I've used Sony Ericsson phones before I went over to WM-phones, and on the SE phones there is a standard app that is very simple, but genious.
It is a very simple app to remember your pin numbers and/or passwords.
It works kind of like this:
At first use, you select a password and a control word. You enter the password every time you enter the program and it then displays your control word so you can check that you wrote the right password.
Whatever password you enter at program startup will get you inside, no error messages or anything. But entering the wrong passord will also display your control word wrong - whatever it might be. When inside all stored pins/passwords are displayed, but only if you write the correct password when entering they are correct. That way someone not knowing the password will not be able to tell if they actually guessed the password as the "pin numbers" show anyway, but with completely randomized numbers. So they are basically just waisting their time.
Not sure if I managed to explain so anyone can understand or if there is such an app already? I've tried dosens of wallet apps, but not succeded in finding one that is as simple and good as the one in SE phones.
I've been wanting something like this for a while. I can't use the last one I had (Flexwallet) since I had to hard reset and lost the registration number.
There are bunch of free apps to do this on your Windows Mobile device:
Cryptowallet
http://www.freewarepocketpc.net/ppc-download-cryptowallet.html
KeePassPPC
http://www.freewarepocketpc.net/ppc-download-keepassppc-v0-4-4.html
LockCrypt
http://www.freewarepocketpc.net/ppc-download-lockcrypt.html
Blender
http://www.freewarepocketpc.net/ppc-download-blender-v1-1.html
eSec
http://www.freewarepocketpc.net/ppc-download-esec-v1-0.html
You can also browse some more security related apps here:
http://www.freewarepocketpc.net/ppc-tag-secur.html
Hope that helps !
If you are interested in iPhone like interface, check this out
Password Safe
It's free too.
Question to all devs, android and winmo alike:
would it be possible to create a rom for a davice with a large (3"+) touchscreen that gives the option of calling only a few preprogrammed numbers and receive incoming calls from only a few programmed numbers?
also, restrict access to all the advanced features like web browsing etc?
something that will respond to an sms from a certain number with a certain content by performing an action? like silent callback or sending gps fix?
this would be for a child.
as for older users, a large number keypad on the touchscreen with a list of contacts? displaying none of the more advanced info that would scare an older luddite using it?
think jitterbug phone, just better.
I would love to be able to get my 6 year old son and an old friend of the family a phone that is tailored exactly to their needs without having to go for some ridiculously xpensive scheme lie jitterbug.
regards,
Resopalrabotnick
Why do you need a child carry a WM or an Android device? You may "restrict" the access to a browser simply by not including a browser in a rom. Let's disable in registry installing new programs by running a .cab and the problem is solved?
You may have a look at Spb Kiosk too.
Dunno how to restrict numbers, you may try a Call filtering app, put some white-listed numbers there and exclude the program from the start menu. Or just don't include the shortcut into rom. No idea how to restrict outgoing calls.
I saw a phone creeper app that can track you down the smses that the phone receives, so I think that's worth a try too.
I hope I explained a little.
it seems to me like it would be easiest to create a solution for ease of use and in the case of the youth version restrictability by customizing a smartphone versus trying to customize a featurephone.
the old age version is basically intended to be something as easy and intuitive to use as an old bakelite phone.
Follow these steps to dump all of your phone's memory. What use is this? It can be used to locate your MSL code if other methods fail. This method should work even if your phone is "bricked". This could potentially be used to retrieve lost information. At the very least it contains all your texts.
I am also currently exploring a possible security fail on the part of android/google. My phone dump contains my google account password in plain text....not just once. It has my password in plain text over 120 times. I am investigating how this could be. My google password is unique to that one account, and it is paired with my google login in the phone dump. I have not input the password in any other place outside of when I first setup my phone. I have not input that password in any app or browser. You may want to check if your login credentials are also being mishandled and possibly logged.
Phone Dump: (portions of this were taken from the PRL guide)
Connect your phone to your computer using a USB cable.
Open Device Manager.
Ports > LGE Android Platform USB Serial Port > Properties > Port Settings > Advanced > COM port number
Make a note of your COM port number.
Download and install QPST v2.7.
Open "QPST Configuration".
In the "Ports" tab, if your com port isn't listed, select "Add New Port" and write in your com port as "COM#" (# being the number you noted in step 4). Verify that your com port is listed.
Make sure your phone appears in the the "Active Phones" tab.
Run the "Memory Debug" program from QPST.
With your phone connected via USB and selected via the "Browse" button, press "Get Regions".
This will reboot your phone into "Download mode". You will most likely lose the connection to your phone because download mode uses different drivers and possible a different port. Go into device manager -> Ports (COM & LPT) and find your phone's new COM port.
Go into the QPST configuration and setup the new port.
Go back to the "Memory Debug" program, browse for your phone again, and select "Get Regions" again.
This time it will show you a bunch of options. Leave them all checked and select "SaveTo" and pick an empty folder to dump your phone memory to. This will take up a little over 500 megs.
It will take a good amount of time to finish (possibly 30 min to an hour).
When you are done, you will have the following files:
Code:
adsp_rama.bin, adsp_ramb.bin, adsp_ramc.bin, adsp_rami.bin, mdsp_rama.bin, mdsp_ramb.bin, mdsp_ramc.bin, mdsp_regs.bin, load.cmm, ebi_cs0.bin, and ebi_cs1.bin
If you want your MSL code, open ebi_cs0.bin with a hex editor. Look at the following HEX addresses:
Code:
0162ABCE
01BA6BDC
Both should contain your 6 digit MSL code in plain text.
If you want to find your ESN:
Code:
0104B5C2
What is more interesting is when you search in both ASCII and Unicode for your google account password in ebi_cs0.bin and ebi_cs1.bin. This is a raw dump of your phone memory. It will contain your contact list and other person information, but I see no reason for your account password to be logged in plain text. Another user has already reported finding his password using this technique. Please search for yourself and report back what you find. My guess is that this is not unique to the Optimus V.
Update:
I changed my account password. My phone then prompted for my new password. I entered it in. I then synced my contacts, rebooted, and then dumped the contents of my phone. My new password was in there in plain text twice. The old password was still there too. Something is logging my internet traffic or my keyboard inputs.
I can confirm my email address and password are together in plain text in multiple locations. I don't know much about mem dumps, but it appears to indicate it is google's sync service:
ebi_cs1.bin
0D565490 .... 8 NOOP..TCH 48(
0D5654A0 .... UID FLAGS)...."p
0D5654B0 .... assword"........
All other instances were preceded by imap or smtp.
JerryScript said:
I can confirm my email address and password are together in plain text in multiple locations. I don't know much about mem dumps, but it appears to indicate it is google's sync service:
ebi_cs1.bin
0D565490 .... 8 NOOP..TCH 48(
0D5654A0 .... UID FLAGS)...."p
0D5654B0 .... assword"........
All other instances were preceded by imap or smtp.
Click to expand...
Click to collapse
Thanks! With you that makes 3 of us to experience this. The address for the password(s) are different for me which is expected. Where as the MSL code would be located in a certain unchanged portion of the phone, this mysterious log would constantly be changing and could even be fragmented over the flash drive. I don't have (UID FLAGS) anywhere in either file.
What I also have is many Groove IP references with my Groove IP related google login and password. This looks like it is capturing it as internet traffic. I don't see why Google or Groove IP would log a password they both have encrypted access to.
mmarz said:
Something is logging my internet traffic or my keyboard inputs.
Click to expand...
Click to collapse
It's the keyboard. The OS isn't logging your passwords, at least as far as I can tell. If you select a different keyboard than the default, you will see a security warning popup which says that the keyboard can log everything, including your passwords. Well, this is normal, because softkeyboards need to be able to store words you enter into their dictionary/history to enhance their spelling and prediction. This is why your old password is still there after you changed it, and why they are stored in plaintext (because dictionaries are never thought to be encrypted).
Whether or not the softkeyboard is storing "words" that your entered in password fields in plaintext is not an Android security hole, it's the keyboard's, so complaints and/or advisories should be directed to them. They should at least give us the option of marking password fields as something not to store, and if we do want them remembered, for jimminey cricket's sake store them in a separate encrypted dictionary.
obijohn said:
It's the keyboard. The OS isn't logging your passwords, at least as far as I can tell. If you select a different keyboard than the default, you will see a security warning popup which says that the keyboard can log everything, including your passwords. Well, this is normal, because softkeyboards need to be able to store words you enter into their dictionary/history to enhance their spelling and prediction. This is why your old password is still there after you changed it, and why they are stored in plaintext (because dictionaries are never thought to be encrypted).
Whether or not the softkeyboard is storing "words" that your entered in password fields in plaintext is not an Android security hole, it's the keyboard's, so complaints and/or advisories should be directed to them. They should at least give us the option of marking password fields as something not to store, and if we do want them remembered, for jimminey cricket's sake store them in a separate encrypted dictionary.
Click to expand...
Click to collapse
There are a few reasons I don't buy this as being the cause.
Where would this unencrypted keyboard log be? I have data2ext going. My password was found on my internal phone partition. Whatever is doing this has permission to modify files outside of the data folder.
My password was present repeatedly. Even when I changed my password, it appeared twice even though I had only entered it once.
You have to manually select when you want to add words to the dictionary, otherwise all your misspelled tweets would be added. In password fields, this is not possible because only a single letter is inputted at any given time. No word is ever developed.
My other passwords are not in this log file. For example, my titanium backup password that I have to constantly use when I restore backups is not in here. Also my internet search phrases and other relevant items that I have typed in.
Update:
I just got this from KSmithInNY:
http://androidcentral.com/android-passwords-rooted-clear-text
Any app with root access has the ability to get your google credentials because android stores them in plain text. Wonderful!
mmarz said:
I just got this from KSmithInNY:
http://androidcentral.com/android-passwords-rooted-clear-text
Any app with root access has the ability to get your google credentials because android stores them in plain text. Wonderful!
Click to expand...
Click to collapse
Use the 2-step verification for your Gmail account and also set up an application specific password for your android device.
http://www.youtube.com/watch?v=zMabEyrtPRg
csrow said:
Use the 2-step verification for your Gmail account and also set up an application specific password for your android device.
http://www.youtube.com/watch?v=zMabEyrtPRg
Click to expand...
Click to collapse
Wouldn't this mean that you have to enter a verification code when entering your normal password, but if malware were to steal your application specific password that you created just for your phone, they could access your account using it and bypass the verification process?
Application specific password will only work on that phone. If you lose your phone, you can revoke that password for that phone which will block the access.
csrow said:
Application specific password will only work on that phone. If you lose your phone, you can revoke that password for that phone which will block the access.
Click to expand...
Click to collapse
No, they work on any device. There is no way for google to know what device is using it. You personally assign them for that phone, but if the password were to be stolen, then it can be used on any device. Also, if your account were to be compromised, you wouldn't know which password was stolen. With each application password you create, you are allowing another passcode that can be used to access your account. This seems very unsafe.
Update: I just tested this and I am right. I can use the same application specific password on all my apps and phones. So if this password were to be stolen, anyone could use it to login to my account. This is a major fail on the part of google....again.
Update2: Application specific passwords can be used to create login tokens. That means you can use a program like trillian to log into your gtalk using it, and then use the login token it produces to get access to your main google account through a web interface.
Well, that completely defeats the purpose of 2-part authentication. Oh well.
I hope you've reported this security hole... because obviously the intent is to be more secure than it actually is.
Which hole are you referring to? How google's two step verification is worthless because of one step passwords they force you handout to automated login apps? How Android's own password storage system keeps passwords in plain text and protects it by setting the file permissions to "please don't read this"? Or are you taking about how putting all these issues aside, I can still see my password in plain text in some sort of data capturing log that I found in a data dump of my phone's internal memory?
If you are talking about the last one, I'm still trying to find out exactly where the password is being stored in the dump and by what process. I've been searching through my phone's internal memory while it is on, but I can't seem to find it. I also want to rule out malware or something stupid that I might be doing before I start yelling about the sky falling. If more of you guys try this out, maybe we can rule out malware since all of us can't have the same bug. It really can't hurt your phone to dump it. It only takes 40 mins of your time.
(The more I learn about this stuff, the angrier I get.)
so after 3 tries i was able to dump the memory and after hours of searching i cant find my mn_aaa or mn_ha shared secrets,does anyone know the location of these? i have tried qxdm and after sending the spc i send
requestnvitemread ds_mip_ss_user_prof
and i get
22:53:26.203DIAG RX item:
22:53:26.203requestnvitemread - Error response received from target.
or is there another way to find them?
ummkiper said:
so after 3 tries i was able to dump the memory and after hours of searching i cant find my mn_aaa or mn_ha shared secrets,does anyone know the location of these? i have tried qxdm and after sending the spc i send
requestnvitemread ds_mip_ss_user_prof
and i get
22:53:26.203DIAG RX item:
22:53:26.203requestnvitemread - Error response received from target.
or is there another way to find them?
Click to expand...
Click to collapse
Any luck? I have the same issue with the Optimus V, e.g. I used another phone and reading the NV item was no issue. Seems to be specific to the LG.
srmuc69 said:
Any luck? I have the same issue with the Optimus V, e.g. I used another phone and reading the NV item was no issue. Seems to be specific to the LG.
Click to expand...
Click to collapse
well i think ive gotten further with qpst i opened service programming and put in my spc read the phone then saved to file. i double clicked the file and a viewer opened and i viewed it in text format i seen alot of nv items there but have yet to figure out which ones they are.
ummkiper said:
well i think ive gotten further with qpst i opened service programming and put in my spc read the phone then saved to file. i double clicked the file and a viewer opened and i viewed it in text format i seen alot of nv items there but have yet to figure out which ones they are.
Click to expand...
Click to collapse
Any luck? I did the same thing but as I have read in many other blogs the LG Optimus V times out in qpst, so did mine too.
I still have information in the file and I found the NV_ITEM_ARRARY in the file. What I do not know is how that array is built, e.g. is there a developer guide for CDMA phone where they detail the information. I was looking for the 1192 nv item and it should start wit the length like 0A for 10 digits of the AA Password. No luck so far without knowing what the bytes are and from just locking for 0A you get tons of hits.
What are you guys trying to accomplish? What is that code used for?
The dump should contain everything that is in the phone's memory. If the code is not encrypted or compressed in any way, it should be in there. The problem is that if you don't know the code, then you can't look up its location. Kind of a catch 22.
mmarz said:
What are you guys trying to accomplish? What is that code used for?
The dump should contain everything that is in the phone's memory. If the code is not encrypted or compressed in any way, it should be in there. The problem is that if you don't know the code, then you can't look up its location. Kind of a catch 22.
Click to expand...
Click to collapse
I'm trying to get the NV_ITEM 1192 and 466 from the LG Optimus V which is on Virgin Mobile. When I do that with CDMA Workshop it says access denied once you save the file. Now I'm tyring to find what these values are on my LG Optimus V. Do you think the dump will have this and how would I go to find the NV ITEMs, e.g. in which file are they and at what hex position?
srmuc69 said:
I'm trying to get the NV_ITEM 1192 and 466 from the LG Optimus V which is on Virgin Mobile. When I do that with CDMA Workshop it says access denied once you save the file. Now I'm tyring to find what these values are on my LG Optimus V. Do you think the dump will have this and how would I go to find the NV ITEMs, e.g. in which file are they and at what hex position?
Click to expand...
Click to collapse
yeah the dump should have all nv items.the hard part is figuring which ones are which.
mmarz said:
What are you guys trying to accomplish? What is that code used for?
The dump should contain everything that is in the phone's memory. If the code is not encrypted or compressed in any way, it should be in there. The problem is that if you don't know the code, then you can't look up its location. Kind of a catch 22.
Click to expand...
Click to collapse
well the mnha and mn aa are paswords needed to get your data working when you want to use a different phone ie the Samsung Epic on virgin mobile.you can clone all info from the optimus v to the epic but with out those password data will not work.i may not be inclined to do this anymore since the motorola triumph is coming out.meaning i wont need to find a better phone and clone this one.
Hello everyone,
I'm used to the LineageOS on my previous phone and now I've upgraded recently to this phone but I feel my personal info too much available to Google and MI system apps and I don't want that, thats why I went to LineageOS on my previous phone but, like others custom firmwares, it have several bugs which limits the potential of the phone.
Even not using an google account I can feel my life is being spied because a few things happen:
- if someone calls me, a friend or whatever, and its not in my contacts list it asks me if its spam. For what? To send the info somewhere using the internet connection and warns others if its spam? If it reads my contacts for this it can read those for anything, like copy my whole contacts list which I'm not comfortable with and I'm not able to control. I'm afraid that later if i use the regular browser to access Gmail for instance, I'm afraid the OS is prepared to warn google that all the info that' I've shared so far belongs to that particular Google account and that phone IMEI is also used but that account. I'm crazy? Maybe, but all this is possible and I want to make it impossible.
- If i do not allow Google services from accessing my text messages APP (built-in app) i keep getting a warning from the system that something it will not go OK if I do not turn on that access from Google services. Why the hell should google services needs to access my texts? My first phone, 20 years ago, could send SMS without google, why the hell google needs to see my texts now?
The list continues but I'm not willing to loose the nice things this OS have too, but for me personal info is too valuable and I dont want to give away any information from my contacts list, SMS texts, the places I visit, my tastes and so on, all this is my personal life and no one needs to know about it, not even just for statistics. Some people on my contacts list doesn't use Android and dont want the personal phone number stored somewhere and connected to me somehow, not that Im a criminal or something like but all this combined together its like a personal "Facebook" for Google and MI to use, they know who are the persons who I connect with, who are near me at a certain period of the day, where I usually do shopping, well, all my life is being stored somewhere, and I want to end this.
Is there a way to keep the current OS and block every outgoing info coming from the phone? I've made some research and i come to this so far
- AFwall can be a solution, but how good it is?
- Removing google services is not an option using ADB, the OS will not work
- Disable google services is not working. The system keeps turning it on automatically
Please give me your feedbacks with your experiences about this security issue, I think several people feels the same way, and how did you managed a work around to this keeping the original OS.
PS: For now I didnt unlock the bootloader, but I will if the solution goes that way.
Thank you everyone
Tomalamix
Living in the age of Google, one cannot use phone & Internet without your info being collected for ad purposes or whatsoever.
Ad purposes i can live with that,. what I cant live with is my personal data being stored by a 3rd party company besides my cell operator
Ive been watching the Anti-Gapps group but it seems discontinued i guess, i think this is a task fitted for them