[Q] Secure way to store sensitive information - Java for Android App Development

Hi,
does anyone know what is the most secure way to store sensitive information in an application? Because using internal storage and shared preferences is vulnerable if the person who wants that information has a rooted phone.
Case is that I have some kind of activation code which needs to be stored somewhere inside the phone (not on server) for further communication and authentication with server side, that code needs to be secured and not available to other apps and users, even on a rooted phone. Also, user can not be bothered with additional verification (he enters the PIN code when he enters the application and sends that code to the server side for authentication).
Bottom line, is there a secure way to store something and to be secure that it will remain hidden, even on a rooted phone?

To be honest, I'm not sure it is completely possible to hide it from rooted users. The only thing I could think was to use a hardware ID and base64 encrypt your activation code while salting it with a hardware ID. Then have your app decrypt and send the activation code to the server when it needs it. It will still be able to be found but the code will be encrypted and someone would need to know what the salt is to be able to decrypt it which would take decompiling your app.
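
An alternative to the hardware-ID approach discussed in this thread, as an added example that is not part of the original posts: the activation code is sealed with an AES-GCM key generated inside the Android Keystore (API 23+), so no key or salt sits in the APK. The class name, key alias and blob layout are assumptions made for illustration. Where the Keystore is hardware-backed, the key material cannot be read out even with root, but a process running as the app can still ask the Keystore to decrypt.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example: seals a secret with an AES-GCM key that never leaves the Android Keystore. */
public final class ActivationCodeVault {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final String KEY_ALIAS = "activation_code_key"; // hypothetical alias
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12;   // IV size the Keystore uses for GCM
    private static final int TAG_BITS = 128;

    private ActivationCodeVault() {}

    private static SecretKey getOrCreateKey() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(PROVIDER);
        keyStore.load(null);
        if (keyStore.containsAlias(KEY_ALIAS)) {
            return (SecretKey) keyStore.getKey(KEY_ALIAS, null);
        }
        KeyGenerator generator =
                KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        generator.init(new KeyGenParameterSpec.Builder(
                KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return generator.generateKey();
    }

    /** Returns ivLength || iv || ciphertext+tag, suitable for app-private storage. */
    public static byte[] seal(byte[] activationCode) throws GeneralSecurityException, IOException {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey()); // Keystore supplies a fresh random IV
        byte[] iv = cipher.getIV();
        byte[] ciphertext = cipher.doFinal(activationCode);
        return ByteBuffer.allocate(1 + iv.length + ciphertext.length)
                .put((byte) iv.length).put(iv).put(ciphertext).array();
    }

    /** Reverses seal(); a modified blob fails the GCM tag check and throws. */
    public static byte[] open(byte[] blob) throws GeneralSecurityException, IOException {
        ByteBuffer buffer = ByteBuffer.wrap(blob);
        if (buffer.remaining() < 1 + IV_BYTES + TAG_BITS / 8 || buffer.get() != IV_BYTES) {
            throw new GeneralSecurityException("malformed activation code blob");
        }
        byte[] iv = new byte[IV_BYTES];
        buffer.get(iv);
        byte[] ciphertext = new byte[buffer.remaining()];
        buffer.get(ciphertext);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(ciphertext);
    }
}
```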

Related

[Q] Android Security

Is Android really secure enough to bank on?
What security precautions do you all take?
I would not suggest doing any banking on any mobile device, not just Android, especially with hacked ROMs. The risk is too much, for instance losing your device, and if your device is rooted then its data is exposed.
Sent from my PC36100 using XDA App
I use Mint just to view my bank account, if i ever lose my device, they still need my pin number to get into the app(not your bank pin, any pin you set) and i can always change the password of the account online.
Over a cell network is probably THE safest way to bank. I trust that Cyanogen hasn't done anything that will steal my bank info.
Unlock screen password + BoA app doesn't have my password saved, AND has most of the username censored. 3G is also fairly secure, compared to cable or a WiFi connection.
No matter how you bank online it will be insecure IMO, using an unrooted android phone is probably a little bit more secure than using a PC or mac though. Just don't set it up so anyone can get in there without using a password or something.
I say unrooted because once you root it's a whole new ballgame. Using any custom ROM or giving any 3rd party app SU permissions means they have a free for all to any and everything your phone has and does.
I use the web on the phone to check my accounts, but I do not use an app for it.
I also make sure to never save passwords on the browser as well.
Just don't save your usernames/passwords if you bank on the browser, and make sure to tell any banking app to log out when you leave the program (you might not even be ABLE to stay logged in).
All data through CDMA cell networks is encrypted by default, not to mention the additional encryption that any reputable bank's website/app will have. As was mentioned above, online banking with your phone truly is the safest way to bank online.
In regards to rooting, it is only as dangerous as you make it. If you root and then grant SU permissions to "Swe3T fREE BaBEs 4 U" app, you're probably asking for trouble. But I only grant SU to Quick Boot and SetCPU, and other legitimate applications that don't ask for more permissions than they require. Just don't be an idiot and you'll be fine!
So is there a near consensus now that it can be secure?
Any naysayers remain?
It's really your choice to use it or not all it comes down to. I am in the Information Security field and when you learned about how things work and how to get around them. It's scary!
vboyz103 said:
It's really your choice to use it or not all it comes down to. I am in the Information Security field and when you learned about how things work and how to get around them. It's scary!
Taking field bias in consideration, I'm looking for your insight on how to make it most secure or if it's really necessary to wait for further security measures.
There are ways to practice safe sex afterall..
i'm still not quite sure how sending data over a CDMA network is any more secure than any other means. i mean sure CDMA is encrypted to begin with; yes. on top of that, any banking you do should be encrypted with SSL at least. great. now you've got two layers of encryption/security there. the fact is though regardless if it's CDMA or SSL, you're still transmitting data out thru the open air where anything with an antenna can grab it. it doesn't really matter how encrypted the data is at this point, it's unsecure in that it is freely available with only an antenna. security is not really how secure the data is at the presentation layer, but how secure it is at the physical layer as well.
vboyz103 said:
It's really your choice to use it or not all it comes down to. I am in the Information Security field and when you learned about how things work and how to get around them. It's scary!
I have a very similar job to you. I used to think the same.
Thing is, getting around those things is possible, but less likely than most other ways. Getting a wallet or purse stolen is common. Handing your CC to a server at a restaurant or bar and not seeing what they do with it is pretty trusting, no? Bet we've all done that.
Do the best you can, and be watchful of your accounts. I bank on my phone with more confidence than I would have at Starbucks on wifi.

Could Company Apps Setting Be Exploited In Some Way To Sideload Homebrew Apps?

Forgive my noobness if this sounds stupid but was looking at the company apps setting on my Lumia 928 and was wondering if it could be exploited in any way as far as sideloading homebrew? Out of curiosity, not that I expected it to work, I emailed myself a .xap file and got an error saying there was something wrong with my company app and to contact the company's support person. So went to company app settings and it asks for email, password, username, domain, and server but does it actually check the authenticity of the domain and/or server for a legitimate company or could someone simply set up a server hosting .xap files to be downloaded simply by registering and logging in with these settings? Even wondered if I simply used this info from the email server if it would install through email but seems too simple and haven't messed with it.
tonbonz said:
Forgive my noobness if this sounds stupid but was looking at the company apps setting on my Lumia 928 and was wondering if it could be exploited in any way as far as sideloading homebrew? Out of curiosity, not that I expected it to work, I emailed myself a .xap file and got an error saying there was something wrong with my company app and to contact the company's support person. So went to company app settings and it asks for email, password, username, domain, and server but does it actually check the authenticity of the domain and/or server for a legitimate company or could someone simply set up a server hosting .xap files to be downloaded simply by registering and logging in with these settings? Even wondered if I simply used this info from the email server if it would install through email but seems too simple and haven't messed with it.
this would work, but there's a lot you have to do to set it up:
There are some general steps that companies must follow to establish a company account, enroll devices, and distribute apps to their enrolled devices. The following sections provide an overview of this process:
1. The company registers a company account on Windows Phone Dev Center and acquires an enterprise certificate from Symantec.
2. The company creates an application enrollment token (AET).
3. The company develops a Company Hub app.
4. The company prepares their apps for distribution.
5. Employees (or other users) enroll for company app distribution on their phones and install the company apps by using the Company Hub app.
you have to use intune director. Companies have to register with windows phone dev and acquire an enterprise cert. This *could* be a way to install homebrew apps, but it'd be easier if there was some kind of workaround.
more info here..
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206943(v=vs.105).aspx
Thanks aclegg2011 and my apologies to the Forum Administrator as I just saw a similar post in a different section.

Stupid Simple Interop Unlock?

While I was writing and testing a WP 8 web app, I had it connected via wifi to Fiddler2. When I plugged my Dev Unlocked HTC 8x into my computer, the phone "dialed out" to https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/01/2010/DeviceStatus?deviceId=deviceid&fulldDeviceId=fulldeviceid The response is an XML packet that tells the phone how many days are left of being DeveloperUnlocked as well as the number of apps that are allowed!
this request/response sequence happens EVERY time I plug my developer unlocked Windows Phone 8 into the USB port of my Dev PC and PIN unlock it.
Keep in mind I installed the root cert that Fiddler generated for my PC a while back, so it can decrypt HTTPS traffic to/from my phone.
If anyone knows what the integer equivalent of "that magic DWORD value" is, I will craft a custom response packet and see if it changes anything.
Please see the attached screenshot for proof!
Edit:
So I did try GoodDayToDie's xaps and it looks like increasing the value from 10 to 2147483647 (I think it's the integer equivalent to 0x7FFFFFFF) didn't have any effect that I could see. The InteropCapNoOem xap fails to deploy with error code 0x81030120. This error code normally means you are NOT interop unlocked back in the WP7 days. The OemCapsNoInterop.xap file generates an error telling me to "fix the Capabilities in [the] WMAppMAnifest.xml file."
I wonder if I can sideload more than 10 apps now though?
Maybe we can figure out what app is generating this "call home" and see if there are any other funky things we can stick in the xml tree?
Whoa. I could have sworn they were using cert pinning for that. I'll investigate, though...
EDIT: Couldn't get that connection request even showing up on my work computer. Will try from home.
Here is the service operations page:
https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/help and (according to API) the DeviceStatus call doesn't have a fullDeviceId={FULLDEVICEID} parameter.
BTW, compu829, what is the fullDeviceId parameter, what does it look like?
Wait... You could change the value on the phone? That's a huge improvement. I'm stuck with only 3 apps (stupid dreamspark) and desperately need more!
This is a great find! I, unfortunately have never seen this happen though. Do you happen to know if you had the WP Device Registration program or the Application Deployment program running at the time?
EDIT: I've been debugging multiple apps with Fiddler up and proxy on my phone and I haven't noticed this. I see it now. I feel stupid lol Time to play around
EDIT 2: Microsoft does NOT like when you have fiddler intercepting on Registration. It returns a success result, but the developer registration tool gives an error indicating that it cannot connect to the phone. Grrr and after I went through the work of changing the response value for the number of apps that can be sideloaded. I bet this is a timing thing... I'll see what I can do.
I don't think it's timing. Even if I left the request completely unmodified and just ran it through the proxy to watch the process, the tool said that there was a problem, and the phone did not get unlocked. They're either testing for the presence of a proxy somehow, or there's some side channel that *is* using cert pinning, and is therefore unable to connect through Fiddler.
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
On my phone, I noticed it AFTER I had developer unlocked it. More concrete steps on what I did to reproduce:
1. On test PC, Installed Fiddler.
2. On test PC, exported trusted root certificate that Fiddler installed.
3. Emailed certificate to my phone and installed it.
4. Now enable the proxy on the phone. Things like email, Windows Phone Updates, etc will now work normally!
5. Plug phone in to Visual Studio Development PC, and wait for the PC to detect the device.
6. You will see the phone "dial out".
Without installing the fiddler trusted root certificate, you will see the handshake, but the phone doesn't know what to do with the packet because the certificate generated by fiddler is untrusted.
Using this same technique, you can have some serious fun with Windows Updates
GoodDayToDie said:
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
See last post. Are you guys installing the trusted root certificate on your phone?
compu829 said:
See last post. Are you guys installing the trusted root certificate on your phone?
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
more detailed instructions
snickler said:
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
this is what I did:
On Development PC:
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, click Add, select current user, and then click Finish.
4. click ok to close the add/remove snap-in dialog
5. In the left-hand pane navigate to "Trusted Root Certification Authorities" --> "Certificates"
6. in the right-hand pane, look for the certificates labeled "DO_NOT_TRUST_FiddlerRoot" (I have two for some reason, you may only have 1)
7. Right-click on the certificate and go to "All Tasks" --> "Export".
8. Run through the certificate export wizard, leaving everything as the defaults.
9. Once you have exported your certificates, email them as attachments to your Windows phone.
10. Open the email on your Windows Phone. Click on the certificate file and wait for it to process. Then when prompted, install it.
11. After that, any https traffic that you intercept/edit will go through as trusted to your Windows phone, provided that the application isn't expecting a specific certificate.
Things this made work:
1. all App communications over https
2. Windows Updates
3. all email accounts.
4. App Store communications (except for actually downloading apps, IIRC).
Things that didn't work:
1. Anything that requires certificate pinning as the certificate is embedded within the app. Therefore it doesn't make a call into the trusted root certificate store. I believe this includes running the actual "Developer Unlock" app.
if you place the following code in the "OnBeforeResponse" section of the CustomRules.js file, you should be able to install more than 3 or 10 apps, provided the program that is "phoning home" isn't using certificate pinning.
Code:
oSession.utilDecodeResponse();
oSession.utilReplaceInResponse("AppsAllowed>10</","AppsAllowed>400</");
... These are steps that have already been taken. You actually did even more steps than necessary. All you have to do is point to your computer's IP address and port that Fiddler is running on within IE Mobile (Make sure Remote IP access in Fiddler is enabled), click on the certificate and it will install on the phone. You'll be able to see the requests from the phone. Everything you listed above is what I've been able to do. Nothing different from what I was saying.
@compu829: Yes, of course I am. If I weren't, it wouldn't be possible to edit that value at all; I wouldn't even see it because the TLS handshake would fail... (FWIW, I work with proxies all the time, usually Burp Suite not Fiddler, but in any case I'm quite familiar with setting up the MitM certs). I do wonder whether there's something changed here (GDR2 change, maybe?) because I could have sworn that intercepting the phone's traffic during unlock didn't work at all before (presumably due to cert pinning). I may be mistaken, though.
In any case, it still doesn't *actually* work. I guess I could try invisible proxying - use ARP spoofing or a custom routing rule on the router to send the data through my PC, and capture/modify it there, without revealing the presence of a proxy - but I don't know if that's the issue or if it's something else entirely.
EDIT: Your steps are way more complex than needed. For example, you can export the root cert from Fiddler by going to Tools menu (in Fiddler) -> Fiddler Options -> HTTPS.
whoops lol. Oh well. I didn't realize it was so easy to export/Import!
Anyways, all I know is that I could pretty much do nothing on my phone when I connected it to the proxy until I emailed myself the root cert. Once I did that, email started flowing, apps started working, and Windows Updates stopped erroring out.
It is entirely possible that whatever is generating the call is silently rejecting the response packet. I was just shocked when I plugged my phone in to see that packet show up.
I know that Windows Updates lets me modify the requests and responses without complaining, so maybe that is another way in? I assume that must be running elevated lol. Maybe we can get it to launch a background app that is already on the phone.
The way I see it, this will only work temporarily. Next time phone dials home without you running the Fiddler it will reset the AppsAllowed value. Am I right?
@amaric: If you'd actually read the thread, you'd see that it doesn't appear to work at all...
But yes, it would probably reset itself too. We don't have the ability (right now) to edit the registry keys which control that phone-home behavior. However, it might be / have been possible to do that if we had interop-unlock...
On the phone there is the file "PhoneReg.exe", which works with this data, and it checks the certificate Common Name (must be Microsoft...) and Thumbprint against hardcoded data.
Didn't the ChevronWP7 work exactly like this until MS fixed the bug in NoDo?
@snickler, @GoodDayToDie
There is something I can't get out of my head...after the Ativ S devices are interop unlocked, they'd "reset" after a while until we made them stop phoning home...This means that somehow Microsoft is associating the phone's device ID with your interop level...is this something done purely server side, or is there a way to maybe send this info TO Microsoft's servers so they can send the info back to our phones? Just a thought....
That's an interesting research question; we can set the URLs which are used to make those "phone home" checks to a site we control, possibly use HTTP instead of HTTPS, and see if they work. Worst case, cert pinning will cause the connection attempt to fail and we're right where we are now; best case, it's... umm, well it's interesting, but I don't see any likelihood of actually getting *additional* permissions out of this. Still, I've been wrong about things like that before. Somebody want to set up a transparent HTTP -> HTTPS proxy to listen for the request, forward it, record the response and forward it?

How do I give my app administrator permissions?

I am creating a new type of security application that sits at OSI Layer 2/3 and encrypts packets of data flowing between devices. With this proven technology, I can create apps such as Secure Skype, Private Messenger and so forth and I can do things such as blend Triple DES and AES 256 bit encryption (this will eventually be an open source encryption platform) on the same communication channel. We run underneath higher level, more limited, options such as SSL and VPN and we have been working on desktops for years.
The problem is that I cannot figure out how to port my Linux version over to Android due to the need to have admin rights for my app. I do NOT want to try to force people to root their phone and I am looking for some legal option.
In Windows and Apple, you can get your code verified - in Windows it is called Windows Logo verification. In those case, your code is run through a whole series of tests, the source code is signed and that cert is then authorized for admin rights.
Given how Android works, it would seem that a similar option should exist but I cannot find anything.
Can somebody please point me in the right direction?
Thank you very much for your time.
You can give your app administrator permission only for rooted devices.

Intune Company Portal

I have an issue, whenever I'm trying to setup the intune company portal, it keeps telling me that I need to set a pin code although I'm set with a pin code but there is no way to secure startup
What's "intune company portal"?
it's an app used to securely access work related outlook etc. It works fine on all my devices.
mameenbh said:
I have an issue, whenever I'm trying to setup the intune company portal, it keeps telling me that I need to set a pin code although I'm set with a pin code but there is no way to secure startup
Maybe it has something to do with encryption? Contact the developers or just try encrypting the phone
I'm on stock and phone is encrypted
Simple but working solution:
[Tutorial] [Root] How to configure 'Microsoft Intune' to make it work with 'Magisk' (Update: Q1/2023)
Update 04.01.2023: I've updated/added additional steps to make this tutorial work again. This question was asked many times and often all the answers did not work: How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft...
forum.xda-developers.com
