This is not troll baiting or OS Slamming...
Looking for knowledgeable and constructive feedback regarding device security. I'm thinking in terms of an Executive or VP or Network Admin or such loosing the device. a piece of software
1) to do more to control access than a squiggly line
2) to allow for remote GPS tracking and/or device data wiping
3) that is stealthy and/or hard to remove.
I know there are a few "security services" out there but that leads me into "how do i know whose who and who can be trusted in the android segment". I place a great deal of trust in the developer of my ROM. That he/she/they are benevolent and not including by intent or negligence loggers or other malware. then i have a companies like Wave and Norton and Good all angling to get installed on my device. i don't know Wave nor Good and I have no luv for Norton.
The EVO allows for RDC and VNC sessions. It allows for VPN access and has the pwd's to my personal and work email. meebo has me signed into all my chat networks. As a long time Windows person I guess it's just a lil disconcerting when i stop and think on it. this device can easily be configured to hold everything needed to access a secured network. Perhaps this is a reflection on my lack of understanding the system in depth. perhaps i'm not sure how well the opensource community will communicate "problem" apps and developers.
Also, and kinda sorta related. Applications in the marketplace. sometimes you get an application and the types of security access it is asking for seems a bit "off". occasionally in the comments the developer may comment that "i need to access X in order to provide Z". It usually makes sense (whether true or not i cannot say), but is there any nice cross-reference of what types of actions require what access level. or why so many apps need to know the phone state and identity or general location or full network access and what exactly that means to me as the end user. this second paragraph is proving difficult to put to paper..i may come back and edit for clarity.
and lastly, i guess is a question on how to protect from apps like this...
http://www.networkworld.com/news/2010/060210-android-rootkit-is-just-a.html?page=1
http://www.zdnet.com/blog/security/commercial-spying-app-for-android-devices-released/4900
looking for something kinda like this, but useful...
http://www.downloadsquad.com/2010/06/28/understanding-the-android-market-security-system/
Related
This is not troll baiting or OS Slamming...
Looking for knowledgeable and constructive feedback regarding device security. I'm thinking in terms of an Executive or VP or Network Admin or such loosing the device. a piece of software
1) to do more to control access than a squiggly line
2) to allow for remote GPS tracking and/or device data wiping
3) that is stealthy and/or hard to remove.
I know there are a few "security services" out there but that leads me into "how do i know whose who and who can be trusted in the android segment". I place a great deal of trust in the developer of my ROM. That he/she/they are benevolent and not including by intent or negligence loggers or other malware. then i have a companies like Wave and Norton and Good all angling to get installed on my device. i don't know Wave nor Good and I have no luv for Norton.
The EVO allows for RDC and VNC sessions. It allows for VPN access and has the pwd's to my personal and work email. meebo has me signed into all my chat networks. As a long time Windows person I guess it's just a lil disconcerting when i stop and think on it. this device can easily be configured to hold everything needed to access a secured network. Perhaps this is a reflection on my lack of understanding the system in depth. perhaps i'm not sure how well the opensource community will communicate "problem" apps and developers.
Also, and kinda sorta related. Applications in the marketplace. sometimes you get an application and the types of security access it is asking for seems a bit "off". occasionally in the comments the developer may comment that "i need to access X in order to provide Z". It usually makes sense (whether true or not i cannot say), but is there any nice cross-reference of what types of actions require what access level. or why so many apps need to know the phone state and identity or general location or full network access and what exactly that means to me as the end user. this second paragraph is proving difficult to put to paper..i may come back and edit for clarity.
and lastly, i guess is a question on how to protect from apps like this...
http://www.networkworld.com/news/2010/060210-android-rootkit-is-just-a.html?page=1
http://www.zdnet.com/blog/security/commercial-spying-app-for-android-devices-released/4900
If the app seems fishy don't download it you can allways get lookout from the market it will pull your phone up on the gps and tell you exactly where it is I've tested you can also make it chirp real loud as for them accessing your phone put the pattern lock on in stead most thiefs are not hackers so they probably won't be able to access your phone even if you hard reset you still have to draw the pattern I mean unless they full root the phone and wipe it in petty sure you will be ok hope that helped
Sent from my PC36100 using XDA App
Lookout kinda falls into the same category at Good or Wave. (at least to me thus far). All appear to be fine and yet somehow free products. I'm looking for a corporate solution, not end user solution. a free solution would be swell, so long as trust can be established.
i am looking at this from a corporate IT security perspective. not a young person, a enthusiast nor regular end user. heck, if I could get all of my users to actually know what is meant by "if the app seems fishy don't use it", most of my job would be completed. but to be honest, i'm still trying to get a grasp on that myself in the android world, hence the question about access levels in last paragraph of original post.
the zigzag is nifty and should protect from casual access. Froyo will provide an interface that a secured Exchange server would prefer to have. that will help.
( BTW ... if anyone knows how to make the red line not appear when you mess up the pattern lock...you'd be my personal hero for the day)
its not thieves that I'm worried about...it's my own end users that have to be protected from themselves. if a device was left in a bar or cab and did end up in the wrong hands....data could be sold, deals could be lost, people could be embarrassed, with the type of data that 'can very easily' exist on these devices...network security itself can be compromised. and sadly, i must assume that a good many end users will disable security if they are able to. for the same reason they ***** at automatic screenlocks on their desktop/laptop computers.
would you rather your IT team "hope/pray/expect the device will be picked up by some incompetent/benign/lawabiding citizen" or the opposite?
i choose to prepare for the worst...hope for the best. not the other way around. hence, my questions.
Isn't remote wipe being built into froyo somehow? Thought I read that somewhere.
I have my exchange email set up on my device and it requires me to use a passcode. I cannot disable it.
Sent from my PC36100 using XDA App
As for wiping data remotely wave secure will do that it might be close to what you need or something for the time being hopefully this will help
Sent from my PC36100 using XDA App
This is kinda sorta what I'm lookn for.
http://www.downloadsquad.com/2010/06/28/understanding-the-android-market-security-system/
So its all over the news that Iphones, and Ipads are tracking the coordinates of their users, along with timestamps 24/7 UNENCRYPTED. I was researching this topic and found an article clearly suggesting that the same thing is going on with the Rhodium/Tilt 2, this was hinted at by this site showing HTC Sense's "Privacy" policy, which clearly states that HTC has the right to collect, store, transmit, and share a users location data. So can anyone do some filesystem digging and figure out to what extent were being subjected to this on our phones? On the Iphone you cant turn off the automatic tracking at all, unless you jailbreak the phone. Im wondering if the same is the case for our phones?, also wondering where this location history file could be stored, how much is stored, how much its accessed/transmitted, and most importantly whether its encrypted or not? And anything else that may be interesting. We all have a right to privacy, having an unencypted history of everywhere you've been should be disturbing to anyone, because well, first of all its unencrypted. Second of all, this feels like the gov't's solution to not having to put a chip in each of our necks like a dog, one by one. You want your girlfriend snooping and seeing on a map that you were at the nudie bar? This can cause all kinds of problems in peoples lives. Access to a map like with the Iphones location history is a stalkers dream. Unencryptedly disturbing. So lets figure out how data is used, stored, and gathered on our phones, and what to do about it, based on what the Iphone does I'm not confident right now that turning off the location setting will stop this. Below is HTC Sense's "Privacy" Policy.
From HTC’s Sense Privacy Statement:
"To provide location-based services, HTC and its partners may collect, use, transmit, process, store and share precise location data about your device. Location information may be transmitted even when you are not using a third party location-sharing service. This information may include but is not limited to your device ID and name, device type and real-time geographic location of your device. This location data is collected anonymously in a form that does not personally identify you and is used by HTC and its partners to provide and improve location-based products and services. You may also be able to submit to HTC location data such as “Points of Interest,” voice notes to share with friends, and other information. HTC may also supplement the information it collects with information obtained from other companies. HTC may share geographic location data with application providers when you opt in to use their location-based services. By enabling or using the location-based services or features (such as displaying your phone location, posting Footprints, etc.) and applications that depend on location-based information, you agree and consent to HTC collecting, using, transmitting, processing, storing and sharing information related to your account and the devices registered to your account for purposes of providing such location-based services or features to you. You may withdraw this consent by turning off the “HTC Locate” function in the location settings (as applicable) on your device. Some location-based services that HTC offers, such as the “HTC Locate” feature and remote lock or remote erase functions, require your Personal Information for the feature to work. If you use third party services that use or provide location data as part of the Service, you are subject to and should review the third party’s terms and privacy policy regarding the third party’s use of location data. Location data provided by the Service is not intended to be relied upon. HTC and its partners do not guarantee the availability, accuracy, completeness, reliability, or timeliness of location data or any other data displayed by the Service. The “HTC Locate” feature is intended for your personal use only to locate, send a message to, or remote lock or remote erase your own device. The location-based services are not intended or suitable for use as an emergency locator system."
Turn GPS off, problem solved?
Would using a non HTC/Sense rom solve the problem, if it exists?
I use android, no problems on my end
rhod 110
ryannathans said:
I use android, no problems on my end
Click to expand...
Click to collapse
Hahaha!
Good one.
(Android tracks your location too)
toadlife said:
Hahaha!
Good one.
(Android tracks your location too)
Click to expand...
Click to collapse
I know, not as serious as everyone has made the iphone issue though
With the Iphone, turning off the GPS doesnt disable this, the phone will resort to cell tower triangulation instead, which is something even an old school Nokia can achieve, nevermind our phones. The only way to turn the tracking off w/ the Iphone is to jailbreak it, or take the battery out. Ill bet anything that our phones are the same way. Its so cute having the weather right on your phone displaying the exact town you're in and temperature, but i'm sure after reading that "privacy" policy that thats all recorded somewhere on the phone, coordinates etc. And even if you can somehow be sure the location feature is turned off and not recording, theres got to be a history file still left behind, which needs to get tossed.
Possibly a bit of a dangerous thing to ask about, but I heard about a researcher named Charlie Miller uncovering an exploit through which he could do some fancy hacking on Android phones just by having them scan a NFC tag. I am interested in these hacks, using the old saying "it's not a bug, it's a feature", it could not only be used to perform malicious activities, but also enhance the possibilities of NFC. I seek to use this enhancement. My biggest idea in mind yet is use a tag to make a phone connect to wifi. It may seem like a simple idea, but you need additional software just to make the phone connect to wifi, since giving the command to connect is not standardized. This does impede the potential of NFC a bit, and me being the sort of person who keeps on messing around with his phone ROMs (believe me, my S3's flash count is skyrocketing), computer hardware and Linux distro's because it is never good enough simply can't just leave untweaked hardware and unremoved limitations alone.
There should be a command to turn wifi on? That's the closest you can probably do without installing software
x10man
As far as I know, officially the command has to be launched from an app that has the permissions to do so. As far as I know a bit of hacking is required to do it in another way.
DroidSheep is an Android application that demonstrates security weaknesses (not using https) and is capturing facebook, twitter, linkedin , yahoo, and other accounts.
PS> this is NOT my work, nor do i intend it to be taken as my work, I just wanted to share with the community!
NOTE FROM THE GERMAN DEVELOPER:
DroidSheep was developed as a tool for testing the security of your accounts.
This software is neither made for using it in public networks, nor for hijacking any other persons account.
It should only demonstrate the poor security properties network connections without encryption have.
So do not get DroidSheep to harm anybody or use it in order to gain unauthorized access to any account you do not own! Use this software only for analyzing your own security!
So do not get DroidSheep to harm anybody or use it in order to gain unauthorized access to any account you do not own! Use this software only for analyzing your own security!
Now>
WHAT DO YOU NEED?
1. A rooted phone (no, it will for sure not work without root)
2. The App installed on the phone (latest build attached to the present post)
3. A WIFI network to test it on
How do you use it?
DroidSheeps main intention is to demonstrate how EASY it can be, to take over nearly any internet account. Using DroidSheep any user – even without technical experience – can check if his websession can be attacked or not. For these users it is hard to determine, if the data is sent using HTTPS or not, specially in case of using apps. DroidSheep makes it easy to check this.
This video demonstrates what DroidSheep can do:
http://droidsheep.de/?page_id=14
How does it work?
As already announced DroidsSheep supports almost every website – also “big” webservices like facebook and Yahoo.
How does that work this simple?
There are many users that do not known that air is the transmission medium when using WiFi. Therefore information is not only transfered to its receiver but also to any other party in the network within the range of the radio waves.
Usually nothing special happens because the WiFi users discard packets that are not destined to themselves. DroidSheep does not do this. It reads all the packets looking at their contents.
Is a website sending a clear recognition feature within a message’s content, which can identify a user (“SessionID”), then DroidSheep is able to read it although it is not intended to external users. Moreover DroidSheep can use this token to use it as its own. The server can’t decide whether the authorized user or DroidSheep has sent the request.
http://droidsheep.de/?page_id=424
How can I protect myself?
The only satisfying answer is: SSL respectively HTTPS.
Many providers already offer HTTPS, even facebook, however it must often be enabled in the settings first.
When using HTTPS the data are still sent to alle participants in the WiFi-network, too, but because the data has been encrypted it is impossible for DroidSheep to decrypt the contect of a message - remaining only a complete mess of letters, with which an attacker can’t do anything.
The real problem is that not every website provides SSL. What to do when you are in a public network (hotel, airport, etc.), you also want to use this and the site does not offer HTTPS though?
You can use a VPN-connection
For this the computer sets up an encrypted channel to a confidential computer which again transfers the data to the website.
You can also install DroidSheep Guard from the Market:
https://play.google.com/store/apps/details?id=de.trier.infsec.koch.droidsheep.guard.free&hl=en
A very interesting feature is the possibility to save cookies!!
Source> http://droidsheep.de
Imagine the possibilities....
This isn't good dude.
And 'air' isn't the 'transmission medium' for WiFi. We figured that out when we discarded the ether hypothesis around a century ago.
backfromthestorm said:
This isn't good dude.
And 'air' isn't the 'transmission medium' for WiFi. We figured that out when we discarded the ether hypothesis around a century ago.
Click to expand...
Click to collapse
-what exactly "isn´t good" ?
Ok you are correct, yes, WIFI (as any other electromagnetic wave) can also be transmitted through vacuum, so yes there is no need of "air"
Re-ported to a MOD I don't think this should be shown or talked about on XDA this isn't an hacking site like you might think for taking advantage of other peoples accounts.
XDA is a hacking community for the good like Rooting.
This app has been on XDA for quite a while http://forum.xda-developers.com/showthread.php?t=1593990
Even a portal article about it http://www.xda-developers.com/android/droidsheep-undresses-network-security-and-shows-how-its-done/
Please use the main thread to discuss this app, not this one.
@ shankly1985, we appreciate your concern, but people need to know how insecure important accounts can be. Thus enabling them to make the changes to fix them.
Thread Closed.
Just curious if there are any fellow Note 3 users of this app: Cellcrypt
And if so, what your thoughts are on it? This is the first that I've seen with voice encryption.
It seems pretty legit, but it's interesting how there's an office in the state of Virginia.
Just thinking outside of the box: If I was one of the three letter gov @GenTcies and wanted to create a platform to lure in those who's wanting secure communication, wouldn't it be proactive to create or have your hands in with a company who develops these kind of things?
I just have a trust issue with big companies and the you know who's being so nosy. Heck, I don't even trust our carriers...
So the big question is, for those who need secure communication (encrypted) what would be the best way to go?
Cellcrypt uses your data pipeline.
Your common sense already gave you the answer to your question. It may be nice encryption for general privacy but the big 3 letter gov agencies will surely have access to anything you say. If you don't believe it then try the men in black litmus test. Say something naughty that you know people dare not say and see if men in black show up to greet you
Knowing all this I still sometimes use redphone and textsecure.
Granted, using a VPN with Cellcrypt or RedPhone would make it a heck of a lot harder for intruders.
The only way I see it possible for anyone (carrier and them) to get anything from you is obviously from the carrier themselves being in bed with "them," to sell themselves out upon their request. (Logs etc...) However, with your phone connecting to the tower and the data being encrypted along with a vpn (already encrypted data within a vpn encrypted tunnel), I'm still having a hard time comprehending how the data can be cracked? We're talking some serious encryption that would even take super computers thousands++++ of years to even 'not even make a dent.'
Looking at it from a birds eye view:
Phone -> VPN -> Cellcrypt or RedPhone App -> Encrypted Data -> Tower -> VPN exit server -> Encrypted Data -> www/sms/voip
The only point of interception is the companies themselves..ie..Cellcrypt / RedPhone etc...
But, even then how would they be able to crack the encryption? (Probably because they hold the encryption keys?)
It would be interesting to get some insight on all this from the fellow members who are well versed in this stuff....
:good:
the-Mike_D said:
Your common sense already gave you the answer to your question. It may be nice encryption for general privacy but the big 3 letter gov agencies will surely have access to anything you say. If you don't believe it then try the men in black litmus test. Say something naughty that you know people dare not say and see if men in black show up to greet you
Knowing all this I still sometimes use redphone and textsecure.
Click to expand...
Click to collapse