Develop Bugs

Windows Phone 7 DRM for Apps Cracked with Proof of Concept Program [Video]!

Security is an important aspect of anything that gets used by anyone, at any given moment around the world. For developers of applications that get purchased through a digital storefront, like Microsoft’s Windows Phone 7 Marketplace, making sure that it’s not easy, next to impossible in fact, to steal apps and put them on a device free-of-charge is just as important. But, as WPCentral reports, it looks like the Digital Rights Management (DRM) security tools set in place by Microsoft have been cracked!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Fortunately, though, the program that is being used to do so is not known to the general public. In point of fact, the “white hat” developer that created it is just showing it as a proof of concept. If the program were to make it out into the world, then it would be possible for some people out there to strip the DRM from applications available in the Windows Phone 7 Marketplace, and then download them for free.
As of the time of this writing, Microsoft hasn’t made an official comment regarding the security hole. WPCentral has been in contact with Brandon Watson from Microsoft, but so far they have not heard back from him. The video demonstrating the proof of concept program making short work of DRM for the Windows Phone 7 applications can be viewed below.
www.youtube.com/watch?v=flqB9WCkGiQ

The depressing thing is it's so disturbingly easy. I stumbled on it getting HTC Apps to work on my Samsung, and it's far too easy. I think it'll probably be a matter of time before piracy becomes public on WP7, so to speak.
And for any doubters as to whether it is genuine (seen a few in my travels) - It works. A paid-for, commercial application running in the Windows Phone 7 emulator, after being deployed from a cracked XAP.
Still, it's good to see that WP7 seems to attract the sort of user that isn't a rabid pirate. Despite the ground being laid for some time, and despite people having independently developed methods of piracy, No-one has yet put such information into the public domain, seeking a way of solving the problems, rather than exploiting them.

Microsoft have made an official comment, by email to every developer, on the 16th November, titled "Windows Phone 7 App Protection". It included a white paper on the topic which pretty much said it was easy to steal apps but was a limited risk because of a developer unlocked phone is needed, a limit to how many side loaded apps, basically a couple of steps which would turn off the casual pirate.
I suppose what's new here is a simple one click tool that exploits MS's oversight in this statement: "all signed applications on an unlocked phone still require a license acquired through Marketplace to run". Basically they didn't realise that if you strip the signature, no license is required.
Another thing is they shouldn't have made paid apps on unsecured URLs, they should have put more effort into a secure download system like Apple or pretty much anyone else has.
I guess the main problem, that was a fatal flaw in the design of the platform, is they don't allow native apps only .NET apps, which means almost every single app available can easily be decompiled back to source form. It's a much bigger problem if other developers can steal your code than a few users stealing your app. It's for this reason WP7 can't be taken seriously as a development platform. Oh also it means 3rd party apps launch too slow compared to the built in ones, 1 minute to launch Tetris what a joke.

If you could somehow exclude the paid apps from this "FreeMarketplace" it would be really helpful for people who live in countries where the marketplace isn't as good content wise as in the usa.
That way everyone could download those free apps without the region problems.
These are just my thoughts on this. I'm not a developer or anything so I don't really know if this is actually possible without hurting the developers in any way.

indiekiduk said:
Microsoft have made an official comment, by email to every developer, on the 16th November, titled "Windows Phone 7 App Protection". It included a white paper on the topic which pretty much said it was easy to steal apps but was a limited risk because of a developer unlocked phone is needed, a limit to how many side loaded apps, basically a couple of steps which would turn off the casual pirate.
I suppose what's new here is a simple one click tool that exploits MS's oversight in this statement: "all signed applications on an unlocked phone still require a license acquired through Marketplace to run". Basically they didn't realise that if you strip the signature, no license is required.
Another thing is they shouldn't have made paid apps on unsecured URLs, they should have put more effort into a secure download system like Apple or pretty much anyone else has.
I guess the main problem, that was a fatal flaw in the design of the platform, is they don't allow native apps only .NET apps, which means almost every single app available can easily be decompiled back to source form. It's a much bigger problem if other developers can steal your code than a few users stealing your app. It's for this reason WP7 can't be taken seriously as a development platform. Oh also it means 3rd party apps launch too slow compared to the built in ones, 1 minute to launch Tetris what a joke.
Click to expand...
Click to collapse
You still need a dev unlocked device to sideload the cracked apps. Chevron7 doesn't really do the job as the phone relocks itself every week? which gets a bit annoying and might put people off, and also delete all the sideloaded apps with it. Imagine that, all your save games, app settings and history being reset every week.
Unless someone improves on Chevron7 I don't think piracy is much of a danger.

thats a great revolution, wp is now jailbreaked )) have funnn

digger1985 said:
You still need a dev unlocked device to sideload the cracked apps. Chevron7 doesn't really do the job as the phone relocks itself every week? which gets a bit annoying and might put people off, and also delete all the sideloaded apps with it. Imagine that, all your save games, app settings and history being reset every week.
Unless someone improves on Chevron7 I don't think piracy is much of a danger.
Click to expand...
Click to collapse
If it relocks, it doesn't delete any sideloaded apps, it just prompts you to uninstall when you attempt to run them (though you can escape from the prompt of course). Also, you can avoid it relocking by putting the phone in Flight Mode before syncing.

hounsell said:
I stumbled on it getting HTC Apps to work on my Samsung, and it's far too easy.
Click to expand...
Click to collapse
THAT is very useful. Sharing HTC, LG and Samsung oem apps across platforms should be allowed.

hounsell said:
If it relocks, it doesn't delete any sideloaded apps, it just prompts you to uninstall when you attempt to run them (though you can escape from the prompt of course). Also, you can avoid it relocking by putting the phone in Flight Mode before syncing.
Click to expand...
Click to collapse
Any chance of sharing the (Free) HTC Youtube app? That's the only I desire desperately.

This "proof of concept" shows only one thing (according to youtube video) - guys intercepted search requests from Zune, parse the responce and make a simple app to duplicate Zune's functionality. Anyone who can spend 30 minutes to WireShark and couple hours for coding can do the same app (actually, I've already posted a direct URL's to the marketplace apps on this forum).
As far as I understand, that's it, nothing more. No DRM crack, no "apps cracked", no "security hole" - just nothing!
As for .NET apps vulnerability: does anybody here have an experience to disassemble and compile back a really complicated and large application, obfuscated by the latest commercial version of Dotfuscator (actually, the wp7 devs can obtain it for free until March 2011)? I've tried once (of course I'm not a "some hat - white or black, just a pro developer)... Results are negative. In theory it's possible but... We saw a lot (no, A LOT!) of commercial native apps for win32, mac etc. successfully cracked and hacked. Just visit any pirate tracker for proof. So, it's not a "big .NET problem".

digger1985 said:
Any chance of sharing the (Free) HTC Youtube app? That's the only I desire desperately.
Click to expand...
Click to collapse
Without real hack (hacking license verification etc.) it's not possible. Simple downloader described here as "WP7 ultimate crack" can't help. If you want you may search my posts here, I've already posted direct link to HTC's youtube xap...

I think it's real.
Another guy also did the same
http://forums.create.msdn.com/forums/t/70704.aspx
He cracked an app on request and loaded into the emulator.

sensboston said:
Without real hack (hacking license verification etc.) it's not possible. Simple downloader described here as "WP7 ultimate crack" can't help. If you want you may search my posts here, I've already posted direct link to HTC's youtube xap...
Click to expand...
Click to collapse
I believe Hounsell managed to run the HTC stocks app on a Samsung
http://www.neowin.net/news/htc-wp7-app-ported-to-other-wp7-hardware

digger1985 said:
I think it's real
Click to expand...
Click to collapse
Real what? Read my post above... If someone "hacked" non-obfuscated small application by removing or blocking IsTrial() requests, it's not a real hack.
Ask this guy to "hack" NeedForSpeed Undercover ;-)

sensboston said:
As for .NET apps vulnerability: does anybody here have an experience to disassemble and compile back a really complicated and large application, obfuscated by the latest commercial version of Dotfuscator (actually, the wp7 devs can obtain it for free until March 2011)? I've tried once (of course I'm not a "some hat - white or black, just a pro developer)... Results are negative. In theory it's possible but... We saw a lot (no, A LOT!) of commercial native apps for win32, mac etc. successfully cracked and hacked. Just visit any pirate tracker for proof. So, it's not a "big .NET problem".
Click to expand...
Click to collapse
You didn't see any source code for commercial native apps because there are no automatic tools that do it, but you can see source code for all WP7 apps, using a free utility called Reflector. You choose the app, and it generates a visual studio project containing the code, simple as that.
In my experience developers don't readily use .NET obfuscators because they generally introduce instability which leads to increased development time.

indiekiduk said:
You didn't see any source code for commercial native apps because there are no automatic tools that do it, but you can see source code for all WP7 apps, using a free utility called Reflector.
Click to expand...
Click to collapse
Huh? HexRays has an ARM decompiler which can produce readable C. It is possible to get back to similar to the source equivalent (with a lot of manual tweaking). If MS used a strong packer on the native code then it would make reversing it much harder/time consuming. At the end of the day it still needs to execute.

I've used .NET Reflector for years (and I do have another one, for Java/.NET written by my friend - sorry, can't announce it here).
My question is: have you ever tried to disassemble and re-assemble big, obfuscated application? Or you just theorizing? I did, and it's very complicated/not possible (at least by using Reflector tool only). This method is good for small non-obfuscated application only.
For the topic: here is my "proof of concept"
- use this url to browse Zune market for apps:
http://catalog.zune.net/v3.2/en-US/apps?q=Ebook Reader&clientType=WinMobile 7.0&store=zest
replace Ebook%20Reader to any your search term, don't exactly know about "store" field and en-US. You'll get an XML in response with found apps info.
To get an app full download url, I believe, you'll need some additional requests but I don't have time (and interest!) now to play with Wireshark and track Zune's and WP marketplace requests...

sensboston said:
This "proof of concept" shows only one thing (according to youtube video) - guys intercepted search requests from Zune, parse the responce and make a simple app to duplicate Zune's functionality. Anyone who can spend 30 minutes to WireShark and couple hours for coding can do the same app (actually, I've already posted a direct URL's to the marketplace apps on this forum)
As for .NET apps vulnerability: does anybody here have an experience to disassemble and compile back a really complicated and large application, obfuscated by the latest commercial version of Dotfuscator (actually, the wp7 devs can obtain it for free until March 2011)? I've tried once (of course I'm not a "some hat - white or black, just a pro developer)... Results are negative.
Click to expand...
Click to collapse
Really? You should be able to decompile it and recomplie it with Reflector though, right? Even if the actual meaning of the code is hard to deduce after that point.....The CIL is stack-based, so you should be able to break it up into functions if nothing else.....
sensboston said:
This "proof of concept" shows only one thing (according to youtube video) - guys intercepted search requests from Zune, parse the responce and make a simple app to duplicate Zune's functionality. Anyone who can spend 30 minutes to WireShark and couple hours for coding can do the same app (actually, I've already posted a direct URL's to the marketplace apps on this forum)
Click to expand...
Click to collapse
Ya, this guy is lame. Let's ignore him and get back to work getting real stuff done.

n0psl3d said:
It is possible to get back to similar to the source equivalent (with a lot of manual tweaking) ... At the end of the day it still needs to execute.
Click to expand...
Click to collapse
This ^^
Reflector is great, but it's not a one-stop-recompile-shop. It still takes a massive amount of restructuring to get even an un-obfuscated application back together.
Also, WP7 business logic is almost always in the cloud. For 90% of applications, XAPs are basically just UIs - especially with the intense restrictions imposed on development right now.

digger1985 said:
Any chance of sharing the (Free) HTC Youtube app? That's the only I desire desperately.
Click to expand...
Click to collapse
I've got it running, but it doesn't function at the moment because HTC decided to use their own native functions tied to their driver, rather than the inbuilt .NET classes. All the network requests the app makes fails. Thinking of possible ways round this, but it would probably end up being so much work, it might just be quicker to create a clone.
Blade0rz said:
This ^^
Reflector is great, but it's not a one-stop-recompile-shop. It still takes a massive amount of restructuring to get even an un-obfuscated application back together.
Also, WP7 business logic is almost always in the cloud. For 90% of applications, XAPs are basically just UIs - especially with the intense restrictions imposed on development right now.
Click to expand...
Click to collapse
This. Reverse-engineering, and even modifying an existing app is one thing in Reflector, but copy/pasting code will never work in large quantities, it's just not that accurate in my experience. So sure, your tips and tricks might not be safe, but your app as a whole isn't going to be just duplicated and reuploaded to the marketplace.
Of course, "cracked" for piracy is a whole other matter.

The WP7 app list needs grouping - NOW!

I'm a WP7 user, who also owns an iPod touch. Overall I like the WP7 experience, except for the app list - in my opinion it's killing the system.
On my Ipod I have probably around 200 apps. They are organised by page - so I have a page for games, a page for music apps, a page for productivity apps etc. With the newer version of iOS I've also made sub-folders on each page, but the point is; when I need X app I just swipe to the relevant page, then look for its icon.
This also has a nice side effect; when i'm bored, it's easy just to flick through the screens and find an app I want to play with.
On WP7 there is no quick way to find an app without knowing its name. For example, I installed a currency converter but to run I have to browse through a list of around 40 apps, looking for it. I don't remember what its icon looks like or its name as I use it infrequently - this process takes ages, and defies the point of having a smart phone, which you can quickly take out your pocket and look up something.
There is no real way you can memorise the names of 100+ apps, so the only choice is scrolling. However, having one long list is broken from a usability point of view, as every time you install a new app everything below in the list it gets pushed down a little bit. Therefore if you do learn how far down to scroll to find a specific app, it will eventually move and you won't find it again.
Finally, already there are tons of apps on my phone that I have forgotten I have installed. The list is not easy to flick through when bored, so infrequently used apps get neglected. Bare in mind I only have around 30 apps installed, and already I'm confused / lost..
All this could be solved so easily by adding groups, like the people hub has in Mango. Imagine being able to add groups at the top of the list like "Games", "Productivity", "Sound" etc, and a killer feature would be that you can add each app to multiple groups. Newly installed apps could even go in a default group called "Programs", bit like Windows.
This simple change would make the phone about 1000x more productive than now - thoughts?

Whatever do you need two hundred applications for???
I have around 50 apps installed on my WP7, and everything I need it for is covered. It is significantly easier to remember the names of 50 apps than 200, especially considering most apps on WP7 have reasonable names "London Travel", "Groceries", etc...
With the jump list feature in mango, it will become easier to page through a long list of apps as the app list will replicate the naviation of the people list, where you can click on any letter, then the letter you want, and jump straight to where you need to be.
I personally like the simplicity of the tiles and apps. I agree that another page on the left, where you could select a bunch of "frequently used, but not so frequently that I want them as live tiles" apps, would be a definite improvement though.
Aphasaic2002 said:
I'm a WP7 user, who also owns an iPod touch. Overall I like the WP7 experience, except for the app list - in my opinion it's killing the system.
On my Ipod I have probably around 200 apps. They are organised by page - so I have a page for games, a page for music apps, a page for productivity apps etc. With the newer version of iOS I've also made sub-folders on each page, but the point is; when I need X app I just swipe to the relevant page, then look for its icon.
This also has a nice side effect; when i'm bored, it's easy just to flick through the screens and find an app I want to play with.
On WP7 there is no quick way to find an app without knowing its name. For example, I installed a currency converter but to run I have to browse through a list of around 40 apps, looking for it. I don't remember what its icon looks like or its name as I use it infrequently - this process takes ages, and defies the point of having a smart phone, which you can quickly take out your pocket and look up something.
There is no real way you can memorise the names of 100+ apps, so the only choice is scrolling. However, having one long list is broken from a usability point of view, as every time you install a new app everything below in the list it gets pushed down a little bit. Therefore if you do learn how far down to scroll to find a specific app, it will eventually move and you won't find it again.
Finally, already there are tons of apps on my phone that I have forgotten I have installed. The list is not easy to flick through when bored, so infrequently used apps get neglected. Bare in mind I only have around 30 apps installed, and already I'm confused / lost..
All this could be solved so easily by adding groups, like the people hub has in Mango. Imagine being able to add groups at the top of the list like "Games", "Productivity", "Sound" etc, and a killer feature would be that you can add each app to multiple groups. Newly installed apps could even go in a default group called "Programs", bit like Windows.
This simple change would make the phone about 1000x more productive than now - thoughts?
Click to expand...
Click to collapse

Here's what grouping the app list looks like -
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

you can artificially group them on your start screen by doing something like this:
http://www.wpcentral.com/organise-your-start-screen-live-tiles
personally, the ability to add something to a hub, or to just have the option for folders would be helpful for people who want more control over the organization of apps, but i have maybe 50 apps installed and rarely do i find i'm missing an app for something.

andrewkeith5 said:
Whatever do you need two hundred applications for???
I have around 50 apps installed on my WP7, and everything I need it for is covered. It is significantly easier to remember the names of 50 apps than 200, especially considering most apps on WP7 have reasonable names "London Travel", "Groceries", etc...
With the jump list feature in mango, it will become easier to page through a long list of apps as the app list will replicate the naviation of the people list, where you can click on any letter, then the letter you want, and jump straight to where you need to be.
I personally like the simplicity of the tiles and apps. I agree that another page on the left, where you could select a bunch of "frequently used, but not so frequently that I want them as live tiles" apps, would be a definite improvement though.
Click to expand...
Click to collapse
So now we are being judged for having too many apps? What business is it of yours (or anyone's) how many apps someone else has on their phone?
For people who have more use for their phone than 50 apps can satisfy, the current system, even with the jump list, is woefully inadequate. Too many app developers think they can be "clever" by giving their app a name that really has little bearing on its use. When you get too many of these on your phone, it becomes annoyingly difficult to remember the obscure names of all of these apps, so even the jump list and search features don't really help much.
Adding the option to pin apps to the top of the list (and then be able to drag them into a preferred order, similar to the way live tiles can be dragged around) would be a huge benefit to many of us. Even a "most recently used" list or the ability to group by marketplace category would help.

Aphasaic2002 said:
I'm a WP7 user, who also owns an iPod touch. Overall I like the WP7 experience, except for the app list - in my opinion it's killing the system.
On my Ipod I have probably around 200 apps. They are organised by page - so I have a page for games, a page for music apps, a page for productivity apps etc. With the newer version of iOS I've also made sub-folders on each page, but the point is; when I need X app I just swipe to the relevant page, then look for its icon.
This also has a nice side effect; when i'm bored, it's easy just to flick through the screens and find an app I want to play with.
On WP7 there is no quick way to find an app without knowing its name. For example, I installed a currency converter but to run I have to browse through a list of around 40 apps, looking for it. I don't remember what its icon looks like or its name as I use it infrequently - this process takes ages, and defies the point of having a smart phone, which you can quickly take out your pocket and look up something.
There is no real way you can memorise the names of 100+ apps, so the only choice is scrolling. However, having one long list is broken from a usability point of view, as every time you install a new app everything below in the list it gets pushed down a little bit. Therefore if you do learn how far down to scroll to find a specific app, it will eventually move and you won't find it again.
Finally, already there are tons of apps on my phone that I have forgotten I have installed. The list is not easy to flick through when bored, so infrequently used apps get neglected. Bare in mind I only have around 30 apps installed, and already I'm confused / lost..
All this could be solved so easily by adding groups, like the people hub has in Mango. Imagine being able to add groups at the top of the list like "Games", "Productivity", "Sound" etc, and a killer feature would be that you can add each app to multiple groups. Newly installed apps could even go in a default group called "Programs", bit like Windows.
This simple change would make the phone about 1000x more productive than now - thoughts?
Click to expand...
Click to collapse
Nah man, it's just because you're so used to working with the 4x4 grid. Your brain is gonna pick up working with WP7 and you'll start remembering the names of apps, at least ones that you use frequently.
Worst case my friend, use the voice option to open the name of the app
OR
Hit the Magnifying glass and do a search of the functionality that you're looking for. Mango has it where it'll suggest apps for the tasks that you want to do.
As a tangent, I can't even imagine drilling down through so many levels of folders to find what I'm looking for, at least on a phone, that just sounds nuts to me.

ScottSUmmers said:
Hit the Magnifying glass and do a search of the functionality that you're looking for. Mango has it where it'll suggest apps for the tasks that you want to do.
.
Click to expand...
Click to collapse
i didn't know mango had that as a feature, neat!

tired of these threads with these lousy childish complaints. use the jumplist, search feature or pin your most used apps to the start screen!!!! and be done with it, that's what it's there for!

Ok, so everyone always says "use the jump list" or "use the search function...
There is no jumplist. I have 86 apps in my applist and there's no jumplist.
There is no search. When I press the search button, I get the bing search. If I enter the name of any of my apps, all it gives me is bing search results. "Web" and "News". There's no option to search/find apps.
So please either stop telling use to use these non-existing features or tell us how to enable them. Until then: I want groups as well!

Not to pile on, but if you can't find a currency converter app on your phone that you installed in a list of 40 apps, maybe the phone isn't the problem. Additionally, if you believe finding an app within multiple pages with multiple sub genres is less confusing, I just don't know what to say.
Sent from my SGH-i917 using XDA Windows Phone 7 App

It's not too bad of a suggestiong, not sure why some are taking it so personally. Right now it's not a big deal but later on when you have a lot of apps, then it may be nice to have grouping. It will also probably look better visually, then just a plain list.
On the other hand, as others have already mentioned there are ways to get around it now, use the voice command.. it's works great. Or use the search grid. Or pin if you have too.

N0MN0M said:
use the voice command.. it's works great.
Click to expand...
Click to collapse
while voice launching works surprisingly well, I'd just feel stupid in public (city, train) to yell "start nyan!"...

Localhorst86 said:
while voice launching works surprisingly well, I'd just feel stupid in public (city, train) to yell "start nyan!"...
Click to expand...
Click to collapse
then PIN THE APP!!!!!

eric12341 said:
then PIN THE APP!!!!!
Click to expand...
Click to collapse
And needlessly clutter the start screen. Brilliant idea, that one.

Localhorst86 said:
Ok, so everyone always says "use the jump list" or "use the search function...
There is no jumplist. I have 86 apps in my applist and there's no jumplist.
There is no search. When I press the search button, I get the bing search. If I enter the name of any of my apps, all it gives me is bing search results. "Web" and "News". There's no option to search/find apps.
So please either stop telling use to use these non-existing features or tell us how to enable them. Until then: I want groups as well!
Click to expand...
Click to collapse
I'm assuming you don't have Mango. In Mango, you have the following
1. Jump list is activated when you have greater than 4X (I forget the exact number) apps
2. I just did a search for "restaurant reviews" and the first result is the Yelp icon with the ability to launch the app. It is under the web tab. In addition, there is a search button in the app list (under the arrow)

munkeyphyst said:
Not to pile on, but if you can't find a currency converter app on your phone that you installed in a list of 40 apps, maybe the phone isn't the problem. Additionally, if you believe finding an app within multiple pages with multiple sub genres is less confusing, I just don't know what to say.
Click to expand...
Click to collapse
You are piling on, and you know it .
But let's take your specific example. I have the XE currency converter app on my phone. The problem is, in an effort to be clever, they put the "XE" in the icon, and called the app "Currency". So, looking at it in the list you still see "XE Currency".
If I used it every day, I'd get used to that. But I don't use it every day (and therefore DON'T, I repeat DON'T want to pin it to the start screen). And, the few times I have used it, my mind has focused on the fact that it is XE (since that has always been its name on the web site I've used for the past ten years, i.e. xe.com). Unfortunately, you won't find it under X in the list, but under C. And in a list of 150+ apps, it tends to get lost fairly quickly.

Seriously people, stop bashing others for not wanting to just settle for something less or not be like everyone else. Having groups/folders/etc. is a good suggestion. Also, a lot of your suggestions are for Mango, which many of us don't want to run yet as you loose a lot of homebrew on it nevermind it's Beta. So, in the end, stop crying because someone has a complaint or is giving constructive criticism. While you may like it exactly as is, not everyone does & having choices is better.

PG2G said:
2. I just did a search for "restaurant reviews" and the first result is the Yelp icon with the ability to launch the app. It is under the web tab. In addition, there is a search button in the app list (under the arrow)
Click to expand...
Click to collapse
And you really don't see how monumentally inefficient it is to have to open bing and type in "restaurant reviews" and wait for the search results, just to launch an app that is already installed? I think that new feature of bing is more intended to help people recognize that an app they already have offers a feature they didn't know about or to allow them to install the app if they don't already have it, not to provide an efficient means to launch an app that you are already familiar with.

RoboDad said:
And needlessly clutter the start screen. Brilliant idea, that one.
Click to expand...
Click to collapse
apps u most commonly use on a daily basis aren't " needless clutter" and its not MS' problem that u don't want to actually use the start screen.

eric12341 said:
apps u most commonly use on a daily basis aren't " needless clutter" and its not MS' problem that u don't want to actually use the start screen.
Click to expand...
Click to collapse
You really need to pay more attention to what is written in the thread before responding. Read this again:
RoboDad said:
If I used it every day, I'd get used to that. But I don't use it every day (and therefore DON'T, I repeat DON'T want to pin it to the start screen).
Click to expand...
Click to collapse

Potential Security Issue with S-Memo and JB

I was poking around my GS3 today (ATT version but running the Sprint Official JB release LJ7) and I found something pretty shocking. I was poking around the S-memo databases when I opened a table using SQLIte editior. When I opened the table I was shocked to see my Google account username and password in clear plain text. Now, I did have the option to sync to Google drive and the app did prompt for my google username and password so obviously it stores it somewhere. I was just shocked to see it stored in plain text and not encrypted.
I know someone who checked his ATT GS3 running ICS and he did not have these entries in his DB which makes me think it's a JB thing.
To check you need to be rooted and have SQLite editor installed.
Steps to check
1. Set up S-Memo to sync with your Google account
2. Use SQLite editor and navigate to /data/data/com.sec.android.provider.smemo/databases
3. Open the Pen_memo.db file and select the CommonSettings table. Look to see if your Google account info is stored in plain text.
This could potentially be a serious issue. If people running JB on their GS3 can check this that would be awesome. Someone already checked the latest ICS build for the ATT variant but if others on ICS or with a different variant can check that would be great. I will get to check my GF's I-9300 running JB tomorrow when I see her.
Also I'm not sure how app permissions work on android, meaning if one app could access the data/database of another app(without root, because obviously with root another app can, in this case SQLite opened the file). Since the DB is in the /data partition and the permissions are r/w by default I'm thinking it wouldn't be difficult for a malicious non root app to access this database and query it for the information unless there is something built into android that wont allow that.
I have attached a SS of what my table looked like. Obviously I blacked out my PW and also the Google auth ID
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

Actually, while /data is available for you to browse, that is because you have root. It's RW but only within the packages that each app is sandboxed. If you disable root you will not be able to view that database.
It is possible for the same developer to access the /data files of another one of their apps if they use the same namespace.
So, while this is indeed a risk, it would not be trivial for another app to gain access without asking for root or cracking root itself.

ViViDboarder said:
Actually, while /data is available for you to browse, that is because you have root. It's RW but only within the packages that each app is sandboxed. If you disable root you will not be able to view that database.
It is possible for the same developer to access the /data files of another one of their apps if they use the same namespace.
So, while this is indeed a risk, it would not be trivial for another app to gain access without asking for root or cracking root itself.
Click to expand...
Click to collapse
Ahh OK. Yeah I wasn't sure if another app would be able or not. Ive never not been rooted so I wasnt 100% sure about that. So I guess this issue would just concern root users. I still think though the data should have been encrypted before the record was inserted. It did kinda freak me out to open that table and see my google password staring at me.

I don't use S-Memo much but thanks for the heads up.

ViViDboarder said:
Actually, while /data is available for you to browse, that is because you have root. It's RW but only within the packages that each app is sandboxed. If you disable root you will not be able to view that database.
It is possible for the same developer to access the /data files of another one of their apps if they use the same namespace.
So, while this is indeed a risk, it would not be trivial for another app to gain access without asking for root or cracking root itself.
Click to expand...
Click to collapse
There are on Play and on the net "free apps" which needs root access to work. Once you grant access to any of them those can get your info and sent it to anyplace.
Sent from my O=O

csmasn said:
There are on Play and on the net "free apps" which needs root access to work. Once you grant access to any of them those can get your info and sent it to anyplace.
Sent from my O=O
Click to expand...
Click to collapse
Agreed but that is why you should be checking carefully what root apps are doing. Also not just willy-nilly granting Superuser permissions. Half of XDA would be at risk cause they see the SuperUser popup and most of the time just press grant not ever thinking 'What does that mean?' yes they want to test an app, but FFS check what it wants to do. That is the screen that pops up (another one people ignore - yes I am guilty of it my self sometimes thinking nothing has changed between one version to the next) just as you are installing the app. If it is wanting to do things in areas you don't want it to be then don't install it and confront the developer about it.
In this case you can't really confront Samsung devs about this, but the thing is we know what it is for, and secondly your not installing it comes pre-installed. But you get my point. I doubt that the Samsung devs have malicious intensions, where as other developers that your are granting SuperUser permissions to...who knows?

Yikes! Good news, this is not as bad as it seems. The data is not accessible without root.
Once an app has root, it is all over. You have to trust the app to use it wisely (trust me a lot of root apps are unsafe). With this kind of issue, it is probably safer to notify the OEM before publishing, allowing them time to fix it. This is exactly why I am not one to run root apps without a review of them myself.
I took the liberty to forward this on to those that can get it fixed. Nice find.

This should probably use a token-based authentication system, rather than the ACTUAL google account username and password...
Still not brilliant for security, but at least it's not your ACTUAL password in plaintext...

Jarmezrocks said:
Agreed but that is why you should be checking carefully what root apps are doing. Also not just willy-nilly granting Superuser permissions. Half of XDA would be at risk cause they see the SuperUser popup and most of the time just press grant not ever thinking 'What does that mean?' yes they want to test an app, but FFS check what it wants to do. That is the screen that pops up (another one people ignore - yes I am guilty of it my self sometimes thinking nothing has changed between one version to the next) just as you are installing the app. If it is wanting to do things in areas you don't want it to be then don't install it and confront the developer about it.
In this case you can't really confront Samsung devs about this, but the thing is we know what it is for, and secondly your not installing it comes pre-installed. But you get my point. I doubt that the Samsung devs have malicious intensions, where as other developers that your are granting SuperUser permissions to...who knows?
Click to expand...
Click to collapse
Agreed with you.
But about Google's Devs, because it's a Google's flaw. Encryption is old enough, so they can implement it.
Sent from my O=O

graffixnyc said:
I was just shocked to see it stored in plain text and not encrypted.
Click to expand...
Click to collapse
Suppose they were to encrypt it, where would they store the decryption key?

If somebody knowledgeable stole your GS3, and mounted it in Linux using adbfs, would make a bad situation worse, if they got your Google account login. Passwords in plaintext are bad in any case, I still don't trust either Android or iOS for really sensitive apps like banking.

Great job, samsung.
Why the heck you needed those creds anyway? Use tokens.

Checked mine (4.1.1 International version though), and these are the entries in my CommonSettings table...
IS_BOOT_COMPLETED
IS_MEDIA_MOUNTED
SAVED_PAPER
tutorial_view_state
_pref_list_type_before_tag
serialization_hashcode
serialization_canvas_mode
serialization_tag_mode
...nothing about my Google ID.

So I'm on cm10 tmous and don't use smemo... but I can confirm this issue is the same for com.android.email in databases in the email provider.db is a HostAuth.. and when I open that up sure as sh!t there is ALL my email accounts and listed PW in plain text... not secured... really jacked up its not just an s-memo issue..

da-pharoah said:
So I'm on cm10 tmous and don't use smemo... but I can confirm this issue is the same for com.android.email in databases in the email provider.db is a HostAuth.. and when I open that up sure as sh!t there is ALL my email accounts and listed PW in plain text... not secured... really jacked up its not just an s-memo issue..
Click to expand...
Click to collapse
I just pulled that up on mine too! Wtf!
Generating random authentication keys

Has anything been done about this or basically can anyone with any clue about phones easily get your goggle password if they nick your phone?

cybergaf said:
Has anything been done about this or basically can anyone with any clue about phones easily get your goggle password if they nick your phone?
Click to expand...
Click to collapse
Yea just uninstall s-memo. You really don't need it that bad. And if so use other notepad apps that have voice to text capability or use the aosp keyboard. Anything but s-memo
.:Sent from the Hellfire Galaxy of S & 3:.

da-pharoah said:
Yea just uninstall s-memo. You really don't need it that bad. And if so use other notepad apps that have voice to text capability or use the aosp keyboard. Anything but s-memo
.:Sent from the Hellfire Galaxy of S & 3:.
Click to expand...
Click to collapse
Ummm thought you said above you didn't use s-memo so it's not just an s-memo problem or am I reading it incorrectly?
I've also just checked s-memo and can only see an option for syncing to Samsung account not Google?

xiaomi spying

just read this article, whats your opinion.
https://www.dailymail.co.uk/science...rowsing-data-millions-people-web-browser.html

meanwhile Google (Android OS), Apple, Amazon + basically any company which sells any item with a camera or microphone which connects to the internet
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

bluefender said:
just read this article, whats your opinion.
https://www.dailymail.co.uk/science...rowsing-data-millions-people-web-browser.html
Click to expand...
Click to collapse
I'm already aware of it not only xiaomi if you have FB installed it does so same for google apps or almost any apps, Im using some tool to monitor my network and im not even using my phone and I see that it's always exchanging data on the internet just to know that I didn't enable any cloud thing or any sync also I have put some Data on my phone when I was away from home and it went out so fast after I checked the apps that used it I found that almost 200 Mb of data is missing but it wasn't used by any app so there is an exchange but it's hidden, im thinking of using another rom and check

bluefender said:
just read this article, whats your opinion.
https://www.dailymail.co.uk/science...rowsing-data-millions-people-web-browser.html
Click to expand...
Click to collapse
that's why i tell people to use gappless custom roms ...
brownm121 said:
What about the apps described here https://realspyapps.com/phone-tracker/? How to protect your data from such spy apps? They can get all your data as I've understood. Is it possible to protect a phone from hacking and data theft?
Click to expand...
Click to collapse
don't give apps data permission
and restrict all from internet access
if you have an app that need both ensure it dosn't have trackers
if you still don't trust use riru storage isolation ...

Agree generally @loopypalm however I have been using AFWall+ and whitelisted (allowed) supposedly only 4 installed apps - but no system stuff. According to the logs it is blocking literally 000's of requests from the kernel/system and others. However I installed GlassWire the other day and it is showing it exchanging data in and out daily for "Android System".......... :-(
If accurate not sure there is any way to stop that as it must be buried very deep?

loopypalm said:
that's why i tell people to use gappless custom roms ...
don't give apps data permission
and restrict all from internet access
if you have an app that need both ensure it dosn't have trackers
if you still don't trust use riru storage isolation ...
Click to expand...
Click to collapse
Karma Firewall, freeware that uses almost no battery.
China and the CCP are one in the same. The risk of embedded hardware, firmware and software spyware or back doors is high.
The CCP is insidious and nefarious... if you haven't noticed it already

sabei said:
However I installed GlassWire the other day and it is showing it exchanging data in and out daily for "Android System".......... :-(
If accurate not sure there is any way to stop that as it must be buried very deep?
Click to expand...
Click to collapse
there is an app+process called 'NetworkStack' , that is responsable for app to use internet and it's consomation is counted under "Android System"
blackhawk said:
Karma Firewall, freeware that uses almost no battery
Click to expand...
Click to collapse
i read that it dosn't require root, so i'm not sure if it operate at a system level or just does this :

loopypalm said:
i read that it dosn't require root, so i'm not sure if it operate at a system level or just does this :
View attachment 5356179
Click to expand...
Click to collapse
It's a VNP based firewall. It runs best on Pie or lower. With Q and above you lose it's logging function. I'm running Pie so I haven't tested that... and don't plan too anytime soon

loopypalm said:
there is an app+process called 'NetworkStack' , that is responsable for app to use internet and it's consomation is counted under "Android System"
Click to expand...
Click to collapse
yes that shows as a separate process on mine (1073) and is blocked/not allowed along with the rest
(I am still running AEX 7.3 - thanks again for the original recommendation)

sabei said:
yes that shows as a separate process on mine (1073) and is blocked/not allowed along with the rest
(I am still running AEX 7.3 - thanks again for the original recommendation)
Click to expand...
Click to collapse
you can block the package ,yes but not the process
it's the one thing that make you able to connect to wifi/4g ...

{Mod edit: Quoted post has been deleted}
You have quoted an article written by someone selling spy apps...............hardly the most credible and has nothing to do with what I was referring to.

i think people should start editing the apps they work with to remove trackers and useless stuff ...
if you don't have the skills you can use the "mobilism" or "4pda forums" releases, i don't think i have the right to post their links here
other than that nobody can spy on you unless you r an idiot or if they use "Pegasus"

loopypalm said:
i think people should start editing the apps they work with to remove trackers and useless stuff ...
if you don't have the skills you can use the "mobilism" or "4pda forums" releases, i don't think i have the right to post their links here
other than that nobody can spy on you unless you r an idiot or if they use "Pegasus"
Click to expand...
Click to collapse
Easiest thing to do is either don't load crapware or firewall block it.
Amazon, WhatsApp, FB, Instagram, LinkedIn etc never are installed on my device.
Lots do then wonder why their battery life sucks and they have no privacy

blackhawk said:
Easiest thing to do is either don't load crapware or firewall block it.
Amazon, WhatsApp, FB, Instagram, LinkedIn etc never are installed on my device.
Lots do then wonder why their battery life sucks and they have no privacy
Click to expand...
Click to collapse
well , It is easier to escape from a problem than to solve it ...
lot of people can't live without wsp and fb,and i agree, that's a problem ...
that's why i suggested to use storage isolation
(you give an app just one folder to access instead of the whole SD)
and use mod like fouadmod for wsp and cleaned Friendly for Facebook ...
and for identity i don't think there is much you can do unless feed it fake info or create a new identity ...
and if you are a government target just destroy your phone and don't even think ...

loopypalm said:
well , It is easier to escape from a problem than to solve it ...
lot of people can't live without wsp and fb,and i agree, that's a problem ...
that's why i suggested to use storage isolation
(you give an app just one folder to access instead of the whole SD)
and use mod like fouadmod for wsp and cleaned Friendly for Facebook ...
and for identity i don't think there is much you can do unless feed it fake info or create a new identity ...
and if you are a government target just destroy your phone and don't even think ...
Click to expand...
Click to collapse
The problem with those social apps is two fold. All the personal data the user willingly supplies that can then be weaponized against them is the primary issue.
People shouldn't know everything you do and think.
These virtual trash apps have ruined many careers and lives. They are now a source of disinformation and are heavily censured unless you think "correctly". It is a means of controlling the masses by a few.
You're not the customer... you are the product.
Fk that $hit.

loopypalm said:
i think people should start editing the apps they work with to remove trackers and useless stuff ...
Click to expand...
Click to collapse
I've been using some (very few) mobilism apps for years without any ill effects.
Even if you don't use FB yourself, that by itself doesn't exempt you from its tracking, as you'll notice if you follow the tip below.
If you're rooted, another way (which doesn't always work, sadly) would be to get OSS App Manager from F-Droid, see what trackers are there for any given app (you're clear if none are listed) and block some or all of them... YMMV.

pnin said:
see what trackers are there for any given app (you're clear if none are listed) and block some or all some of them... YMMV.
Click to expand...
Click to collapse
Anybody else tried using Warden - app on XDA to remove trackers/beacons etc?

pnin said:
I've been using some (very few) mobilism apps for years without any ill effects.
Even if you don't use FB yourself, that by itself doesn't exempt you from its tracking, as you'll notice if you follow the tip below.
If you're rooted, another way (which doesn't always work, sadly) would be to get OSS App Manager from F-Droid, see what trackers are there for any given app (you're clear if none are listed) and block some or all some of them... YMMV.
Click to expand...
Click to collapse
If FB, Amazon etc is preinstalled either package block it or firewall block.
I prefer using Package Disabler to kill them although you can use ADB to do it.
I keep locations disabled unless I need maps which is rare. Helps battery life too.
Lol, FB is pure poison...

blackhawk said:
Package Disabler
Click to expand...
Click to collapse
Is this the paid for app?

sabei said:
Is this the paid for app?
Click to expand...
Click to collapse
Yes, annual subscription. Use the none Samsung variant. I can't say how well this variant works. The Samsung version works well but won't block Google play Services. I've been using it for over 2 years.
They do respond to emails promptly.
{Mod edit: Link to paid app removed @blackhawk )

Hidden Google Account + Hidden Systemadminapp in LineageOS | Privacy infiltrated?...

Is the builtin app named "Storagemanager" a hidden system administrator in LineageOS 19.1?
I ask this because in LineageOS 14.1 Storagemanager is a systemadministrator app.
In LineageOS 14.1 under > settings > apps > special app access > deviceadministrators, nothing showed up by default, but then i pressed the three dots on the top right and selected "show system", then storage manager was shown as active system administrator app.
I had the option to disable it, which i did, as i dont want ANY app to be administrator as i consider myself as the device owner being the administrator in place, no need for an app to have any such administrative permissions.
Now in LineageOS 19.1 when you navigate to > settings > apps > special app access > deviceadministrators > the three dots on the top right corner to show system apps ARE GONE.
This makes me think storage manager is a secret/hidden system administrator that cannot be disabled in lineageOS 19.1 because the three dots at the top right have been removed in 19.1 basically making it IMPOSSIBLE to the device owner to remove unwanted systemadministrator apps.
If infact storagemanager is a secret systemadministrator app, why is that so, why was the option to disable this app from being a system administrator removed??
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Another question, in LineageOS 14.1 when i tried to open the calendar app, there was a prompt/popup saying "to use the calendar app you must add atleast one google account to your phone".
To be honest that scared me... considering that i use LineageOS purely for privacy and Google is the opposite of privacy.
That being said please keep in mind (this is very important), in LineageOS 14.1 when i opened the calendar app i was asked to add a Google account...
Here comes the things, in LineageOS 19.1 when i open the calendar app the prompt/popup says this: "before you can use the calendar app you must add atleast one calendar account".
That sounds very suspicious to me, because in 14.1 it was called google account and now in 19.1 its called callendar account, obviously my question is now... is the callendar account a google account just being called out in another way...?? If yes this is obviously a major manipulation because not naming google here will trick most likely any LineageOS user to creating a callendar account without even knowing that in reality what they just did was to create a goolge account on their privacy phone...... what sort of manipulative person would make such a nightmare come true? At this point i must ask if LineageOS even is a privacy option anymore... or has it been inflitrated by google already...
Another suspicous change i detected after switching from LineageOS 14.1 to 19.1 is that under > settings > apps > special app access > useage access, zero apps are listed, but once i pressed the three dots in the top right corner, bluetooth, media storage, nfc service, package installer, permissions controller, phone services, shell, storage manager, and systemui where ALL shown as "access to useage data = allowed". This really makes me woonder what is going on with LineageOS, what reason is there to grant all these apps access to useage data by default?? In LineageOS 14.1 there was not a single app even the system ones, that had useage data access set to allowed, infact in 14.1 all apps where set to be not allowed to access useage data. What is going on here and why??
Another change i noticed from LineageOS 14.1 to 19.1 is that under > settings > privacy, in 14.1 i was able to edit individual app permissions and enable or disable the privacy mode, in 19.1 there seems to be a new service so called "trust" which is responsible for privacy, im fine with that, however i am missing a very important privacy setting that was present in 14.1 but is not in 19.1 and that is "start on boot". On 14.1 i was able to select any specific app and deny or allow it's access to start itself on boot. Why is this important setting not present in 19.1?
In 19.1 under > settings > privacy > permissions manager, there is no option to deny apps to "start on boot".
My guess is, either 19.1 blocks all apps from starting on boot by default, or it allows it by default for all apps and there is simply no option to stop that which would be a major privacy downgrade compared to older versions...

thank you for posting this, my eyes have been opened.

Already 100+ views but only 1 comment, hmm...
Nobody knows anything?
I seriously want to get ansers to the above questions... these are real concerns to me.

My questions don't seem to get to much attention here, not even to mention a reply.
Does anyone know a forum or another place where i can ask what is written above?
I wan't answers, these are real privacy concerns!

Hmmm. I don't have answers to your specific questions. In another thread, you posted, generally, that most people don't care about your concerns. Very true. I wholeheartedly support you advocating your views; however encourage you to tread lightly if you want people to reply to you.
The only sure answer to your situation, and for me, also, is to grab the source of the rom which suits you, one without gapps, and then hire a dev to help go through the source to answer your questions. Then edit as needed and re-compile.
I am familiar enough with the process in general however don't have the skills to do it myself. LOS and its variants are probably a good place to start. I am using a vanilla build of RROS on A10 on a Oneplus8 pro. Since we have tools for A11 that is good but the tools generally aren't available for some time after a new Android release.
Your question might be asked of the Lineage devs, though I am sure they are busy and they are not forcing you to use their (free) product. There are also Linux phones available, although so far the hardware I have seen is not great.
What phone are you using? If you are serious about this, and are willing to support a dev project as above, we would have to settle on one or two similar OSes on the same Android version, and hire someone for a few days. This would be expensive. I, for one, would contribute. If we found 10 or 20 like minded people a crowdfunding page could be set up. If we did not reach the necessary amount then the money could be refunded.
To tell the truth, G keeps putting more obstacles in the way of modders and I am getting to the point where its not worth the trouble. Hopefully the hardware for Linux phones will improve.
Thoughts??

gregpilot said:
Hmmm. I don't have answers to your specific questions. In another thread, you posted, generally, that most people don't care about your concerns. Very true. I wholeheartedly support you advocating your views; however encourage you to tread lightly if you want people to reply to you.
The only sure answer to your situation, and for me, also, is to grab the source of the rom which suits you, one without gapps, and then hire a dev to help go through the source to answer your questions. Then edit as needed and re-compile.
I am familiar enough with the process in general however don't have the skills to do it myself. LOS and its variants are probably a good place to start. I am using a vanilla build of RROS on A10 on a Oneplus8 pro. Since we have tools for A11 that is good but the tools generally aren't available for some time after a new Android release.
Your question might be asked of the Lineage devs, though I am sure they are busy and they are not forcing you to use their (free) product. There are also Linux phones available, although so far the hardware I have seen is not great.
What phone are you using? If you are serious about this, and are willing to support a dev project as above, we would have to settle on one or two similar OSes on the same Android version, and hire someone for a few days. This would be expensive. I, for one, would contribute. If we found 10 or 20 like minded people a crowdfunding page could be set up. If we did not reach the necessary amount then the money could be refunded.
To tell the truth, G keeps putting more obstacles in the way of modders and I am getting to the point where its not worth the trouble. Hopefully the hardware for Linux phones will improve.
Thoughts??
Click to expand...
Click to collapse
My knownledge on programming is very limited, i would not be able to contribute to any meaningful software really. Indeed my language can quickly become not so nice when it comes to privacy, i don't like how the masses throw away their freedom.
Think about it, google chrome holds around 60% market share, then combine all chromium browsers and we are at around 90% while Firefox is at around 4%. Then think about how many people use Gmail and how many use privacy alternatives like Protonmail. Think about how many people use the standard google android os on their phone and how many have iphones and compare that to how many people use a linux phone or a custom os like lineage or graphene...
Anyone can protect their privacy, there are many great videos on youtube.
Here are some examples:
The Hated One
Creating deeply researched and well-sourced essays critiquing some of the most important issues of our time in a non-partisan, non-sectarian way. Mass surveillance is a backdoor into freedom of speech. Knowledge is power. And power corrupts. https://twitter.com/The_HatedOne_...
yewtu.be
Rob Braxman Tech
I'm the Internet Privacy Guy. I'm a public interest hacker and technologist. I use my extensive knowledge of cybersecurity and tech to serve the public good. I care about privacy. I warn you of digital manipulation, disinformation, mass surveillance. I also discuss alternative communication...
yewtu.be
Techlore
Techlore was built to prove privacy & security are not just achievable - but simple and accessible. We manage several projects, communities, and content to spread privacy & security to the masses. Visit our Website: https://techlore.tech
yewtu.be
Mental Outlaw
Only cool people visit https://based.win/
yewtu.be
Naomi Brockwell: NBTV
www.nbtv.media NBTV teaches people how to reclaim control of their lives in the digital age. We give people the tools they need to take back their data, money, and free online expression. - Your Money - Your Data - Your Life Empower Yourself. Created and hosted by Naomi Brockwell Our...
yewtu.be
Louis Rossmann
I discuss random things of interest to me. This is, and always will be, my personal variety show. I teach Macbook component level logic board repair from a common sense, everyman's perspective. I try to make it seem viable, and entertaining. I also go over business concepts & philosophy that...
yewtu.be
The Linux Experiment
Making Linux accessible: no techno lingo, no super technical content. Just Linux desktop news, simple tutorials, application spotlights, and opinion pieces trying to stay positive, without gatekeeping. 👏 SUPPORT THE CHANNEL: Get access to a weekly podcast, vote on the next topics I cover, and...
yewtu.be
I use yewtu.be over youtube.com to avoid google.
See, google chrome and google search know all of your browsing history, there is no privacy, they make a profile of everyone who uses any of their services. Even if you use google without an account chances are they can identify you and your device. Same with gmail... it reads (scans) all of your emails and sell the content to adverstisers. I don't know how people can be ****** enough to use these services when you can simply switch to alternatives that are working perfectly flawless and don't spy on you.
Privacy can be easy.
Instead of google chrome > Firefox or even better Librewolf
Instead of google search > brave search or duckduckgo
Instead of gmail > protonmail
Instead of google android > lineage or graphene
It's not that hard...
Nobody forced me to use lineageos obviously i installed it on my own, i don't like the changes from 14.1 to 19.1 as they seem very suspicious to me, but i will still preffer LOS at any time over the standard google crap.
Before using a google phone id rather not use a phone at all.
Speaking about phones, people who buy iphones have lost their mind, i mean it.
My phone is a samsung S7, as long as it is functional i will not buy a new phone, besides i don't have the money now... your suggestion sounds interesting but i'm not into that really.
In the mean time i will repeat what you said, we can only wait for linux phones to support modern hardware and get one of those in the future.
GrapheneOS seems like the best choice as of now but it's really ironic that it works only on google pixel phones...

Most people don't care that they are been spied on. They are after the they easy life. Want all the mod cons to make things easier. Unfortunately you can't change peoples habits. Have started seen a lot of custom rooms with suspicious files, that makes a person wonder if google is paying the devs to include their software.

ShaunSmit said:
Most people don't care that they are been spied on
Click to expand...
Click to collapse
Well, plenty of people do. For example, just see XDA's thread for FairEmail:
https://forum.xda-developers.com/t/...en-source-privacy-oriented-email-app.3824168/
Privacydroid said:
builtin app named "Storagemanager" a hidden system administrator in LineageOS 19.1?
Click to expand...
Click to collapse
Privacydroid said:
My questions don't seem to get to much attention here
Click to expand...
Click to collapse
Well, I am interested in and have subscribed to this topic... it's just that LOS19 is still not really a hot topic for me yet (still fighting with LOS18, lol).

SigmundDroid said:
Well, plenty of people do. For example, just see XDA's thread for FairEmail:
https://forum.xda-developers.com/t/...en-source-privacy-oriented-email-app.3824168/
Well, I am interested in and have subscribed to this topic... it's just that LOS19 is still not really a hot topic for me yet (still fighting with LOS18, lol).
Click to expand...
Click to collapse
My bet lineage 1.18 is also affected by what i described above.

there might be some privacy oriented custom roms. have you checked ?
e Foundation - deGoogled unGoogled smartphone operating systems and online services - your data is your data
your data is YOUR data
e.foundation
or
Purism– Librem 5
Introducing the – Librem 5 by Purism
puri.sm

Fytdyh said:
there might be some privacy oriented custom roms. have you checked ?
e Foundation - deGoogled unGoogled smartphone operating systems and online services - your data is your data
your data is YOUR data
e.foundation
or
Purism– Librem 5
Introducing the – Librem 5 by Purism
puri.sm
Click to expand...
Click to collapse
Never heared about https://e.foundation/ will have a look at that one.
The librem 5 has outdated hardware and is expensive, but that's not the problem... the shipping times are totally ******. Can take years for you to ever recive that phone.
Besides, that doesn't anser any of my above questions about LOS, guess that wasn't your intention anyways.

Privacydroid said:
Never heared about https://e.foundation/ will have a look at that one.
The librem 5 has outdated hardware and is expensive, but that's not the problem... the shipping times are totally ******. Can take years for you to ever recive that phone.
Besides, that doesn't anser any of my above questions about LOS, guess that wasn't your intention anyways.
Click to expand...
Click to collapse
about your privacy related inquiries, i recon that Lineage, while it used to stand for privacy in the first years, it started to be seen more as a way to get updates on no longer supported devices. and given that almost every user that uses lineage also had flashed gapps, makes sense for them to add gapps in their everyday custom rom as well. Google has its sets of downsides and upsides. Privacy is good, but functionality is more important. a lot of good apps rely on google implemented functionality. Say that i would need to drive around the country. Privacy is my preference, but i need a fully functional bugless waze. Waze without google play services is a mess, if you get it working. Android Auto without gapps isnt possible.

For my devices, at least, Lineage did not have gapps baked in. For me, a good thing. There are a few vanilla roms left out there. Even without gapps, there are still leaks to google (the captive portal connectivity check, for one) but the footprint is much smaller.
For me, I have found open source alternatives to ALL of googles bloat and spyware. Not as convienient, sure. Pain in the a** sometimes, yes. Wayze? Host your own cameras, use openstreetmap (osmand) instead. google has made it very convienient with their ecosystem. I, for one, do not wish to share my life with them.

Fytdyh said:
about your privacy related inquiries, i recon that Lineage, while it used to stand for privacy in the first years, it started to be seen more as a way to get updates on no longer supported devices. and given that almost every user that uses lineage also had flashed gapps, makes sense for them to add gapps in their everyday custom rom as well. Google has its sets of downsides and upsides. Privacy is good, but functionality is more important. a lot of good apps rely on google implemented functionality. Say that i would need to drive around the country. Privacy is my preference, but i need a fully functional bugless waze. Waze without google play services is a mess, if you get it working. Android Auto without gapps isnt possible.
Click to expand...
Click to collapse
No idea why people use gapps or microg, it's anti privacy so i do not ever use any of that.
I do not use any google services in my life and i don't miss them or need them for anything, i have alternatives.
I have to disagree on this phrase "Privacy is good, but functionality is more important".
If you are forced to give up privacy to use a service or product then the service or product is not worth being used.
Privacy is way more important than functionality, besides 90% of the time you can find perfectly working privacy friendly alternatives for almost anything.
Instead of google maps for example i use these:
Map at DuckDuckGo
DuckDuckGo. Privacy, Simplified.
duckduckgo.com
OpenStreetMap
OpenStreetMap is a map of the world, created by people like you and free to use under an open license.
www.openstreetmap.org
Not sure if that is helpful while driving, would be fine for me, never heared about waze.
I banned Google of my life and im happy with that, wasn't that hard after all.

gregpilot said:
For my devices, at least, Lineage did not have gapps baked in. For me, a good thing. There are a few vanilla roms left out there. Even without gapps, there are still leaks to google (the captive portal connectivity check, for one) but the footprint is much smaller.
For me, I have found open source alternatives to ALL of googles bloat and spyware. Not as convienient, sure. Pain in the a** sometimes, yes. Wayze? Host your own cameras, use openstreetmap (osmand) instead. google has made it very convienient with their ecosystem. I, for one, do not wish to share my life with them.
Click to expand...
Click to collapse
My lineage version also doesn't have gapps in it, atleast nothing that is visible or accessable to me..
Not sure about the calendar thing described above..
What do you mean by captive portal connectivity check, what's that?
I beleve LOS uses Googls SUPL Server's too.
Great to meet someone with the same mindset, way to many people throw away their privacy which is equal to freedom, for "convienience"... It's crazy.

What do you mean by captive portal connectivity check, what's that?
I beleve LOS uses Googls SUPL Server's too.
Click to expand...
Click to collapse
Every time your device makes a network connection (wifi or cellular) it pings "connectivitycheck.gstatic.com". Not really a ping, its a http request to check for internet connectivity. Successful completion will remove the "x" by the wifi and/or cell data icon. Although if the address is blocked on your router the "x" will remain, and your device will complain about not having internet access....but it does! (so long as your wifi router/cell net has access). But wifi calling won't work.
For more, go here:
https://forum.xda-developers.com/t/guide-how-to-avoid-the-captive-portal-checkin-to-google.3927561/
You can host your own check server, or....just disable the check.
I have confirmed this works on A9 and A10 AOSP roms. There are different variants of this command for different roms. You may have to try several of them.
From an adb shell: (needs root)
Code:
:/ # settings put global captive_portal_mode 0
***********THIS DISABLES GOOGLE CONN CHECK***** A9 and 10
To verify it is disabled:
Code:
:/ # settings list global | grep portal
Should return "captive_portal_mode=0"
If you do connect to a captive portal page (public wifi, open connection) where the owner wants a login cred then the side effect of this is that it won't work.
The issue is that everytime the check is run, google will get your IP address and browser/OS and can infer your coarse location even if location services are turned off. I have all google domains blocked on my wifi so to keep my wife happy I disable the check on her phone also so she does not get the "no internet" notification.
Another hole is the agps (assisted gps) database downloaded from google or your phone carrier regardless of enabled location. I believe you can edit the server which is contacted, again, will require root.
This post says you can edit the gps.conf file:
https://forum.xda-developers.com/t/a-gps-supl-protocol-and-privacy-breaching.3602863/
Anyone try that? What abour removing "supl" from the apn type?
But I'm not there, yet, I usually have location selected off. Rob Braxman has a good vid here, use freetube:
https://github.com/FreeTubeApp/FreeTube
https://www.youtube.com/watch?v=vbBkZ-MROEk?
Again as stated earlier the best fix is to find a AOSP source of a rom you like, edit (or hire a dev) to edit out all of the bloat and google tracking which may remain, and re-compile.

gregpilot said:
Every time your device makes a network connection (wifi or cellular) it pings "connectivitycheck.gstatic.com". Not really a ping, its a http request to check for internet connectivity. Successful completion will remove the "x" by the wifi and/or cell data icon. Although if the address is blocked on your router the "x" will remain, and your device will complain about not having internet access....but it does! (so long as your wifi router/cell net has access). But wifi calling won't work.
For more, go here:
https://forum.xda-developers.com/t/guide-how-to-avoid-the-captive-portal-checkin-to-google.3927561/
You can host your own check server, or....just disable the check.
I have confirmed this works on A9 and A10 AOSP roms. There are different variants of this command for different roms. You may have to try several of them.
From an adb shell: (needs root)
Code:
:/ # settings put global captive_portal_mode 0
***********THIS DISABLES GOOGLE CONN CHECK***** A9 and 10
To verify it is disabled:
Code:
:/ # settings list global | grep portal
Should return "captive_portal_mode=0"
If you do connect to a captive portal page (public wifi, open connection) where the owner wants a login cred then the side effect of this is that it won't work.
The issue is that everytime the check is run, google will get your IP address and browser/OS and can infer your coarse location even if location services are turned off. I have all google domains blocked on my wifi so to keep my wife happy I disable the check on her phone also so she does not get the "no internet" notification.
Another hole is the agps (assisted gps) database downloaded from google or your phone carrier regardless of enabled location. I believe you can edit the server which is contacted, again, will require root.
This post says you can edit the gps.conf file:
https://forum.xda-developers.com/t/a-gps-supl-protocol-and-privacy-breaching.3602863/
Anyone try that? What abour removing "supl" from the apn type?
But I'm not there, yet, I usually have location selected off. Rob Braxman has a good vid here, use freetube:
https://github.com/FreeTubeApp/FreeTube
https://www.youtube.com/watch?v=vbBkZ-MROEk?
Again as stated earlier the best fix is to find a AOSP source of a rom you like, edit (or hire a dev) to edit out all of the bloat and google tracking which may remain, and re-compile.
Click to expand...
Click to collapse
Thank you for this interesting reply, i will attempt to remove captive portal connectivity check / connectivitycheck.gstatic.com with adb by following your provided command
settings put global captive_portal_mode 0
settings list global | grep portal
However you mentioned this needs root, my device is not root so this basically wont work without root?
I could use magisk for rooting.
Rob Braxman is great, watching all of his content. But i couldn't find any instructions to disable googles SUPL.
I also don't think rob has a video for captive portal connectivity check, or does he?
From my experience with his videos he acts as if degoogled phones with lineage are 90% better than normal phones, so i guess the other 10% are things like SUPL and captive portal connectivity check which are not that easy to disable..? If google knows my locations on a degoogled device with lineageos by using captive portal connectivity check then hell, that#äs really disturbing i had no idea that they still know where my phone is / where i am, very scary...

However you mentioned this needs root, my device is not root so this basically wont work without root?
Click to expand...
Click to collapse
Yes, the command needs root. Also there are some differences based on your version of Android.
The following is old, but has some good stuff:
https://www.reddit.com/r/privacy/comments/cldrym
The biggest help for this is to not install google services, and use a vanilla rom without it.
As far as captive portal, that is fixable.
The DNS servers can be changed from googles, but it is less straightforward.
NLP is not present without gapps, from what I have read
The SUPL issue, for me, is a WIP. I will happily deal with slow GPS TTFF. What I don't know:
1. Editing (removing) the supl entry in the APN file, what affect, if any;
2. Editing /vendor/etc/gps.conf (newer roms have the file in /vendor) to show a non g server;
3. the big question, which GPS radio chips may or may not have SUPL on the hardware level and therefore, if so, we are unable to fix.

gregpilot said:
Yes, the command needs root. Also there are some differences based on your version of Android.
The following is old, but has some good stuff:
https://www.reddit.com/r/privacy/comments/cldrym
The biggest help for this is to not install google services, and use a vanilla rom without it.
As far as captive portal, that is fixable.
The DNS servers can be changed from googles, but it is less straightforward.
NLP is not present without gapps, from what I have read
The SUPL issue, for me, is a WIP. I will happily deal with slow GPS TTFF. What I don't know:
1. Editing (removing) the supl entry in the APN file, what affect, if any;
2. Editing /vendor/etc/gps.conf (newer roms have the file in /vendor) to show a non g server;
3. the big question, which GPS radio chips may or may not have SUPL on the hardware level and therefore, if so, we are unable to fix.
Click to expand...
Click to collapse
I just tried using your solution for the onnectivitycheck.gstatic.com issue by using the provided command
:/ # settings put global captive_portal_mode 0
Before i that i rooted the phone with magisk, the command did not work (i attempted executing the command on cmd in windows inside the adb/fastboot folder, usb drivers are also installed.
I was able to start the daemon by using adb devices but the command you provided didn't work.
The phone was booted normally during the test, maybe i should instead go to downloadmode or recovery mode? The link you send for more instructions says we should use a cmd app on the phone to exectue this command (a pc is not mentioned), however i don't find any cmd app on the phone (lineageos 19.1).

Privacydroid said:
I just tried using your solution for the onnectivitycheck.gstatic.com issue by using the provided command
:/ # settings put global captive_portal_mode 0
Before i that i rooted the phone with magisk, the command did not work (i attempted executing the command on cmd in windows inside the adb/fastboot folder, usb drivers are also installed.
I was able to start the daemon by using adb devices but the command you provided didn't work.
The phone was booted normally during the test, maybe i should instead go to downloadmode or recovery mode? The link you send for more instructions says we should use a cmd app on the phone to exectue this command (a pc is not mentioned), however i don't find any cmd app on the phone (lineageos 19.1).
Click to expand...
Click to collapse
No, the command is made from a root shell on the phone directly, or through an adb shell.
First:
open a cmd window on your pc, cd to your adb folder. Do you have "minimal adb and fastboot" installed on your pc? Its on the forums here.
Plug in your phone to USB, do not boot to recovery or download mode. Just the normal system.
From the open cmd window, issue "adb devices". What appears?
If "unauthorized", you have to enable adb debugging in developer options. You have that enabled, right? If you do you will get a prompt on the phone to allow adb debugging access when you connect over USB.
If you get "device XXXXX", I do not recall the number of characters, then you can proceed.
issue "adb shell"
you should get a shell prompt (your phone cmd shell)
Issue "su"
If you are rooted magisk may prompt you to allow root
issue "whoami", this has to return "root".
Then issue the command I gave you. " settings put global captive_portal_mode 0"
The second string "settings list global | grep portal" is only to verify the success of the first command.
You don't need adb for this, you can also enable the "local terminal" in developer options. Or use your favorite terminal. I like Termux.
Open the terminal from your app drawer
issue "su"
Again, you should get a magisk prompt requesting permissions, allow it
issue "whoami" , verify root
then issue the same two commands.
What version of Android are you on?