I released a Windows 8 metro 2-step authentication app - Windows 8 General

App store link: http://apps.microsoft.com/windows/en-us/app/authenticator-open-source/e299a743-b066-4b75-be37-619ee448a988
GitHub Link: https://github.com/mepis/Windows8OauthAuthenticator
Background: I wanted a companion 2-step authentication app for my laptop and tablet. Authentication apps exist on the Windows 8 store, but due to the nature of 2-step, I choose to err on the side of caution and not use the published apps. I wasn't familiar with the developers. So, I decided to make my own. I released it to the app store because others might find it useful.
App mission: This app will always be free and not supported by any ads nor will I ever take any donations for it. This app is completely open source and published under the GPL v.3. Any changes I make to this app will always be published in the source code and all changes will be as future compatible as possible
Warning: Though I have decided to utilize this app on my laptop, it's not considered to be good practice to keep the TOTP authentication mechanism on the same device that is used to log into accounts with. With that said, I have taken steps to the best of my knowledge to secure secret keys and keep this app safe. All secret keys are stored in the Windows Credential Password Vault.
Future plans:
- I am debating creating a page to list all secret keys in the app. There are inherent security risks doing this though. I'm debating the pros and cons.
- I'm considering running the keys through an AES encryption scheme before storing them to the Windows Credential Password Vault. This would require the user to enter a password when starting the app though. This creates an extra step and is not as friction free of an experience. I'm debating the pros and cons.
V1.1.0.8 Update
I found an issue where the leading zeros of the generated OTP were removed before being displayed. I fixed that.
V1.1.0.4 Update
I added copy and delete functions for the one time passwords. The update has been submitted to Microsoft and will be available in a day or two.
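The leading-zero display bug described in the V1.1.0.8 note, reproduced as an added example (Python, not code from the app or its GitHub repository). It computes an RFC 6238 TOTP, shows the code formatted as a bare integer next to the zero-padded form, and adds a string-based verifier; the function names are hypothetical and the secret is the RFC 6238 SHA-1 test key, used here as constructed sample input.

```python
# Added example: RFC 6238 TOTP and the "dropped leading zero" display bug.
# Not taken from the Windows8OauthAuthenticator source; all names are hypothetical.
import base64
import hashlib
import hmac
import struct

# Constructed sample input: the RFC 6238 SHA-1 test secret ("12345678901234567890"),
# Base32-encoded the way authenticator apps usually receive secrets.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a Base32 secret, tolerating spaces, dashes, lower case and missing padding."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_number(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> int:
    """Return the TOTP (HMAC-SHA-1) as an integer, before any formatting."""
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return value % (10 ** digits)


def display_buggy(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """The bug: converting the integer straight to text drops leading zeros."""
    return str(totp_number(key, unix_time, digits, step))


def display_fixed(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """The fix: an OTP is a fixed-width string, so left-pad with zeros."""
    return f"{totp_number(key, unix_time, digits, step):0{digits}d}"


def verify(key: bytes, submitted: str, unix_time: int,
           digits: int = 6, step: int = 30, window: int = 1) -> bool:
    """Check a submitted code as a fixed-width string, allowing +/- `window` steps of drift.

    Comparing strings (not integers) means a code that lost its leading zero
    is rejected instead of silently matching a shorter number.
    """
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return False
    ok = False
    for drift in range(-window, window + 1):
        expected = display_fixed(key, unix_time + drift * step, digits, step)
        ok |= hmac.compare_digest(expected, submitted)  # constant-time compare
    return ok


if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET_B32)
    t = 1111111109  # RFC 6238 test time whose code starts with a zero
    for digits in (6, 8):
        print(f"{digits} digits  buggy={display_buggy(key, t, digits)!r}"
              f"  fixed={display_fixed(key, t, digits)!r}")
    print("padded code accepted:  ", verify(key, display_fixed(key, t), t))
    print("stripped code accepted:", verify(key, display_buggy(key, t), t))
```

With a uniformly distributed code, roughly one in ten values starts with a zero, so a display path that formats the OTP as a number fails intermittently rather than every time.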

nice
nice

Thanks.
I made a few small updates to the app and have everything functioning well enough. I'll work on some more stuff later. I'm debating adding in an area to display secret keys as well, something to make the app act as a place to save them safely. I'm debating the pros and cons of the security risks for that. I would love others' input on that as well.
As always, if anyone has any questions or comments, let me know. Even if it's only to say that the app sucks. I won't know what to fix or change unless people tell me.

Protecting Privacy - Compiling TaintDroid into Kernel to find leaky apps

Most people don't yet know that many Android software leak all sorts of information to the internet with only scant user acknowledgement (basically what you accept when you install the app).
Due to this and the fact that there are already privacy information harvesting apps for Android on the marketplace - a team of security experts have created TaintDroid:
What is TaintDroid?
From the project's web page: "A realtime monitoring service called TaintDroid that precisely analyses how private information is obtained and released by applications "downloaded" to consumer phones."
From: http://appanalysis.org/index.html
How can I install TaintDroid?
As TaintDroid is currently compiled into the kernel, you cannot easily install it, but you have to cook your own kernel. Instructions (for Nexus 1) are available at the project web site: http://appanalysis.org/download.html
How does TaintDroid work?
Here's a video demonstrating how TaintDroid works once it is installed and configured:
http://appanalysis.org/demo/index.html
Why would you want to install this?
There can be many reasons for installing TaintDroid:
- You want to learn about privacy features and play with Android kernel
- As it is currently impossible to differentiate between innocent and sneaky Android apps based only on what access rights they request, you may want to dig in deeper
- You are worried about what apps are doing behind your back and you want to know which apps to uninstall
- You want to help make Android a more secure and privacy-protected platform, instead of the Swiss cheese it currently is
What can you do?
As compiling kernels is mostly beyond the reach of mere mortals currently, consider cooking TaintDroid into your kernel, if you are cooking one yourself and offering it available for others to try and use.
Hopefully increased awareness and usage will bring this program eventually into other modders and perhaps even Google's attention and something more easily accessible is offered for the public at large.
BTW, I'm just a user, interested in getting TaintDroid on my own Galaxy S. I'm not affiliated with the research program, but I like what they are doing. This information is purely FYI.
+1 for the idea
Sent from my GT-I9000 using XDA App
+1
Since we cannot expect information gatherer Google to come up with a good privacy protection mechanism soon I think we are forced to take measures ourselves.
I also learned that several of my bought applications are constantly forcing me to enable synchronisation and/or 3G internet. They either randomly uninstall (Asphalt 5), their icons disappear (for example: Mini-squadron) or won't start, with (Schredder Chess) or without a message. Angry Birds Beta2 lite (free game) and Hungry Shark are 2 more examples. So much for an incentive to buy games...
It would be great if applications used a well-defined mechanism to check their validity on-line, and not have this sneaky, lingering attack from all sides to any privacy or battery consumption aware user.
I cannot cook kernels, but this is something I want to use.
Not that I am worried, but I don't know what apps are sending when you open them. That's something I want to know!
I am sure I am not the only one.
+1
Yes please... This should be in all android phones... as a security option you could turn on!!!
Antonyjeweet said:
> Not that I am worried, but I don't know what apps are sending when you open them. That's something I want to know!
And do some of these applications only send stuff when you open them?
--
From a user perspective it currently is really difficult to judge applications that need to start at boot-up and deal with many facets of your computer (Launchers, tools combining lots of diverse features).
Do you know some ROM where TaintDroid is included?
I've posted in hardcore and laststufo kernel threads to ask if they could add it.
We just need more people wanting it so they think about adding it
exadeci said:
> I've posted in hardcore and laststufo kernel threads to ask if they could add it.
> We just need more people wanting it so they think about adding it
glad you did that
+1 support the idea. hope some of our hardworking kernel builders will add this in.
My concern is how much another real time service will affect battery life. For people trying to make the leanest, fastest kernel I'm not sure it's viable.
I have been wanting TaintDroid built into Android by default since the day it was announced, but I really do not think Google cares about this, so please, please ROM cookers out there (Maybe Doc?), let's add this into our Galaxy S ROMs.
Well, this seems to work only on android 2.1
Make it so.
+1
Combined with walldroid (or other firewall) this could put back power into users hands. Would really love to see this inside hardcores kernel. Maybe as an option for the stable releases?
+1
This should be the next standard in Android
idea about spoofidroid application
how about a program to spoof or make the phone send fake:
GPS location,
IMEI,
phone number,
simcard id,
etc... information to applications that ask without permission.
this way you can feed these application with information they want but without breaking your privacy. (both end sides are more than happy)
-----
nice option to have:
1) enable/disable auto generate different id every time.
2) allow list / ban list of application to have real or fake id.
3) enable/disable notify for application request.
-----
there are already applications that fake your simcard PLMN mobile network codes without the need of kernel rights, but you need to enable/disable the flight mode to restore the default code.
===========
good luck to spoofidroid or similar applications.
Jumba said:
> My concern is how much another real time service will affect battery life. For people trying to make the leanest, fastest kernel I'm not sure it's viable.
I hope there will be developers out there who prioritize privacy/security over speed/battery and storage usage.
I'm the project lead of the TaintDroid system. We are currently working on a few extensions of TaintDroid but unfortunately are short on engineering resources to port TaintDroid onto other systems than Nexus One that we originally developed. We'd greatly appreciate it if XDA developers would take on this effort! Many ongoing projects would hugely benefit from having easy-to-run TaintDroid ROM available for many different devices and upcoming Android systems, let alone user benefit.
Thanks,
Jaeyeon
Research Scientist @ Intel Labs Seattle
Ettepetje said:
> I also learned that several of my bought applications are constantly forcing me to enable synchronisation and/or 3G internet. They either randomly uninstall (Asphalt 5), their icons disappear (for example: Mini-squadron) or won't start, with (Schredder Chess) or without a message. Angry Birds Beta2 lite (free game) and Hungry Shark are 2 more examples. So much for an incentive to buy games...
Beta2 lite? I think that was malware, make sure it came from Rovio, otherwise it's fake and you should delete it.
It's really scary to see with the lookout app how many apps can access to your imei, telephone number "Read Identity Info", can access your contacts, track your position, and can send out all this data.
Here a HTC Desire user, asking for some privacy.
Best regards!

[FAQ]FingerPrint Scanner SDK for Apps

The Fingerprint Scanner SDK (originally posted at http://forum.xda-developers.com/showthread.php?t=1202577) for Android has been released by Authentec. Currently there is only one device (Motorola Atrix) with a fingerprint scanner, but if you release your application with support for the fingerprint scanner (once you get the hang of it, it is really not hard to use at all) then users of phones with fingerprint scanners will most likely be happier with your application.
Google has stated that Google Wallet will use fingerprints to unlock the payment system, so clearly more capable devices are on the way (source: http://www.qrcodepress.com/google-unveils-safety-measure-for-their-upcoming-mobile-wallet/853399/). Including fingerprint scanner capability in your application will also future-proof it as AuthenTec will have the same framework in place in other phones that will use their fingerprint scanner (Authentec is a leader in biometric security systems for lots of devices).
MotoDEV Article Guide:
http://developer.motorola.com/docstools/library/writing-fingerprint-enabled-apps
Read and Download the (simple) SDK at their site:
http://developers.authentec.com/
Example of SDK Usage (pulled from the SDK)
At the time of this writing, it is my understanding that before you release the application you need to have them review it to meet their security specifications... They don't want you using this fingerprint scanner library and making their work look bad. It's a fair deal to me. I'm not sure if this is how they want it though - maybe that is just for Advanced SDK or maybe I'm just wrong (taken from their site). It appears right now that there is a mismatch between the developers and the makers of the Authentec site... apparently there is no requirement for using the fingerprint scanner, so develop away!
I have an Atrix and the fingerprint scanner is amazing, once you use it you will never go back to patterns or pins. As such this guide was written by a user of the Atrix - future devices might not use the exact methodology but it should be nearly identical.
I have the Advanced SDK but I have not used any of the advanced functions yet. After using the code (And getting it to finally work) I have found some things that are not documented or are documented incorrectly in the SDK docs and I have come here to post items that will save you great time. If you find others I hope to hear about them so I can add it to the list - I'll even credit you (maybe with a post number so you can score some thanks points!)
The swipe fingerprint screen won't show up - but I'm getting a result (mine was always 14)
AM2 (Authentec fingerprint framework - there are a lot of unsubscribed terms in the documentation so just go with me here) requires Internet Permission (perhaps to verify the key for the advanced SDK, it might not be done locally - without a key advanced SDK functions will not load). If you don't, all uses of the tsm.jar will not work. Not listed at all in documentation
AM2ClientLibraryLoaded() doesn't work with the code they provide!?
You must Instantiate Authentec.AM2ClientLibraryLoaded() - SDK Docs shows as static but it is not used in the example program they give.
It goes into verification but does not show anything and locks up the fingerprint sensor.
Do not change the 'screen' in the examples of sScreen... I thought that was the title of the window that would appear, but apparently those strings are built into it... it would work better as static fields passed as integers. For values look at the next answer.
What can I use for sScreen (viaGfxScreen(string))?
The documentation says nothing of this but these are different types of verification screens. There is fingerprint scanning only and then there is the unlock style one where you also get the PIN. I'm guessing a modified version of this is how the lock screen works.
"lap-verify" is fingerprint and PIN
"get-app-secret" is fingerprint only - hit and miss right now... will update when I get it perfected
Why does it lock up?
Only 1 app at a time can access the fingerprint scanner. Motoblur seems to access it occasionally and I think that's why it died on the Atrix's Froyo 1.8.3. It seems mostly fixed but as you develop you will most likely lock it up as you debug. Having a wrong sScreen variable will kill your FP scanner. If it locks in your app you will lose the ability to unlock the device with the FP scanner.
Use DDMS to kill com.authentec.TrueSuiteMobile and the lock will work again. This might work on 1.8.3 but I'm not sure it works that way. If the application exits with the home button, it seems to also lock it up. I'm looking into a way to avoid this..
I can't register my application, it's failing with code 6 - (System Error)
I encountered this one myself when using my Api key for com.mgamerzproductions.gibbertalk - I changed it to com.mgamerzproductions.gibbertalk.testing and it no longer worked. They did tell me this in the email that it is only for one package - so make sure you choose wisely, or bribe the people giving out the API keys to give you another one. I wish it was more specific (API_KEY_NOT_AUTHENTIC or something)
I'm still having problems. What can I do?
You can use these tags for debugging in logcat:
AMJNI (AuthenTec Mobile - permissions - server)
TrueMobileSuite (some gfx log info - swipe fingerprint screen)
AndroidRuntime (will tell you crash related things, as debugging for errors will produce too much to read at once)
Any other things would be greatly appreciated for all of us developers, so speak up if you have something I don't have listed and I'll add it.
If you want to use the encrypted storage provided by the framework you'll need to apply for the Advanced SDK. You have to give them a description of your app, and it has to be security related (obviously that's the whole point of the fingerprint scanner and they don't want you to abuse it).
If you like the guide, and you are on MotoDev, I wouldn't mind a kudos in the contest http://community.developer.motorola...print-Enabled-Apps-quot-article-in/td-p/17206
RESERVED
Reserved for OP at a later date
Pictures of my use right now (more later)
Spoke to OP, moved to main Android development, as this would be of more interest to the development community in general, as I'm sure other phones will be using fingerprint scanning (and this sdk) in the near future.
Originally posted in the source thread:
heilpern said:
> I tried to post in the linked thread, but as I'm a new XDA poster the system wouldn't allow me to.
> The INTERNET permission is required, however there aren't any connections made off of the device. The system uses sockets internally and INET sockets are used rather than UNIX sockets.
> > Why does it lock up?
> > Only 1 app at a time can access the fingerprint scanner.
> This should not cause the system to lock up; it should cause your app to delay briefly and either continue with your request or return to you with an error. If you can duplicate some other result reliably, please share details.
> > If someone also can upload and create an eclipse project it would be much easier to import and view their source code they post. I tried but eventually gave up cause of so many problems.
> The eclipse projects for these examples are very simple -- with the exception of the .project you have everything you need in the example directories. Worst case is you can create a new Android project and replace its manifest, sources and resources with those provided by the examples. Then point the build path at your tsm.jar and you'll be ready to go.
What I meant was that if an app is asking for the fingerprint reader (not the app entirely, but actively asking for the FP reader scan), and motorola does something in the background with the FP scanner (on atrix), it can lock it up. This was heavily apparent on Atrix 1.8.3 but in the new update it seems to have been mostly fixed.
Errors: If you bring up the window with anything but lap-verify or get-app-secret, the window will lock up (and I think the fingerprint reader will lock up as well - if you return to the lockscreen you'll see it never finishes initializing it). I can attempt to reproduce this error but I want to finish some development I am doing now.
heilpern said:
> com.authentec.TrueSuiteMobile drives the UI, directly or indirectly depending on exactly what's going on (indirectly in the case of the lock screen, for example). If this package is killed it will restart with the next fingerprint operation however it will disrupt any currently active verification attempt (causing the requesting app to receive an error -- probably the USER_CANCELED error).
I never really kill it except if it locks up. Haven't tested what it returns (perhaps null)
heilpern said:
> Here's something you can do to experiment if you're using StoreCredential -- swipe one of your existing fingers (the index fingers) and you'll store data to that particular finger. Swipe a different finger (multiple times as prompted) and eventually (after three swipes if all goes well) you'll be asked which finger you just enrolled (and your credential will be stored to that finger). This new finger can be used for subsequent Store Credential requests (without the automatic training session) and to release data stored with Get Secret... but only the index fingers can be used to unlock the Atrix.
Yeah, in the original thread I had that image posted... It's in the framework but it never was used... I'm not sure if it was there for this purpose or was just cancelled at the end because it was incredibly confusing... I don't get why you would need all those credentials. It's not like your phone will get passed around that much. You swipe new fingers just like you would if you were registering a finger, then you choose the finger... but the accuracy of the 'pick a finger' one is pretty bad.
Would love to see a test apk where we can try this out...
Nothing available right now?
My application works with the FP scanner... it's not done yet though.
These are the included APK's that are the code samples they use:
Download tsm-apk-pack.zip from Host-A
Will it support HTC Desire HD? It won't right?
The fingerprint scanner is a hardware device, just like a laptop fingerprint reader. It's not touchscreen, unfortunately.
Trolling from my ATRIX 4G on probably the crappiest main US carrier
Mgamerz said:
> I can't register my application, it's failing with code 6 - (System Error)
> I encountered this one myself when using my Api key for com.mgamerzproductions.gibbertalk - I changed it to com.mgamerzproductions.gibbertalk.testing and it no longer worked. They did tell me this in the email that it is only for one package - so make sure you choose wisely, or bribe the people giving out the API keys to give you another one. I wish it was more specific (API_KEY_NOT_AUTHENTIC or something)
I agree that a more telling error code would be a better option. Error 6 is eAM_STATUS_ACCESS_ERROR but that value can be returned for other problems as well.
Note that if a generic API key is needed, TSM-0E08085A-1210171A-001A7465-632E7473 can be used if you name your package com.authentec.tsmgetsecret. You cannot post that package to the Market however if you want a means of creating a test APK with a neutral package name that package/key combination will work.
Has AuthenTec claimed that package name on the market...?
they probably should or someone might take that package...
Mgamerz said:
> Has AuthenTec claimed that package name on the market...?
> they probably should or someone might take that package...
Yes, it's already claimed in an unpublished but uploaded entry.
Hi. Question: is it possible to use the fingerprint sensor as a wake up function? My button is very very hard to push, this function would be great....

How homebrew can be achieved in WP8

Windows Phone 8 technically only allows apps to be installed from the marketplace.
However, Microsoft pretty much has left us with an avenue that would allow us to easily create our own custom 3rd party marketplaces.
With Windows Phone 8, Microsoft has introduced the "company app store" concept. This is originally intended to allow companies to easily distribute LOB applications to its employees.
http://www.windowsphone.com/en-US/business/custom-hub?wa=wsignin1.0
Note how the whole system pretty much relies on a certificate. Anyone with the certificate can sideload applications signed with said certificate.
Now this gives me the idea, why can't the homebrew community purchase their own certificate, and use it to create a 3rd party homebrew marketplace?
the_tyrant said:
> Windows Phone 8 technically only allows apps to be installed from the marketplace.
> However, Microsoft pretty much has left us with an avenue that would allow us to easily create our own custom 3rd party marketplaces.
> With Windows Phone 8, Microsoft has introduced the "company app store" concept. This is originally intended to allow companies to easily distribute LOB applications to its employees.
> http://www.windowsphone.com/en-US/business/custom-hub?wa=wsignin1.0
> Note how the whole system pretty much relies on a certificate. Anyone with the certificate can sideload applications signed with said certificate.
> Now this gives me the idea, why can't the homebrew community purchase their own certificate, and use it to create a 3rd party homebrew marketplace?
Let's bump this up, shall we? (Since I'm not going to bother making my own thread, if nobody is going to reply to it)
Here's what I've learned through my evaluation of the company app system. The requirements are simple:
-Company Dev Center account
--Requires that you have a legally registered company (e.g. an LLC), which is verified by Symantec
--$99 plus whatever fees are associated with the LLC
-Symantec Signing certificate
--Requires the company dev center account
--$299
This is actually much less than I thought, as I was expecting this to be limited to the enterprise. Rather, anyone with chump change and some legal papers can get a certificate that allows anyone to sideload apps.
The legal papers is where it gets complicated, unfortunately. If it were just the money, I'd honestly consider a fundraiser to start a homebrew store. The certificate simply needs to be used to sign the enrollment tokens (which are just provxml documents with the cert in them), the enrollment token needs to be distributed to the masses, and then the cert is used to sign all the 'brew. It could be setup pretty easily with an online system for registering devs, uploading xaps, and having them signed, for example.
But the requirement that I have an actual company makes things really complicated; I'm not sure how much verification Symantec does, but I'm under the impression a security firm like expects legal registration, which is not something I personally have, nor something I particularly want (LLC taxes are pretty steep these days)
So, here's the question. Does anyone out there have a "company" dev center account, or has played with "company apps", and is willing to experiment to see if this system would be at all useful for homebrew?
Curious to see if there's any interest. In theory, a WP8 Cydia-like app could be developed very easily
this sounds very interesting, though I do not have a company...yet. Does it have to be an LLC? I am thinking of starting an IT/computer repair company here in my town as a side business, not 100% sure yet, but considering it.
Jaxbot, you sly fox.
That's a great idea.
A couple issues to consider...
Might want to read through the WP Store T&C carefully. While those may very well be the only requirements to get a company account, I wouldn't be surprised if there are much more in the terms to keep one. In other words, distributing your app to non-employees could get your company account banned/disabled/revoked. I haven't done the leg work on this so not sure.
The VeriSign cert you get will likely have requirements to be maintained by a single person or group. Publishing the private key would almost certainly (and quickly) get this revoked. So you would either need someone to manually sign/publish all the apps or figure out an automated process. That should be possible but would likely take a good bit of work to get going.
My $.02.
Jaxbot, did you get a WP8 device and if so, what model did you get ? I know you were trying to get one.
What would be interesting is to see what type of apps you can deploy with this. Could something like this open a full unlock or Interop unlock because the corporate account could get those type of permissions to their devices ?
Is this tied to the Active Directory in any way, knowing Microsoft each user might need an account in the Active Directory to be able to use the "Company Dev center"? There could be a lot of limits depending how you can connect to the server that runs it.
Do they have a test version ? Maybe that can be used in this case, just to see if it works and could use a deeper investment to get this working. If you could get me a full unlock from this, I surely would pay up a little for it.
DavidinCT said:
> What would be interesting is to see what type of apps you can deploy with this. Could something like this open a full unlock or Interop unlock because the corporate account could get those type of permissions to their devices ?
> Is this tied to the Active Directory in any way, knowing Microsoft each user might need an account in the Active Directory to be able to use the "Company Dev center"? There could be a lot of limits depending how you can connect to the server that runs it.
> Do they have a test version ? Maybe that can be used in this case, just to see if it works and could use a deeper investment to get this working. If you could get me a full unlock from this, I surely would pay up a little for it.
I believe there are a few things you can do with corp apps that can't be done with regular ones but there's not much. Definitely not full interop unlock (at least not directly).
No. It's not tied to AD at all.
I don't think there's a "test" version. The $400 it would cost is chump change for any legit company. Microsoft could waive the $99 fee for someone they're working with but you'll still need the $299 cert and Symantec/VeriSign isn't gonna give that to you for free.
I'm just an end-user, but YEAH! Dev-unlock: $99. Full unlock: priceless. Definitely would pay a bit.
piaqt said:
> I'm just an end-user, but YEAH! Dev-unlock: $99. Full unlock: priceless. Definitely would pay a bit.
This wouldn't be a full unlock. It would just allow devs to publish apps to an alternate marketplace and users that are not dev unlocked could easily download them.
RustyGrom said:
> A couple issues to consider...
> Might want to read through the WP Store T&C carefully. While those may very well be the only requirements to get a company account, I wouldn't be surprised if there are much more in the terms to keep one. In other words, distributing your app to non-employees could get your company account banned/disabled/revoked. I haven't done the leg work on this so not sure.
> The VeriSign cert you get will likely have requirements to be maintained by a single person or group. Publishing the private key would almost certainly (and quickly) get this revoked. So you would either need someone to manually sign/publish all the apps or figure out an automated process. That should be possible but would likely take a good bit of work to get going.
> My $.02.
Correct. The ToS needs to be really well understood. Some people seem to imply that users outside the company are okay to enroll, but I'm not sure. However, I'm not really sure if the enrollment even touches MSFT's servers at all, and if T&C violations would cause a problem. Something that needs to be looked into. If it's a definite breach of T&C, I say it's not worth it. My $0.02
DavidinCT said:
> Jaxbot, did you get a WP8 device and if so, what model did you get ? I know you were trying to get one.
Unfortunately no, all my research has been on the emulator. All my attempts to get my hands on a WP8 have proven fruitless so far.
> What would be interesting is to see what type of apps you can deploy with this. Could something like this open a full unlock or Interop unlock because the corporate account could get those type of permissions to their devices ?
No, definitely not full unlock. Interop, I'm not sure. The apps are signed and installed, so I have no idea if ID_CAPs are limited. An app like Folders could definitely be deployed, though, with the new WP8 apis.
> Is this tied to the Active Directory in any way, knowing Microsoft each user might need an account in the Active Directory to be able to use the "Company Dev center"? There could be a lot of limits depending how you can connect to the server that runs it.
No, you can enroll within active directory, it says that in the instructions.
> Do they have a test version ? Maybe that can be used in this case, just to see if it works and could use a deeper investment to get this working. If you could get me a full unlock from this, I surely would pay up a little for it.
RustyGrom said:
> This wouldn't be a full unlock. It would just allow devs to publish apps to an alternate marketplace and users that are not dev unlocked could easily download them.
What he said. Basically, it would give us homebrew apps that fit into the limitations of the SDK, but not necessarily the limitations of the certification requirements. Folders, Themes, etc. could likely be built. Apps such as CacheClearer and Tweaks, probably not, but again, I have no experimental research on this yet.
This presentation from BUILD (http://channel9.msdn.com/Events/Build/2012/2-014) should answer most of your questions. The phone does 'phone home' to Microsoft to check the publishers and apps installed. Also, capabilities are limited to "same as standard marketplace apps" however the 'company store' app can install apps and manage apps that have been published through it.
55 minutes, exciting. Thanks for that, though, clarifies a lot. In that case, then, it sounds like the company store app won't really have much useful information for us, as it sounds almost more restricted than I had originally hoped. In that case, then, "company apps" is probably not a worthwhile route to pursue. My 2 cents.
Terms and conditions for a company account
a. Internal Distribution. Subject to the terms of this Addendum and the Application Provider Agreement,
you may make Enterprise Applications internally available to your Employees. Enterprise Applications
may not be made available to consumers, other companies or the general public, except for vendors or
companies that are under contract with you to develop or test any Enterprise Applications. You are
responsible for any unauthorized distribution of the Certificate Software and Enterprise Applications
outside of the terms and conditions of this Addendum.
b. No Alternative Marketplace. You will not use the Certificate Software to: (i) make paid Applications that
are offered in the general Windows Phone Store available to your Employees; and (ii) make available
Enterprise Applications in a manner that harms the Windows Phone Store as determined by Microsoft
Yeah, MSFT thought about that idea WAY ahead already.
Termination. If you breach the terms of this Addendum and/or the Application Provider Agreement, Microsoft
may (a) revoke the certificates provided by Certificate Software; and/or (b) terminate your Enterprise Account immediately.
If that happens, every app installed will fail to work a day later.
Well it was a good thought guys. A damn good thought..
Since WP8 supports MMC, can we side load any temporary OS to read or execute from anything from it!?
MMC? And seriously, go start another thread! Do NOT thread hijack! I can't stand it, seriously
MMC - Multimedia Card.
I am an MCSE, I wonder if there is a version to learn how to use it. Maybe they have a training version so I could learn how to get it working on domain. This would be nice if I can try this and get an interop unlock by setting it up on my own domain.
Not possible. The apps you deploy will not get interop privileges.

Android Security Concerns

I'm hoping someone can point me in the right direction after spending a day reading about mobile phone security. I'm still confused as to what an app can do and how I can limit access. Some answers or a point in the right direction for more information would be helpful.
Apps that are granted permission "Modify/Delete SD Card" can pretty much read/write anything on my device? Could an app go through my sd card and see files, for example, music, movies, other data from different apps; file names/content? I have about 35 apps running on my phone with this access. I'd rather not leave it to "how much I trust the developer" and have some means to limit access to data.
I don't keep national security secrets on my nexus but there is work and personal information that is sensitive and I wouldn't want shared. It looks like if I use android to encrypt my data it only encrypts the /data folder and there doesn't seem to be much in there.
What about securing contact and calendar data? Is this possible? Not as critical as guarding my file data, but still important to me. Thanks.
Yes, files on the external sdcard are not protected, i.e. all apps which have the right to read/write sdcard can read/write everything there. One reason is just the filesystem type: on FAT you don't have access rights. On internal /sdcard it's a bit different, because it's using ext4 as a filesystem, so principally not all apps can read everything, but also here you have the problem that for example the camera, the gallery app, ... need access to the same files and directories. So at the moment you need to trust the apps in a certain way or not install them at all.
While it is difficult for someone with limited tech experience, it is plausible to protect your data with measures like XPrivacy or PDroid.
However, if you're looking for an answer without jumping through a few technical hoops, there aren't many good ones unfortunately. The best bet is as you already suggested, that is to be smart about where you browse the net, and only install trusted apps. Always think twice and review permissions carefully for any app even if it's from the Play Store.
And don't forget encryption only works similar to a house door. It's only good if you keep it locked. But if you let the bad guys into your house (i.e., installing a naughty app), it doesn't protect you much. It only keeps them out so long as you don't let them in (physical access). P.S. I'm assuming you're talking about the stock Android encryption, not actually having individual encrypted files on your device; if not, then ignore this paragraph (although I'm sure some will disagree that even having SHA-512 AES encrypted files with an extremely complex and long password is still not enough to protect data once a malicious user gets their hands on that file).
Even on the internal SD card, it looks like once I give an app access to "modify/delete" the entire sd card is exposed; did I understand that correctly? It looks like grant access to everything or nothing.
After reading this:
http://appanalysis.org/
It seems that even trusted developers can't be trusted. I don't consider myself a novice user but I'm really surprised at how exposed the data is on phones and tablets. It's like leaving money on your front porch and hoping it isn't too tempting for someone to walk through a broken gate and grab.
Any idea what WP, iOS or BB10 offer in the way of data protection?
TheAltruistic said:
While it is difficult for someone with limited tech experience, it is plausible to protect your data with measures like XPrivacy or PDroid.
However, if you're looking for an answer without jumping through a few technical hoops, there aren't many good ones unfortunately.
XPrivacy looks good, might be worth rooting for that app.
I'm not as concerned with an app downloading files and using a high level attack on my data. I am concerned about an app where the developer decides to go through my contacts, photos, and files which are unlocked and easily viewed. Then sell the data to whomever that can do whatever. No effort required, no ability to know the data was even accessed and no ability to lock the data. I think like most things, if there is more than a slight effort needed to access the data, they'll move on to something else.
I see Google offers encryption but I can't find information on exactly what is encrypted and if I install an app with say permission to contacts does that give them encrypted access to all contacts? For example, a program that can add a contact via sms I don't want to allow it to read all my contacts, just add a new one.
Maybe Android isn't the right platform for me.
Heh don't give up. To be honest at least android tells you when it grants a program certain permissions unlike some other OSes where you're in the dark in terms of security.
As far as I know, and I'm assuming we're talking about the same thing, the type of encryption Android offers only prevents people from gaining unauthorized access to your data if your device is mounted or accessed when your lock screen is up. (I'm sure someone will correct me if I'm wrong--please do). But if your device is not password protected (e.g., you set lock password to lock every hour and they get it when it's unlocked) then your data can potentially be compromised.
This encryption does not, however, protect your data as you're browsing the internet, or running apps like facebook.
If you're looking for something to protect your data from say Facebook finding your GPS location without your permission, or accessing your contacts and doing God knows what with it, then XPrivacy and PDroid (links above) are your answer, and I'd say that's awesome.
I may not play around with an iPhone / iOS enough, but I'm confident enough to say that they don't offer the same privacy protection even from Cydia that you can get from communities like here on XDA. Perhaps for iOS users, ignorance is bliss?
Thanks again. I appreciate the comments.
All I'm really looking to do is prevent an app downloading all my contacts, photos, movies, files, etc. I have some work data on my tablet that isn't confidential but it is what I would call sensitive. Actually, I rarely use external memory, mostly just use the internal sd card.
It seems all the "good apps" grab more permissions than they need or, the permission they do need to operate gives them way more access than I'd like. I'm not so concerned that I'd start using Tor or duckduckgo, but just trusting a developer with an open door to data is more than I can leave to chance.
From what I've been reading the sandboxing in iOS and WP provide good security and in BB you can remove permissions from apps; BB10 is still the most secure if you can believe the internet articles. I'd like to see Google make it more clear as to what encryption actually allows and prevents.
There seem to be apps that button up a lot of holes, like photos, but there still are gaping holes.
Hi guys,
Any progress? I use PDroid on my smartphone and find it unnerving to see how much and how often data is accessed not only by third party apps but by Google itself. With PDroid you can restrict permissions without bricking the app because it can provide fake data rather than none. I have to say that I am not entirely happy with it though. I hope that Firefox OS will have success in stopping the appification of our devices. Data wise, it is much safer to use web-based services than app-based services.
I think Google's Android is so successful with developers (also) because they can gather so much data. Our smartphones are unfortunately "data gold mines" for the ICT industry.
If you have any progress in improving privacy, safety and security of the Nexus 7 then I'd be happy to read about it.

[Guide] A little guide to security & privacy on Android - Update 01.08.15

A little intro:
I spent a lot of time with malware on Windows and which apps/settings can actually protect you. By working with malware you also get a lot of background info on how people / companies / governments can steal your privacy from you and how to protect yourself against it. When I decided to care about all that, I noticed that a lot of "security forum experts for PCs" have no clue about Android and its risks, although probably the same if not more data is stored on our phones than on our PCs. So I decided to do some background research, worked with Android malware and played around with the different ways and options that can protect your security & privacy.
When I am looking for a security setup then I want one that is reliable & easy-to-work-with but also lightweight on the system. I don't want my security setup to cripple down my system.
I have done similar guides for Windows and as I haven't seen anything likewise for Android I thought I would give it a go.
What can you do to protect your security & privacy:
Security - Firewall: To block incoming / outgoing traffic per app or per IP/DNS/Port. Can drain the battery and be a pain to configure on Android.
Security - Antivirus: To scan files after they have been downloaded or to scan files after they have been installed. Due to the way Android is coded it is not possible to scan in real-time (while downloading, while installing), which means you can't detect malware based on its behavior. AVs on Android can only detect malware by its signature, which is easy to bypass. However, it is still better than nothing, and a one-time scan of downloaded files or an on-demand scan while your phone is charging won't hurt your battery or slow down the device. A lot of AV products come with multiple features built in. Some of them are often useless (e.g. maybe anti-theft), others are worth using (e.g. security audits for non-fixed exploit vulnerabilities or bad system settings, e.g. USB-Debugging enabled).
Security - SuperSU: To actively manage which apps will get "unlimited" root access.
Security - Password manager: Use a password manager for all your passwords. Built-in password managers (e.g. browser, FTP, mail, etc.) aren't really a safe solution (even with the so-called "master password"). Apps like KeePass offer a lot more than just having all your passwords stored safely. It lets me open apps + automatic login with just 2 clicks (e.g. FTP, SSH, Mail, Browser, ...). It lets me create unique passwords so that I won't be using the same password on all websites. And there is still a lot more.
Security & Privacy - DNS: Change the DNS server you use to something like NortonDNS, which will protect you from malware/phishing sites as well as semi-bypass the tracking of browsing behavior by your phone/internet provider. The DNS provider/resolver that you use (usually your phone/internet provider) will transform the domain you want to access into the IP address of the desired server (the one which hosts the website you want to visit). This means that whatever domain you are going to browse will be transmitted to your DNS provider... so choose one carefully! Also, the better the connection to your DNS provider is (and the better the provider's connection to the world wide web is), the faster your domain requests will be processed.
Security & Privacy - VPN: An easy way for attackers in your network (especially open & free WiFis) to steal data from you is a MITM (Man In The Middle) attack. They can modify SSL certificates, which means even using HTTPS might not always be safe, or simply read your network activity (such as logins, which includes accounts + passwords). By using a VPN all the traffic that leaves your device will be encrypted and routed directly to a safe receiver, which means no one can interrupt your traffic and sniff (read) it.
Security & Privacy - SSH-Tunnel: Using an SSH-Tunnel has pretty much the same effect as using a VPN, but the difference is you have to configure each app that you want to use the SSH-Tunnel. I prefer this method on Windows as I can encrypt only the traffic of my browser/mail/communicator while playing games or other apps will use the non-encrypted (and often faster) internet connection. Sadly there is no app on Android that in my opinion works flawlessly as an SSH-Tunnel client.
Security & Privacy - Adblockers: We all know adblockers. They block ads and trackers to protect your privacy and some of them (e.g. mdl-malwaredomainlist) also protect you from malware & phishing websites.
Privacy - App Ops: App Ops or similar apps let you block permissions per app, which means whatever app is installed / running can be forced to not use specific permissions. E.g. you can block Facebook from using your GPS and tracking your location.
Privacy - Android 5.x disable allowed certificates: Every website and every (good) app will have a certificate that Android and also AVs check online to see if the website/app is trustworthy. Out-of-the-box Android allows many questionable certificates from governments and companies that might sell their certificates to websites/apps that are not so trustworthy. Since Android 5.x you can remove/add certificates to disallow governments or companies that sell their certificates to questionable websites/apps.
Privacy - Encrypt your phone: By encrypting your phone you ensure that no one who finds your phone will be easily able to read anything saved on your phone. Not even by entering the recovery mode. It may slow down the performance a bit and increase battery drain slightly, but for me (Nexus 6) I had no troubles so far.
You can make that list longer by using only secure apps for communication (e.g. encrypted chats with Telegram or using Firefox and add-ons such as HTTPS-Everywhere) but I think that is more advanced and takes away the freedom and choice of readers/users. So I will stop here as I think I have covered the basics and most important things.
Which setup should you choose?
Well, first of all I recommend using only apps/services of companies that you can trust. E.g. companies that have existed for a long time but haven't done any questionable actions in the past. I have been a long-time user of Comodo, but looking at what Comodo has allowed itself in the past made me choose something different. On Android a good example is sms/call blockers. There are many options to choose from; for example, one is produced by a company named "NQ Security". Now do your Google work and you will find some details that either make you think of this company as trustworthy or not. Or maybe there are other companies with the same product which you would rather trust?
One thing to notice is that in the end your setup should cover most if not all aspects that I have mentioned above. Now you can either choose to use many different products (e.g. if they are free) or use one paid solution that covers everything at once. In any case, don't forget about stuff that might get installed but be useless to you. E.g. at some point I found my setup to have 3 different call blockers and 4 different sms blockers installed.
I have made a list of a few picks that I would recommend:
Must-Have
SuperSU / Rooted device: 99% of all apps & configurations listed here will need your device to be rooted. Also SuperSU gives you a good overview about which apps have root access and is a good tool to configure those apps.
Override DNS: It automatically changes the used DNS server for 2G/3G/4G/WIFI to whatever you want (e.g. NortonDNS, which has malware & phishing protection but also is one of the fastest DNS providers available worldwide). Currently it is the only app that works with Android 5.x.
AdAway: Lets you block ads, tracking, malware and phishing sites. I recommend the standard sources + www.malwaredomainlist.com/hostslist/hosts.txt
App Ops: App Ops lets you block permissions per app, which means whatever app is installed / running can be forced to not use specific permissions. E.g. you can block Facebook from using your GPS and tracking your location.
KeePass2Android online/offline: KeePass2Android comes as two different apps that you can choose from in the Google Play Store. One supports online syncing via various services so that you can sync your password database on all your devices (Android, Windows, OSX, Linux, iOS, ...). The other option is called "KeePass2Android offline", which completely removes all features that would require an internet connection. The app doesn't even have permissions for internet connections! If you don't know KeePass, it is one of the oldest password managers around. It is open source, has a lot of plugins and the lightweight but feature-rich app supports nearly every device & operating system. On Android you can even log into websites from the browser via KeePass2Android by clicking -> Share -> KeePass2Android -> Log into your database -> it will automatically get the right login data for the website you are currently browsing and paste it into the login fields. My personal setup: KeePass2Android offline with another syncing/backup app that will sync my passwords via my own server. On my laptop I use KeePass with a plugin which replaces my browser's built-in password manager with KeePass.
GSP - Good Security Practice (Recommendations)
Disable untrusted certificates (Android 5.x) (Mozilla Firefox list of allowed certificates): Use a source you trust and check what certificates they usually allow in their software (e.g. Mozilla Firefox). Then check that with what is enabled in your Android's security settings and disable whatever Android has enabled but e.g. Mozilla Firefox doesn't.
A very recommended app is "Trust Manager" by Bluebox. It lists all certificates on the phone and sorts them by categories, which makes it easy to disable all untrusted certificates within two clicks.
Encrypt your phone: Enable encryption of your Android device.
Antivirus: You can check AV-Test.org for monthly security reviews on mobile security products and choose from there. But I recommend either "Bitdefender Free" for a simple file-scanner of downloaded files and installed apps as well as on-demand scanner, or "ESET Free/Premium", which includes file-scanner, security audit, sms & call blocker as well as phishing protection and even anti-theft if needed. Both companies are in my opinion very trustworthy and provided good results over the past months/years (not only on the mobile market but also the PC market). Avast is a free option with lots of features from another trustworthy company, but I found it to be heavier on my system than Bitdefender or ESET.
VPN if you use public WIFI: I also recommend the use of a VPN from a trustworthy VPN provider. They don't cost too much and improve your security & privacy on public wifi a lot. Avast offers a great VPN service. Actually their app makes their services superior to me compared to other VPN providers and apps. You might want to try the Avast VPN 14-day trial.
Firefox (HTTPS-Everywhere + Adblock Edge) > Chrome: Firefox seems to be the winner in terms of privacy and security. But on my system Chrome is a lot faster than Firefox.
TextSecure > Telegram > WhatsApp > Facebook: Telegram was my favorite choice until @muppetmania and @bmstrong informed me about flaws and trust issues with Telegram. Instead it is highly recommended to use TextSecure. It is available on iOS and Android. Feature-wise it might not be as good as Telegram (e.g. missing desktop client for Windows/OSX/Linux) but I believe that this is a fair trade for privacy.
The bottom line
I tried to give a little overview of what kind of protection is available and what it does. I also added my choice of tools which will provide you with protection. It is up to you to decide whether it is useful in your case (based on your phone behavior) and if you are willing to pay money for it or rather use free services. I will gladly help you with any questions or configuration/setup related things. Please let me know if you have any suggestions or corrections so that I can improve this thread!
Useful resources / links
http://droid-break.info/
https://prism-break.org/en/categories/android/
https://guardianproject.info/apps/
https://people.torproject.org/~ioerror/skunkworks/moto_e/
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
https://medium.com/backchannel/why-i-m-saying-goodbye-to-apple-google-and-microsoft-78af12071bd
http://crashoverridenetwork.tumblr.com/post/109948061867/account-security-101-passwords-multifactor
http://dimitritholen.nl/how-to-reclaim-your-privacy-on-the-internet/
http://www.alternet.org/print/news-...ng-encryption-isnt-enough-protect-our-privacy
https://youtu.be/seNHe5oMquw
https://pack.resetthenet.org/
https://jrruethe.github.io/blog/2015/03/29/protect-yourself-online/
http://www.privacytools.io/
https://tacticaltech.org/projects/security-box
https://bluebox.com/technical/quest...into-the-root-certificates-on-mobile-devices/
https://securityinabox.org/en
http://www.infoworld.com/article/29...managers-for-pcs-macs-and-mobile-devices.html
https://www.reddit.com/r/trackers/comments/30xtk9/trackers_security_and_you/
AV tests & comparisons:
http://www.av-test.org/en/antivirus/mobile-devices/
http://www.av-comparatives.org/mobile-security/
Thanks to:
Yuki2718 @wilderssecurity.com for teaching me a few things
@bmstrong for useful links and suggestions
@muppetmania for pointing out flaws and trust issues with Telegram !
Changelog:
01.08.2015 - Removed Telegram and replaced it with TextSecure
28.06.2015 - Updated useful resources & links
08.06.2015 - Updated useful resources & links
06.06.15 - Added "Trust Manager" by Bluebox to quickly and easily disable a bunch of root certificates. Also added Avast VPN app
22.05.15 - Added a good link/explanation on non-trustworthy certificates that are installed on mobile devices out of the box ( https://bluebox.com/technical/quest...into-the-root-certificates-on-mobile-devices/ )
18.04.15 - Added resources for AV tests and comparisons
07.04.15 - Added more useful resources & links
21.03.15 - Added more useful resources & links; fixed a typo in the changelog
14.03.15 - Added more useful resources & links; also changed the thread title to give an easier view for new updates
10.03.15 - Added useful resources & links
06.03.15 - Added "password managers" and "KeePass2Android online/offline" as recommended password manager
01.03.15 - Added a more detailed description of DNS and why you should care about it
28.01.15 - Fixed typos and grammar
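The guide above recommends adding a third-party hosts list to AdAway as a source. A hosts entry maps a name to an address, so a source can redirect a name as well as block it. The following Python script is an added example, not part of the original post and not AdAway's own code: it audits one hosts-format source before merging, keeping only entries that sink a name and rejecting redirects and malformed lines. The sample data, function names and reason labels are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of one hosts-format source (illustrative, not real data).
SAMPLE_SOURCE = """\
# constructed sample source
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net
127.0.0.1  tracker.example.org  # inline comment
0.0.0.0 ADS.example.net
203.0.113.7 login.bank.example
0.0.0.0 bad_host!.example
not-an-ip something.example
"""

# Addresses that only sink a lookup; any other address redirects the name.
SINK_ADDRESSES = {ipaddress.ip_address(a)
                  for a in ("0.0.0.0", "127.0.0.1", "::", "::1")}
# Loopback names that sources commonly carry; they are dropped, never merged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}
# One DNS label: 1-63 chars of a-z, 0-9, hyphen; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """True if name is a syntactically plausible lowercase DNS hostname."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def audit_hosts_source(text):
    """Return (blocked_names, rejected) for one hosts-format source.

    rejected is a list of (line_number, reason, original_line) tuples.
    """
    blocked, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            rejected.append((lineno, "bad address", raw.strip()))
            continue
        if len(fields) < 2:
            rejected.append((lineno, "no hostname", raw.strip()))
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue
            if addr not in SINK_ADDRESSES:
                # The source would point this name at a routable address.
                rejected.append((lineno, "redirect", raw.strip()))
            elif not is_valid_hostname(name):
                rejected.append((lineno, "bad hostname", raw.strip()))
            else:
                blocked.add(name)
    return blocked, rejected


def render_hosts(blocked):
    """Emit the merged blocklist with a single, fixed sink address."""
    return "".join(f"0.0.0.0 {name}\n" for name in sorted(blocked))


def is_blocked(domain, blocked):
    """hosts files match exact names only: no wildcards, no subdomains."""
    return domain.lower().rstrip(".") in blocked


if __name__ == "__main__":
    names, problems = audit_hosts_source(SAMPLE_SOURCE)
    print(render_hosts(names), end="")
    for lineno, reason, original in problems:
        print(f"rejected line {lineno} ({reason}): {original}")
```

Because hosts matching is exact, a blocked name does not cover its subdomains; each one needs its own entry in the source.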
Interesting. Would like to see sections on GPG, U2F, 2FA applications, Android with Yubikey, etc.
Thanks, I might add those later but I wanted to keep this guide as "easy" as possible so that every "normal" android user could increase his security and privacy with simple tools in a short time. E.g. yubikey is awesome and a very interesting topic but not very handy for the average guy?
01.03.15 - Added a more detailed description of DNS and why you should care about it.
http://crashoverridenetwork.tumblr.com/post/109948061867/account-security-101-passwords-multifactor
Really decent overview of general security.
Good suggestion, I have a few more and will add both (your link) and my stuff to the thread
KeePass2Android offline + KeePass on desktop + syncing via own server = win !
Aaaaand it's done ! Added password managers to the OP.
Cool. You might want to touch on the open source vs. proprietary philosophy. Just being open source isn't necessarily better but I feel transparency is important part of security.
http://droid-break.info/
https://prism-break.org/en/categories/android/
https://guardianproject.info/apps/
https://people.torproject.org/~ioerror/skunkworks/moto_e/
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
https://medium.com/backchannel/why-i-m-saying-goodbye-to-apple-google-and-microsoft-78af12071bd
http://dimitritholen.nl/how-to-reclaim-your-privacy-on-the-internet/
Another very good privacy and security article.
Thanks ! I added all the links to the OP and mentioned you for giving such great feedback and suggestions
http://www.alternet.org/print/news-...ng-encryption-isnt-enough-protect-our-privacy
Interesting take on security in general.
14.03.15 - Added more useful resources & links; also changed the thread title to give an easier view for new updates
Added your link... I will soon add a few of my links that I saved in my bookmarks. I will then split the "link category" in something like "good to know and what to do" and "privacy theory articles"... if you know what I mean
zakazak said:
10.03.15 - Added more useful resources & links; also changed the thread title to give an easier view for new updates
Added your link... I will soon add a few of my links that I saved in my bookmarks. I will then split the "link category" in something like "good to know and what to do" and "privacy theory articles"... if you know what I mean
Cool. Schneier has another book out now. Data and Goliath. This talk is worth the listen.
https://youtu.be/seNHe5oMquw
bmstrong said:
Cool. Schneier has another book out now. Data and Goliath. This talk is worth the listen.
https://youtu.be/seNHe5oMquw
21.03.15 - Added more useful resources & links; fixed a typo in the changelog
Thanks, took me some time to add the link, at the moment I don't have much time to improve the guide.
Utini said:
21.03.15 - Added more useful resources & links; fixed a typo in the changelog
Thanks, took me some time to add the link, at the moment I don't have much time to improve the guide.
As I'm concerned about privacy and security, thanks for your thread, but you forgot XPrivacy, the best privacy manager I know. It's not completely ready for Lollipop but works perfectly on KitKat. It's not its fault, it's Xposed; it has a bug which I hope will be resolved soon.
Good luck! Regards.
Cyclu said:
As I'm concerned about privacy and security, thanks for your thread, but you forgot XPrivacy, the best privacy manager I know. It's not completely ready for Lollipop but works perfectly on KitKat. It's not its fault, it's Xposed; it has a bug which I hope will be resolved soon.
Good luck! Regards.
You are right, XPrivacy seems to be a really nice tool, but I haven't been able to try it myself (as it is not compatible with Android 5.x), which is the reason why I haven't added it to the list yet.
I might give it a try on my Nexus 4 with Android KitKat!
https://pack.resetthenet.org/
https://jrruethe.github.io/blog/2015/03/29/protect-yourself-online/
http://www.privacytools.io/
https://tacticaltech.org/projects/security-box
bmstrong said:
https://pack.resetthenet.org/
https://jrruethe.github.io/blog/2015/03/29/protect-yourself-online/
http://www.privacytools.io/
https://tacticaltech.org/projects/security-box
Once again, thanks for your input. I added them to the OP but I am still really busy with my job/real life. I hope I can improve the OP soon.
Question about choices
Utini said:
Security - Antivirus: To scan files after they have been downloaded or to scan files after they have been installed. Due to the way Android is coded, it is not possible to scan in real-time (while downloading, while installing), which means you can't detect malware based on its behavior. AVs on Android can only detect malware by its signature, which is easy to bypass. However, it is still better than nothing, and a one-time scan of downloaded files or an on-demand scan while your phone is charging won't hurt your battery or slow down the device. A lot of AV products come with multiple features built in. Some of them are often useless (e.g. maybe anti-theft), others are worth using (e.g. security audits for non-fixed exploit vulnerabilities or bad system settings, e.g. USB-Debugging enabled).
Antivirus: You can check AV-Test.org for monthly security reviews on mobile security products and choose from there. But I recommend either "Bitdefender Free" for a simple file-scanner of downloaded files and installed apps as well as on-demand scanner, or "ESET Free/Premium", which includes file-scanner, security audit, SMS & call blocker as well as phishing protection and even anti-theft if needed. Both companies are in my opinion very trustworthy and provided good results over the past months/years (not only on the mobile market but also the PC market). Avast is a free option with lots of features from another trustworthy company, but I found it to be heavier on my system than Bitdefender or ESET.
Hi, I've been juggling this question for a few days now and I'm hoping you will have an answer to assist me. First, I have read your post and this is absolutely what I have been looking for for the past few weeks. Thanks has been given and I hope you keep this up. Second, I read the wildersecurity link but still do not have an answer to this question.
Why choose ESET Premium over BitDefender? Can you tell me what one offers that the other doesn't? I've been leaning to BitDefender only because I have and use an Android Wear device. Again, thank you for any assistance or time.
