Device Security - Good Enough? - Samsung Galaxy S7 Edge Questions and Answers

So Samsung has included a scanner for malware in Device Security. What's the general consensus on if it is any good or if another app should be used for scanning? There was another report of a lot of malware present in the Play Store yet again. Seems you don't always have to install from an unknown source to get malware and not even know it.
Thoughts as to what's included with the S7 Edge from Samsung being good enough or do you use something else to scan your device or for real time protection?

Wow...no one huh?

I think Knox does a good enough job. Wbu?

Related

Android Security: A neglected subject (long)

First of all: I'm an OSS advocate and love the idea of open source. Don't forget that while reading this.
Some 2 months ago, I got myself a Galaxy S. It's not exactly cheap, but on the other side, it's really good hardware. This thread is not about Samsung or the Galaxy S. It's about the missing parts of Android security.
We all know it from our home computers: Software sometimes has bugs. Some just annoy us, others are potentially dangerous for our beloved data. Our data sometimes gets stolen or deleted due to viruses. Viruses enter our machines by exploiting bugs that allow for code execution or privilege escalation. To stay patched, we regularly execute our "apt-get update;apt-get dist-upgrade" or use Windows Update. We do this to close security holes on our systems.
In the PC world, the software and OS manufacturers release security bulletins to inform users of potentially dangerous issues. They say how to work around them or provide a patch.
How do we stay informed about issues and keep our Android devices updated?
Here's what Google says:
> We will publicly announce security bugs when the fixes are available via postings to the android-security-announce group on Google Groups.
Source: http://developer.android.com/guide/appendix/faq/security.html#informed
OK, that particular group is empty (except for a welcome post). Maybe there are no bugs in Android. Go check yourself and google a bit - they do exist.
"So why doesn't Google tell us?", you ask. I don't know. What I know is that the various components of Android (WebKit, kernel, ...) do have bugs. There's nothing wrong with that BTW, software is made by people - and people make mistakes and write buggy code all the time. Just read the changelogs or release notes.
"Wait", I hear you say, "there are no changelogs or release notes for Android releases".
Oh - so let's sum up what we need to stay informed about security issues, bugs and workarounds:
* Security bulletins and
* Patches or Workaround information
What of these do we have? Right, nada, zilch, rien.
I'll leave it up to you to decide if that's good common practice.
"But why is this important anyway", you ask.
Well, remember my example above. You visit a website and suddenly find all your stored passwords floating around on the internet. Don't tell me that's not possible, there was a WebKit bug in 2.2 that did just that. Another scenario would be a drive-by download that breaks out of the sandbox and makes expensive phone calls. Or orders subscriptions for monthly new ringtones, raising your bill by orders of magnitude. Or shares your music on illegal download portals (shh, don't tell the RIAA that this is remotely possible).
The bug is probably fixed in 2.2.1 - but without changelogs we can't be sure.
But that's not all - there's a second problem. Not only are we unaware of security issues, we also don't have automated update mechanisms.
We only receive updates when our phone's manufacturers release new firmware. Sadly, not all manufacturers support their phones in the long run.
In the PC world, most Distros have a central package management - that Google forgot to implement in Android. Agreed, some phones can receive OTA updates, but that depends on the carrier. And because of the differences in Android versions it's not possible to have a central patch management either. So we do not know if our Android devices might have security issues. We also have no easy way to patch them.
Perhaps you knew this before, then I apologize for taking your time.
What do YOU - the computer literate and security aware XDA users - think about this? Do you think that's a problem? Or would you rather say that these are minor problems?
Very interesting, thanks! The update problem should be fixed with the next release, no more custom UIs and mods from phone manufacturers, at least Google said that
Sent from my Nexus One using XDA App
Excellent post and quite agree with you. The other significant problem looming is the granularity (or rather, lack thereof) in app permissions which can cause problems you describe without bugs and exploits. I install an app that does something interesting with contacts and also has internet access to display ads. How do I know that my contacts are not encrypted, so making sniffing useless, and beamed back to mummy? Nothing other than blind trust!
I love Android but it's an accident waiting to happen unless the kind of changes you advocate are implemented and granularity of permissions significantly increased. I don't like much about Apple but their walled garden app store is something they did get right although IMHO, they also abuse that power to stifle competition. Bring out the feds!
simonta said:
> The other significant problem looming is the granularity (or rather, lack thereof) in app permissions [...]
> How do I know that my contacts are not encrypted, so making sniffing useless, and beamed back to mummy? Nothing other than blind trust!
I agree, although I'm not sure that less experienced users might have difficulties with such options.
simonta said:
> I love Android but it's an accident waiting to happen
Sad but true. I'm just curious what Google will do when the first problems arise and the first users will have groundshaking bills.
If that happens to just a few users, it'll get a kind media coverage Google surely won't like.
I've seen quite a few android exploits posted on bugtraq over the years. It's a high-volume email list, but with some filtering of stuff you don't care about, it becomes manageable. It's been around forever and is a good resource if you want the latest security news on just about anything computer related.
http://www.securityfocus.com/archive/1/description
People are bashing a lot about the Android security model but the truth is you can never have 100% protection with ANY solution.
Apple is not allowing any app in their store. Fine. But mostly they are only filtering out apps that crash, violate some rules or they just don't like them or whatever. But they can never tell what an app is really doing. Therefore they would need to reverse-engineer every app they get etc. That's just impossible considering the amount of apps....
Speaking again of Android. I think the permission model is not bad. I mean, no other OS got such detailed description about what an app can do or not. But unfortunately it can only filter out very conspicuous apps, i.e. a Reversi game asking for your location and internet access. But then you never know... if the app is using ads it requires location and internet access, right? so what can you do?
RAMMANN said:
> Apple is not allowing any app in their store. Fine. But mostly they are only filtering out apps that crash, violate some rules or they just don't like them or whatever. But they can never tell what an app is really doing. Therefore they would need to reverse-engineer every app they get etc. That's just impossible considering the amount of apps....
Not really, they do blackbox testing and let the apps run on emulated devices they then check if the app "behaves" as desired...
Of course you can't get 100% security and I don't think that's what we're saying, but there is a lot you can do.
Take for example internet access which is the biggest worry I have. The only reason most apps request internet access is to support ads. I now have a choice to make, don't use the app or trust it. That simple, no other choice.
If I installed an app that serves ads but did not have internet access, then the only way that app can get information off my phone is to use exploits and I'm a lot more comfortable knowing that some miscreant needs to understand that than the current situation where some script kiddy can hoover up my contacts.
However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
I absolutely agree with you on Apple, one of the main reasons that I chose a Desire instead of an iPhone, but the Android approach is too far the other way IMHO.
Just my tuppence, in a hopeless cause of imagining someone at Google paying attention and thinking you know what, it is an accident waiting to happen.
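The worry running through this thread, that an app holding both contact access and internet access can send data off the device with no exploit involved, can be checked per app from its declared permissions. The following Python script is an added example, not part of any post here: it parses constructed samples in the `aapt dump permissions` output format, and the package names, category labels and ranking are assumptions made for illustration.

```python
"""Flag apps whose declared permissions pair sensitive data with a way out.

Input is text in the `aapt dump permissions <apk>` format. The dumps below are
constructed samples, not output from real apps.
"""
import re
from dataclasses import dataclass

# Illustrative policy (an assumption, extend as needed): permission -> data category.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "sms",
}
INTERNET = "android.permission.INTERNET"
# Permissions that can run up a bill without any network upload.
BILLABLE = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}

PKG_RE = re.compile(r"^package:\s*(\S+)")
# Matches both `uses-permission: name='X'` and the older `uses-permission: X`.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")


@dataclass(frozen=True)
class Finding:
    package: str
    data: tuple      # sorted sensitive categories the app can read
    network: bool    # holds INTERNET
    billable: bool   # can send SMS or place calls

    @property
    def can_exfiltrate(self) -> bool:
        # Capability only: an ad-supported app and a contact stealer look the same here.
        return self.network and bool(self.data)


def parse_permissions(dump: str):
    """Return (package, set_of_permission_names) from one aapt dump."""
    package, perms = None, set()
    for raw in dump.splitlines():
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    if package is None:
        raise ValueError("no 'package:' line in dump")
    return package, perms


def audit(dump: str) -> Finding:
    package, perms = parse_permissions(dump)
    data = tuple(sorted({SENSITIVE[p] for p in perms if p in SENSITIVE}))
    return Finding(package, data, INTERNET in perms, bool(perms & BILLABLE))


def triage(dumps):
    """Findings worth a manual look, most capable first."""
    flagged = [f for f in map(audit, dumps) if f.can_exfiltrate or f.billable]
    return sorted(flagged, key=lambda f: (-f.billable, -len(f.data), f.package))


# --- constructed sample dumps (hypothetical packages) ---
REVERSI = """package: com.example.reversi
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_COARSE_LOCATION
"""
CONTACT_WIDGET = """package: com.example.contactwidget
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.INTERNET'
"""
OFFLINE_CONTACTS = """package: com.example.offlinecontacts
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' maxSdkVersion='18'
"""
KIDS_GAME = """package: com.example.kidsgame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.SEND_SMS'
"""
SAMPLES = [REVERSI, CONTACT_WIDGET, OFFLINE_CONTACTS, KIDS_GAME]

if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f.package, ",".join(f.data) or "-", "net" if f.network else "",
              "billable" if f.billable else "")
```

A hit only shows what an app is able to do with the permissions it declares; the app that reads contacts but has no network permission drops out of the list, which is the distinction the post above draws.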
marty1976 said:
> Not really, they do blackbox testing and let the apps run on emulated devices they then check if the app "behaves" as desired...
Well, so why did a tethering app once make it into the appstore?
Also I think there are many possibilities for an app to behave normal, and just start some bad activity after some time. Wait a couple months until the app is spread around and then bang. Or remotely launch some action initiated through push notifications etc.
If there is interest, then there is always a way....
simonta said:
> However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
I agree that a separate permission for ads would be a good thing.
But there are still many apps which need your location, contacts, internet access.... all the social media things nowadays. And this is where the whole thing will be going to so I think in the future it will be even harder to differentiate.
Getting back on topic: I just read that Windows 7 Phone will get updates and patches like desktop windows. That means patchday once a month plus when urgency is high...
simonta said:
> However, if internet access and ad serving were separate permissions, you could in one hit address, taking a wild guess, 90% of the risk from the wild west that is Marketplace. With a bit more design and work, it would be possible to get the risk down to manageable and acceptable levels (at least for me).
But, how do you distinguish them? Today, (as a developer) I can use any ad-provider I want. In order to distinguish ads from general internet access, the OS would need one of:
* A Google-defined ad interface, which stifles "creativity" in ad design. Developers would simply ignore it and do what they do now as soon as their preferred ad-provider didn't want to support the "official" ad system or provided some improvement by doing so.
* An OS update to support every new ad-provider (yuck^2).
* Every ad-provider would have to go through a Google whitelist that was looked up on the fly (increased traffic, and all ads are now "visible" to Google whether Google is involved in the transaction or not). This would also make ad-blocking apps harder to implement since Google's whitelisting API might not behave if the whitelist was unavailable. On the upside, it would make ad-blocking in custom ROMs be trivial.
Even if Google did one of these things, it still wouldn't provide any real increase in privacy or security. The "ad service" would still need to deliver a payload from the app to the service (in order to select ads) and another from the service to the app (the ad content). Such a mechanism could be trivially exploited to do anything that simple HTTP access could provide.
http://code.google.com/p/android/issues/list
issues submitted are reviewed by google employed techs... they tell you if you messed up and caused the issue or if the issue will be fixed in a future release or whatever info they find.
probably not the best way to handle it but it's better than nothing.
twztdwyz said:
> http://code.google.com/p/android/issues/list
Knew that bug tracker, but the free tagging aka labels isn't the best idea IMHO.
You can't search for a specific release, for example...
twztdwyz said:
> probably not the best way to handle it but it's better than nothing.
Ack, but I think Google can do _much_ better...
Two more things to have in mind:
1. I doubt that many Android users bother much about what permissions they give to an app.
2. Using Google to sync your contacts and calendar (and who knows what else), is a bad, bad idea.

Galaxy S6 fingerprint sensor can be used to log into websites

The fingerprint sensor in the Galaxy S6 and the Galaxy S6 edge has a neat little feature. Some of the uses that were advertised include securing access to the device as well as authorizing PayPal and Samsung Pay payments. It also has another feature which will allow users to log into websites by simply using the fingerprint that they have already set up. This means that users will no longer have to enter username and passwords on websites that they regularly visit. Simply tap to login and then use the fingerprint sensor.
The Galaxy S6 and the Galaxy S6 edge will automatically ask users if they want to use this feature when they log into a website for the first time using their credentials. If they accept from that moment onwards whenever they have to log into that website they simply use the fingerprint sensor. Those who don’t want this feature can continue to use their credentials. This isn’t groundbreaking stuff, iPhone users can already do this courtesy of iCloud Keychain, but it certainly adds more value to the fingerprint sensor on Samsung’s latest flagships.
https://www.youtube.com/watch?v=0IuJbBtDZvA
This was already a possibility on the Note4...but I agree a good option to have!
The concern here is security. Both Apple and Samsung have had their security snafus. That can be a very real concern when it regards how it's possible to snag the fingerprint ID hash created if that portion is not secured well.
Marketing security can be nice and feel goods, but from a technical standpoint, what is the reality?
As much as I want this phone, I also don't need my personal information getting swiped because of poorly implemented security.
I will get the phone regardless, and likely will spend some time testing the security features.
It's a good idea!
opieum said:
> The concern here is security. Both Apple and Samsung have had their security snafus. That can be a very real concern when it regards how it's possible to snag the fingerprint ID hash created if that portion is not secured well.
> Marketing security can be nice and feel goods, but from a technical standpoint, what is the reality?
> As much as I want this phone, I also don't need my personal information getting swiped because of poorly implemented security.
> I will get the phone regardless, and likely will spend some time testing the security features.
you must watch the video
Yes, you must watch it

My first virus!

Ha! Yep I found a virus and both Avast and Norton did not detect it.
The outrageous part of it, is that it is a children's game. I am not a gamer, but had been transferring apps from one device to another. Found the game in question had privileges to contacts, email and system info. I blocked it thinking well it may be for developer needs. Since I was getting tired of big name anti virus apps that are too robust for being called an anti virus app. I looked at small and efficient single duty or very close in operation that can properly do the job, Google fails miserably at.
Believe it or not I was able to install the app on two other devices that were not rooted and had Google app security enabled. So now ya all can see why I disable Google internal services as they suck both in battery power and in being capable.
Well anywho... if ya gots children below 13, most likely their devices or your own have a virus ridden app or two. Good luck if you don't have a proper anti virus app!
what virus?
what does it do?
Donno... just killed it and the game pronto. Game is still on Google Play. Won't advertise the name as many will send the game to their friends and family. Plus I am not paid by Google to do their security work. Problem is this game is for peeps under 10, so I figure about 20,000,000 kids have it or at least had it on both their tablet or parents' phone.
I'm confused. So it wasn't a virus, it was just a game that had permissions to system, and you didn't feel it should?
Sent from my Nexus 6P using Tapatalk
Doesn't sound like a virus...just an app with permissions...
HikingMoose said:
> I'm confused. So it wasn't a virus, it was just a game that had permissions to system, and you didn't feel it should?
> Sent from my Nexus 6P using Tapatalk
My anti virus app noticed it had some sort of virus known by them as infectious. Had already been installed by the end user. I did not bother with isolating further. Killed it and made sure the tablet was good to go. Problem is Google, Norton and Avast did not detect it. So I gave up ever using them since then on Android. I noticed the anti virus I use on Windows now makes a good app for Android. Lo and behold being simple and small foot print, which I had to hand pick from the mess online... It found what was going on with slow down, over heating and other troubles with network speeds. Once removed, I did not need to wipe and reload a new firmware or factory reset.
I tested a few times, soon after removing it, with my tablet and anti virus app used in cleaning, to find Google was still allowing the virus ridden app to be distributed.
Obviously a game made for below 10 year of age does not get much looks at by the Android community. Thinking kiddie gamers are safe. They have no credit info, contacts worth spamming, and are filled with junk pix. Lo and behold kiddie gamers are gold for spyware, hackers, and thieves as they are a true Trojan Horse to get into infrastructures on bring your kids day at corporate places, and sniff home systems behind firewalls.
I may sound a bit too out there, but this stuff has always been my fear since 2000. We ignore kids on their devices and allow them to do what they want as far as downloads that don't cost money, or share files between themselves indiscriminately.
Virus on Android is near impossible without root due to the way android runs app in sandbox. Less so on the app store. I doubt that it was a true virus, maybe Spyware depending on how your scanner defines it.
Those free children's games are full of ad analytics and collect way too much information. Many of them are spammy but I wouldn't go so far as to say it's a virus.
I am unaware of any virus on Android that has spread via the app store. Either way better safe than sorry with those poorly made junk games.
Sent from my GT-N5110 using Tapatalk
Now that I have a new 4.4 build that is more locked down, I will attempt to install the app once more, to verify if it is a Virus or Trojan... the latter could then attach like a virus through messaging. Since the new stagefright hack that affects media server can hit 80% of all Android devices being used to date. No it may not self replicate, but do the damage without really having to send itself to others. Just send a payload. The new and better way for virus architecture. Will look up if I can remember the game, and post my findings.
HA! They must have found the virus... As of end of March the new update corrected the issue. They did not release any info about the fix, but stated there was a bug fix. Bug is loose term for virus in this case.
Well let's see... the first iteration was about 6 months older than the one I updated with in early March. So who knows how many peeps got it and did not know.
Pretty sad that developers will not tell you what they fix when releasing updates. They blind cover with needed fixes and improvements. Bah! Sux hind tit my friends.
Speaking at the RSA security conference in San Francisco on Tuesday, Adrian Ludwig, director of Android security, said the Stagefright hole – which prompted the Chocolate Factory to start emitting low-level security patches on a monthly basis – did put 95 per cent of Android devices at risk of attack. However, there have been no “confirmed” cases of infections via the bug, Ludwig claimed.
https://www.theregister.co.uk/2017/02/15/google_stagefright_android_bug_zero_success/
Nothing but hype as I said before no confirmed cases of anyone able to use the Stagefright bug in an attack in the wild.
Sent from my GT-N5110 using Tapatalk
jasonf1984 said:
> Speaking at the RSA security conference in San Francisco on Tuesday, Adrian Ludwig, director of Android security, said the Stagefright hole – which prompted the Chocolate Factory to start emitting low-level security patches on a monthly basis – did put 95 per cent of Android devices at risk of attack. However, there have been no “confirmed” cases of infections via the bug, Ludwig claimed.
> https://www.theregister.co.uk/2017/02/15/google_stagefright_android_bug_zero_success/
> Nothing but hype as I said before no confirmed cases of anyone able to use the Stagefright bug in an attack in the wild.
> Sent from my GT-N5110 using Tapatalk
I was speaking of the media server bug. Simple code from java script or email to open a media file can break media server, which allows code to be executed at root level. Just clicking on a link opens the back door. There is a lot of peeps worried about this high level bug within Android, and was found of recent. Probably bigger than stagefright and heart bleed combined.
I think that the last release of 4.4.2 with country code of BRI will have a wee more fixes... Only 3 that stands out that need to be applied for kitkat to be bug free.
Unfortunately I am not in Taiwan and rather have UK firmware. Maybe a good dev can make a recovery flash file to allow verification between the fixes I see as pending.
I think you are just overreacting.
an app had broad permissions that likely didn't need. So it was a shady app.
that's not a virus. just lousy practice on the programming side. Don't install it and be done, many many apps like that. But not a virus.
that or your definition of virus is not the usual one (for instance, it did not replicate itself).
profedrini said:
> I think you are just overreacting.
> an app had broad permissions that likely didn't need. So it was a shady app.
> that's not a virus. just lousy practice on the programming side. Don't install it and be done, many many apps like that. But not a virus.
> that or your definition of virus is not the usual one (for instance, it did not replicate itself).
It did have a variant name to the virus when detected. No other anti virus app detected it. Permissions is one thing but this was a virus.
Give me a break! No wonder android peeps are so blind, permissions are permissions and should not be detected as a virus, though if detecting security that is a different thing all together.
I think anti virus apps that have extra features like security checks confuse the bajeebus out of peeps on detection. Don't know the difference between virus and permissions when obviously being told a virus is found, they jump to app permissions.
A virus does not need to replicate to the system to be a virus. Just send a script to launch on another device to have the device infect itself by action. Pretty simple and very effective, especially when the anti virus app does not detect the media script crashing media server and starting the mess of running root and loading whatever off of some server.

[Guide (Making One)] Please help do a thorough guide to optimising an Android.

Backstory: I've always used iPhones, was tired of the bull****, and wished for Android especially the S8. Was shocked, and I'm rarely shocked, but the aggressive violation of privacy, the crazy amount of bloatware, and the unoptimised UX and system services overall.
Now, I'm in charge of a wide ecosystem of people using smartphones in our company as well as other companies I consult for. While people always blab about personal privacy (which is a concern of course), what I don't understand is how people dealing with either sensitive, contractual or strategic information could use Android devices given that it *excuse but there's no better terms* rapes your privacy in every, but also I'm pretty sure, illegal, ways.
For example the Sound Detector app, even when disabled, is constantly listening to your environment without your prior knowledge or permissions. In fact it's mainly the permissions scheme that baffles me: on iOS or any PC or Mac, you can install any app without being constrained to accept giving out information or accessing functions that have nothing to do with the app, THEN you can choose what precise permissions, when and why. And of course there's the whole wider problem of usage and data tracking (which I apparently have to install...a firewall??) or even malware (I have to install a separate antivirus for...on a smartphone). Worst example being that of course: www.theverge.com/2018/1/2/16842294/android-apps-microphone-access-listening-tv-habits
Now I like Android for all their efforts, development and implementation, as well as Samsung efforts...but I'm on the verge of having to present a report to ban all Android phones (for a "leave at door" Policy or either iPhone, BBMs and any other "more" secure smartphones) like I just realised they did in the US government and other official institutions as well as some corporations...or...understand very well how it works, and devise a clear guide on how to completely optimise and secure Android smartphones like I would for PCs/Macs.
So here's my mission if you accept to help me:
1. I want to deconstruct how Android works in a very simple scheme for noob.
2. From that I want to list all the system packages and services, to determine those that are critical, optional or bloatware, and actually describe exactly what they're for so people have a clear idea.
3. I want to list all the base applications, stores or packages apps, to determine those that are critical, optional or bloatware, then what they're for and most importantly the best alternative apps to these.
4. I want to list and make a simple schemes of how the device components (sensors, cam, mic...), the different data canals, and the different permissions are circulating or violating privacy while screwing cpu time, battery and data.
5. Finally I want to learn, understand and create a simple noob introduction to the different tools like Xposed (and XprivacyLua which seems to be the best options), package disablers (I personally went for BK), Firewall, Adblockers and Antivirus (honestly didn't even think I would need those on Android).
So I guess first, I'll list all the apps, packages (and sub-services) that my Galaxy S8 came shipped with that overwhelmed me, so as to know for a basic Galaxy S8/+/Note what is a consensus of what to disable, why, how and by what to replace if there's alternative, while listing basic how-to's of the tools to that. Note that I only know about BK Disabler as of now.
Reserved
Upd: I haven't had time, but I'm starting to do a table with all the packages, what they're for and whether to disable them.
You do know that Silverpush does affect both iPhone and Android, right? And "leave at the door" policy or either iPhone or BBM? There's two errors in this sentence. Are you really what you claim to be? Or just someone with an agenda who just created an XDA account?
why would you need an antivirus for a phone if you stick to play store apps?
rashat999 said:
> why would you need an antivirus for a phone if you stick to play store apps?
There are plenty of play store garbage apps with spy ware and crap in them
vladimir_carlan said:
> You do know that Silverpush does affect both iPhone and Android, right? And "leave at the door" policy or either iPhone or BBM? There's two errors in this sentence. Are you really what you claim to be? Or just someone with an agenda who just created an XDA account?
iPhone (pretends to) be safe and secure and doesn't straight-up violate your privacy by forcing unneeded permission even before installing the app and running tons of spyware as per unbox while giving all your infos out to apps that demand it and more. It's also a question of procedure: iPhone are really easy to fix/secure with a jailbreak, I didn't even root this Android I got and realised how terribly aggressive their violation of privacy is.
But again, I just want to give people the choice as long as their device is secure, that's why I'm learning all the quirks of Android and how to secure them. All our IT guys confirmed that unless you know exactly how to secure Android devices like we did for our computer park, employees better go for an iPhone.
There's a difference between Apple that might have backdoors to the NSA, and Android that is a crazy open buffet for -permitted- information stealing without even talking about spyware or silverpush. My Galaxy S8 came with apps and packages that were constantly listening through the mic without my prior knowledge, installation or authorisation, this is intolerable. But I switched for a reason, I'll see if using Android is easily manageable or if it's better to ban them from inside use.
OgreTactic said:
> iPhone (pretends to) be safe and secure and doesn't straight-up violate your privacy by forcing unneeded permission even before installing the app and running tons of spyware as per unbox while giving all your infos out to apps that demand it and more. It's also a question of procedure: iPhone are really easy to fix/secure with a jailbreak, I didn't even root this Android I got and realised how terribly aggressive their violation of privacy is.
> But again, I just want to give people the choice as long as their device is secure, that's why I'm learning all the quirks of Android and how to secure them. All our IT guys confirmed that unless you know exactly how to secure Android devices like we did for our computer park, employees better go for an iPhone.
> There's a difference between Apple that might have backdoors to the NSA, and Android that is a crazy open buffet for -permitted- information stealing without even talking about spyware or silverpush. My Galaxy S8 came with apps and packages that were constantly listening through the mic without my prior knowledge, installation or authorisation, this is intolerable. But I switched for a reason, I'll see if using Android is easily manageable or if it's better to ban them from inside use.
Mate my question still stands: are you really what you are claiming to be or you just have an agenda? Some badass company appointed you to decide what is secure and what not. Really? You? In Op you are talking about thinking to allow only iOS and BBM (it's BBOS BTW) only. BBOS? Really? BBOS was discontinued one year ago...no more updates no more security patches, no more nothing.
vladimir_carlan said:
> Mate my question still stands: are you really what you are claiming to be or you just have an agenda? Some badass company appointed you to decide what is secure and what not. Really? You? In Op you are talking about thinking to allow only iOS and BBM (it's BBOS BTW) only. BBOS? Really? BBOS was discontinued one year ago...no more updates no more security patches, no more nothing.
That's not my job, but it's part of mine to decide or push in front of committees what tool we should use, purely from a utilitarian, managerial and system POV. None of us besides the IT guys ever realised how intolerably insecure Android was, I've had my head in Apple buttock for years thinking "yeah, that's too limited and I heard Android is now as stable and well made".
But I don't want to go back to iPhone either, so here I am sitting with a Galaxy S8 I'm still not using because I don't know where to start to secure it, whether I should try to fix everything on the factory rom or just root it.
OgreTactic said:
That's not my job, but it's part of mine to decide or push in front of committees what tool we should use, purely from a utilitarian, managerial and system POV. None of us besides the IT guys ever realised how intolerably insecure Android was, I've had my head in Apple buttock for years thinking "yeah, that's too limited and I heard Android is now as stable and well made".
But I don't want to go back to iPhone either, so here I am sitting with a Galaxy S8 I'm still not using because I don't know where to start to secure it, whether I should try to fix everything on the factory rom or just root it.
Okay...what exactly makes you feel insecure? I understand you're bothered that some apps are accessing your microphone. That's easy... Settings-Apps. Tap on those three dots and choose app permission. You'll see what apps have access to microphone and deny permission for them. Job done. What else makes you feel insecure?
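The same review that the Settings > Apps > app permission screen gives, done in bulk from a computer: an added example (not part of the original post) that parses `adb shell dumpsys package` output and reports which packages hold the microphone permission and whether each one is preinstalled. The sample dump is constructed, and the line patterns are assumptions modelled on that output, which varies between Android versions.

```python
import re

# Constructed sample modelled on `adb shell dumpsys package` output; the exact
# layout varies between Android versions, so the patterns below are assumptions.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.voicehelper] (1a2b3c):
    codePath=/system/priv-app/VoiceHelper
    requested permissions:
      android.permission.RECORD_AUDIO
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ GRANTED_BY_DEFAULT ]
  Package [com.example.flashlight] (4d5e6f):
    codePath=/data/app/com.example.flashlight-1
    requested permissions:
      android.permission.RECORD_AUDIO
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (7a8b9c):
    codePath=/data/app/com.example.notes-2
    requested permissions:
      android.permission.INTERNET
"""
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PATH_RE = re.compile(r"^\s*codePath=(\S+)")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

def audit_permission(dump, permission="android.permission.RECORD_AUDIO"):
    """Map package -> grant state and preinstalled flag for one permission."""
    report, pkg, preinstalled = {}, None, False
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            pkg, preinstalled = m.group(1), False
        elif pkg and (m := PATH_RE.match(line)):
            # Anything not under /data/ shipped with the firmware image.
            preinstalled = not m.group(1).startswith("/data/")
        elif pkg and (m := PERM_RE.match(line)) and m.group(1) == permission:
            entry = report.setdefault(pkg, {"granted": False, "preinstalled": preinstalled})
            # A grant for any user profile counts as granted.
            entry["granted"] = entry["granted"] or m.group(2) == "true"
    return report

def listening_candidates(dump):
    """Packages that currently hold the microphone permission."""
    return sorted(p for p, e in audit_permission(dump).items() if e["granted"])

if __name__ == "__main__":
    for name, entry in audit_permission(SAMPLE_DUMP).items():
        print(name, entry)
```

On a real device the input would come from `adb shell dumpsys package`, and a grant found this way can be withdrawn with `adb shell pm revoke <package> android.permission.RECORD_AUDIO`.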
vladimir_carlan said:
Okay...what exactly makes you feel insecure? I understand you're bothered that some apps are accessing your microphone. That's easy... Settings-Apps. Tap on those three dots and choose app permission. You'll see what apps have access to microphone and deny permission for them. Job done. What else makes you feel insecure?
I put my S8 away for now; I went back to an iPhone. I'm using it off-grid to still try and figure out how it works.
Basically my problems are clear:
1. There's no transparency in background processes/services, the components they use and the data they send.
2. The way permissions are managed is intolerable: forcing you to accept non-necessary and arbitrary access to connected components or private information BEFORE installing the app is a form of extortion. The same goes when running the app: forcing permissions that are not critical to the app code actually running is a form of extortion. Baffles me how Google even allows that today.
3. The fact that there's even a need for a firewall and antivirus, and that the official store is filled with illegal (so blatantly copyright-infringing) apps and therefore myriads of potentially malicious apps like Silverpush-enabled ones, without any store control or curation on Google's part.
All this means there is no way I will use an Android rather than an iPhone and allow anyone dealing with private or "sensitive" commercial information to use one inside the company. I'm still trying to figure out if going straight to root is the solution, if I'll have to use cryptography for documents and coms, or if I'll have to spend days figuring out Xposed+Xprivacy, Package Disablers, MicroG alternative libraries, Firewall and Antivirus and god knows what to make it decently secure like an iPhone (which doesn't aggressively violate your privacy and is really easy to secure with a jailbreak...unless there are hidden backdoors, which is still far from the probably illegal open buffet of private and sensitive information Google provides to any potentially malicious websites, scripts or apps).

App for storing login/card details?

Hi guys.
Does anyone know of a trustworthy app to store login details for different sites, banks etc.? Even one I can store my card details in for when I'm away without my wallet. Obviously it has to be 100% trustworthy.
Cheers in advance.
Well, I do not think you will find one that is 100% trustworthy. Nevertheless, there are several password managers that are used by a lot of people.
Here is a link to an article where the most used ones are introduced. Sorry, it's in German, you can translate it with DeepL
Or you can google the managers mentioned in this article to find out more yourself.
The basic questions are: Do you trust your passwords to the Cloud? Do you want it to be open source or not? What kind of encryption should be used?
Hope it helps
Try LastPass https://lastpass.com
I love this app. I set all my credentials and logins with it.
I store all my data with Google. Since they are basically a part of everyone's life right now, I think that security for them is the no. 1 priority.
I'm using SafeinCloud app. There isn't any problem with that.
bitwarden. Same as LastPass but open source.
I use keepass, it's open source and you can keep it local or use cloud storage like Google drive. There's a decent app in the play store and app for Windows.
https://play.google.com/store/apps/details?id=keepass2android.keepass2android
Sent from my SM-G950F using Tapatalk
Samsung pass and Samsung pay should be enough. I won't go for logmein or last pass as they have had security issues in 2017!
Sent from my SM-G950F using Tapatalk
Lastpass for sure. Been using them forever...
They, like keepass, and a few others had potential security issues which were not found to ever be explored. The issues were fixed months before public release, so no harm no foul...
Judging a software by having potential security issues alone is a garbage policy, BTW....
Karlinski said:
Lastpass for sure. Been using them forever...
They, like keepass, and a few others had potential security issues which were not found to ever be explored. The issues were fixed months before public release, so no harm no foul...
Judging a software by having potential security issues alone is a garbage policy, BTW....
Well I don't think it's a rubbish policy to judge commercial software on security issues. Especially if you are planning to hand over your banking details! Plus the ones I have mentioned are proprietary so others can't even audit them, unlike open-source applications. I will be wary of using them.
Sent from my SM-G950F using Tapatalk
Samsung pay is closed source
Samsung pay gets security updates
Samsung pay has not been released to be verified
What's the difference....
1password. The large internet company I work for trusts its passwords to it. They were exposed by cloudbleed and did not get compromised because they had the foresight to not trust ssl.
I use VeraCrypt on my desktop. Creates an encrypted partition and I have an Excel file with my passwords. I just remote in to open the file if I need a pwd when I'm not at home.
I believe there are mobile apps using their API: https://www.veracrypt.fr/en/Android & iOS Support.html
Thanks for all the suggestions guys, will check them all out
