[Q] [q] tap edition warning - General Marketing & SEO

Hi,
I would like to formally post this recommendation to avoid using the TapEdition Publishing system on tapedition . com for Android distribution. Please also note, I have no issue with their iOS product. But we all know, iOS is a different bird altogether.
Help in dealing with this would also be welcomed.
Let me explain.
I have a client who's publication receives an ERROR when people attempt to purchase the client's in-App products. This has resulted in an unnaturally high rate of uninstalls, low conversion rate to purchased content, and yet is above average for the category. The statistics show that there should be a higher level of conversion, or a lower rate of uninstalls.
Long story short, there is an error with the code when validating the purchase receipt. It is clearly isolated (via screenshots, LogCat, and Crash Reports) to the Purchase Validation code. The binary is older than the hills; there have since been changes and updates in the In-App Purchasing code provided by Google.
The client does limit their liability quite a bit; I'm not asking for a refund; just servicing of the app to fix this problem (which, by the way, is replicated throughout their entire Android app library).
Details will be shared via PM, thoughts and questions, I welcome.
Oh, did I also mention, TapEdition's application stores PURCHASED PDF content on the External Storage device, and LogCat publishes the Unique Token required to access the paid content, bypassing the store altogether?
My goodness...

Related

Looking for developer opinions on a security guide for new android users

Hello XDA
I've written a security guide I have posted to quite a few Android communities/forums. This guide is intended for new users to Android so probably doesn't apply to anyone here. But I do think Android users deserve solid advice from the experts and with all the media scare tactics going around, now more than ever.
However, I was hoping that if some Devs had the time, they could give some of it a quick read. I'm hoping to get a more informed developer opinion on whether I missed anything or am mis-representing something or another. I'd like to make sure that my information is as accurate as possible, and since Android is a community thang, I figure why not ask some other devs if they want to have a look and chime in.
The one topic I havent really yet covered is rooting, so I know at least that much is missing.
Thanks in advance and please feel free to post all feedback -- positive/negative/or your favorite cheesecake recipe.
=================================
Background about Android
The first thing when understanding the security of your phone is to know a little bit about what makes it tick. Android is a 'lite' version of Linux with most applications that you download from the market written in Java.
The reason that this is important to know is that it means Android is very unlikely to ever get a 'virus' in the traditional sense. Part of the reason why is because Linux is a fairly secure operating system that protects various parts of itself from other parts. This is similar to how Windows has admin accounts and limited user accounts. Because of this protection, applications downloaded from the market do not have access to anything by default. You must grant them permission for each activity they want to perform when they are installed. This is a very important point which we will address a bit later. Also due to some bad choices by Google, there are a few exceptions to this rule that we'll talk about in the permissions section.
Nevertheless, while Android is very unlikely to get a 'virus', that does not mean you are completely safe from 'malware', 'spyware', or other harmful types of programs.
Types of Dangerous Programs
Probably the biggest/most common threats from applications on Android are:
1) When the developer/app tricks the user into giving the app permissions it does not need to do its job
2) When the app hides malicious code behind legitimate permissions.
3) When the app tricks the user into entering in personal information or sensitive data (such as a credit card number)
There are various ways malicious developers (also knowns as hackers or crackers) accomplish this. We'll briefly define each kind just to have a common understanding of the terms.
Malware
Malware generally is an all-encompassing term used to describe any harmful program. This includes spyware, viruses, and phishing scams (sometimes).
Spyware
Spyware is used to describe software or applications that read your information and data without you actually knowing it and reporting it back to some unknown third party for nefarious purposes. Often times this includes keystroke loggers to steal passwords or credit card information. Some people include certain types of Advertising tracking in this category (sometimes called Adware, see below). However that's a much larger debate we wont cover here.
Phishing
Phishing and spyware are closely related. They work on a similar principle: tricking the user and sending user information to a 3rd party to steal it. The difference with phishing however, is that the application (or website) will pretend to be from a trusted source to try and 'trick' you into entering in your details. Contrastly spyware would try to hide itself from being known to the user. One way to think about the difference is that phishing is masquerading while spyware is hiding, but the end goal of stealing your data is the same.
An example of this would be a app or website pretending to be affiliated with your bank or Paypal or your email provider (Gmail, Hotmail, Yahoo). However it can, and does, include any service where someone might want to steal your identity or password.
There have been known successfull phising attacks releated to at least one bank on Android.
Virus
The definition of virus used to be more all-encompassing. These days that term has been replaced by malware. Virus is more typically used to describe a specific type of software that takes control of your operating system and either damages it, or uses it for its own purposes. An example might be when a virus send emails to everyone in your email address book. Again this is the type of program least likely to be a problem for Android.
Trojan Horse
A trojan horse is really just a specific type of virus. It merely refers to the idea that the app pretends to be something useful or helpful or fun for the user while actually causing harm or stealing data. This term is often used to describe spyware and phishing attacks as well.
Adware
Adware is typically a bit of a grey area. Sometimes this is also called nuisance-ware. This type of application will often show the users an excessive amount of advertising in return for providing a service to the user of dubious quality. However, this type of program can often be confused with legitimate ad-supported software, which shows a mild to moderate amount of advertising while providing a useful service that the user wants. Because it can be hard to tell the difference, there exists a grey area from most anti-virus companies as to how to handle adware.
Warez
This is a term you'll sometimes hear referring to 'pirated' or unlicensed software. Often times warez forums and websites will offer "free apps" or "apks" (Android Package).
Don't be fooled by these sites, and do NOT download these files and load them to your phone. These files are stolen from the real developers by unscrupulous people who have no regard for the work put into apps by the developers, or the law. Often times they will even try making money off of the advertising on their "warez" forums. They are profiteers that do the entire Android community a great disservice, and hurt the developers. Furthermore this is very often the most popular 'vector' (method) of attack that malware writers use. Some go as far as stealing apps and putting them on the Android Market itself under different names.
If you are a user that cannot access the paid Android Market, there are alternatives these days. The most trustworthy markets (in my opinion) are the following:
- Android (Google) Market
- Amazon Appstore
- SlideMe
- Archos AppsLib
- AndAppStore (possibly)
- AndroidTapp (possibly)
- Verizon's Market (not sure if this is live yet)
- Motorola's Market (not sure if live or where, might be focused on Latin America?)
Other than these markets, I would not advise anyone to download and install an app from anywhere else.
However there are a few exceptions related to open source. These are places that independent developers can upload free and/open source apps. They don't guarantee your safety (nothing does) but they are not warez sites and are much more likely to be safe.
Open source or free apps: (very likely safe, not warez)
- XDA Developers
- Googlecode
- GitHub
How to Protect Yourself
There are no full-proof ways to avoid all bad situations in the world, but any sane person with a reasonable head on their shoulders knows that a few good habits can keep you safe for a long, long time in whatever you do. Here are a few tips I have learned from many years as a professional software developer and from reading these forums that have many people smarter and more knowledgeable than I about Android
Read the comments in the Market
This should go without saying. Before you download any applications, be sure to read the comments. Don't just read the first three either, click through and see what people are saying. This can also help you understand how well an app work on your particular phone or your particular version of Android. Comments should also be read EVERY time you update an app.
Check the Rating
Any app that fails to maintain abpve 2.5 stars is likely not worth your time. If you are brave enough to be one of the first few to download an app, this does not apply to you. Nevertheless almost all good apps have between 3 and 5 stars. To me, this is just a general rule to help find quality apps.
Check the permissions
There are many things an app can do to, and for, your phone. But anything an app can do is told to you when you download and install it. Before you download and install an app, you will be shown a list of permissions the application is requesting. Read them. Try your best to understand them in terms of what the application is supposed to do for you. For example, if you download a game of checkers, and the Market warns you that it wants to be able to read your contacts, you should think twice and probably not download it. There is no sane reason a game of checkers needs to know your friend's phone numbers.
To see the permissions given to an application after installation, go to the Market, press [menu], then [downloads] or [my apps], then select the app, press [menu] again, then press [security].
Below I have a list of some of the most commonly used permissions. The list has explanations of how important they are, what they do, and what types of apps might legitimately need them. This should help you get a basic understanding of what to allow and when to skip an app. Please feel free to ask about a permission or let me know if I have missed any.
Check the developer's website
Make sure the developer has a website and not just some Wordpress blog. This is often again a good indication of quality as well as safety. If the developer cares about their app they will likely have a relatively nice looking website or, if they are open source, a site on Google Code. Note: sites on Google code are NOT verified or approved by Google. However, open source is usually (but not always) more likely to indicate a safe application.
NOTE: This is not definitive indicator if a developer is good or bad, just one more peice of information you can use. Their are a lot of exceptions to this particular rule, as a lot of Good devs might not have anything more than a Blogger blog, and a lot of bad devs could just point to a nice looking site they have no affiliation with. However, the developer's website can be helpful just as an extra peice of information you can use in making your decision about the developer or app.
Updating applications is the same as installing them fresh
Each time you update an application on your phone, you should use the same diligence as if you were installing it for the first time. Reread the permissions to see that it is only asking for what it needs and no more. Reread the comments to see if anything has changed in the opinions of the users and to see if it still works for your phone. If you see that an application says Update (manual) next to it, that means the developer has CHANGED the permissions they are requesting from the version you have on your phone. This is not necessarily a bad thing -- but it should indicate that you should pay a bit closer attention to the permissions and re-evaluate them as needed.
If you are still unsure, ask around -- the community is your anti-virus
If you see an app you want, but it seems to be asking for more permissions that it should, or it's comments and ratings are mediocre, go ahead and ask about the app in these (and other) forums. You will often find dozens if not more people who know the answers and another whole bunch wishing to know the answers to the same questions you have.
I can't stress this point enough. This is the best part about Android. The community are usually the first to identify any Malware or dangerous programs, and are the best resource for finding quality apps.
Beware the Sockpuppets, Shills, and Spammers
However, like anything, don't believe everything you read. Someone who comes into a forum telling you an app is the "best" may be what's referred to as a sockpuppet or shill. I tend to be wary of people with low post counts, or who have unreasonably high praise for what seems a simple app, or anyone using the word "best" in a forced context.
Now these people are not all bad, some may just be excited, or not speak english as their first language. But it's common for sockpuppets to use the term "best" to try and get better search rankings on Google. Saying things like "Best Android App" "Best GPS." Other tell-tale signs include when they mention software for iPhone or other platforms without actually answering questions. Or just generally seem like their post is out of context or overly general (think about how horoscopes are made for everyone to relate to them). I often get spam on my blog that says things like "best blog post! love your writing style, you put things in perspective for me" which makes no sense when my blog was about my new app.
This is a fine line a very much a grey area though. Sometimes it can be very hard to tell if someone is a spammer. If you see a post or comment in the market you suspect is spam on a forum, report it to the mods, don't reply and start an argument.
Posting your own comments
After you have downloaded an app you can post you own comments. The comment will be visible to all other android users but it will only show your first name. To do this go into the Market and press [menu] > [downloads]. You should see five empty stars at the top which you can tap to rate the app. Once you have rated the app you should see an option to add a comment under the stars.
Being a good user
While this guide is about security, I think it's important to point out how to be a good user too. Android is a community and stems from open source and will only ever be as good as both it's developers and it's users.
So, if an app is crashing on you, try emailing the developer before uninstalling and posting an angry comment. Anything you post in the market will stay even if you have uninstalled the app, and you could do serious harm to a developer's reputation if you post very negative comments.
If you think the developer just made a mistake, or didnt support your phone, work with them. If they are unhelpful, then you can consider giving them a bad rating. This is especially true for free apps in the market. Remember that you, as a user are not "entitled" to perfect free apps. Most developers do not have Google's enginnering and QA team backing them up and even Google makes mistakes.
And while it's frustrating when things don't work, imagine how frustrating it is when you put long hours into something but make a mistake -- and then because of that mistake you can never fix the damage done by a rude commenter.
What does Google do to protect us?
Unfortunately at the moment, not a lot. They do police the market to a small extent and investigate any reports of malware. They several instances of Malware and actually remotely uninstalled the applications from users phones.
However, the Market is not like the Apple App Store or Amazon Appstore, there is no screening of applications before they are posted to the market. There are no draconian procedures or lengthy approval processes that developers have to go through to post applications. All that a developer needs to do is to 'digitally self sign' his or her application before posting it. This helps Google track any developers with ill intent, but it's just a way to manage malware after it is discovered.
What about Wi-Fi?
One of the things to remember when trying to keep yourself safe is to be very careful with public Wi-Fi. Whenever you connect to the internet through a public Wi-Fi you should never use any website that requires a password to sign into. The danger here is because you have no idea who is connecting you to the website your are trying to connect to. A good analogy would be like trying to mail a letter to your friend by giving it to a stranger in the street.
[guide continues below]
Permissions
When you install an application the Market will tell you all of the permissions it needs to function. These are important to read as it can give you an idea if the application is asking for permission to do more than it needs. While some legitimate apps often ask for more permission than they need, it should at least raise an eyebrow when deciding if an application is safe and of good quality.
NOTE: there are also some backwards compatibility decisions Google has made that will grant apps targeting 1.5 or earlier two permissions you may never see requested. It is my belief this is a security hole, but not a large one. The permissions are Read Phone State and Identity and Write/Delete files from the SD. I will elaborate on those below.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Services that cost you money
make phone calls
This permission is of moderate to high importance. This could let an application call a 1-900 number and charge you money. However this is not a common to cheat people in today's world. Legitimate applications that use this include: Google voice and Google Maps
Services that cost you money
send SMS or MMS
This permission is of moderate to high importance. This could let an application send an SMS on your behalf, and much like the phone call feature above, it could cost you money. Certain SMS numbers work much like 1-900 numbers and automatically charge your phone company money when you send them an SMS.
Storage
modify/delete SD card contents
This permission is of high importance. This will allow the applications to read, write, and delete anything stored on your phone's SD card. This includes, pictures, videos, mp3s, and even data written to your SD card by other applications. However there are many legitimate uses for this permission. Many people want their applications to store data on the SD card, and any application that stores information on the SD card will need this permission. You will have to use your own judgment and be cautious with this permission knowing it is very powerful but very very commonly used by legitimate applications. Applications that typically need this permission include (but are not limited to): camera applications, video applications, note taking apps, backup applications.
WARNING: Any app targeting Android 1.5 or below (possibly 1.6 as well) will be granted this permission BY DEFAULT. And you may not ever be warned about it. It is important to pay attention to what version of Android an app is targeting to know if this permission is being granted. You can see this on the Market website in the right hand column.
Your personal information
read contact data, write contact data
This permission is of high importance. Unless an app explicitly states a specific feature that it would use your contact list for, there isn't much of a reason to give an application this permission. The one exception to that rule includes typing or note taking applications and/or quick-dial type applications. Those might require your contact information to help make suggestions to you as you type. Typical application that require this permission include: social networking apps, typing/note taking apps, SMS replacement apps, contact management apps.
Your personal information
read calendar data, write calendar data
This permission is of moderate to high importance. While most people would consider their calendar information slightly less important than their list of contacts and friends, this permission should still be treated with care when allowing applications access.
Phone calls
read phone state and identity
This permission is of moderate to high importance. Unfortunately this permission seems to be a bit of a mixed bag. While it's perfectly normal for an application to want to know if you are on the phone or getting a call, this permission also gives an application access to 2 unique numbers that can identify your phone. The numbers are the IMEI, and IMSI. Many software developers legitamately use these numbers as a means of tracking piracy though.
WARNING: Any app targeting Android 1.5 or below (possibly 1.6 as well) will be granted this permission BY DEFAULT. And you may not ever be warned about it. It is important to pay attention to what version of Android an app is targeting to know if this permission is being granted. You can see this on the Market website in the right hand column.
Your location
fine (GPS) location
While not a danger for stealing any of your personal information, this will allow an application to track where you are. Typical applications that might need this include (but are not limited to) restaurant directories, movie theater finders, and mapping applications. This can sometimes be used for location based services and advertising.
Your location
coarse (network-based) location
This setting is almost identical to the above GPS location permission, except that it is less precise when tracking your location. This can sometimes be used for location based services and advertising.
Network Communication
create Bluetooth connection
Bluetooth (Wikipedia: Bluetooth - Wikipedia, the free encyclopedia) is a technology that lets your phone communicate wirelessly over short distances. It is similar to Wi-fi in many ways. It itself is not a danger to your phone, but it does enable a way for an application to send and receive data from other devices. Typical applications that would need bluetooth access include: Sharing applications, file transfer apps, apps that connect to headset out wireless speakers.
Network Communication
full internet access
This is probably the most important permission you will want to pay attention to. Many apps will request this but not all need it. For any malware to truly be effective it needs a means by which to transfer data off of your phone, this is one of the setting it would definitely have to ask for.
However, in this day and age of cloud computing and always-on internet connectivity, many, many legitimate applications also request this.
You will have to be very careful with this setting and use your judgment. It should always pique your interest to think about whether your application needs this permission. Typical applications that would use this include but are not limited to: web browsers, social networking applications, internet radio, cloud computing applications, weather widgets, and many, many more. This permission can also be used to serve Advertising, and to validate that you app is licensed. (See DRM for more info).
Network communication
view network state, view Wi-Fi state
This permission is of low importance as it will only allow an application to tell if you are connected to the internet via 3G or Wi-Fi.
System tools
Prevent phone from sleeping
This is almost always harmless. An application sometimes expects the user to not interact with the phone directly sometimes, and as such would need to keep the phone from going to sleep so that the user can still use the application. Many applications will often request this permission. Typical applications that use this are: Video players, e-readers, alarm clock 'dock' views and many more.
System tools
Modify global system settings
This permission is pretty important but only has the possibility of moderate impact. Global settings are pretty much anything you would find under Android's main 'settings' window. However there are a lot of these setting that are perfectly reasonable for an application to want to change. Typical applications that would use this include: Volume control widget, notifications, widgets, settings widgets.
System tools
read sync settings
This permission is of low impact. It merely allows the application to know if you have background data sync (such as for Facebook or Gmail) turned on or off.
System tools
Write Access Point name settings
I need a bit of clarification on this setting myself. I believe this relates to turning on and off wifi and your 3G data network. (if someone can comment and clarify I would greatly appreciate it and update this guide to reflect). Essentially however I believe this to be similar to the 'modify global settings' permission above.
System tools
automatically start at boot
This permission is of low to moderate impact. It will allow an application to tell Android to run the application every time you start your phone. While not a danger in an of itself, it can point to an applications intent.
System tools
restart other applications
This permission is of low to moderate impact. It will allow an application to tell Android to 'kill' the process of another application. However that application should have the option of immediately restarting itself.
System tools
retrieve running applications
This permission is of moderate impact. It will allow an application to find out what other applications are running on your phone. While not a danger in an of itself, it would be a useful tool for someone trying to steal your data. Typical legitimate applications that require this permission include: task killers and battery history widgets.
System tools
set preferred applications
This permission is of moderate impact. It will allow an application to set the default application for any task in Android. For instance clicking on a hyperlink in your email will bring up a browser. However if you have more than one browser on your phone, you may want to have one set as your 'preferred' browser. Typical legitimate applications that require this permission include any applications that replace, compliment, or augment default Android functionality. Examples of this include web browsers, enhanced keyboards, email applications, Facebook applications and many more.
Hardware controls
control vibrator
This permission is of low importance (but could be lots of fun). As it states, it lets an app control the vibrate function on your phone. This includes for incoming calls and other events.
Hardware controls
take pictures
This permission is of low importance. As it states, it lets an app control the camera function on your phone.
Your accounts discover known accounts
This permission is of moderate importance. This allows the application to read what accounts you have and the usernames associated with them. It allows the app to interact with permission related to that account. An example would be an app that was restoring your contact, would discover your google account then sned you to Google's login screen. It doesnt actually get to see your password, but it gets to work with the account.
Development Tools read logs
This permission is of very high importance. This allows the application to read what any other applications have written as debugging/logging code. This can reveal some very sensistive information. There are almost no reasons an applications needs this permission. The only apps I might grant this permission to would be Google apps.
What Does it All Mean? This Sounds so Scary!
It might sound that way but it is not, by any means, scary. The power of the market is actually due to the fact that developers are free to post updates and applications much more quickly and easily. But despite the security risks that this model creates, there is an incredibly powerful deterrent to malware in the community itself. Lots of people on these boards and in the market eagerly try out new apps and report back the safety and quality.
Again, the community is your best anti-virus app.
last updated: March 23, 2011
This guide by Lost Packet Software is licensed under a Creative Commons Attribution-No Derivative Works 3.0 United States License.
Good post.
Yes, well written and informative. As a developer, it's good to get this information into user's hands who may not know how permissions work. And the author makes some good points on how to be safe without massive fear of EVER downloading an app
Thanks to OP for a nice article. Do you mind if I copy it and post it on my website? You can send me a PM. Of course, I will cite you as the original source
Thanks much guys,
@Rootstonian
Yes you can copy it, but copy the one from my site http://alostpacket.com/2010/02/20/how-to-be-safe-find-trusted-apps-avoid-viruses/ as it has a few less typos.
It is licensed under the creative commons license (no derivative works, must attribute to me). This means you are free to copy/republish but you have to copy the whole thing and not change it.
Well written and informative! Thanks.
Ok, thanks. I'll either copy it in its entirety or just use the link you provided if that's ok.
Regardless, you work will be properly cited
Again, well done.
thanks much guys.
Also curious if anyone has found any errors or inaccuracies or misrepresentations etc.
Brilliant post.

Security breach found on htc devices

The Vulnerability
In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.
That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
the list of user accounts, including email addresses and sync status for each
last known network and GPS locations and a limited previous history of locations
phone numbers from the phone log
SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.
But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):
active notifications in the notification bar, including notification text
build number, bootloader version, radio version, kernel version
network info, including IP addresses
full memory info
CPU info
file system info and free space on each partition
running processes
current snapshot/stacktrace of not only every running process but every running thread
list of installed apps, including permissions used, user ids, versions, and more
system properties/variables
currently active broadcast listeners and history of past broadcasts received
currently active content providers
battery info and status, including charging/wake lock history
and more
Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:
ACCESS_COARSE_LOCATION Allows an application to access coarse (e.g., Cell-ID, WiFi) location
ACCESS_FINE_LOCATION Allows an application to access fine (e.g., GPS) location
ACCESS_LOCATION_EXTRA_COMMANDS Allows an application to access extra location provider commands
ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks
BATTERY_STATS Allows an application to collect battery statistics
DUMP Allows an application to retrieve state dump information from system services.
GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service
GET_PACKAGE_SIZE Allows an application to find out the space used by any package.
GET_TASKS Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
READ_LOGS Allows an application to read the low-level system log files.
READ_SYNC_SETTINGS Allows applications to read the sync settings
READ_SYNC_STATS Allows applications to read the sync stats
Theoretically, it may be possible to clone a device using only a small subset of the information leaked here.
I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door. For a more technical explanation, see the section below.
Additionally, and the implications of this could end up being insignificant, yet still very suspicious, HTC also decided to add an app called androidvncserver.apk to their Android OS installations. If you're not familiar with the definition of VNC, it is basically a remote access server. On the EVO 3D, it was present from the start and updated in the latest OTA. The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely? I'm sure we'll know soon enough - HTC, care to tell us what it's doing here?
Technical Details
In addition to Carrier IQ (CIQ) that was planted by HTC/Sprint and prompted all kinds of questions a while ago, HTC also included another app called HtcLoggers.apk. This app is capable of collecting all kinds of data, as I mentioned above, and then... provide it to anyone who asks for it by opening a local port. Yup, not just HTC, but anyone who connects to it, which happens to be any app with the INTERNET permission. Ironically, because a given app has the INTERNET permission, it can also send all the data off to a remote server, killing 2 birds with one stone permission.
In fact, HtcLogger has a whole interface which accepts a variety of commands (such as the handy :help: that shows all available commands). Oh yeah - and no login/password are required to access said interface.
Furthermore, it's worth noting that HtcLogger tries to use root to dump even more data, such as WiMax state, and may attempt to run something called htcserviced - at least this code is present in the source:
/system/xbin/su 0 /data/data/com.htc.loggers/bin/htcserviced
HtcLoggers is only one of the services that is collecting data, and we haven't even gotten to the bottom of what else it can do, let alone what the other services are capable of doing. But hey - I think you'll agree that this is already more than enough.
Patching The Vulnerability
... is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk).
Stay safe and don't download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.
Affected Phones
Note: Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe.
EVO 4G
EVO 3D
Thunderbolt
EVO Shift 4G? (thanks, pm)
MyTouch 4G Slide? (thanks, Michael)
the upcoming Vigor? (thanks, bjn714)
some Sensations? (thanks, Nick)
View 4G? (thanks, Pat)
the upcoming Kingdom? (thanks, Pat)
most likely others - we haven't verified them yet, but you can help us by downloading the proof of concept above and running the APK
HTC's Response
After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public (as per RF full disclosure Policy). In my experience, lighting fire under someone's ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry. (This is where we come in.)
As far as we know, HTC is now looking into the issue, but no statement has been issued yet.
HTC, you got yourself into this mess, and it's now up to you to climb out of the hole as fast as possible, in your own interest.
The ball is in your court.
Credit
ANDROID POLICE
Huge thank you to Trevor Eckhart who found the vulnerability and Justin Case for working with us today digging deeper.
Hi there, I need help, someone is consistently hacking into my phone, htc evo 4g, they are penetration testers and pc savvy, currently I cant login to the phn for trying to do a factory reset. They kept intercepting me and now my password does not work. Who knows maybe they changed it on their side. I wrote down everything I saw. I was seeing all these process running for the same app. in my applications. My phone was getting hot, freezes but its people that live in my apt complex and at work. can you help?
zzm5 said:
Hi there, I need help, someone is consistently hacking into my phone, htc evo 4g, they are penetration testers and pc savvy, currently I cant login to the phn for trying to do a factory reset. They kept intercepting me and now my password does not work. Who knows maybe they changed it on their side. I wrote down everything I saw. I was seeing all these process running for the same app. in my applications. My phone was getting hot, freezes but its people that live in my apt complex and at work. can you help?
Click to expand...
Click to collapse
Is your device rooted?
I used root explorer and removed the HtcLoggers.apk and other than the forced close loop that removing it caused (requiring me to remove the battery), after rebooting all seems to be working fine.
EDIT: Actually I didn't just delete HtcLoggers.apk but moved it to a safe location on the SD Card in case there was a problem and it needed to be restored. I highly suggest you do this instead of just deleting it, or better yet, a nandroid backup.
there are a few good ROMS out there that have the ICQ loggers removed already.
Do we really need three threads on the front page about the same thing?

[Q] Call for entries:: A Football (Soccer)Mobile App.

We seek developers from any part of the world for an innovative mobile app project.
This project is dedicated solely on Football in a country in Africa.
For the eventual developer of this app, all the payment will be done through this medium. Although we are willing to pay between $1500-$1800 or maximally pays $2000 on this job
PROJECTS’ MAJOR COMPONENTS
News feeds, Videos/highlight shows, live score, Interactive communities, Feedback/suggestions
OVERVIEW
To design, built, operate and later transfer a football (soccer) mobile app.
OBJECTIVES
To pull news and other specified contents from web-portals, blog sites to the app. All this must be done without slowing down the app. invariably; we are talking about a sorting algorithm that is robust, fast and easily assessable to the app. IT MUST NOT SLOW DOWN THE APP.
Alternatively, creating a pool at which the app can interact with. All the news, videos et al will be aggregated in that pool and the app can eventually interact with it.
SPECIFICATIONS
The major components will make use of strong sorting algorithm because for instance, all the news components will be sourced from different web sources.
For LIVE-SCORE components, we are looking at an sms-based auto-app-update-lives-core. For instance match updates can be sent via sms to a dedicated phone number which must have been programmed to automatically update on the app. However, we will always appreciate if there are better, and cost effective options to achieve this feat.
OUR REQUESTS
The design must be simple but captivating,
The navigation must be easy
Must be on different version of Androids, iOS, Window Phone and Blackberry
Please when applying, endeavor to email me for further briefing.
The match fixtures, result and league table components must be easily navigable and more importantly, easily updatable.
The featured football/soccer clubs must have their logos attached to them. (We will supply those logos)
The app logo and naming must be unique. We will welcome inputs from you on this.
We are proposing a back-end kind of connection to match-day videos/highlights on a website. This app must have proper referencing of the source website, same goes for the news too.
The feedback component of the app must be able to send feedbacks/suggestions to the app admin.
We are yet to decide if the app will have an authentication pane with it, where one can sign-up, have a profile and log-in and out. But if it will, then it must be very simple- Username, phone number, email address, supported football club. The user log in page must be able to allow each user to log in automatically.
The app must have an interactive community, where app user can intearact based on the football/soccer clubs they support.
CONCLUSION
Please note that we are more interested in anyone/group that can achieve our BOT (Build, Operate and Transfer) option for us. We will strictly follow your own proposed remuneration afterwards.
There will be an MOU to be jointly signed by both party before the start of the project . This MOU must state your specified time frame for setting up the project, and also operating it.
Please note that all financial consideration will be paid to you ONLY when you are about to transfer the project to us.
More importantly, the App must be able to have specified sizes of Advertisement pane (This is a very important component).
For the eventual developer of this app, all the payment will be done through this medium. Although we are willing to pay between $1500-$1800 or maximally pays $2000 on this job
Signed
Fapohunda Olufemi John
Solution Provider,
JMS Technologies
[email protected]
Twitter: @iamfOJ
Whatsapp/Phone: +2348066920770

APK installs/Android traffic monetization solution

Hi there!
Let us introduce ourselves. We specialize in monetizing APK installs as well as any other Android traffic.
We are in the business for over 6 years already and this is what we can offer you right now:
-NET0 payouts
-Automatic ads integration/mass integration into any APK file
-0 detections
-APK tuning (changing package name, app name, icon e.t.c)
-Flexible ads behavior (settings delays, ads frequency, hide app icon, don't show ads for GP installs e.t.c.)
-For GP app updates our ads start after the update, without the need to launch the app itself, thus covering the whole userbase with the single update
-Sub IDs support,postbacks and direct download links for mediabuyers
-Advanced reporting system with GEO/CPM/APPS breakdown as well as average system CPM rates
-Flexible referral system starting from 7% and more
-Great support
-Up to 20 ads per day.
Please feel free to contact us at support[at]madmobile.biz
hey thanx for your knowledge
Hi, mad.mobile
I have developed SDK with proxy inside. I have TOS and SLA. It very big project with proxy buyers, app owners, dashboard, per-week payments and so on. I asking user to give to me access to his internet connection and working absolutely with white solutions. Does it interested for you to have additional profit with me by injecting my SDK to your APKs?
check out here: monkeysocks.net/sdk/ (please copy and paste because i have not 10 posts to post links)
MadMobile-APK installs/Android Download traffic monetization. Auto-SDK and Smartlinks
We are glad to introduce new type of ads, which is not connected in any way with our automatic SDK: Smartlinks.
This is a well-known format on the market and, if you used it, you should probably know how it works and we hope that you will like it.
What we can offer you in terms of smartlink ads is:
-No irritating endless redirects
-All OS are accepted: Android, iOS, Win, MacOS, Other mobile/desktop devices (Java, WM e.t.c.)
-NET0 by default. Bi-weekly/weekly payouts, depending on your volumes
-Average daily smartlink system rates per GEO
-Decent CPM rates
-100% fill rates for all GEOs
Please feel free to sign up and check it out yourself. We will help you squeeze out the maximum from your traffic.
Hello MadMobile! I would like to discuss a potential partnership. Please contact me on skype for the further details: juliacnv.
custom links and landings
Hello!
Due to multiple demands from our partners we released a separate section with landing pages. Now all you have to do is simply launch the traffic, landings will handle the rest! Currently we have 50 landings in public and over 50 landings in a row to be integrated, and we will do our best to have at least 3-5 of them integrated daily. Please note that all landings are multilingual.
Also, if you have a demand for some specific landings, or if you have any landings that you world like to be integrated with us, please feel free to contact us.
Please note, that our landings also have a {post} variable, which is extremely useful for any torrent/download/mp3 traffic, which might requite to pass a user a specific variable file name (e.g. if a user looks for "witcher-the-movie.torrent" file, he will be redirected to a torrent download landing page with "witcher-the-movie.torrent.apk" file name). Such variable will increase clicks-to-downloads conversion rate dramatically.
We are ready to offer our partners CPI payouts! (For verified partners only). You can get up to 10 cents for US install instantly! However, please keep in mind that revshare will eventually get you much more.
If you have any questions, please contact us [email protected]. We will be happy to assist you with the integration or answer any of your questions.
skype:mad.mobile1
[email protected]
tg://madmobile_support
retention
Hello!
Few words about retention:
This information will be useful for our traffic brokerage partners, who are able to target the traffic by manufacturers. Let’s talk about the retention – the ability of our service to generate ads on various types of devices.To put it simple, there are two types of retention – technical and human based. While we are taking care of the latter, it’s up to our partners to improve the technical retention.
Doing this is simple – just target the right manufacturers.
The best performing vendors are the ones that are mostly present in Tier 1 and Tier 2 countries and less – in Tier 3 countries.
The best one is, of course, Samsung.
Our service will keep running for months - at least approximately 25-30% of initial installs.
The same good retention can be observed on Motorola, Asus, LG, Nokia, Lenovo, Sony, Alcatel, HTC, Asus and others international vendors.
The bad retention is typical for Chinese vendors, largest of which are Huawei, Xiaomi, Oppo and Vivo.
Please avoid targeting these ones, because it would be just a waste of money and, while targeting good-performing vendors, you would increase your ROI dramatically.
traffback
We are glad to announce, that we have added a traffback URL to all of our landings and custom links.
With its' help you are able to boost your monetization heavily and drive the significant part of your traffic (normally, it is 10%-40% of the total number of clicks on your landing page) anywhere you want - for example, to push subscription landings.
Technically, this traffback is a popunder, which pops up when a user hits "download" button or any other part of the LP. This popunder is shown only when a user closes the LP. That means, that the traffback URL doesn't affect the conversion rate in any way. Also, our tests showed, that the traffback converts very good.
Properly speaking, this is not a traffback remnant low quality traffic, but more like a proper HQ additional popunder traffic.
our rates
Dear partners, you keep asking us, how much can you get for this or that number of installs for a specific geo.
If you already have an account with us, you can find the answer in the “Rates” section. Specifically, you can see system average CPM rates for the last 7 days, as well as estimated CPI rates, which you can keep in mind while buying the traffic from ad networks. For example, such data is super useful if you work with Smart CPM. You can set those rates per each geo and ad network will do the campaign optimization by itself.
Also, please keep in mind, that those CPI rates are calculated for a one month pay-off period, considering standard traffic structure and behavioral pattern. In other words, if you work on a revshare, you should get those rates within the first month of the install, but, eventually, for the whole life cycle of the install, you will get twice more revenue.
Currently our rates are following:
Formats?
Demand for which all ad formats do you support? I might have something we can discuss about.

My phone is hijacked and under control of maniacs. I need to identify and stop them!

For some time now, many years, I have experienced problems with my cellular telephone that I could not explain or rectify. I know I am being hacked and no matter how many times I factory reset the phone the problems still exist. My phone has been lost and stolen in which insurance has replaced the phone and in no time or immediately I experience the exact same problems. My videos and pictures are altered, deleted or hidden. All the programs or applications seem to be altered or customized with options that are not the genuine developer or creator options and images. The graphics associated with the applications and web pages are not the genuine images and I am sure that violates trademark, copyright, intellectual property rights and other laws I am not aware of. Web pages information, contact information, address information, and content are altered and changed which can affect all sorts of areas such as personal safety, product safety, access to information is blocked, altered or displayed in ways that make it impossible to get directions, product availability, law enforcement help, legal help and information. When I use Google Maps for directions, it will take me down one way streets the opposite direction toward oncoming traffic,, have ludicrous directions, unnecessary turns, wrong speed limits, and out right wrong directions or even switch my end point without my knowledge. I tried to order cleaning gloves and masks today, and no store in my city was in stock, and delivery was not until July the 5th, 2020. I am also experiencing the same things with all my electronics such as my computer, smart televisions, printers and gps units. I did a screen recording of the applications on my phone, and the about phone section. I know from that it is apparent that my phone is hacked and under control of some other party or person. Someone is either maliciously attacking me with the purpose to cause extreme harm for reasons of personal enjoyment, or my name, reputation and activities have been purposely misled and lied about in a gross manner where a cellular telephone developer, or a technology hacker, or information pirate or mercenary developed and/or gave someone or some group a program and knowledge on how to capture my phone and all other electronics and hold it hostage. I have tried to root the phone in order to put a custom rom on it, but my searches and efforts are blocked and never get any traction or success. I am attaching the screen capture video- it is 20+ minutes and will show the extent of the hacking. Someone is perverting and illegally using developers tools, programs, applications and code in ways that were never intended and can only lead to extreme problems of which in all honesty death or terminal scenarios are all real possibilities. I am hoping to identify these people with your help, and bring them to justice and alleviate my life problems that this has caused and stop the illegal and intentional perversion of the original intent for cellular development which is the fruitful search for knowledge and advancement of useful and legal technology. Please help me in this battle to which all operations on my device are unsuccessful, disheartening, and uncontrollable. Thank you in advance and if this should be posted in another area or forum please advise, however I am posting it in a few that I think are relevant. I live in Houston, Texas- so if there is a group of developers, or some people that can help me combat this locally please message me their contact information. Take care. - Dale-
Screenshots attached and a link to the video of my phone and it’s contents.
Here is the link to the screenshots of applications, programs and phone information: wwwdotdrive.google.com/drive/folders/1OImrdp64ndMzJGN74v7K4G6H4zc2DzV9?usp=sharing
Here is the link with the video of the screen shots and a little narration: wwwdotdrive.google.com/file/d/1i7GU9TVUnqfJvgyLq5roaaPR08EkBf0z/view?usp=sharing
Hey what does the "participated" in blue text color mean listed in front of my post?

Categories

Resources