Develop Bugs

EVO Security Questions

This is not troll baiting or OS Slamming...
Looking for knowledgeable and constructive feedback regarding device security. I'm thinking in terms of an Executive or VP or Network Admin or such loosing the device. a piece of software
1) to do more to control access than a squiggly line
2) to allow for remote GPS tracking and/or device data wiping
3) that is stealthy and/or hard to remove.
I know there are a few "security services" out there but that leads me into "how do i know whose who and who can be trusted in the android segment". I place a great deal of trust in the developer of my ROM. That he/she/they are benevolent and not including by intent or negligence loggers or other malware. then i have a companies like Wave and Norton and Good all angling to get installed on my device. i don't know Wave nor Good and I have no luv for Norton.
The EVO allows for RDC and VNC sessions. It allows for VPN access and has the pwd's to my personal and work email. meebo has me signed into all my chat networks. As a long time Windows person I guess it's just a lil disconcerting when i stop and think on it. this device can easily be configured to hold everything needed to access a secured network. Perhaps this is a reflection on my lack of understanding the system in depth. perhaps i'm not sure how well the opensource community will communicate "problem" apps and developers.
Also, and kinda sorta related. Applications in the marketplace. sometimes you get an application and the types of security access it is asking for seems a bit "off". occasionally in the comments the developer may comment that "i need to access X in order to provide Z". It usually makes sense (whether true or not i cannot say), but is there any nice cross-reference of what types of actions require what access level. or why so many apps need to know the phone state and identity or general location or full network access and what exactly that means to me as the end user. this second paragraph is proving difficult to put to paper..i may come back and edit for clarity.
and lastly, i guess is a question on how to protect from apps like this...
http://www.networkworld.com/news/2010/060210-android-rootkit-is-just-a.html?page=1
http://www.zdnet.com/blog/security/commercial-spying-app-for-android-devices-released/4900

looking for something kinda like this, but useful...
http://www.downloadsquad.com/2010/06/28/understanding-the-android-market-security-system/

Cloud Computing is not optional

Back in 2003, I came across a feature quietly tucked away in a service pack update I got for Win XP. They called it Microsoft Groove. It was a means of storing info online in case it was too big to send,you could upload pretty much anything(contacts,folders,etc.) and access the info remotely from any internet enabled computer in the world. Thanks but no thanks, I thought. My info, and that of others, is my responsibility to administrate.
Cut to 2012, now the contacts I had synchronised with Outlook back then,were associated with my Windows live account, which saved them online "as a backup". I cant sync contacts directly with my PC, now the info goes straight to the cloud platform. The cloud storage is the common meeting point for my devices, for years you could not take files directly from your 'high-tech' WP7 device and put them in your PC, you were ushered into the cloud computing framework and convinced that the whole thing was your idea all along. Real control over personal information is synonimous with older devices, the more advanced and current your device is,the less control you get over info. Sounds like a lame trade-off to me.

Vukile said:
Back in 2003, I came across a feature quietly tucked away in a service pack update I got for Win XP. They called it Microsoft Groove. It was a means of storing info online in case it was too big to send,you could upload pretty much anything(contacts,folders,etc.) and access the info remotely from any internet enabled computer in the world. Thanks but no thanks, I thought. My info, and that of others, is my responsibility to administrate.
Cut to 2012, now the contacts I had synchronised with Outlook back then,were associated with my Windows live account, which saved them online "as a backup". I cant sync contacts directly with my PC, now the info goes straight to the cloud platform. The cloud storage is the common meeting point for my devices, for years you could not take files directly from your 'high-tech' WP7 device and put them in your PC, you were ushered into the cloud computing framework and convinced that the whole thing was your idea all along. Real control over personal information is synonimous with older devices, the more advanced and current your device is,the less control you get over info. Sounds like a lame trade-off to me.
Click to expand...
Click to collapse
Many years ago I came across a little used feature called email, all sounded a bit "fantastical" to me at the time, I mean, we had pens, we had paper, letter boxes in every home, if we all sat around typing on monochrome screens our eyes would bleed, we'd get radiation burns and we'd all forget how to write and besides, it hadn't been THAT long since telegrams were sent on mass, and interestingly they would still have been a bigger user base for that too compared to "email"
needless to say we didn't all go blind or forget how to write (although that at least is partially debatable!) and now we send these fandangled electronic letters everywhere instead, so much so in fact, our postal service is just about broke.
I do hear what you are saying, but this IS the world we live in, we need to move with it an to be perfectly honest, the cloud has saved my bacon more than once, in situations that a direct sync with a computer would have been as useful as a chocolate teapot.
im curious
what is it that you don't like about cloud? is there any actual reason other than the "idea" of dumping your stuff on a third party service that can arguably can look after your data in a much more secure location than a home computer

I happen to like having full control of what goes in and out of my device. I dont live too far from the beach,but I rarely go. The idea of not having that option anymore would drive me over the edge, its as logical as having a pool at your house. My rant was spurred on by an article that suggested that our devices would merely be shells. Remember when gmail crashed a while back, or RIM, Facebook,Twitter,etc.? Bothered the hell out of me. If Im likely to fall prey to that again,I should at least be able to keep operating independently of those vices, otherwise my phone will turn into an overpriced flashlight.

Vukile said:
I happen to like having full control of what goes in and out of my device. I dont live too far from the beach,but I rarely go. The idea of not having that option anymore would drive me over the edge, its as logical as having a pool at your house. My rant was spurred on by an article that suggested that our devices would merely be shells. Remember when gmail crashed a while back, or RIM, Facebook,Twitter,etc.? Bothered the hell out of me. If Im likely to fall prey to that again,I should at least be able to keep operating independently of those vices, otherwise my phone will turn into an overpriced flashlight.
Click to expand...
Click to collapse
and yet, the flip side to that coin is that, yes you could sync directly to your computer to stay in "control" but should the server go down you still wont get your email in either case. If my server goes down my device keeps the contacts on it, it keeps the emails going back as far as I tell it too, I do not need to have the a connection to the server other than to get new data, which would screw both methods if that were to happen.
The other thing is that whilst direct syncing has benefits to some degree although personally I don't notice the difference any more as I cant even remember the last time I fired up outlook... anyhow, yes you can sync, but lets say you were on the beach and your phone goes tits up, I bet I can reset and be synced before you got off the beach unless the server is down in which case yes you could sync all your old data but your just as stuck for anything new as I would be, of course my other email account would be able to sync its contacts, so that would have to go down too, or perhaps the whole network stops...and wifi,,,
I do see what your saying, I used to think the same until I actually stood back and looked at it objectively, I asked myself some honest questions and added a second layer of redundancy by having my live and gmail accounts sync contacts and calendar info periodically. There really is only so much you can do and the benefits of cloud storage for me far out weigh the downsides.
Sorry my friend, but one way or another, direct syncing like the good old days is a relic of a time that's soon to be forgotten

I get you,dazza,really. My point is, though, that if theres a loss or unavailability of data, I want to be 100% responsible. I dread the day when I have to periodically look at a notification that says "Our technicians are working on it". This crap has gone down with every major cloud computing service or derivative since the innovation was thrust upon the masses. I just want my phone back,man. Screw the innovations, let me take my under-utilised hardware and be on my way.

Vukile said:
I get you,dazza,really. My point is, though, that if theres a loss or unavailability of data, I want to be 100% responsible. I dread the day when I have to periodically look at a notification that says "Our technicians are working on it". This crap has gone down with every major cloud computing service or derivative since the innovation was thrust upon the masses. I just want my phone back,man. Screw the innovations, let me take my under-utilised hardware and be on my way.
Click to expand...
Click to collapse
rip pimp c

I completely understand, but the reality is that is unlikely to come back, although I do see a future where the location of cloud can be changed, think along the lines of corporate domains with AD setup, companies may be ok with you taking work home an accessing via a phone but only on their terms, on their servers, if that were possible I could see a windows server extension to allow that, an thus potentially have it on a home server too... Maybe
Sent from my Samsung Focus S using XDA Windows Phone 7 App

Vukile said:
I get you,dazza,really. My point is, though, that if theres a loss or unavailability of data, I want to be 100% responsible. I dread the day when I have to periodically look at a notification that says "Our technicians are working on it". This crap has gone down with every major cloud computing service or derivative since the innovation was thrust upon the masses. I just want my phone back,man. Screw the innovations, let me take my under-utilised hardware and be on my way.
Click to expand...
Click to collapse
I used to feel the same way about print and electronic media. Think about it.

What I don't like is everything being dumbed down and the options being removed (Or made astronomically expensive) that used to exist before.
Microsoft has the technology (And the phone even supports it for corporates).
The fact is in terms of real usefulness palm os offline had far more innovative applications. (And didn't try to make everything moron proof).
---------- Post added at 02:59 AM ---------- Previous post was at 02:56 AM ----------
gentry33 said:
I used to feel the same way about print and electronic media. Think about it.
Click to expand...
Click to collapse
Realistically the consumer should get outlook connectivity / lync / sharepoint / office 365 in a hosted manner not the dumbed down experience that we do get.
(Even the old activesync system was preferable in a lot of ways).

And yet dumbed down is exactly what people want, you are not not the target user
Sent from my Samsung Focus S using XDA Windows Phone 7 App

dazza9075 said:
And yet dumbed down is exactly what people want, you are not not the target user
Sent from my Samsung Focus S using XDA Windows Phone 7 App
Click to expand...
Click to collapse
Schaps had the gameplan years ago, but we were too busy sleeping. Imma donate the hell out of itParticipate.
I fell for this this "We're not updating xxxxxxx device" crap afew times. I had an iMate Jam (largest selling PDA of its time) and I let it go because it was never gonna get a WM5 update. Nowadays, I see cats doing backflips and handstands with their WM6.5 iMate Jams like its the most natural thing in the world. When it comes to devices, N.E.R.D

You can still have a modern "PDA" and live completely off the "cloud", your data haphazardly fragmented across devices, if you really feel the need to live in the past. Ironically though, Microsoft is no longer the company that will provide you the platform with which to do so.

I wonder how many former HTC Leo owners wish they never listened to that. Btw, since starting this thread, I managed to achieve my goal. A little Chinese ingenuity here,a little Vietnamese there, a dollop of Russian app and add some Italian and Egyptian flair.... Tasty.

history is cyclical, that's how humanity progresses, we do learn mistakes from the past, but will find news ways to make it again. In XX years time, we might end up going back to individual storage again.

[Q] Is our information really secure from theft?

If you are like me, you should have all your favorite apps, documents, pictures etc. stored right on your phone that basically gives a full picture of who you are as an individual. You also have been pretty satisfied with the pattern, pin number, password or face unlock or all of these together as a security you have in place to prevent unauthorized access. But here is something that happened by accident that led me down this thought process. While trying to yank out the phone from my pocket while driving (which when you are getting a phone call especially becomes the most impossible task), I noticed that the phone "Power Down", "Restart", "Airplane Mode" pop up was on. This is on top of my regular swipe to unlock with pin number lock screen. This made me curious and noticed that the back button will work to close this pop up and also the power button works to reactivate this pop up. I hope everyone is with me till here. What surprised me was that the phone will actually turn off or restart from this point without the need for an unlock code. This means anyone with rooting and backup knowledge can steal my phone, restart my phone into recovery and wipe it to make the phone their own or just create a backup (CWM) and through that access my personal information. I know that photos and documents stored on the external card is open unless encrypted. But I hoped the internal data would be secure.
What do you guys think about this? Is there any app that would prevent access to the phone while locked via hard keys? What do you do to keep your information safe?

TL;DR version
If phone is stolen and person has knowledge of android they can factory reset your phone, even if you have a password setup. If they enter recovery they can wipe data and factory reset your phone and now it is usable for them.
My theory if you have your phone rooted I wish there was a way to lock the recovery with a password. Unfortunately ODIN will always be available able to get back to stock. Cerberus is a great app to have full control of phone if stolen FYI

DesperateScorpion151 said:
What do you guys think about this? Is there any app that would prevent access to the phone while locked via hard keys? What do you do to keep your information safe?
Click to expand...
Click to collapse
As soon as I realize it is missing I would activate the wipe feature in this software.
https://play.google.com/store/apps/details?id=com.lookout&hl=en
If I have your phone in my possession I guarantee I can hack it regardless of any security measure you make take, so the best solution is to be able to wipe it remotely.

technically even a remote wipe is not enough if the thief is knowledgeable. I accidentally wiped flashing in Odin with nand erase checkd and recovered everything that was on it using this
http://forum.xda-developers.com/showthread.php?t=1994705 so your never completely safe

Exactly my point like everyone else confirms it here. We have advanced so much to a point that even a 9 year old (not that 9 is too young to know computer basics) who is familiar with basics on rooting after reading through forums after forums can get away with stealing a smart phone now a days. At this point the only way I could think of protecting my data (first priority) and then track my phone is if the tracker is incorporated into the boot loader or recovery itself on top of what ever software you have installed in the OS. So if the thief tries to unlock my phone after a restart, the installed software should take care of the rest but If he/she is smart enough to go via boot loader or recovery then the incorporated tracker can do its thing. Anything of that sort exists?

Did you forget you could just pull the battery to get into recovery?

Why do you need to pull the battery?

Aerowinder said:
Why do you need to pull the battery?
Click to expand...
Click to collapse
You don't, but its easier than going through all of the steps OP posted.

I really doubt my data is worth anything. Pictures of my cats aren't exactly hot commodities and I don't store anything on my phone that I wouldn't publicly reveal, anyway.
I wouldn't be worried about my worthless information, just annoyed I was dumb enough to let it get stolen. Yeah, I know that basically anyone with half a brain can wipe a phone and re-sell it - it always amazes me when people think that thieves aren't smart enough to do that.
I'm cynical. Saves a lot of worry since I just expect the worst, I guess.

They get into your email where it may be more info to compromise.
Sent from my SGH-T999 using xda app-developers app

I would be less worried about the minute possibility of a phone thief targeting your personal information than I would be about your personal data being mined from your phone by numerous applications.
Bottom line is, if you use Google or Facebook, you personal information is already in the hands of giant corporations who will never be held accountable for the theft of your personal info.
Take Facebook for example - within the app, the only time it should ever ping your location is if you are using FB chat and have the location setting enabled. However, even when you disable location within FB chat, every single time you open Facebook it uses your GPS to get your location. Every time.
In addition, although you are unable to see it in action because there is no notification icon for it, I would bet a million bucks it's also pulling your network location if your GPS is off.
Facebook is constantly working in the background - even if you never opened it.
Google? I won't even begin to try and explain the amount of data they are collecting from you. As is T-Mobile, Sprint, Verizon, ATT, etc. every single second that your phone is on with data enabled.
Should we be concerned with some random thief who knows the ins and outs of Android pulling your data? Sure, we should think about it. But the reality is, if you own a smart phone your information is already out there in the hands of companies who will use it to any end they can in order to turn a profit. Period.

ButWhile I see the pros and cons of different parts involved in using social networks and so forth, one thing we can (at least for now) be certain of is that they won't use your credit card information etc. to make illegal purchases and so forth. I know of a person who routinely used the credit card app to check balance, pay bill etc. and next thing he was getting phone calls to see if the purchases made at a casino in Spain are OK?! This is without ever losing the phone!!. So, it could be worse in the case of phone loss. Sure, personal data, pictures and even email to some extent is not as bothersome to me as identity theft. Thank to some anti-fraud features of the banks etc. one can deny and simply not be associated with that activity (of course in legitamate cases). My friend ended up getting another card with different number and they closed the online banking account. He had to re-register all over with another id. So, it can be a big hassle. I heard of cases where people had to hire lawyers and run around courts to prove their innocence due to identity theft. Of course if you keep a picture of your driving licence on the phone, you are really asking for it so... (trust me, one girl was doing this because she didn't want to carry her purse/wallet on night outs)
Having said that, I am always worried if the roms we download here in XDA have trojans or backdoors built into kernels and system files... I know that it is like doubting even the good devs but how do we know for sure? Unless you are really an in-depth expert and figure out all the details such as processes and ports that are open and so forth, how do you really know? The phone's data icons keep pinging back and forth every now and then and at times I wonder what's being sent and what is it receiving... just sync'ing contacts...or...??
Call me paranoid but, after what happened to my friend, and similar stories, I am a bit skeptical about the security and integrity of the ROMs in the first place... Now, mostly I download and try different roms and settle on one that suits my preferences. I use the phone for calls as well as to make general tasks easier in many aspects except financial transactions. In short, I don't trust my smart phones.
For those of you wondering what Google is tracking, (not by any means the only place to look) login to your gmail account and look around different settings. You'll see web history, phone data to name a few..

[Q] Phone Encryption

Anyone have any experience with encryption on the One? My work email is requiring it and I've heard bad things about speed and battery life on other phones.

ewong90 said:
Anyone have any experience with encryption on the One? My work email is requiring it and I've heard bad things about speed and battery life on other phones.
Click to expand...
Click to collapse
I'm a network admin at my work, and I setup our Exchange policy, also requiring encryption on mobile devices. I added my work email to my personal One, and the encryption process took around 30 minutes (rough guess). Only had the phone a few days before I did this, but I haven't really noticed any performance of battery difference. I think this was a problem on older devices, but I've never used encryption previously on my personal devices, so I can't speak for anything else for sure. But, this phone is a beast, no issues for me.
I ran a AnTuTu Benchmark test on the stock ROM (I'm not unlocked ), with the result: 26044.
Attached some photos, 1 of the benchmark, 2 showing proof on the Exchange policy and encryption.
Edit: It wouldn't let my upload more than one image, not sure what's going on...
I have the other pictures saved with same date and time, maybe I can upload them in a few mins.

There exists an app that sandboxes exchange so you can enable all their nonsense but it does not actually touch anything. I do not remember what it is called sadly.

Putting your work exchange email on your personal phone is a dumb move. As soon as you do this you no longer "own" your phone, your employer does. They can fully wipe your phone at any time. People need to stop allowing this practice entirely. If your work requires you to have exchange email on a mobile device, make them provide it. Stop using YOUR device, and footing the bill, for a tool and service that THEY should provide. It's amazing how you get to pay for it, but they want complete control.
Sent from my HTC One using xda app-developers app

c5satellite2 said:
Putting your work exchange email on your personal phone is a dumb move. As soon as you do this you no longer "own" your phone, your employer does. They can fully wipe your phone at any time. People need to stop allowing this practice entirely. If your work requires you to have exchange email on a mobile device, make them provide it. Stop using YOUR device, and footing the bill, for a tool and service that THEY should provide. It's amazing how you get to pay for it, but they want complete control.
Sent from my HTC One using xda app-developers app
Click to expand...
Click to collapse
for some people its a personal choice for convenience.
For others, their employer pays their cellphone bill while allowing the employee to choose the device. My wife's work is like that, but they don't seem to require even a secure lockscreen.

Put me on the "Personal Choice" list. I have been running exchange on my devices for years for my corporate email. No encryption forced but the security does require a pass-code. The other option would be to carry 2-3 devices...not my cup of tea.

I highly recommend Moxier Mail. My company requires that my entire phone is encrypted and this program was a good way to circumvent this. They have no way to tell that you are using the program. It is a bit pricey, but to fully encrypt a phone can take up to 16 hours depending on what you have.

nrfitchett4 said:
for some people its a personal choice for convenience.
For others, their employer pays their cellphone bill while allowing the employee to choose the device. My wife's work is like that, but they don't seem to require even a secure lockscreen.
Click to expand...
Click to collapse
Just giving a heads up. Few people are aware that your entire phone can be wiped once you do this.
Sent from my HTC One using xda app-developers app

Like I said, I'm a network administrator at my work, and I created our Exchange policy, requiring a PIN and encryption. Exchange also has the option to control certain available features on the mobile device, such as the camera, or wifi, as well as preventing unsigned apps on the device. Like others have said, there is also the ability to remotely wipe the device from the Exchange server, or just remove the active sync account from the device.
I agree mostly with the above statements. I do not have a company supplied mobile phone, and don't really need one, but I did choose to have my work email setup on my phone for convenience, and for calendar entries. We do allow staff to add their work email to their own personal device, and that is why these type of options are available, so the company has a better control on the security and privacy of their digital property. I do not feel in any way that because I choose to add my work email to my own personal phone, that it is now company property, and I can remove my account at any time. I do agree, if the company requires you to have your work email on your mobile device, they company should at the very least pay the mobile bill, if not supply the device to begin with.
As far as the encryption, my HTC One took around 30 minutes to encrypt, and I have not seen any performance difference.
Attached are a few shots of the policy properties screen.
Edit: Another shot of the remote wipe screen.

Another thing to note, remote wipe is not necessarily a bad thing. I take some security in knowing I can wipe my device instantly should it go missing. Our setup has the option in the Outlook web interface so end-users can manage the device.
The longest encryption I ever did was an hour. 16 seems way too much but I guess it would depend on the phone and what was on the storage at the time.

calash said:
Another thing to note, remote wipe is not necessarily a bad thing. I take some security in knowing I can wipe my device instantly should it go missing. Our setup has the option in the Outlook web interface so end-users can manage the device.
The longest encryption I ever did was an hour. 16 seems way too much but I guess it would depend on the phone and what was on the storage at the time.
Click to expand...
Click to collapse
+1, forgot to mention users can also remotely wipe their own device in the OWA.

calash said:
Another thing to note, remote wipe is not necessarily a bad thing. I take some security in knowing I can wipe my device instantly should it go missing. Our setup has the option in the Outlook web interface so end-users can manage the device.
The longest encryption I ever did was an hour. 16 seems way too much but I guess it would depend on the phone and what was on the storage at the time.
Click to expand...
Click to collapse
It is a long time but when you have a 32 gig on storage w/ 32 gig sd card filled with vids, pics, and music it will get take a while for it to go.

[Cellcrypt App] -Encrypts Voice Calls and SMS

Just curious if there are any fellow Note 3 users of this app: Cellcrypt
And if so, what your thoughts are on it? This is the first that I've seen with voice encryption.
It seems pretty legit, but it's interesting how there's an office in the state of Virginia.
Just thinking outside of the box: If I was one of the three letter gov @GenTcies and wanted to create a platform to lure in those who's wanting secure communication, wouldn't it be proactive to create or have your hands in with a company who develops these kind of things?
I just have a trust issue with big companies and the you know who's being so nosy. Heck, I don't even trust our carriers...
So the big question is, for those who need secure communication (encrypted) what would be the best way to go?
Cellcrypt uses your data pipeline.

Your common sense already gave you the answer to your question. It may be nice encryption for general privacy but the big 3 letter gov agencies will surely have access to anything you say. If you don't believe it then try the men in black litmus test. Say something naughty that you know people dare not say and see if men in black show up to greet you
Knowing all this I still sometimes use redphone and textsecure.

Granted, using a VPN with Cellcrypt or RedPhone would make it a heck of a lot harder for intruders.
The only way I see it possible for anyone (carrier and them) to get anything from you is obviously from the carrier themselves being in bed with "them," to sell themselves out upon their request. (Logs etc...) However, with your phone connecting to the tower and the data being encrypted along with a vpn (already encrypted data within a vpn encrypted tunnel), I'm still having a hard time comprehending how the data can be cracked? We're talking some serious encryption that would even take super computers thousands++++ of years to even 'not even make a dent.'
Looking at it from a birds eye view:
Phone -> VPN -> Cellcrypt or RedPhone App -> Encrypted Data -> Tower -> VPN exit server -> Encrypted Data -> www/sms/voip
The only point of interception is the companies themselves..ie..Cellcrypt / RedPhone etc...
But, even then how would they be able to crack the encryption? (Probably because they hold the encryption keys?)
It would be interesting to get some insight on all this from the fellow members who are well versed in this stuff....
:good:
the-Mike_D said:
Your common sense already gave you the answer to your question. It may be nice encryption for general privacy but the big 3 letter gov agencies will surely have access to anything you say. If you don't believe it then try the men in black litmus test. Say something naughty that you know people dare not say and see if men in black show up to greet you
Knowing all this I still sometimes use redphone and textsecure.
Click to expand...
Click to collapse