Evernote back in the days.
Rosa Elefant said:
I'm actually happy with this. Microsoft apps are great in terms of quality and design. I wish they'd started earlier so I wouldn't have settled to Evernote back in the days.
To be fair it may make their OS a little bit more consistent/polished/professional, instead of integrated apps from here and there. But I just don't use any MS products anymore (aside from office programs) and so it wouldn't be of any benefit to me.
Cyanogen Inc. can do as they please. As long as they don't lock me down to anything.
This isn't terrible news. The Microsoft mobile suite is actually really nice. I loved my Windows Phone, the only reason I got rid of it was lack of dev support for apps that I needed.
meh, this just means I definitely won't be using Cyanogen ROMS
I'm all for the idea they have on stripping away Google's influence of Android. However, teaming up with Microsoft doesn't seem the way to do it. It's like trading a Mercedes for a Kia. (no offense to those that drive Kia's)
ciwrl @CyanogenMod said:
To highlight the one take away that matters to CyanogenMod users – We are not bundling or pre-installing Microsoft (or any Cyanogen OS exclusive partner apps) into CyanogenMod.
Just like they don't bundle Google services and apps into CM11/12 now which is why you have to flash gapps with nightlies if you want them.
ciwrl @CyanogenMod said:
Your nightlies will not see a sudden influx of Microsoft applications – you can put the pitchforks down. CyanogenMod has historically stayed neutral on your services of choice, whether you use Google, Amazon or Fdroid; we leave that decision to you and we have no intention of changing that.
How will it affect nightlies?
ciwrl @CyanogenMod said:
What you will see are new APIs available in the source code, using CM as a platform for other developers to do cool things with. Remember when CM 9 had support for Host Card Emulation well before that functionality was available in Android proper? How about adhoc WiFi support? Those kinds of pushing forward of the Android platform are something we have done for years, and will continue to support whenever we can – but do so in a non-’force you into it’ manner. We’re all about options here.
Source
itsamoreh said:
meh, this just means I definitely won't be using Cyanogen ROMS
+1 Microsoft products aren't optimized, function only the way they dictate. Bugs, backdoors and battery eaters.
demographics: worst strategic move ever, there is a reason Cyanogen users don't own a Windows phone.
Microsoft seems to be following Blackberry in this
I'm all for Microsoft. I don't use anything google related that's important enough for me. Email, calendar and contacts are all Microsoft for this guy.
Sent from my A0001 using XDA Free mobile app