Related
Just a general warning to those who seek out APK's on the internet.
I've noticed an increasing number of people posting APK links on XDA-developers using 3rd party hosting such as multi-upload instead of the official developers websites. This is a potential security risk to your own phone, because Android code CAN be decompiled, and dodgy code can be added before re-uploading. You at a greater risk of downloading compromised APK's if you download them from an untrusted party.
Many of these APK's seem to be hosted officially by the developers already, so please link directly to the developers OWN servers when possible, and those who use their phone for business or store sensitive data on it, should avoid using APK's from sources which weren't set up by the original developers.
andrewluecke said:
Just a general warning to those who seek out APK's on the internet.
I've noticed an increasing number of people posting APK links on XDA-developers using 3rd party hosting such as multi-upload instead of the official developers websites. This is a potential security risk to your own phone, because Android code CAN be decompiled, and dodgy code can be added before re-uploading. You at a greater risk of downloading compromised APK's if you download them from an untrusted party.
Many of these APK's seem to be hosted officially by the developers already, so please link directly to the developers OWN servers when possible, and those who use their phone for business or store sensitive data on it, should avoid using APK's from sources which weren't set up by the original developers.
Click to expand...
Click to collapse
First off: Who's to say the original developer can't put this so-called "dodgy code" in their own apks?
Secondly: The Android marketplace doesn't have any strict rules as to what someone can post, and the code isn't even checked. You have just as high a chance of getting this "dodgy code" from any app you download straight from the market.
Nobody. But it is a hell of a lot safer from a trusted first party, than being passed down a chain of untrusted people before it makes it's way to you. Especially since apk's don't seem to be digitally signed (I may be wrong).
I'm just concerned that you can post any APK you want here which have an official website, insert a trojan, and nobody would be none the wiser. I'd simply like to see a change in attitude.. If someone posts an unofficial link to an APK which is already available by developers, I'd like to see people stand up and point to the OFFICIAL website.
At the moment, people are actually ENCOURAGING bad security practices, and doing so makes XDA a target ripe for future attack. And I don't want to wake up to a forum of people *****ing about Samsung, for a problem caused because of a trojaned copy of Angry birds beta on XDA.
We should build awareness now for people to get files from the last link in the chain, rather than wait for someone to try it (which they probably will, and may have already done)
andrewluecke said:
Nobody. But it is a hell of a lot safer from a trusted first party, than being passed down a chain of untrusted people before it makes it's way to you. Especially since apk's don't seem to be digitally signed (I may be wrong).
I'm just concerned that you can post any APK you want here which have an official website, insert a trojan, and nobody would be none the wiser. I'd simply like to see a change in attitude.. If someone posts an unofficial link to an APK which is already available by developers, I'd like to see people stand up and point to the OFFICIAL website.
At the moment, people are actually ENCOURAGING bad security practices, and doing so makes XDA a target ripe for future attack. And I don't want to wake up to a forum of people *****ing about Samsung, for a problem caused because of a trojaned copy of Angry birds beta on XDA.
We should build awareness now for people to get files from the last link in the chain, rather than wait for someone to try it (which they probably will, and may have already done)
Click to expand...
Click to collapse
Are you familiar with modifying an APK? It is not nearly as easy as you make it seem. If the developer doesn't release the source code, it can't easily be functionally modified minus a few graphics and the like. Not to mention, this is how the iPhone jailbreak system works in regards to getting content. And has been going on with PC for years.
I really do not think it's something we have to worry about. Just install an anti-virus on your phone if you're worried.
1) Grab 7zip to decompress your apk package.
2) And yep, there are tools to decompile dex files too. Technically it seems to be more like disassembly, but can probably easily be modified to cause the app to ring russian phone sex numbers every 10 minutes without your consent, or do other nasty things. There are some security mechanisms in place, but that doesn't make them invincible.
You tell me, what is the advantage of encouraging reposting of APK's with already existing websites? Because it doesn't seem to have any advantages, but can have BAD security implications.
Good thing to raise awareness among users, but alas - most of them don't even bother to read the permissions requested by apps downloaded from the market.
There are actually quite few people that have an idea of what could happen if they had a rouge app on their phones. I recently tried to give a similar general warning in another forum that people should take care when flashing "beta" firmwares downloaded from some hosting site and not from the developer... You think most of them cared? Sadly they didn't...
There's nothing wrong with being a bit cautious and smart about the way we do things. I'll trust the app if I see the dev is in "the" community.
Sent from my GT-I9000M using XDA App
andrewluecke said:
1) Grab 7zip to decompress your apk package.
2) And yep, there are tools to decompile dex files too. Technically it seems to be more like disassembly, but can probably easily be modified to cause the app to ring russian phone sex numbers every 10 minutes without your consent, or do other nasty things. There are some security mechanisms in place, but that doesn't make them invincible.
You tell me, what is the advantage of encouraging reposting of APK's with already existing websites? Because it doesn't seem to have any advantages, but can have BAD security implications.
Click to expand...
Click to collapse
So, obviously you've never tried to actually edit one of those XML files within it. try that and get back to me.
APK's are not open source and cannot be decompiled and edited. The only way for what you are suggesting can happen, to happen, is if the APK in question had its sources released so someone else could release an edited version of the program, made from scratch, in java.
"can probably" is not very sure. The chances of someone posting a completely separate app with the name of a well known app is much more likely than someone editing an existing app (assuming the sources were available).
If you have no clue about android apk development why even bother arguing?
opensourcefan said:
There's nothing wrong with being a bit cautious and smart about the way we do things. I'll trust the app if I see the dev is in "the" community.
Sent from my GT-I9000M using XDA App
Click to expand...
Click to collapse
Agree 100%. Much better said! You don't know who's releasing what, so watch what you're installing and just make sure it looks like the program you were looking for in the first place..
Electroz said:
So, obviously you've never tried to actually edit one of those XML files within it. try that and get back to me.
Click to expand...
Click to collapse
Refer to apktool Link
Or Apk Manager (My Signature)
Xml's can be 100% decompiled/recompiled from binary to human readable and back thanks to apktool.
2 options to make sure ur safe :
1. Dont install root applications (they require 0 upfront standard android api permissions hence u won't know what its doing behind the scenes)
2. Install apps by transferring them to ur phone and using the package manager, that way you can see standard permissions (if any) and judge accordingly.
You know what would be cool, if superuser could log the "su" commands a root requiring app executes
Daneshm90 said:
Refer to apktool Link
Or Apk Manager (My Signature)
Xml's can be 100% decompiled/recompiled from binary to human readable and back thanks to apktool.
Click to expand...
Click to collapse
Wow, my bad.... But no wonder major game companies aren't developing for the platform yet.
But even if the apk that u downloaded from the net have a virus (eg. sends SMS to get money), you will still see the permission when installing so an antivirus isnt needed, or am i wrong?
leoon said:
But even if the apk that u downloaded from the net have a virus (eg. sends SMS to get money), you will still see the permission when installing so an antivirus isnt needed, or am i wrong?
Click to expand...
Click to collapse
If its a non-root requiring app then yes, it must disclose its permissions prior to installing it through package manager not if u use adb to install.
You just have to judge, if a wifi toggle app is asking for email/sms permissions, you might want to be careful
As for root-requiring apps, theres not much you can do other than read reviews for that app or decompile and try to understand what its doing behind the scenes.
Electroz said:
Wow, my bad.... But no wonder major game companies aren't developing for the platform yet.
Click to expand...
Click to collapse
It's quite easy to modify disassembled app code as well - trust me ;-) Also I think we will have possibility to decompile to Java code in the future.
Just don't think of your phone as a smaller PC (especially Windows), because this isn't true. There will never be antiviruses for Android and your only protection are permissions. Anyone could create market account and upload malicious app.
About game companies: they usually write in native code and it's really hard to decompile (or maybe even impossible for now). Besides... did you heard about gameloft's recent games? They're really awesome. Note that first 3d-gaming capable Android phones were released just ~10 months ago, so it's still quite early.
leoon said:
But even if the apk that u downloaded from the net have a virus (eg. sends SMS to get money), you will still see the permission when installing so an antivirus isnt needed, or am i wrong?
Click to expand...
Click to collapse
It should, however, what if it is an alternate launcher, in which case, you'd expect it to be able to send SMS's and make phone calls. That's all fine, until you realise the copy of launcherPro you downloaded using a multi-upload in XDA is having phone sex with a russian operator costing you hundreds of dollars.
It's actually good Brut spoke here. Brut[Maps] is relevant, because it introduces new features which distinguishes it from Google's version. However, can we trust Brut as much as we can trust Google? He seems trustworthy yes, but as trustworthy as Google? Questionable. (Btw Brut, good work on your mod). Of course, his mod does have considerable benefits showing he is interested in helping the community and he hasn't caused any problems thus far. That only means his official multi-upload posts are safe though, if I repost them elsewhere, you shouldn't trust my copies.
It's common sense that programs should pass by as few hands as possible to remain secure. We need to build awareness about security practices (particularly for business users who may compromise their companies security or information). I'm not saying all rom's are safe.. Think about it though, if an APK is already readily accessible, why would someone go through the effort of re-uploading it?
Furthermore, we should encourage people using their phone's for important purposes to use the official Kies releases, not random firmware's available from Samfirmware's (which may not even be final versions).
Remember, trojans are common in the warez world, and it's better to change the attitude of the community before they become a problem here too (otherwise, people will be stuck in a poor mindset that compromises herd immunity). XDA is a website targeted at the technical crowd, and we should set a good example.
@Electroz. Haven't disassembled them myself, but checked a tutorial. But someone has responded already anyway.. Just because I don't have experience doing it myself anyway, doesn't mean it isn't widely known to be possible.
Several big guys already launched Antivirus For Android
Norton, Trend, and a few more
i think we are pretty safe with those
however... it's suck if they run in the background all the time eating the juice+cpu power away
Anti-virus only helps for known trojans anyway, and since so few people have it installed, it doesn't help much. When Android has it built in though, it may be more useful.
Anti-virus should be considered a last line of defense anyway. And either way, I'm not concerned, because I try to minimise the risks of my own sgs. However, it's a concern that people here don't believe such a risk exists, and are actually encouraging a global attitude which might make the Android population ripe for social engineering attacks in the future.
@andrewluecke
I understand you, I don't say there is no problem with security. I say it doesn't matter you will get malicious software from mirror or Market itself. We could assume apps downloaded from WWW are more dangerous, but this problem is general one: people should be cautious whenever they install something with critical permissions. If they won't they will have problems anyway - it's just a matter of time.
I agree with you: it's important to aware people of that problem. This is actually only one thing we can do: be aware and cautious.
Ahh and in many situations it's possible to protect yourself against problem with redistribution. First, you could check md5 - many developers give it to people, I do. Second: signatures. Each app is signed by its author, so you could check its authenticity. You could check signatures of downloaded apk using public key uploaded by dev to his WWW or using "safe" apk you downloaded earlier. Unfortunately there are no tools to do that easily :-/ Also Android does this check automatically when you install new software. So if you have installed e.g. GM modded by me, then you have downloaded new version from some mirror and succeed at installing it, you can be sure it was also from me and nobody modified it.
AllGamer said:
Several big guys already launched Antivirus For Android
Norton, Trend, and a few more
Click to expand...
Click to collapse
Hmm? I think it's impossible, cause apps can't get to data and resources of others apps. And creating an app for root users only wouldn't have much sense.
I have found Norton Smartphone Security for Android and it's anti-theft protection, not anti-virus.
I'm not a coder and came from IT field so I have lots of general questions about apk security and found this thread...great discussion. TY
Just a general question about apk security...how easy is it to alter apk for malicious intent? And is it possible for spyware writers to turn some freebie apk or rom into a bunch of botnet drone? ...just kinda scary to imagine
the news about android virus gets me nervous about installing any apk released from any individual
http://www.talkandroid.com/24949-new-android-trojan-virus-discovered-dubbed-gemini/
kobesabi said:
how easy is it to alter apk for malicious intent?
Click to expand...
Click to collapse
Quite easy for a good developer.
kobesabi said:
And is it possible for spyware writers to turn some freebie apk or rom into a bunch of botnet drone?
Click to expand...
Click to collapse
Yes, but I think that would be quickly noticed by people and then these apks, roms and developers would be banned from every forum in the internet.
Brut.all said:
Quite easy for a good developer.
Yes, but I think that would be quickly noticed by people and then these apks, roms and developers would be banned from every forum in the internet.
Click to expand...
Click to collapse
Wow, scary. Unless there is something else, that they can't get away, I don't think banning would deter much, they just laugh at the weak security as a fun challenge. If they already got tons of ip under their control...banning by account, ip, or email will not help much...they can always get new ones.
Is there a way user can authenticate/verify apk signing from authentic author/writer? Many just post apk but did not post md5 or sha sum so how can a user find out if it is original or not?
Anyway to test these apk without loading up to real phone?
So for quite some time, there has always been issues and complaints about users not being able to download roms from the links posted by the devs on new releases and/or updates (4shared, Rapid share, Mega upload to name a few)
with that being said they are always complaining and begging for someone who gets a complete download to re-upload with a mirror, to make their lives easier...understandable. But if there's one thing I know, "Most" devs hate it when users fill their threads up with a bunch of links...why? well that’s simple:
It confuses others (especially noobs) as to which link is the correct one and the one intended for download by the OP. This means that if someone put a faulty link/mirror that contained a bad file, un-signed zip, or their own custom version of the rom/mod that they decided to play "dev" with and screwed it up rendering it full of bugs...the Dev and/or OP has to deal with the complaints when that user comes back to post. Leaving him confused and dumbfounded as to what the hell they are talking about because nobody else is reporting these issues.
Download count just so happens to be very important to a lot of devs. It gives them a general idea of how many users are flashing their work, which can not only make them feel appreciated and needed by the community because of all the attention...but also create a ratio of problems to success. Example, 300 users download, only 50 come back to report bugs, the rest either don't post at all (I call them ghost readers) or give good feedback. Now, out of that 50 only 7 reported bugs can be legitimately confirmed, which means the other 43 people either did not follow directions clearly, or already had some other stuff going on that effected their experience. Why are these numbers important? Because, if the numbers of bugs are high...the dev knows to update quickly and correct things, if the number of user errors are high...the dev knows he needs to re-adjust his instructions or make them more clear and descriptive so that nobody misunderstands. And if the number of successful flashes are high...well...you know. And all of this can be based on number of downloads...which other users screw up when they post their own links!
Lost and forgotten is what all these mirrors, linked threads/topics, and uploaded fixes by random users become when the topic is over populated (especially big named threads like Eugene, CM, Wes Garner etc). So if the thread has 105 pages and an important link was dropped by a user that proved to be helpful way back on say...page 23! How in the hell is anyone who hasn't been following the entire topic to know that? And nobody in their right mind, who has a life, is going to sit there and skim all 105 pages. So if you must, or feel, that you have a useful link pertaining specifically to the topic that can help others, the best resolution would be to PM it to the OP, so that they can update the first post where all users can easily refer back to if need be.
Now with the why covered, let's move on the the what. And the what is what I have to offer:
A hosting service that I paid for out of my own pocket. This is my way of contributing to the community, as I do not offer donations, sorry. But for the exchange of helpful information, resources, mods, and great roms! I hereby offer all devs, and I do mean DEVS ONLY (yes that includes themers) the use of this hosting service is at no cost to them.
How beneficial is this you ask?
For Devs:
unlimited online storage space for all zips, rar's, and other files that are specifically related to the xda development (No personal storage like mp3's, movies, and family portrait please)
direct download links! No pop-ups, No ads, No human text box verifications
unlimited links- they never run out of time or number of downloads they will stay on the internet forever!!!! (or until you remove it)
Detailed info- keeps track of number of clicks, page views, downloads, you name it, you get your own personal page to view this statistics at any time
No size limit! Big or small, you upload it all (multiple uploads at once supported as well) I have not seen anything in any of these forums over 200mb...so if you're running up 1-2 gigs of use in a matter of days I will be investingating your usage!
For users
No more 4shared yay! Lol
No time wait (30 secs, 90 secs or whatever) Downloads start immediately after clicking the link!
No pop-up or separate browser pages to go to, download starts without the need to open a new page or tab, so you can easily continue on reading through the forum you are in
Links are never broken-they will always work until the OP removes it
No signing up, no memberships.. paid or free, just download. Same benefit as downloading links uploaded directly through Xda, except you don't have to be logged in to click these!
To keep things under control and fair I will only allow 3 request per week for access to this service. I'm not sure how many devs are registered and active but I'm quite sure there are a lot. Eventually all devs who are interested will have the opportunity, but for my own conveyance I will only take 3 request a week, because I will not be online everyday to take all request, this also give me the time to help each individual to get set-up and answer any questions they may have.
I do not discriminate by phone make or model. All devs are welcome to this offer regardless of what phone they developed for. However; I will only post this thread here in the Vibrant forums, well, because that's the phone I use. But Mods are more than welcome to sticky it or link the word to other locations so that all devs can read. My only rules are:
Must be and already have been a member of XDA for at least one year.
Must provide at least two links to their work contributed here in the xda forums
Must have a valid email address and/or twitter account. (simply so that I can contact and update you if any changes or problems occur)
Must only use this service for the development of roms/themes/mods. Please do not take advantage of my kind heart, and use this hosting service for your own personal purpose, I will know, and I will take away privileges.
How to sign up for this?
Simply PM me if you are interested... with the above^^ requirements, and I will give you all the details and instructions you need.
Unfortunately, I will not start taking request until Monday of next week, a relative has just passed away a couple of days ago, and I am closing a deal on a new home, trying to fit time for a funeral, and moving all in one week can be a headache. But you are welcome to start sending me request if you like, but as I said I will only deal with 3 at a time. So if you send a request and don't hear back, please do not continue sending me your inquiry. Your voice has been heard and will be responded as soon as I get to you. Thank you.
Wow, I'm not a dev or anything like that but this is real nice of you. Kudos to you sir.
Working in the er its nice to know when your help is appreciated. So thank you.
Sent from my SGH-T959 using XDA App
bguzmanz2 said:
Wow, I'm not a dev or anything like that but this is real nice of you. Kudos to you sir.
Working in the er its nice to know when your help is appreciated. So thank you.
Sent from my SGH-T959 using XDA App
Click to expand...
Click to collapse
+1
This will not only help the devs, but the forum community in general, making it much more easier on both ends, so i thank you for this. Kudos to you.
TL;DR
You might also want to post this in the Dev sub-forum too. It's over here --> Vibrant Android Development.
Thanks for providing the service.
I hope you have some serious monthly download allowences. I do some hosting not related to XDA and I'm easily pushing 30Gig a month, which spikes even more depending on releases.
What your doing is awesome none the less.
If you find that you are pushing some serious downloads you could always turn some builds into torrents and use your machine as the master seed and let others help out that want to help out. Lord knows my machine at home has been seeding many Linux builds over the past months.
http://burnbit.com/
Not to disrespect you in any form or way, I appreciate this thread to the developers but this idea has been made quite a while ago since the first-generation of Android phone (G1).
http://forum.xda-developers.com/showthread.php?t=665957
AndroidSPIN has been around for a long time and has provided hosting for developers and their ROMs as well as a pretty organized database.
zephiK said:
Not to disrespect you in any form or way, I appreciate this thread to the developers but this idea has been made quite a while ago since the first-generation of Android phone (G1).
http://forum.xda-developers.com/showthread.php?t=665957
AndroidSPIN has been around for a long time and has provided hosting for developers and their ROMs as well as a pretty organized database.
Click to expand...
Click to collapse
Yes, I already know this. But please understand this is specifically for xda...androidspin is its own website in itself, also still has its limitations as well as ads and opens new pages/tabs for downloads. My service does not do that, and is without limits.
Sent from my SGH-T959 using XDA App
That is very helpful, and I appreciate it. But no I have no monthly cap, and I pay for my services once per year.
Sent from my SGH-T959 using XDA App
kizer said:
I hope you have some serious monthly download allowences. I do some hosting not related to XDA and I'm easily pushing 30Gig a month, which spikes even more depending on releases.
What your doing is awesome none the less.
If you find that you are pushing some serious downloads you could always turn some builds into torrents and use your machine as the master seed and let others help out that want to help out. Lord knows my machine at home has been seeding many Linux builds over the past months.
http://burnbit.com/
Click to expand...
Click to collapse
Sent from my SGH-T959 using XDA App
Kudos to you sir
Sent from my Samsung Vibrant
try it and soon you will get email from your hosting company of over usage. Unlimited in your contract means nothing.
They might make you pay for overusage by saying that you abused their network.
Klyentel said:
That is very helpful, and I appreciate it. But no I have no monthly cap, and I pay for my services once per year.
Sent from my SGH-T959 using XDA App
Sent from my SGH-T959 using XDA App
Click to expand...
Click to collapse
Congrats I wish I had an unlimited bandwith host. I can get away with gigs of storage, but they caped me around 60gig a month.
Anyways hope it works out.
good luck, ive tried this a few times but seems like devs like those crappy upload sites. i'm gonna take a guess and say you are on a site like hostgator or something with "unlimited" bandwidth, watch it cuz its only unlimited untill you use to much resources.
Just an idea.
Why don't we create a distributed system using available tools/software like torrent files.
We need one or more torrent server/tracker and list of volunteers to be reliable seeders. Once you sign as a seeder, you will receive a list of # files you'll seed 24/7 until you receive an updated list.
I don't mind seeding 5-10 files 24/7.
We can retire any file at any time if there is no interest and archive it.
By archiving i mean switch to more "standard" way of hosting it like http or ftp access.
And when a new release is out the downloading will be even faster.
/!\ BE AWARE OF YOUR APP, DavinciDevelopers try to steal them and sell them on the market !!
Hello guys,
Be careful, if you post an apk of your free app here, somebody will try to take the apk, remove the signature, and upload it as a paid version on the market !
The proofs : (edited to add new stolen softwares)
Llamadroid
- http://forum.xda-developers.com/showthread.php?p=10113570#post10113570
- http://www.androlib.com/android.application.com-kebab-llamadroid-zzjjD.aspx
(removed today, on 5th january)
Typo clock
- http://forum.xda-developers.com/showthread.php?t=814054
- http://www.appbrain.com/app/beautiful-clock-widget-3d/com.semicuda.typoclock
Iron soldiers
- http://forum.xda-developers.com/showthread.php?t=862875
- http://www.appbrain.com/app/iron-soldiers/vuxia.ironSoldiers
(removed from market today, on 5th january, but still referenced)
Championship racing 2010
- http://www.vividgames.com/sub_game.php?id=42
- http://www.androlib.com/android.application.com-vividgames-championship_racing_2010-zzxwq.aspx
(removed today, on 5th january)
Liquid wallpaper
http://forum.xda-developers.com/showthread.php?t=878252
http://www.appbrain.com/app/liquid-physics/livewallpaper.liquid
Bluetooth Scanner
http://forum.xda-developers.com/showthread.php?t=900923
http://www.androidzoom.com/android_games/casual/bluetooth-scanner_pvqg.html
(New !! Now, we have proof that ALL his apps are stolen)
And even Gameloft best sellers (paid games) :
http://www.androlib.com/android.app...ndroid-gand-gloftspaw-heroofsparta-zjCDi.aspx
(removed from market today, on 5th january, but still referenced)
http://www.androlib.com/android.application.com-gameloft-android-gand-gloftavar-avatar-zjCEx.aspx
(removed from market today, on 5th january, but still referenced)
Minigore
http://minigore.blogspot.com/2009/07/what-minigore-is.html
http://www.appbrain.com/app/minigore-hd/com.ambushgames.minigore
http://www.androlib.com/android.application.com-ambushgames-minigore-zzjqD.aspx
Zuma's revenge
Original
http://www.zumasrevengegame.com/
http://store.steampowered.com/app/3620/
Scammers
http://www.appbrain.com/app/zumas-revenge-hd/com.popcap.zumas_revenge
http://www.appbrain.com/app/zumas-revenge/com.fox.game.zumasrevenge
How is it possible ?
Google does not check your apk signature when you upload a software.
Even if you signed yous apk with you key, somebody else can put this on his google account.
The signature can be deleted easily if needed.
He can change the title of your app, so nobody see it, but he can't change the apk name nor the icon.
Why do we post our apk here ?
To have testers, to correct bugs, to have a perfect look and feel before put it on the market.
Because on the market people are rude, we have only one chance, so we need to avoid bugs.
And when we put our app online, we want to choose if it's paid or free (with ads or not).
What is the problem ?
If DavinciDevelopers steal and upload your app, he will lock your pak name.
2 apps can't have the same name on the market.
You may have a name like com.myname.myapp.apk
Where "myname" is the same in every app you do.
If he take that, this is a major issue for you because you will be associated to him on every search (google.com, market...).
So, you will have to change your app name and maybe your company name....
Within 1 or 2 days, the market is parsed from androlib, androidzoom, appbrain... and it's done. Google.com will see those websites, and you are trapped.
You will have your buggy app on the market, some people will pay for that, the thief will have some money, and every users will have a bad opinion of your app.
Why DavinciDevelopers does this ?
To make benefit from your work.
Because he doesn't care you are working from a long time on your app.
Because he doesn't care if your work is ruined, he will find somebody else.
How can we be protected ?
Because 2 apps can't have the same name, you should put your app on the market first.
If your app is in development stage, you can upload it as "draft", so it will not be visible on the market, but the name will be locked.
Who is DavinciDevelopers ?
Somebody that have 83 apps on the market !
Almost all of them are themes.
If you look the package name you can see for example :
com.nd.android.pandatheme.p__3d_android_theme
at :
http://www.androlib.com/android.application.com-nd-android-pandatheme-p__3d_android_theme-qAmiz.aspx
google search : "pandatheme", first link :
http://home.pandaapp.com:888/
So he is not a developer. He makes themes with a free online tool and sell them... nice.
And for the real apps he uploaded (about 5), they all are stolen, coming from poland, germany, and other places.
Almost every of them comes from XDA dev forums.
ps : this message should be marked as sticky in every development section.
Is it worth marking all these apps as objectionable to draw Google's attention to this issue?
Sent from my Desire HD using XDA App
Today, 2 of those links has been removed already !
Maybe somebody sent emails to every publishers...
I hope google will understand this and ban this thief.
I have posted about it on reddit
http://www.reddit.com/r/Android/comments/ew4e8/android_market_is_still_the_wild_west/?sort=hot
Someone who works for google replied and said they're looking into it.
@jgittins
Could you please link this post to you post ? Or give to the "google man" the list of the apps we found here ?
This kind of guy should be banned from google forever (if it's possible )
One thing I don't understand :
Google should give to every developer a private key that we could use to compile the apk.
Something we should not be able to remove.
So the developer who generates the apk could be sure it would be uploadable only into his account.
It sounds simple but...
thanaos2042 said:
@jgittins
Could you please link this post to you post ? Or give to the "google man" the list of the apps we found here ?
Click to expand...
Click to collapse
I've linked to this thread from the reddit story.
Also, you have written that Zuma's Revenge is by Blue_sprit. But the real zuma's revenge is a famous game from popcap, I think blue_spirit is actually another scammer.
http://www.zumasrevengegame.com/
http://store.steampowered.com/app/3620/
Well done post edited !
thanaos2042 said:
Google should give to every developer a private key that we could use to compile the apk.
Something we should not be able to remove.
Click to expand...
Click to collapse
It's not possible to add something, that is impossible to remove. Cryptography makes possible to check that something was created by someone, but not that it wasn't.
Dang that sucks that people are ripping dev's off. I have high respect for Dev's. Not being one, I don't know all the ins and outs of developing apps but I'm sure it's a very deeply involved process that nobody should rip off. Jeez. I hope these idiots are banned from the market. Is there a formal process that someone can start to get these apps credited to their rightful owners?
Thank you for informing the community of this!
Thanks a lot! As a developer, this information I will be very useful.
This is absolute putrid behavior. This is one of the downsides to having an open-source OS and Google being so hands-off. There better be some justice in this matter......
PS - moderators/admins should require this to be a stickie in EVERY forum
I post it to tweeter.
This is disgusting.. I will make comments on all his posted apps in the market and warn people how this guy rips them off..
jhepoy said:
This is disgusting.. I will make comments on all his posted apps in the market and warn people how this guy rips them off..
Click to expand...
Click to collapse
thats not going to stop many people if they want the app.....thats what sucks
TopShelf10 said:
thats not going to stop many people if they want the app.....thats what sucks
Click to expand...
Click to collapse
if more of us from xda will post comments how douche this guy is, then maybe we could prevent others from patronizing his posted apps.. being a frustrated programmer also, I know how hard it is to code.. and I am very grateful to devs who gives us free apps over here at xda..
These davincidevelopers retards are also releasing retail gameloft games on the market, we need to stop these fuken retards, get them banned from the market.
What a penga ! We want to protect our community from the pirates, Thank you for the heads up,
Lets spam this Guy!! Anybody got his email??
Sent from the almighty Vibrant!!!
Rootgenius is a shuame's development of a separate root software, after dozens of versions of the iterative update, now supports more than 3000 models a key root,
And is also rapidly increasing. Goal is to make the most powerful, safest, most hassle tool.
Updated to version 1.4.2, the first support for Samsung Galaxy Note 3 full range of models rooted.
Supported models include:
*SM-N900(intl)
*SM-N9002
*SM-N9006
*SM-N9008
*SM-N9009
*SM-N9005
*SM-N900S(LTE)
*SM-N900W8(Verizon)
*SM-N900T(T-Mobile)
*SM-N900P(Sprint)
maybe you can try it and do not thank me.
Mod Edit
link removed
malybru
Forum Moderator
bbbnsj520 said:
Supported models include:
*SM-N900(init)
*SM-N9002
*SM-N900S(LTE)
*SM-N900W8(Verizon)
*SM-N900T(T-Mobile)
*SM-N900P(Sprint)
maybe you can try it.
Click to expand...
Click to collapse
Mod Edit
link removed
malybru
Forum Moderator
:good:
Yeah, because this looks really kosher doesn't it?
Member for 18 months with only 4 posts to your name, and you're posting an EXE with no instructions of how to use, and no description of what it does and how it works. That's then followed up by two practically identical "Good" posts from completely new users with very similar "style" user names.
Anyone who downloads and runs this is insane, because this appears to be all kinds of wrong. I may well be paranoid, but I'd advise anyone reading this thread to steer clear unless you've a particular penchant for malware.
DO NOT DOWNLOAD THIS. THIS HAS NO CREDIBILITY.
MODS PLEASE CHECK THESE USERS.
Sent from my SM-N900W8 using XDA Premium HD app
1sagain said:
DO NOT DOWNLOAD THIS. THIS HAS NO CREDIBILITY.
MODS PLEASE CHECK THESE USERS.
Click to expand...
Click to collapse
You're absolutely right. So I checked the exe and at least it doesn't seem to be malware.
The exe is signed by www.shuame.com and originates from affiliated site www.sjroot.com - both sites seem quite legit, albeit using Google translate to interpret snippets of information.
The exe in question prompts you to connect the phone and enable USB debugging, after which it opens a root shell over ADB and correctly identifies the phone. THIS IS AS FAR AS I WENT! There is a potential for malware being delivered to the phone at this point but I think that would be an exceptionally elaborate ruse considering the established sites linked with this program. Someone else may want to check this but I need my phone for work today so I stopped short.
All seems well so far.
:good:
[email protected] said:
:good:
Click to expand...
Click to collapse
Hmm, these endorsements from "gmail" users (as in username) really add an air of credibility to this thread, don't they?
Download and run at your own risk!
Sent from my SM-N9005 using Tapatalk
.....:good:
Mod Edit
Thread closed
malybru
Forum Moderator
Although there is no (yet) statistics showing the real number to how bad the piracy on Android is, there are reports saying more than 90% of installs on Android were not paid for (Google). There have been lots and lotsa blows exchange between developers and hackers (and for gods sake this is never gonna end). Anti-piracy solutions are being discussed here and there, all the discussions are (eventually) pointing towards server authentication as the only way to counter piracy effectively.
As a developer, I am not excused from all this hack-and-anti-hack things. And (obviously) I have no better solution than anyone else. Here, I am gonna share a small library that I have coded to help scan for pirate apps on the device. This library is really simple, what it does is to grab a list (I called it pirate-app-list) from the internet and scan it through the device to determine whether an offended app is installed on the device.
This project is actually a product from the 1st suggestion in this XDA thread. In the thread, it recommends to search for the pirate apps and force the user to uninstall it. I implemented the former part of the suggestion, while leaving the latter to the developers to decide. The only difference that I have made is to put this static list on the internet instead of hard-coding it to save us the trouble of updating the app for the purpose of updating the list.
This project is by no means a solution to anti-hacking. Rather, its a hope that developers can work together to make sure users stay away from those apps (by forcing/reminding them to uninstall it). I believe those apps will not survive if it does not gain enough active users? Or maybe it does..
This project is open-sourced on GitHub together with the pirate-app-list. Feel free to check it out.
Currently, only "Lucky Patcher" and "Freedom" are listed on the pirate-app-list (with filters). Anybody interested in the project are free to join so we can work on the list and more importantly, the definition of what a pirate app is.
Your feedback is very much appreciated.
Thank you.
reserved
reserved
Lucky patcher is also used for functions that do not concern piracy, such as running two versions of the same app... I think that you can't force or continuosly remind a user to uninstall an app that he needs.
Edit: Also, I think that most of the piracy is based on pirated apk, not apps like LP or Freedom, which only act for IAP. The solution to prevent IAP piracy is server validation, but for pirated APK it's not.
Coraz said:
Lucky patcher is also used for functions that do not concern piracy, such as running two versions of the same app... I think that you can't force or continuosly remind a user to uninstall an app that he needs.
Edit: Also, I think that most of the piracy is based on pirated apk, not apps like LP or Freedom, which only act for IAP. The solution to prevent IAP piracy is server validation, but for pirated APK it's not.
Click to expand...
Click to collapse
Thank you for your reply.
Actually, as I have pointed out in the thread, this project implements only the scanner part, it doesn't act for the developers. Developers have to decide what they want to do with the detected piracy. Its really nice to be able to run 2 versions of the same app on 1 device, I believe ChelpuS should make another app with this feature, or without other features in Lucky Patcher.
I'm sorry, but if an app tells me to uninstall something - I'm uninstalling that app first
DANIEL TAN said:
Although there is no (yet) statistics showing the real number to how bad the piracy on Android is, there are reports saying more than 90% of installs on Android were not paid for (Google). There have been lots and lotsa blows exchange between developers and hackers (and for gods sake this is never gonna end). Anti-piracy solutions are being discussed here and there, all the discussions are (eventually) pointing towards server authentication as the only way to counter piracy effectively.
As a developer, I am not excused from all this hack-and-anti-hack things. And (obviously) I have no better solution than anyone else. Here, I am gonna share a small library that I have coded to help scan for pirate apps on the device. This library is really simple, what it does is to grab a list (I called it pirate-app-list) from the internet and scan it through the device to determine whether an offended app is installed on the device.
This project is actually a product from the 1st suggestion in this XDA thread. In the thread, it recommends to search for the pirate apps and force the user to uninstall it. I implemented the former part of the suggestion, while leaving the latter to the developers to decide. The only difference that I have made is to put this static list on the internet instead of hard-coding it to save us the trouble of updating the app for the purpose of updating the list.
This project is by no means a solution to anti-hacking. Rather, its a hope that developers can work together to make sure users stay away from those apps (by forcing/reminding them to uninstall it). I believe those apps will not survive if it does not gain enough active users? Or maybe it does..
This project is open-sourced on GitHub together with the pirate-app-list. Feel free to check it out.
Currently, only "Lucky Patcher" and "Freedom" are listed on the pirate-app-list (with filters). Anybody interested in the project are free to join so we can work on the list and more importantly, the definition of what a pirate app is.
Your feedback is very much appreciated.
Thank you.
Click to expand...
Click to collapse
Sorry to tell you. But XDA rule number 6 States that you are not allowed to talk about apps like Lucky Patcher and Freedom. I hope the moderators will ignore you for a noob.
Regards,
PoseidonKing
PoseidonKing said:
Sorry to tell you. But XDA rule number 6 States that you are not allowed to talk about apps like Lucky Patcher and Freedom. I hope the moderators will ignore you for a noob.
Regards,
PoseidonKing
Click to expand...
Click to collapse
You are misinformed. We allow threads such as these because they are educational and are about preventative purposes against those applications. I would suggest you actually read what the purpose of this thread is about before telling other users about what the XDA rules say, which incidentally is not your 'job' to do.