Somebody can use your Phone Edition without your notice!


JGUI
29th June 2004, 07:18 PM
When I started to make programs with some SMS and phone features, I soon noticed that I can send SMS in hidden mode and dial the phone too.

Even without the user's attention at all (no notification).
Without the screen backlight turned on.
Without any log of activities (no items in the phone log and Sent folder).

We know that in the MS Smartphone OS this is blocked by the program's "privilege". But on Phone Edition devices this is open.


Just imagine:
- somebody (everybody?) can write an application like a game or a popular PIM and put hidden SMS inside. First, it can read your contacts, numbers, anything... and then send them by SMS without your knowledge or even a notification.
- another situation: some program can send SMS every minute all night and charge your cellular network account quickly and seriously.

Are you sure you don't have such a kind of application inside your device right now?
:cry: I'm not.


I'm looking for a solution. In panic!

Ok. I can turn off the phone service and I'm sure nothing will go out.
But of course at the same time nothing will come in either.

PPC2002 and WM2003 do not give any option to turn off only outgoing services, or to turn off the SMS service only (with the phone running continuously).


My proposal is:
- block all outgoing SMS except from the original Inbox/New dialog
- block all outgoing Calls except from the original Phone dialog

In most cases it should be enough protection.

Of course, this is one side. The other one is: I want to occasionally use other software to send SMS and make a call. So, the application should allow me to mark which other programs can send SMS or dial a call. These programs I must know as "trusted". And it is my own risk if I unlock them. An example is MY|MESSAGE, where I can quickly reply to the last SMS right from the Today Screen, without the Inbox dialog open.



Please share your opinions.
- is it a serious problem?
- is my solution enough?
- is it necessary to mark other applications to use SMS?
- mark them permanently or maybe only temporarily?

Or maybe you have another solution?


===============================================
Below are screenshots of my proposal.
I think I will release the personal version as freeware.

http://www.jgui.net/phones/screen_acc.jpg http://www.jgui.net/phones/screen_set.jpg http://www.jgui.net/phones/screen_apps.jpg

The application runs as a "service process". You don't have to put it in the Startup folder and (IMPORTANT) it does not count against the running tasks limit on the XDA. Additionally, just for "eye-catching" convenience I added a small icon on the Today Screen, to be sure it runs. The icon can be hidden; it does nothing.

http://www.jgui.net/phones/screen_tdy.jpg
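An added sketch (not JGUI's code) of the trust list proposed in this post: outgoing SMS and dial requests are denied unless the calling process holds a permanent grant (the built-in Inbox/Phone dialogs) or a temporary one (an app the user unlocked, such as MY|MESSAGE), and every blocked attempt is logged so the user can review it. The process names and timeouts are constructed sample values; on a real device the process name would have to come from the system's own hook.

```c
/* Added example, not JGUI's code: default-deny policy for outgoing SMS/dial
 * requests keyed on process name. Grants are permanent (original Inbox/Phone
 * dialogs) or temporary (an unlocked app such as MY|MESSAGE, expiring after
 * ttl seconds); blocked attempts are logged. Names below are constructed. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_RULES 16
#define MAX_LOG   64

typedef struct {
    char   process[32];
    time_t expires;            /* 0 = permanent grant */
} Rule;

typedef struct {
    Rule rules[MAX_RULES];
    int  nrules;
    char blocked[MAX_LOG][64]; /* "process:action" log entries */
    int  nblocked;
} Policy;

/* Mark a process as trusted; ttl_seconds == 0 makes the grant permanent. */
void policy_trust(Policy *p, const char *process, int ttl_seconds, time_t now) {
    if (p->nrules >= MAX_RULES) return;
    Rule *r = &p->rules[p->nrules++];
    strncpy(r->process, process, sizeof r->process - 1);
    r->process[sizeof r->process - 1] = '\0';
    r->expires = ttl_seconds > 0 ? now + ttl_seconds : 0;
}

/* Returns 1 if the request may proceed, 0 if blocked (and logged). Anything
 * not on the trust list, or whose grant has expired, is denied. */
int policy_check(Policy *p, const char *process, const char *action, time_t now) {
    for (int i = 0; i < p->nrules; i++) {
        if (strcmp(p->rules[i].process, process) != 0) continue;
        if (p->rules[i].expires == 0 || now < p->rules[i].expires) return 1;
    }
    if (p->nblocked < MAX_LOG)
        snprintf(p->blocked[p->nblocked++], sizeof p->blocked[0], "%s:%s", process, action);
    return 0;
}

int main(void) {
    Policy p = {0};
    policy_trust(&p, "inbox.exe", 0, time(NULL));       /* constructed: built-in Inbox */
    policy_trust(&p, "mymessage.exe", 60, time(NULL));  /* constructed: unlocked 60 s */
    printf("game.exe sms -> %s\n", policy_check(&p, "game.exe", "sms", time(NULL)) ? "allowed" : "blocked");
    return 0;
}
```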

bob190cm
29th June 2004, 07:31 PM
1. Does it make a log file or show a message on block?
2. How much space does it take?
3. What about making a usual firewall - make all programs ask before they can use any of the wireless services (GSM, SMS, GPRS)?

bob190cm
29th June 2004, 07:34 PM
In case there really will be a firewall (maybe as a plugin only) it should block unauthorized access from the internet. :idea:

JGUI
29th June 2004, 07:37 PM
in the current state of development:

11kB of service
20kB of settings dialog

with (most) applications with GPRS features you can decide when you "connect"

so I focus on SMS and dialling

bob190cm
29th June 2004, 07:52 PM
But if you can use the phone

quote:
Even without the user's attention at all (no notification).
Without the screen backlight turned on.
Without any log of activities (no items in the phone log and Sent folder)

you can probably use GPRS, too. Furthermore, if the program goes off while I'm sleeping, I can't stop it! :?
And what about the usual firewall?

PS: Are you planning to post it?

JGUI
29th June 2004, 07:57 PM
the firewall does not block SMS (or I don't know)

bob190cm
29th June 2004, 08:20 PM
I mean a program that would block all unauthorized access: phone, SMS and both incoming and outgoing internet connections.
If any application wants to use one of the things mentioned, the user would see a message on screen and could customize which apps have free access.

beecher
29th June 2004, 11:51 PM
but you make me a little nervous, if this is possible...

Good work, keep on going...

Thanks.

Mosser
30th June 2004, 01:25 AM
Journal Bar managed to initiate a GPRS call without me knowing, on a daily basis last month, and I didn't notice until it had used 16 meg of data updating itself every day for a week. This cost me £34, which I wasn't happy about. There doesn't seem to be any way of locking or passwording the GPRS connection? I've had other programs use the connection when I connected to check my email, and cost me money when I didn't want them to use it.

buzz_lightyear
30th June 2004, 08:11 AM
Hi JGUI,

perfect! When do you expect release, please?

buzz

jpiek
30th June 2004, 09:37 AM
Ultra Paranoid mode on:

Who guarantees your application doesn't do exactly what it says it should prevent?

1] Create a program that calls high-rate service phone numbers
2] make people scared about automatically calling phones
3] offer a 'solution' and give the program away for free....

4] get rich real fast... ;)

Ok, I'm joking, but it could be just as real....

JGUI
30th June 2004, 10:16 AM
jpiek: absolutely right

this is a very serious problem for me:
how to protect my application "solution" from somebody hacking it and posting the zip or setup file under the name of my application but with some hidden service inside.

Ok.
I can sign my setup with my PGP key, but... how many "mobile users" know and use PGP?

another way: if I post this application as freeware there will be many web sites that copy the file and give it away; this is the way some hacked copies could appear. If I lock the freeware and give away only a commercial setup, even for a small price of a few dollars, it should stop the above problem, because I decide where this setup stays official, and users don't have to ask me: "I downloaded your program from xxxx, is it a good/latest copy?"

thumper
30th June 2004, 01:24 PM
The problem in fact is also a feature :(

I can use a PC connection dialing my ISP, connecting to my MDA via Bluetooth. On my MDA I see no notification at all that the modem is working (I do not use the Wireless Modem app, but simply use the MDA as a Bluetooth modem).

JGUI
30th June 2004, 01:44 PM
"spb gprs monitor" controls your GPRS connection and processing

Mosser
30th June 2004, 01:45 PM
Have you considered releasing your app as donationware? (if that exists?)

Just let people download it and use it for free but ask for a small donation from people that use it regularly,

I'm not sure if this idea would work as it relies on trust, but maybe people would appreciate this method of release and it may sidestep the problem of cracked software? Not sure.

jpiek
30th June 2004, 02:03 PM
quote:
jpiek: absolutely right

this is a very serious problem for me:
how to protect my application "solution" from somebody hacking it and posting the zip or setup file under the name of my application but with some hidden service inside.

<cut>


Have you thought about a free registration online? You could do a CRC check or whatever before handing out a free registration code. Then you can be sure the original code of your application isn't changed...

wfberg
30th June 2004, 08:50 PM
Even signing with PGP/GPG is problematic; how do people verify that the key is yours? Application signing (like the process mandatory for smartphone apps) "solves" that by having "trusted" CA keys in the device; but I doubt it even displays who signed an app. And if it did, would people notice that it was signed by Joe Bob, and not JGUI?

And even if it IS signed by JGUI, that doesn't tell me anything either. Perhaps his key was stolen, maybe his development pc was infected with a virus that ended up in the executable, perhaps even JGUI himself is a nasty hacker, there's simply no way to know..

Of course, something is better than nothing, but a simple SHA1 hash of the setup file on the author's website isn't that much worse than the whole PKI thing. That would mean a hacker would have to hack both the application AND the website, at least for those who check that sort of thing.

Smartphone code signing in practice: http://www.msmobiles.com/article.php/52.html

Rabia
1st July 2004, 09:09 AM
I think I should hit the panic button. I think the best way is for this SW to track such services, so say I installed it & it caught a program trying to do that, it reports it to me, telling me SW so & so was trying to call or send SMS or so forth; in this case we avoid these programs altogether.

yourmate
1st July 2004, 01:42 PM
I'm sure, I will not sleep tonight... (I see myself sitting in the dark and dialing customer service all night just to have my account balance)

do not make (at least) your own life harder!! :lol:

ym