Had the thought that perhaps the new feature, to send your nexus a direct link from your computer, might be exploitable by some unfriendly people.
What do you all think the risks are, if any?
If it can tell your phone to open the browser and launch a website, what's to stop someone from telling your phone to buy ten thousand copies of Conan the Barbarian, or destroying itself and catching on fire. Kidding of course, but you get what I mean.
Very difficult. It'd be just as likely as someone stealing your Gmail account.
Mmm, ok. Thought I would ask
It has the potential, under the right circumstances, to be used for evil though! EVIL!
I'm not entirely sure, but from what I understand all intents go through google servers. I assume google is doing checks for malicious behaviour on their end.
Don't you have to register a phone to a gmail account and be logged into that account to send to the phone?
Haven't tried the app myself, but it wouldn't make sense any other way ;-)
You have to be logged in. And I think info is sent via Google servers, so unless someone steals your Google account, I think you should be safe.
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
chromiumcloud said:
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
I believe that Google are running a closed beta at present too, so the only people that can write apps that use cloud messaging will have been vetted by Google.
All the components of the extension (Chrome extension, Android application and application server) are open source, so what prevents anyone from developing another extension that uses the Google cloud service to communicate with Android?
ludo218 said:
All the components of the extension (Chrome extension, Android application and application server) are open source, so what prevents anyone from developing another extension that uses the Google cloud service to communicate with Android?
All of the messages go through the Google servers
As I understand, the application engine part of the extension (which runs on Google App Engine) registers itself to "the cloud" using a Google API. Anyone should be able to use these APIs, no?
It most certainly could be exploited. I can think of a javascript exploit that would work right now.
However the consequences of an exploit are severely limited by the security model that Android uses. Something can not run in another security context unless you allow it to.
The day "Chrome2Phone" asks for root access is the day it should be removed from your phone. Until then the most it could do is tell an app to do something that you've already allowed that app to do (which could arguably be undesirable things).
The user needs to explicitly permit all security privileges in Android remember (read that app install page with security details!). If it can do something, you've permitted it to do so.
tanman1975 said:
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
That is true, but if I recall correctly, when you choose a phone number link from the browser, it will bring the number up in your dialer application, but you must initiate the call with the green call button, so there is a level of security there.
Actually, this could be a pretty nifty security feature. If the phone gets stolen, how great would it be to be able to enable the GPS, camera or mic? Given proper security protocols of course...
@tanman1975
Didn't think of that one. T'would be a very powerful tool against the robbers out there. Nice.
Does anyone know how to make an AOSP ROM support Exchange 2007 security requirements? Whenever I try to add the account I get a message which says something to the effect of "Exchange requires features your phone does not support". Exchange wants you to have to enter a passcode every time you unlock the phone.
Stock eris and stock-based roms support it and so does the motorola droid.
Is this something where I can possibly just copy over a system apk to make it work or is it deeper in the code? I changed the email apk to the one from the droid but that didn't do anything. Has anyone ever ported a version of the motorola droid to the eris? Am I way off on the approach?
Thanks in advance for any ideas!
You'll have to be more specific. I have not yet had problems getting my exchange account to work properly on any ROMs, including the Kaos 2.2 v24.
Sent from my Eris using XDA App
You have to enable security on them. When I used 2.1 ROMs I used lockpicker from the market. It will disable the need to type in a password every time you lock the phone but still make the server think it's enabled. FYI kaosfroyo works too and no need to enter a password. Only drawback is you have to re-enable it every time you power down the phone.
Sent from my FroyoEris using XDA App
isaycrikey said:
You'll have to be more specific. I have not yet had problems getting my exchange account to work properly on any ROMs, including the Kaos 2.2 v24.
Sent from my Eris using XDA App
That's weird. Our company must have different security requirements if you are getting it to work on the Froyo ROM because I've tried every kind of lockscreen setting I could find. I found this thread which basically says Exchange is only partially supported by Froyo. I know we require password history and expiration which must be the culprit. code.google.com/p/android/issues/detail?id=9426.
So HTC and Motorola must have added something which adds that expiration and history feature. Since it's security related I'm guessing it's more than just an apk. Can the .so files be moved across ROMs? Anyone have a guess at which one may contain this feature?
vtjiles said:
That's weird. Our company must have different security requirements if you are getting it to work on the Froyo ROM because I've tried every kind of lockscreen setting I could find. I found this thread which basically says Exchange is only partially supported by Froyo. I know we require password history and expiration which must be the culprit. code.google.com/p/android/issues/detail?id=9426.
So HTC and Motorola must have added something which adds that expiration and history feature. Since it's security related I'm guessing it's more than just an apk. Can the .so files be moved across ROMs? Anyone have a guess at which one may contain this feature?
Exchange 2007 sync is working for me on KaosFroyo V24 as well. My company also enforces password history and expiration, but no issues here. By the way, no lockscreen security is set on my Eris.
Did the sync work for you on 2.1? If not, your Exchange admins may have to enable it on your account. Sounds like it could be something setup by your employer. It doesn't hurt to ping an admin and see what they say...
g00gl3 said:
Exchange 2007 sync is working for me on KaosFroyo V24 as well. My company also enforces password history and expiration, but no issues here. By the way, no lockscreen security is set on my Eris.
Did the sync work for you on 2.1? If not, your Exchange admins may have to enable it on your account. Sounds like it could be something setup by your employer. It doesn't hurt to ping an admin and see what they say...
The sync was working on HTC 2.1, but not on any 2.1 AOSP ones.
But, after talking to support they switched my policy group and, of course, now it works, so my apologies for being an idiot and putting this in a development forum. I honestly thought the AOSP ROMs just didn't have that functionality and was hoping there was a way to flash something that would make it work.
Since I know most of us tend to do A LOT of reading on tech sites and Android-focused blogs, you are all likely aware of the new security problem that has recently been headline news (especially on Apple sites).
In a nutshell, it is possible for malicious unsecured WiFi APs and HotSpots to steal the AuthToken from your phone when your WiFi contacts it. This AuthToken then can be used for two weeks to gain access to your Google account, which in turn may make other accounts you have vulnerable. They do this by using very common SSIDs, such as Default or Linksys, to encourage passing Android phones and/or tablets to try and connect with them. Though the connection doesn't complete, just the sniffing that takes place in advance is enough for the theft to take place.
Fortunately Android phones don't automatically try and connect to every cheap, streetcorner HotSpot they see...but they do automatically connect to WiFi APs they have been connected to before. Since these malicious APs are using very common SSIDs, it is likely your phone has connected to an AP with the same name in the past, and it will therefore query the AP, allowing the Token to be swiped.
How do we prevent this? Well, there are a few precautions that can be taken to make it less likely your poor phone gets grifted for being too trusting.
Make sure your home AP and other APs you control do not have common names. If your home AP has the SSID default, or Wireless....change it.
Keep your WiFi OFF when not using it.
Do NOT log into APs when you do not know their origin, and certainly not ones you scan for with names like Free Public WiFi. SSIDs like Evil Hacker Out to Fleece You are right out too.
If you DO log into a legit public AP (especially one with a common SSID), but it isn't one you commonly use, after you are done go into your WiFi settings and have your phone forget it.
Lastly, keep an eye on your Google account for suspicious activity. Did someone just use your Google account to pay for $5000 worth of Skype calling to the Canary Islands? If so, report it (unless you've got a girlfriend in the Canary Islands). Also use the security features in your Gmail account to keep track of what IP numbers are logging into your mail. If someone on the other side of the country suddenly accesses your inbox, change your account details and report it to Google.
Forewarned is forearmed..and the sooner we make this scam unprofitable, the sooner it will go away and the sooner iPhone users will shut up about it.
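An added example, not part of the original post: one way to apply the "forget it" and "rename it" advice above is to audit the phone's saved-network list for open networks and for the common SSIDs the post names. It assumes the list is a `wpa_supplicant.conf`-style file of `network={...}` blocks (as pulled from a rooted device); the sample file, the verdict labels and all function names are constructed for illustration.

```python
import re

# SSIDs the post calls out as common; extend for your own environment.
COMMON_SSIDS = {"default", "linksys", "wireless", "free public wifi"}

# Constructed sample in wpa_supplicant.conf style (not from a real device).
SAMPLE_CONF = '''\
ctrl_interface=wlan0
update_config=1

network={
    ssid="linksys"
    key_mgmt=NONE
    priority=3
}

network={
    ssid="HomeNet-7f3a"
    psk="constructed-passphrase"
    key_mgmt=WPA-PSK
}

network={
    ssid="Free Public WiFi"
    key_mgmt=NONE
}

network={
    ssid="default"
    psk="constructed-passphrase"
    key_mgmt=WPA-PSK
}

network={
    ssid="CornerCafe-Guest"
    key_mgmt=NONE
}
'''


def parse_networks(conf_text):
    """Return one dict of key -> raw value per network={...} block."""
    networks = []
    pattern = r"^network=\{[ \t]*\n(.*?)^\}"
    for body in re.findall(pattern, conf_text, re.S | re.M):
        entry = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep:
                entry[key] = value
        networks.append(entry)
    return networks


def decode_ssid(raw):
    """SSIDs are stored either double-quoted or as bare hex."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def is_open(entry):
    """Open means key_mgmt=NONE with no static WEP key configured."""
    key_mgmt = entry.get("key_mgmt", "WPA-PSK IEEE8021X").split()
    has_wep = any(key.startswith("wep_key") for key in entry)
    return key_mgmt == ["NONE"] and not has_wep


def audit(conf_text):
    """Return (ssid, verdict) for every saved network worth a look."""
    findings = []
    for entry in parse_networks(conf_text):
        if "ssid" not in entry:
            continue
        ssid = decode_ssid(entry["ssid"])
        common = ssid.strip().lower() in COMMON_SSIDS
        if is_open(entry) and common:
            # Any AP broadcasting this name will be joined automatically.
            findings.append((ssid, "forget"))
        elif is_open(entry):
            findings.append((ssid, "review"))
        elif common:
            # Secured, but the post advises renaming APs you control.
            findings.append((ssid, "rename-if-yours"))
    return findings


if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_CONF):
        print(f"{verdict:16} {ssid}")
```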
source?
10char
kepke said:
source?
10char
Background on the security problem? All over the interwebs. HERE for example, or HERE.
The suggestions and commentary are my own.
In 2.3.4 this problem is fixed. Is there any chance to use the fixed files in older android versions?
Sent from my GT-I9000 using Tapatalk
HiQ123 said:
In 2.3.4 this problem is fixed. Is there any chance to use the fixed files in older android versions?
Sent from my GT-I9000 using Tapatalk
Might be something for the devs to consider adding to their custom ROMS.
Google on the case
In an official statement, Google has said it is already rolling-out a fix for the security flaw, which could affect all Android users, except those already running Gingerbread.
"Today we're starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts.
"This fix requires no action from users and will roll out globally over the next few days."
Read more: http://www.techradar.com/news/phone...-security-flaw-fixing-it-957143#ixzz1N5zq1K7S
HiQ123 said:
In 2.3.4 this problem is fixed. Is there any chance to use the fixed files in older android versions?
Sent from my GT-I9000 using Tapatalk
So is 2.3.3 still at risk ?
google already fixed it on their servers. danger averted
Sent from my GT-I9000M
Running CM11 nightly build for today 12/12/13, also was running the previous build and everything runs fine except I have no search icon on the default email app. Does anyone else have this issue?
Just wanted to follow up on this. I thought it might be a KitKat or CM issue so I flashed CM 10.2. Same issue, no search in default Exchange mail app. I then flashed one of the LG-based ROMs and same thing. Interesting note that as I was entering the server details I could see the little search icon on the top but as soon as I entered the server specs it disappeared. I'm beginning to believe that it is something to do with my company's Exchange server now. Also note that when I first received the phone, I was totally stock using the LG email app and search was there. As a workaround I have installed the Cloudmagic email app which is pretty good and has the search feature, but one gripe I have about it is that it doesn't search your company's global contacts like the default app does, so you're stuck with copying and pasting from another email or just replying to an older one. And before anyone asks, yes I have tried Touchdown but the $20 asking price is ridiculous IMHO and I just think the interface is retarded. Again, my opinion. If you like it more power to ya!
fegar said:
Just wanted to follow up on this. I thought it might be a KitKat or CM issue so I flashed CM 10.2. Same issue, no search in default Exchange mail app. I then flashed one of the LG-based ROMs and same thing. Interesting note that as I was entering the server details I could see the little search icon on the top but as soon as I entered the server specs it disappeared. I'm beginning to believe that it is something to do with my company's Exchange server now. Also note that when I first received the phone, I was totally stock using the LG email app and search was there. As a workaround I have installed the Cloudmagic email app which is pretty good and has the search feature, but one gripe I have about it is that it doesn't search your company's global contacts like the default app does, so you're stuck with copying and pasting from another email or just replying to an older one. And before anyone asks, yes I have tried Touchdown but the $20 asking price is ridiculous IMHO and I just think the interface is retarded. Again, my opinion. If you like it more power to ya!
After doing a little more research on this it seems that this might actually be an Android problem.
I managed to get two s5's rooted and annoyingly enough, unless I put my sims card in them, neither gmail or the playstore will connect or login via wifi. I only have one sims activated and that is my internet connection which I tether via wifi to my other devices.
Is there a way to work around this? If this is too remedial a question or unwelcome in this thread, I apologize.
I'd like to be able to set up a freshly flashed and rooted phone to accept my gmail account and work with playstore on wifi, sans a sims installed. Do I need to create a gmail account for each and every phone I wish to set up? Will this fix the problem of doing a phone not having a active verizon sims installed? For whatever reason, my playstore access and gmail push are wonky and dubious at best when having the same account being "registered" on multiple devices and I'm not sure if it started recently when gmail for some reason started sending notices to said email account of when another device logged in.
DroidinAndStuff said:
I managed to get two s5's rooted and annoyingly enough, unless I put my sims card in them, neither gmail or the playstore will connect or login via wifi. I only have one sims activated and that is my internet connection which I tether via wifi to my other devices.
Is there a way to work around this? If this is too remedial a question or unwelcome in this thread, I apologize.
I'd like to be able to set up a freshly flashed and rooted phone to accept my gmail account and work with playstore on wifi, sans a sims installed. Do I need to create a gmail account for each and every phone I wish to set up? Will this fix the problem of doing a phone not having a active verizon sims installed? For whatever reason, my playstore access and gmail push are wonky and dubious at best when having the same account being "registered" on multiple devices and I'm not sure if it started recently when gmail for some reason started sending notices to said email account of when another device logged in.
I too manage two S5's, rooted and I have no problems. The one without a Sim works great off of WiFi. Playstore works fine logged into the same account.
Tulsadiver said:
I too manage two S5's, rooted and I have no problems. The one without a Sim works great off of WiFi. Playstore works fine logged into the same account.
That's perversely encouraging and assures me I haven't lost my mind expecting something impossible that I thought I knew to be true. Neither of my S5's, my N4 or Z2 will reliably hook up with gmail and the play store both. This one S5 will not allow me set up a new gmail account on the device and gmail has stopped pushing to my DD S4. Remove account, clear cache, date force stop all google processes, reboot and same. Lots posted about it and I know google hasn't banned me as it is working on some devices. Besides, I behave.
Now if I can get supersu to install from an APK with a wifi connection, I can at least proceed.
Congrats on yours and thanks for confirming it should work.
Well I popped the sims card in the one, which had been flashed back to ngc from oa8 (my other one hadn't ever tried to OTA update from nk2) and playstore and gmail cooperated fine. However, SDM started downloading an update, which I'll assume is OTA to OA8 or OC4. The first time before I pulled the battery I got playstore hooked up and forced SDM to stop. Pulled the battery and SDM continued where it left off and I managed supersu and busybox. Deferred the install of the update and wonder how critical it is that the downloaded file be removed prior to safestrapping it and then OC4 rooting it with the tether addon.
The other S5 on nk2 hasn't tried to OTA update so it must be down on the list despite being readily activate-able with clean IMEI and no issues.
I wish I could figure out why google services such as gmail and playstore are being contumacious on my devices.
I had that same problem of an update trying to get on my phone before I could get it rooted (an S4) and it messed my phone up bad. I had to finally take the update to get it working again.
I would put all the files, towelroot, busybox, SuperSU, safestrap, and titanium backup on my ext SD card. Flash back to stock NGC. Don't use your Sim or log onto WiFi. Root your phone and freeze SDM.
Tulsadiver said:
I had that same problem of an update trying to get on my phone before I could get it rooted (an S4) and it messed my phone up bad. I had to finally take the update to get it working again.
I would put all the files, towelroot, busybox, SuperSU, safestrap, and titanium backup on my ext SD card. Flash back to stock NGC. Don't use your Sim or log onto WiFi. Root your phone and freeze SDM.
It never attempted the OTA until the active sim card was in place. I used it on wifi many times including several times today and had even worked fine with the playstore/gmail on wifi up until recently when gmail stopped pushing to my dd period, and every other device in which my DD's sims card wasn't inserted.
The OTA update file has been downloaded, but not installed. I deferred it to 5 am and didn't check automatic. I am assuming I can defer it again although I'd somehow feel better removing it and freezing SDM until I decide if I am going to OC4 it or do a custom rom. Nice would be native call recording, native tethering and being able to overclock it a bit. A lightweight lollipop and xposed would probably do the trick other than maybe overclocking. Too much reading for one day.
It is currently on NCG, rooted, supersu, busy box, and safestrap all installed. I think I'll install a root file explorer try to find it and also do Titanium Backup while I'm at it. I wish I knew where it was and if removing it was as simple as just deleting a file.
Any ideas? I have two in the same state and think I'm going to make one of them my DD since getting root on a verizon N4 doesn't look likely anytime soon. The N4 is kinda big anyhow. I have to have tethering and would like it easier than foxfi since I feel obligated to use as much of my unlimited data as possible. I think I read the native call recording can be enable from the dialer at the cost of the "add call" which I don't use or even know what it is.
DroidinAndStuff said:
It never attempted the OTA until the active sim card was in place. I used it on wifi many times including several times today and had even worked fine with the playstore/gmail on wifi.
The OTA update file has been downloaded, but not installed. I deferred it to 5 am and didn't check automatic. I am assuming I can defer it again although I'd somehow feel better removing it and freezing SDM until I decide if I am going to OC4 it or do a custom rom. Nice would be native call recording, native tethering and being able to overclock it a bit. A lightweight lollipop and xposed would probably do the trick other than maybe overclocking. Too much reading for one day.
It is currently on NCG, rooted, supersu, busy box, and safestrap all installed. I think I'll install a root file explorer try to find it and also do Titanium Backup while I'm at it. I wish I knew where it was and if removing it was as simple as just deleting a file.
Any ideas? I have two in the same state and think I'm going to make one of them my DD since getting root on a verizon N4 doesn't look likely anytime soon. The N4 is kinda big anyhow. I have to have tethering and would like it easier than foxfi since I feel obligated to use as much of my unlimited data as possible. I think I read the native call recording can be enable from the dialer at the cost of the "add call" which I don't use or even know what it is.
Try your root/cache folder to find your update.
Tulsadiver said:
Try your root/cache folder to find your update.
Getting on that this morning. I wish I could figure out why it keeps downloading and installing playstore on wifi and still won't work until I put my sims in it. I've gone through everything short of uninstalling all of google services and reinstalling them on several devices. My wifi only z2 tab acting stupid with google would be a vexation if I let things like that bother me.
Thanks and I'm popping the sims in it and going to try cleaning it up and locking down SDM.
___________________________________________________________________________________________________________________
Installed the root browser and the update zip was in cache.
Deleted.
Went to system with the display icon.
App then deleted the SDM apk and the SDM odex file.
Hopefully that will keep it from pulling that stunt again until I decide what to do with it.
Guess I should do it with the other one and figure out why that same sims won't make gmail push to my DD or the play station work in it or why my non-pc wifi only devices won't work except through their browsers. I think there must be some conflict with which devices the playstore is recognizing as being associated with my accounts.
Must be something in my google settings and what a conglomerated octopus google services has turned into.
Thanks again. Feel free to tell me if my down and dirty bandaid overlooked anything!
Good luck to you!
The only thing weird about my google account and gmail is that the email address I login with is not the one that shows up under "accounts" and the login email address is not a gmail address. Somehow the two different email accounts are linked together.
Tulsadiver said:
Good luck to you!
The only thing weird about my google account and gmail is that the email address I login with is not the one that shows up under "accounts" and the login email address is not a gmail address. Somehow the two different email accounts are linked together.
Yeah, I wish I knew what Google was up to exactly. Acknowledging the 'this device logged into your account' and verifying that it's me seems like it should seamlessly eliminate issues. That doesn't appear to be the case and I think my problems started when I somehow agreed for them to send me such notices relative to the gmail account I use on my other devices, not both gmail accounts associated with my DD.
On my DD, I have two gmail accounts that I've had for ages. They have always worked fine on my android devices. Recently that changed and I'm not sure why but I know when. On my other many devices, I've just registered one of my gmail accounts to them, the same one each time, and they too all seemed to quit working at the same time, initially offering no problems to working on wifi.
However, I am curious as to your thoughts on Ricks Rom as I looked over the specs and it seems to be about what I'm looking for although for some unqualified reason, my mind has been thinking I wanted a rom based on lollipop. It says it has native or hacked hotspot and native call recording. Can it be overclocked? I don't use Facebook, Twitter or any of the gimmicky apps that come preinstalled on the phones and find most all of them, especially the Samsung redundant ones, to be annoying and intrusive.
Do you know for sure if Xposed will or will not work with it?
How many security certificates come system installed on Ricks Rom? My guess is that something like 200 come stock and I don't like the looks of many of them and wish I knew how come and why.
Thank you, I appreciate your sharing information. It is nice to gather up pieces to puzzles and hopefully being able to solve them. I'll get this gmail playstore thing fixed if it means I have to go fishing long enough to forget about it! Maybe somebody else finding themselves in a similar situation may find some of our particular details useful to fixing these oddities.
I'm running RicksRom (v19 right now) on my DD and have been using it since I first got my phone a year and a half ago. I don't have Xposed but don't know why it wouldn't work. This is a pretty lean ROM but it does have quite a few security certificates. I'm running MOAR on my spare phone that is currently on lollipop. I have this phone as a spare to play with but wouldn't run lollipop. Too quirky and I like the theming capabilities of KitKat better.
Tulsadiver said:
I'm running RicksRom (v19 right now) on my DD and have been using it since I first got my phone a year and a half ago. I don't have Xposed but don't know why it wouldn't work. This is a pretty lean ROM but it does have quite a few security certificates. I'm running MOAR on my spare phone that is currently on lollipop. I have this phone as a spare to play with but wouldn't run lollipop. Too quirky and I like the theming capabilities of KitKat better.
Thanks, lean sounds fine and overclocking a bit would be even nicer! I'll dig through that thread a bit more and see if anyone has verified Xposed to work with it conflict free and if it can be clocked.
I went through my gmail account settings on my PC and under Recent Activity/Notifications and Alerts... there is no way to uncheck any alerts that have been checked. I am pretty sure my issues started when I recently checked "Email" for Suspicious Attempt to Access Account. The password change email notice has been checked since forever.
Going to the Playstore on my PC, it lists all of my devices, past and present although it has dropped some that haven't accessed for a while, and now makes me think I need to give them all nicknames since I have multiples of the same Model Number devices. However, it lists all current and recent as well reconciles. What it won't do from my PC browser, is anything but sit there doing nothing when I hit install for a selected app. It will not give a pop down menu to select which device and the playstore account settings are very minimal. I will see if nicknaming them helps since there are multiple devices with the same model number. This type of online PC install used to work fine and would prompt with a pop down menu to select which device, regardless if they were online via the sims or wifi, and then download and install if the selected device was online. I don't recall ever doing that when I had multiple devices having access with the same model number.
Another interesting thing is that Verizon must have access to the playstore and/or gmail device list. I know this from speaking with a very helpful tech rep this week about my data connection speed on my DD. She verified seeing devices on this account even if they hadn't ever had my sims card installed. Merely been online with my one email account registered and playstore accessed from it. That kinda surprised me. I wonder if there is some Google Services/Verizon conflict that may be causing this.