Rumors of 5.15 interesting read on Google VPN - Nexus 6 General

https://www.yahoo.com/tech/s/google-vpn-way-142330933.html

Interesting read for sure and am happy to be a Nexus 6 owner.

It is important to point out that anything like this will NOT actually protect your data from anybody at all.
I.e., you probably have some destination in mind for the data, BESIDES google itself, which means that it will leave from google back into the wild wild internet.
Communications between you and google are *already* encrypted.
The only thing I can actually see this being useful for, is bypassing carrier BLOCKING of certain ports or destination servers.
Also, the version number is extremely fishy.


Chrome2Phone -- Exploitable?

Had the thought that perhaps the new feature, to send your nexus a direct link from your computer, might be exploitable by some unfriendly people.
What do you all think the risks are, if any?
If it can tell your phone to open the browser and launch a website, what's to stop someone from telling your phone to buy ten thousand copies of Conan the Barbarian, or destroying itself and catching on fire. Kidding of course, but you get what I mean.
Very difficult. It'd be just as likely as someone stealing your Gmail account.
Mmm, ok. Thought I would ask
It has the potential, under the right circumstances, to be used for evil though! EVIL!
I'm not entirely sure, but from what I understand all intents go through google servers. I assume google is doing checks for malicious behaviour on their end.
Don't you have to register a phone to a gmail account and be logged into that account to send to the phone?
Haven't tried the app myself, but it wouldn't make sense any other way ;-)
You have to be logged in. And I think info is sent via google servers, so unless someone steals your google account, I think you should be safe
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
chromiumcloud said:
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
I believe that Google are running a closed beta at present too, so the only people that can write apps that use cloud messaging will have been vetted by Google.
All the components of the extension (chrome extension, android application and application server) are open source, what prevents anyone from developing another extension that uses google cloud service to communicate with android?
ludo218 said:
All the components of the extension (chrome extension, android application and application server) are open source, what prevents anyone from developing another extension that uses google cloud service to communicate with android?
All of the messages go through the Google servers
As I understand, the application engine part of the extension (which runs on google application engine) registers itself to "the cloud" using google api. Anyone should be able to use these APIs, no?
It most certainly could be exploited. I can think of a javascript exploit that would work right now.
However the consequences of an exploit are severely limited by the security model that Android uses. Something can not run in another security context unless you allow it to.
The day "Chrome2Phone" asks for root access is the day it should be removed from your phone. Until then the most it could do is tell an app to do something that you've already allowed that app to do (which could arguably be undesirable things).
The user needs to explicitly permit all security privileges in Android remember (read that app install page with security details!). If it can do something, you've permitted it to do so.
tanman1975 said:
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
That is true, but if I recall correctly, when you choose a phone number link from the browser, it will bring the number up in your dialer application, but you must initiate the call with the green call button, so there is a level of security there.
Actually this could be a pretty nifty security feature. If the phone gets stolen, how great would it be to be able to enable the gps, camera or mic? Given proper security protocols of course...
@tanman1975
Didn't think of that one. T'would be a very powerful tool against the robbers out there. Nice.

Google TOS & Data Privacy

I have a question about data privacy while using Android and/or any Google service or application. My concern was prompted after installing Google Sky last night and seeing their warning about data collection when starting up.
As a marketing professional, I don't particularly care that Google gathers anonymous data such as browsing history and so on to improve their products and services. They're a business providing employment to others, paying taxes, and contributing to our economy therefore they have both a right to, and deserve to, profit from that. But I do have a very large concern over my privacy where personalized information is concerned.
In particular, I'm talking about whether or not Google has access to my contact, calendar, email, or documents data either on the phone, or especially when synchronizing to their servers. My worry is that Google might be 'snooping' around to see my personal information.
Are my fears unfounded? Do any of you know how the OS and their services are working?
Google will gather all the data it can, including emails and contacts, from your phone, browser, chrome os or any other google product you use. Didn't you read the news? Google was even sniffing all traffic from open WI-FI networks.
We can hope that this data is gathered anonymously, but I don't think so. Good thing is that me and you are not interesting to google, so they will collect data, but only use it for targeting advertisement etc.
I guess this is a strong argument for staying with WM, WP7 or even iPhone. Privacy is one of our most valuable assets, and should be protected.
BillTheCat said:
I guess this is a strong argument for staying with WM, WP7 or even iPhone. Privacy is one of our most valuable assets, and should be protected.
No, WP7 would send all your data to Microsoft as it's all in a cloud. Dunno about iPhone, but probably same, Apple would get everything. And even if you won't be using a phone, government is still watching you.
So forget about it and use Android.
Hence why I'm not moving to Android yet. I still just want a solution to sync my tasks, calendars at a local level, aka Outlook. Lawl.
The best way for a company to check for trends and how their product is used isn't by creating polls or questionnaires of some sort. They almost all, whenever possible, use automatic and passive mechanisms. Yes, google does parse my whole mail. I remember having received an email from my collegue principal and on the ad side of Gmail reading an ad about "Tired of putting up with your boss". Facebook does the same thing, like many others. Thing is, would you rather have free stuff WITH custom tailored publicity or paying for something to be completely free? Google earns with publicity, and since you are in the marketing area you know better than I that trends are everything. They're just trying to make the best (for their own purposes) of us using their tech. Is it creepy? Yes it is... Will it get worse? You betcha... Just check Google's or Facebook's TOS. Google looks like an angel next to facebook's...

DROPBOX: Danger Box?

Dear fellow members,
Just to inform you about Dropbox privacy policy because I know that a lot of you rely on Dropbox (info received via Twitter today): Dropbox issue
Feel free to comment but most likely, to delete your Dropbox account if you feel like you've been fouled.
f.
Yes, I read about this and was rather angered by it..... But.... the service is so slick and useful, cancelling my usage would be like cutting off my nose to spite my face. I'll just continue to use it for non-sensitive data only.
The fact is, we need to be careful about the data we store in any cloud-based service - they all seem vulnerable. Even Android itself can't be trusted: http://www.bbc.co.uk/news/technology-13422308
Plus you did seriously think the files on servers were really inaccessible for anyone having complete access to databases and filesystem ? If that wouldn't be possible, then the system wouldn't be able to work at all.
I'm still unconvinced about Cloud Storage. Yes it can be convenient, but I'd rather have full control over my data and where it actually is.
I'll be saving my sensitive data on local off line storage i.e. external HDDs.
Yeah have never stored anything sensitive to Dropbox but the concept is nice and our data ain't that secure anyways nowadays
It has its ups and downs. But using dropbox to store your entire business on, don't know, maybe it's not smart. But it can be very useful if you have some files you share with people outside your company, which you don't want to grant access to your server.
I was never in the illusion dropbox couldn't be accessed by hacking or anything, but this easily by employees of dropbox itself :S.
In dropbox, I store things like lyrics for my band, guitar scores or similar. Things where I don't care who looks at them. Nothing else.
For me, every cloud storage is basically open as a postcard.
Just my 2 cents...
Is there any similar software as titanium media sync which can store my data (photos etc) on alternative services? E.g. other cloud services or own ftp?
I've been using SugarSync. Anyone have information on them and how they operate? Seems that cloud storage is a mixed bag at best. Users should always be cautious about what they put up there. However, if law enforcement has a valid warrant, I understand how a company would be required to comply.

[Q] Textsecure integration?

https://whispersystems.org/blog/cyanogen-integration/
The client logic is contained in a CyanogenMod system app called WhisperPush, which the system hands outgoing SMS messages to for optional delivery. The Cyanogen team runs their own TextSecure server for WhisperPush clients, which federates with the Open WhisperSystems TextSecure server, so that both clients can exchange messages with each-other seamlessly. All of the code involved throughout the entire stack is fully Open Source.
"All of the code involved throughout the entire stack is fully Open Source."
So any possibility of seeing this in omnirom?
SHAWDAH said:
https://whispersystems.org/blog/cyanogen-integration/
The client logic is contained in a CyanogenMod system app called WhisperPush, which the system hands outgoing SMS messages to for optional delivery. The Cyanogen team runs their own TextSecure server for WhisperPush clients, which federates with the Open WhisperSystems TextSecure server, so that both clients can exchange messages with each-other seamlessly. All of the code involved throughout the entire stack is fully Open Source.
"All of the code involved throughout the entire stack is fully Open Source."
So any possibility of seeing this in omnirom?
Hmm.
1) All of it would have to get reviewed for security. I know pulser has looked at some of CM's other solutions and found vulnerabilities.
2) Since it sounds like it needs some server infrastructure, it would take some time and planning before we could get it up and running.
TextSecure definitely looked interesting until seeing that it requires gapps.
wkwkwk said:
TextSecure definitely looked interesting until seeing that it requires gapps.
Yea it's stupid, he partially justifies it here https://github.com/WhisperSystems/TextSecure/issues/127
He also said this
"If you want alternatives to things like GCM, you have to either build them or help the people that are. I would love to use a different push service, but they don't exist.
Likewise, if we want an alternative to Play, we have to build it. What exists now (f-droid) has a centralized trust model, so we're building something else."
Entropy512 said:
2) Since it sounds like it needs some server infrastructure, it would take some time and planning before we could get it up and running.
For whatever it is worth, Moxie Marlinspike has said that Open WhisperSystems has a TextSecure server that they will let other ROMs use. Sadly I am unable to link, but /r/Android/comments/1shejv/as_of_today_cyanogenmod_is_integrating/cdxlnck should give you the info and context you're after. I hope that helps alleviate some concerns, or at least makes this somewhat more doable--I would love to see this adopted much more widely!
I just wish they could add return receipt functionality, and fall back to SMS if data delivery doesn't provide one in a reasonable time frame.
palpitations said:
For whatever it is worth, Moxie Marlinspike has said that Open WhisperSystems has a TextSecure server that they will let other ROMs use. Sadly I am unable to link, but /r/Android/comments/1shejv/as_of_today_cyanogenmod_is_integrating/cdxlnck should give you the info and context you're after. I hope that helps alleviate some concerns, or at least makes this somewhat more doable--I would love to see this adopted much more widely!
I just wish they could add return receipt functionality, and fall back to SMS if data delivery doesn't provide one in a reasonable time frame.
Ok, that's useful.
I'll let pulser do final judgement on this. He's our resident tinfoilhatter.
I got myself a tinfoil wide-brim to match my duster...
I'll have to get a 4.4 capable phone in the future so I can get OMni.
Entropy512 said:
Ok, that's useful.
I'll let pulser do final judgement on this. He's our resident tinfoilhatter.
Resident tinfoil hat responding to duty...
The issue I've seen with this system (and I must say, it is good that work is done on this, and I commend that it has been done) is the implementation.
Once again, a solution has been made, which is smart, has good features, but is crippled in the security area, due to making things "easy to use".
The specific issue is that, from what I can see, at least right now, there is no way to tell if a message is going to be sent encrypted or unencrypted. It's no good knowing AFTER the fact - you need to know before it is sent how it will be sent.
Additionally, if you are using encryption, from what I can see, the message is actually sent over the internet. This means there is a central repository of users stored on a server somewhere. That is centralisation, centralisation is bad... As I raised back at the time, there are side-information risks.
While the new implementation may well eliminate some of these, I am not convinced this system provides the level of anonymity that some may desire. My worry is that since the original idea was conceived, where a user's phone number being available to CM was not seen as a concern, that any solution has been architected without considering every aspect of security.
Securing correspondence via SMS would be very nice to have done properly. But this is simply a "hook", that takes what you *think* is an SMS, and sends it over the internet. There are plenty of people in the world (particularly developing nations), where they have poor, or limited, access to the internet. SMS can be a lifeline for them.
There are also many places (some incredibly large), which regularly and routinely block internet services they disagree with (not at all looking at China here...) - it is important that any system works worldwide, and is resistant to easy "blocking".
I would personally prefer to see the actual messages sent over SMS... That means if you have no internet connection, you can still send the SMS. And you can do so ENCRYPTED, rather than unencrypted.
At the end of the day though, until you can tell 100% whether something will be sent encrypted or unencrypted, you can't trust a system. The server operator may also gain useful metadata in this case (though not ideal, your carrier already gets metadata for SMS).
Tl;dr, it looks nice, but we need to look at everything here, and consider that not everyone has internet access all the time. After key-exchange is complete (I would like offline key exchange via NFC and QRcode (on the screen) as well, for in-person identity verification), we need to ensure that a user can securely communicate without internet connectivity.
Until then, this is just a smaller rival to iMessage. And hey, maybe that's a good thing... But for my money, it's not a secure SMS system...
Thoughts welcomed.
pulser_g2 said:
Resident tinfoil hat responding to duty...
The issue I've seen with this system (and I must say, it is good that work is done on this, and I commend that it has been done) is the implementation.
Great criticism Pulser but surely this system (even with its flaws) is better than traditional SMS, where everything you send and receive is logged by your carrier?
slashslashslash said:
Great criticism Pulser but surely this system (even with its flaws) is better than traditional SMS, where everything you send and receive is logged by your carrier?
The thing is, since everything is sent via the Internet, there are plenty of other existing ways to send encrypted messages over the Internet where *you can be sure the message is encrypted*.
Pulser touched on my initial concern (which I held off on voicing until he chipped in) - To determine whether to send a cleartext SMS or send the SMS via an Internet message, the app needs to know whether the recipient is "enabled" with this service. There are two ways to do this:
1) The sender explicitly configures the app to say that recipient Y is capable of receiving encrypted SMS
2) The app does some form of peer-to-peer negotiation
3) The app sends data associating your phone number with an account on another service to a centralized server. This appears to be what CM's solution is doing. Which is kind of silly - This is an app for extremely privacy-conscious people, that is enabling widespread data collection of mappings between a user's phone number and other accounts.
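The pre-send check that the two posts above ask for, as an added example that is not part of the thread and is not TextSecure or WhisperPush code: the transport is chosen from locally stored per-contact state (option 1 in the list above, so no directory lookup), it is known before the user sends, and it is re-checked at send time so a message never silently falls back to plaintext. All names (`Contact`, `plan_send`, `send`) and the sample contacts are hypothetical, and encryption itself is out of scope.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Transport(Enum):
    ENCRYPTED_DATA = "encrypted over data"
    ENCRYPTED_SMS = "encrypted over SMS"
    PLAINTEXT_SMS = "plaintext SMS"


@dataclass(frozen=True)
class Contact:
    number: str
    keys_verified: bool    # set locally after the user has exchanged keys with this contact
    allow_plaintext: bool  # explicit per-contact opt-in to unencrypted SMS


@dataclass(frozen=True)
class Plan:
    transport: Optional[Transport]  # None means "do not send"
    encrypted: bool
    notice: str                     # what the UI shows BEFORE the user presses send


class DowngradeRefused(Exception):
    """Raised instead of sending in a weaker mode than the user was shown."""


def plan_send(contact: Contact, data_available: bool) -> Plan:
    """Decide how a message would go out, using local state only."""
    if contact.keys_verified:
        if data_available:
            return Plan(Transport.ENCRYPTED_DATA, True, "Encrypted (data)")
        # No internet: stay encrypted and fall back to the SMS bearer.
        return Plan(Transport.ENCRYPTED_SMS, True, "Encrypted (SMS, no data link)")
    if contact.allow_plaintext:
        return Plan(Transport.PLAINTEXT_SMS, False, "UNENCRYPTED plain SMS")
    return Plan(None, False, "Blocked: no verified keys for this contact")


# Constructed stand-in for the radio/network layer: records routing decisions.
outbox: List[Tuple[str, Transport, str]] = []


def send(contact: Contact, body: str, data_available: bool, shown: Plan) -> Transport:
    """Send only if the current plan is at least as strong as the one shown."""
    current = plan_send(contact, data_available)
    if current.transport is None:
        raise DowngradeRefused(current.notice)
    if shown.encrypted and not current.encrypted:
        raise DowngradeRefused("state changed since compose; would send plaintext")
    outbox.append((contact.number, current.transport, body))
    return current.transport


def demo() -> List[str]:
    """Run the constructed scenarios and return one result string per case."""
    alice = Contact("+15550100", keys_verified=True, allow_plaintext=False)
    bob = Contact("+15550101", keys_verified=False, allow_plaintext=False)
    results = []
    shown = plan_send(alice, data_available=True)
    # Data link drops between compose and send: still encrypted, now over SMS.
    results.append(send(alice, "hi", data_available=False, shown=shown).value)
    # Alice's keys are reset and plaintext is enabled behind the user's back.
    alice_reset = Contact(alice.number, keys_verified=False, allow_plaintext=True)
    try:
        send(alice_reset, "hi", data_available=True, shown=shown)
        results.append("sent")
    except DowngradeRefused as exc:
        results.append("refused: " + str(exc))
    results.append(plan_send(bob, data_available=True).notice)
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```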
Stay away from this app and developer, who in my view, has been compromised. In the latest release (which I compiled about an hour ago), he removed the ability of the user to regenerate identity key. In the last couple of releases, the app would crash unless you allow it to use the internet. He also introduced Google Cloud Pushing services, which means that everyone who is using textsecure will be recorded in centralized Google/Nsa database. That is if you compiled the app from the source. If you download the app from the store, you wouldn't be able to use it at all without Google account and GSF. Having GSF defeats any encryption as every keystroke is recorded and regularly submitted Home (Google/NSA). Stay away and look for alternatives. I am checking Tinfoil sms app.
optimumpro said:
Stay away from this app and developer, who in my view, has been compromised. In the latest release (which I compiled about an hour ago), he removed the ability of the user to regenerate identity key. In the last couple of releases, the app would crash unless you allow it to use the internet. He also introduced Google Cloud Pushing services, which means that everyone who is using textsecure will be recorded in centralized Google/Nsa database. That is if you compiled the app from the source. If you download the app from the store, you wouldn't be able to use it at all without Google account and GSF. Having GSF defeats any encryption as every keystroke is recorded and regularly submitted Home (Google/NSA). Stay away and look for alternatives. I am checking Tinfoil sms app.
Stop spreading your uninformed opinion everywhere.
I answered each and every one of your "arguments" in your original thread:
http://forum.xda-developers.com/showpost.php?p=51818980&postcount=10

Google Account Hacked - New Joying Head Unit

I had the Google account login issues that many had in here, after contacting Joying they sent me a link to two changed files to copy onto their original firmware update. I updated with this new "firmware" and my Google account worked.
Then 2 days later (March 16th 2021) my Google account was compromised for the first time in 15 years. I only use this password for my Google account so I don't know how it was hacked but the Google Admin audit logs say the hacker just input my password.
They opened up a Google Adwords account and started selling fortnight ads, then attempted to get into my brokerage account, then logged into a dormant Etsy account and tried to do something with Square before I caught on (40min total in my account). They were quickly deleting any account change emails that came in so I wouldn't receive notices of changes.
I am highly suspicious of this new update to my head unit. The timing is spot on, and I haven't used my Google account anywhere other than my Pixel phones, Nvidia Shield, Laptop and this Joying unit.
I am very concerned now about the security of this device. I also don't understand the claim by Joying that "Google updated their servers" and that's why their firmware wasn't working with Google accounts. Smells very fishy to me, and I hope somebody that knows more about device security can help figure this out. I still have copies of the update that they sent me, but I will not be using this brand new head unit anymore with my Google Account.
I posted this thread because I have seen other comments about Google accounts being hacked and concerns about third party device security and thought it would be best to consolidate them here in one thread rather to take other threads on a tangent.
Just be aware that Joying in particular didn't have anything to do with it, they are just resellers and pass on software given to them by the actual manufacturer of the hardware, FYT. Also be aware, that data breaches are happening very often nowadays so that is also a possibility. I'm not defending the manufacturer in any way, but there's too many variables in order to single out the headunit itself. You did mention that you use this google account on your phone as well. It could be that you installed an app on your phone that stole your account information as well. Also a new "virus" has been discovered that disguises itself as a system update that can steal your info. Info here: https://www.androidpolice.com/2021/...retends-to-be-a-system-update-for-your-phone/
Only way to know for sure if it was the headunit itself is to use a new dummy Google account on it and see if it gets taken over as well. Also, I don't see the purpose of needing to login to Google on these devices anyways since we're not using them like phones and, me in particular, I don't consume streaming media on it so I don't give it network access at all. These new units have spotty GPS reception at best and sometimes I find myself forced to use Android Auto anyways so the only streaming media consumed is straight from my phone.
What I can recommend you do is install a firewall app on your headunit and monitor where it tries to connect and determine if it needs to access it or not. To put yourself at ease, I would change your password and enable 2 step authentication on your account.
Let us know if you decide to sideload a firewall app and post your results. With that info, we can take this concern up to Joying/Teyes/etc and have them press their supplier for information. I can assure you that with the proper evidence, the resellers will put some effort into fixing this wrongdoing, since they wouldn't want to tarnish their reputation and possibly lose out on some sales.
I was also hacked in mid March soon after installing a joying unit and connecting to my google account. The hacker opened a google ads account and used a credit card associated with my google account to charge 260 dollars to my visa. They would have charged more but my limit on the card is low for just this reason. Visa had to cancel my card and send me a new one. I never even connected the hack in my mind to the joying head unit until explorer_200 happened to post his experience, but this seems like far too much of a coincidence given that we both have had the same experience at the same time and all we have in common is the joying unit.
I agree that it may not be something joying knows about, but it's probably a good idea to see how many have been affected by this hack. For now I will be setting up a locked down google account just for the joying box and my head unit will only be connected to apps that are no real risk to my passwords and personal data.
I need to login to google to use voice commands and google assistant as well.
explorer_200 said:
I posted this thread because I have seen other comments about Google accounts being hacked and thought it would be best to consolidate them in one thread.
Could you please link to these other comments. Right now there is just your say so which is a sample size of one. Not doubting what you are saying, but correlation is not necessarily causation.
6KayZee9 said:
I never even connected the hack in my mind to the joying head unit until explorer_200 happened to post his experience, but this seems like far too much of a coincidence given that we both have had the same experience at the same time and all we have in common is the joying unit.
That is flawed logic.
Allow me to use similar thinking in another way.
I notice that every time I go outside when it is raining, there are people with umbrellas. I deduce that it is too much of a coincidence to see people with umbrellas when it is raining to think they are not linked. I don't see these same people carrying umbrellas when it is not raining. I can only conclude that the umbrellas are causing the rain.
You say that you and one other have the same head unit and have been hacked therefore it is the headunit's fault. Do a survey on how many people with Samsung phones were hacked yesterday and get back to me to let me know if the number was greater than two.
We can then move on from there.
Once bitten, twice shy... learn or get burned.
If you had a secure password that you managed well until 2 days ago that should narrow down your list of suspects substantially.
Time to take out the trash...
Results are all that matter; take out anything that might have been involved. The napalm method.
Overkill yes, but it's effective.
Breaching your Google account is completely unacceptable and I go nuts on anything/one that was potentially involved.
explorer_200 said:
I had the Google account login issues that many had in here, after contacting Joying they sent me a link to two changed files to copy onto their original firmware update. I updated with this new "firmware" and my Google account worked.
Then 2 days later (March 16th 2021) my Google account was compromised for the first time in 15 years. I only use this password for my Google account so I don't know how it was hacked but the Google Admin audit logs say the hacker just input my password.
They opened up a Google Adwords account and started selling fortnight ads, then attempted to get into my brokerage account, then logged into a dormant Etsy account and tried to do something with Square before I caught on (40min total in my account). They were quickly deleting any account change emails that came in so I wouldn't receive notices of changes.
I am highly suspicious of this new update to my head unit. The timing is spot on, and I haven't used my Google account anywhere other than my phone and this Joying unit.
I am very concerned now about the security of this device. I also don't understand the claim by Joying that "Google updated their servers" and that's why their firmware wasn't working with Google accounts. Smells very fishy to me, and I hope somebody that knows more about device security can help figure this out. I still have copies of the update that they sent me, but I will not be using this brand new head unit anymore with my Google Account.
I posted this thread because I have seen other comments about Google accounts being hacked and thought it would be best to consolidate them in one thread.
If you're not using MFA/2FA on your account(s), expect it to be a matter of time until your account(s) are compromised again.
The joying update is what I would call purely coincidence and post hoc (Post hoc ergo propter hoc.)
Exactly this, without hard evidence that the Joying/Teyes/etc update is the cause of your Google account getting hacked, this is all pure coincidence. So far I'm aware of only 2 reports of accounts getting hacked, @explorer_200 and @6KayZee9. I've been lurking "the other" forum and I haven't seen any reports there either. Get some evidence to back up your claims and then start pointing fingers and have fyt (the software comes from them) be held accountable.
gamer765 said:
Exactly this, without hard evidence that the Joying/Teyes/etc update is the cause of your Google account getting hacked, this is all pure coincidence. So far I'm aware of only 2 reports of accounts getting hacked, @explorer_200 and @6KayZee9. I've been lurking "the other" forum and I haven't seen any reports there either. Get some evidence to back up your claims and then start pointing fingers and have fyt (the software comes from them) be held accountable.
It's not so much proving anything as it is plugging the most probable source(s) of the leak to prevent it from ever happening again for the user.
If that means never using the software even the hardware, it's a small price to pay.
An OS reload may also be a good idea at this point on all potentially infected devices and another password reset. Go nuts... this could get real messy if it's in the data drive and gets into the backups.
The perp may only target high value targets and leave the smaller fish be giving the illusion the site, software or whatever is safe.
blackhawk said:
Once bitten, twice shy... learn or get burned.
If you had a secure password that you managed well until 2 days ago that should narrow down your list of suspects substantially.
Time to take out the trash...
Results are all that matter; take out anything that might have been involved. The napalm method.
Overkill yes, but it's effective.
Breaching your Google account is completely unacceptable and I go nuts on anything/one that was potentially involved.
Have you considered aliens? Or ghosts? They both fit in with your assumptions thus far.
I guess you failed statistics 101. Your conclusion is flawed. You have failed to take into account the number of hackers in the world that were active 2 days ago and you have failed to take into account all the other apps you have attached to your account / sideloaded onto other devices that have access to that account.
Do that and then you are starting to get somewhere.
By all means change your password. But don't attempt to pass off your unsubstantiated claim as fact or anywhere in the realms of probability without some data to back it up.
ludditefornow said:
I guess you failed statistics 101. Your conclusion is flawed.
By all means change your password. But don't attempt to pass off your unsubstantiated claim as fact or anywhere in the realms of probability without some data to back it up.
If every 1 in 1k accounts gets hacked by an unscrupulous site or device and you're that one, you're still statistically 100% boned
The OP should suspect the use of their Google password; it's probably the most recent sites it was used on or the device.
I'd purge both, no remorse...
blackhawk said:
If every 1 in 1k accounts gets hacked by an unscrupulous site or device and you're that one, you're still statistically 100% boned
What does that have to do with the subject at hand? The ramification from being hacked has nothing to do with how one was hacked based on the OP.
And besides, the OP wasn't 100% boned as you put it. It was less than an hour before they realised and steps were taken to counter the hack. They had a couple of hundred dollars put on a card that will be reversed no doubt.
So that is another statistic failure. Friendly advice. Stop posting about stats in any way until you get the fundamentals of them right.
ludditefornow said:
What does that have to do with the subject at hand? The ramification from being hacked has nothing to do with how one was hacked based on the OP.
And besides, the OP wasn't 100% boned as you put it. It was less than an hour before they realised and steps were taken to counter the hack. They had a couple of hundred dollars put on a card that will be reversed no doubt.
So that is another statistic failure. Friendly advice. Stop posting about stats in any way until you get the fundamentals of them right.
You're the one that wanted a go at me.
Is that all you got?
All my data is redundantly* backed up without Google but some use it to back up everything.
Some have a lot to lose in just a couple minutes with a hacked Google account.
Don't trivialize it... on my account
Boy you guys are grumpy, neither of us are saying anything is definitively Joying's fault, however it's a much bigger coincidence when you consider that neither of us ever had a problem till now and I've had Gmail since soon after it came online. Here is an alternate hypothesis: I have carwebguru on my head unit as well. Maybe both explorer_200 and I have it on our head units and that code is the true culprit. Other than that, all my apps I've had for a long time. I'm not really sure that I believe this is all that sophisticated unless it's on a huge scale, since they only got a few hundred from Visa and/or Google. And for that they have some pretty powerful entities who may now be taking an interest. We are just sending all this up the flag pole to see how many salute...
blackhawk said:
You're the one that wanted a go at me.
Is that all you got?
All my data is redundantly* backed up without Google but some use it to back up everything.
Some have a lot to lose in just a couple minutes with a hacked Google account.
Don't trivialize it... on my account
I'm not trivializing being hacked at all. I think you need to reread my posts. Because your response tells me you haven't understood them.
Wow. I didn't expect this to be a controversial thread. I've seen a few posts in here from people who have gone through the code on these units and found Chinese URLs that don't appear to have any uses. I am not definitively saying anything here, but Reddit is full of people wary of running Android on these devices because they have such huge potential to be compromised.
I am VERY careful with my Google account information online. I am highly aware of phishing schemes, and haven't used an external device other than my Pixel2, Pixel4, Laptop, Nvidia Shield, to log into Google in over 5 years.
The attack was similar in both of our cases, and happened within a few days of us logging into Google with a new Joying head unit (that had verified Google Login issues from a 2021 firmware update).
Anyways... I've changed my Google password 3 times since this happened, and am monitoring my Google audit log multiple times per day. So far so good, but unfortunately I won't be using this head unit with my Google account going forward.
After activating my Google account on the new Navifly headunit, I received a notification from Google that I need to change all passwords (about 350 pieces). In addition, all contacts from the phonebook (on the mobile phone) and automatic backup have disappeared. I deactivated the account on headunit, but it didn't help. I plan to contact Google to see if they can help me.
nenadhebiv said:
After activating my Google account on the new Navifly headunit, I received a notification from Google that I need to change all passwords (about 350 pieces). In addition, all contacts from the phonebook (on the mobile phone) and automatic backup have disappeared. I deactivated the account on headunit, but it didn't help. I plan to contact Google to see if they can help me.
This doesn't make any sense.
I'll say it again; enable 2fa/mfa on your Google account.
If not using multifactor authentication or doing questionable things like accepting apps access to your Google account, expect to be compromised.
nenadhebiv said:
After activating my Google account on the new Navifly headunit, I received a notification from Google that I need to change all passwords (about 350 pieces). In addition, all contacts from the phonebook (on the mobile phone) and automatic backup have disappeared. I deactivated the account on headunit, but it didn't help. I plan to contact Google to see if they can help me.
Actually I lost all my Google contacts as well with the Joying unit, but I found out it had to do with the Bluetooth syncing from my phone to the head unit. You've gotta disable it.
Search for "head unit deleted all my Google Contacts" and you'll see lots of threads.
