[SECURITY] Android Security for Conscious Mind


Ultramanoid

Senior Member
Apr 24, 2011
3,716
6,009
日本
When they say Angela Merkel or Barack Obama are using a Blackberry, don't think for a second that means anything regarding what 'normal people' get from Blackberry.

Yes, you choose a hardware manufacturer, a carrier, and you exchange money and / or data for products / services, there is no other way to live unless you isolate yourself from society. Since I thought your specific worry was Google from what you first wrote, I mentioned the other companies, that is all.
 

sancho_panzer

Senior Member
Jul 11, 2014
721
828
So since Omni is a privacy-concerned ROM, does any other ROM based on Omni follow? Like DU
I've been using CyanogenMod+hacks like mentioned on OP with great success and that's my best choice if you ask me, even compared to Omni. Omni could be great but development is slow and support is scarce, they need more devs and a more enthusiastic philosophy.

Guardian ROM was promising but has huge limitations and seems lethargic on development:

Known issues:

- Superuser doesn't work properly (SU is only available over adb shell).
- Windows installer is not yet tested or released, meaning Windows users must manually flash using fastboot.
- No GUI for encryption (Must be done by installer or adb).

More about Guardian here.
 

polonordo

Member
Nov 1, 2011
47
31
Aptoide (Portugal) it's good but not consensual. Recently they're processing Google with Antitrust Complaint in EU proving they're concerned. You can only trust Aptoide IF you choose to install apps from their main centralized store (the default one, beware and don't trust any other user store). http://m.aptoide.com/about


How can I browse their default store? On the web site I can only choose other people's stores.

Besides F-Droid and Aptoide, is there any other safe place where we can get apps?
 

CHEF-KOCH

Senior Member
Jan 2, 2012
451
237
I wouldn't trust aptoide, most of the cracked apps come from there. You only need the "correct" uploader name/nick and bingo, you get a cracked app (with of course different signatures). I don't say all of the apps are cracked, but nobody would use it if there wouldn't be cracked apps (because you can download all from legit places and check yourself the "Top" stores, 99% are known cracker) Better stick with F-Droid or Raccoon and buy all apps you really need daily to help and motivate the developers.
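As an added example (not code from this thread, from Aptoide or from F-Droid), a Python check for the point above: a repackaged or "cracked" build is signed with a different certificate than the publisher's, so pinning the signer fingerprint from a known-good copy and comparing before installing catches it. It only reads the v1 JAR signature (META-INF/*.RSA) and the APK, certificate and OIDs wrapped here are constructed stand-ins; the pinned fingerprint is assumed to come from a copy obtained directly from the developer.

```python
import hashlib
import io
import zipfile


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, vstart, vend, pos, vend
        pos = vend


def first_cert_from_pkcs7(blob):
    """Return the DER bytes of the first certificate carried in a PKCS#7 SignedData blob."""
    tag, vs, ve = der_tlv(blob, 0)                            # ContentInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    content = list(der_children(blob, vs, ve))[1]             # [0] EXPLICIT SignedData
    signed = next(der_children(blob, content[1], content[2]))  # SignedData ::= SEQUENCE
    for t, cs, ce, _, _ in der_children(blob, signed[1], signed[2]):
        if t == 0xA0:                                         # certificates [0] IMPLICIT SET OF Certificate
            cert = next(der_children(blob, cs, ce))
            return blob[cert[3]:cert[4]]
    raise ValueError("SignedData carries no certificates")


def apk_signer_fingerprint(apk_bytes):
    """SHA-256 hex digest of the v1 (JAR) signing certificate, the value apksigner/keytool print."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        sig_files = [n for n in z.namelist()
                     if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not sig_files:
            raise ValueError("no v1 signature block; inspect the v2/v3 signing block with apksigner")
        cert = first_cert_from_pkcs7(z.read(sig_files[0]))
    return hashlib.sha256(cert).hexdigest()


def matches_pinned(apk_bytes, pinned_sha256):
    """True only if the APK's signer matches the fingerprint pinned from a known-good copy."""
    return apk_signer_fingerprint(apk_bytes) == pinned_sha256.replace(":", "").lower()


# ---- constructed sample data (not real certificates or APKs) ----
def der(tag, payload):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def fake_apk(cert_body, signed=True):
    """Build an in-memory zip shaped like a v1-signed APK whose CERT.RSA wraps a dummy certificate."""
    oid_data = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"       # pkcs7-data
    oid_signed = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"     # pkcs7-signedData
    cert = der(0x30, cert_body)                               # stand-in for an X.509 Certificate SEQUENCE
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, oid_data))
                      + der(0xA0, cert) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, oid_signed) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signed:
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", pkcs7)
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    pinned = apk_signer_fingerprint(fake_apk(b"publisher-key"))   # taken from a known-good copy
    print("store copy ok:", matches_pinned(fake_apk(b"publisher-key"), pinned))   # True
    print("repack ok:   ", matches_pinned(fake_apk(b"someone-else"), pinned))     # False
```

A matching signer only tells you who signed the file; the contents still need the full signature verification that the package installer (or `apksigner verify`) performs.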
 

sancho_panzer

Senior Member
Jul 11, 2014
721
828
@polonordo
First you should go to <CENSORED>and install the <CENSORED> app. When you open the app for the first time it asks if you want to install the official store <CENSORED>and you say yes. THIS IS THE ONLY STORE YOU SHOULD USE, all apps downloaded from here are official, just like Play Store. Even so you should always confirm if the app you're installing has the green seal "TRUSTED".

Aptoide gives everybody the chance to have its own store (you may call it repository) where you can upload your apps and share them if you want. And this is where bad things can happen if you install something from a repository you don't know. Yes, everybody knows many of them are focused on piracy but then you use them if you want, just like guys on iPhone use Cydia if they choose.

Aptoide is the oldest alternative store, it's trusted by millions and always evolving. It's so good that it was the only store that had the balls to file a European antitrust complaint over Google dominance. I've been using it for years, have already compared several signatures and decompiled many apps, and I assure you it's the real thing.

@CHEF-KOCH
So, as you can use Google to search and Drive to download piracy... Google is an evil pirate boat!

Once again you talk too much about subjects you don't have a clue about. It's becoming a classic and a shame on several threads. Learn something or keep your mouth shut please.

Thank you.

Edit: please show us the results of the security audit to Raccoon.
 

Ultramanoid

Senior Member
Apr 24, 2011
3,716
6,009
日本
Hope CyanogenMod browser, Lightning, Tint, and any /all AOSP-based browsers developers are in on this :

Android Browser flaw a “privacy disaster” for half of Android users - Bug enables malicious sites to grab cookies, passwords from other sites.

Best and probably only comment needed about this, from the responses to the article :

No end-user app should ever be part of the operating system...period.

Edit : AOSP and WebKit vulnerable, WebView broken, Chromium only in data mining browsers, Firefox embracing AdMob... Android browsing looking better and better every single day. Sigh.
 

tga.d

New member
Sep 15, 2014
3
6
Hope CyanogenMod browser, Lightning, Tint, and any /all AOSP-based browsers developers are in on this :

Best and probably only comment needed about this, from the responses to the article :

If you look at the Hacker News thread on it someone posted a link to test your browser (new user, can't post links yet).

Firefox embracing AdMob
Haven't heard anything about this, what are you talking about?
 

Ultramanoid

Senior Member
Apr 24, 2011
3,716
6,009
日本
If you look at the Hacker News thread on it someone posted a link to test your browser (new user, can't post links yet).

Haven't heard anything about this, what are you talking about?

I don't use a browser affected by this, I was saying I hope developers of browsers affected by it do something about it, and fast.

You can post links as text.

Read through the thread to know about Firefox. Nightlies for Android come bundled with AdMob ( download one and check yourself ) and as for the rest of platforms, find the links on this thread or refer to Mozilla themselves and their program for "sponsored tiles"...
 

tga.d

New member
Sep 15, 2014
3
6
I don't use a browser affected by this, I was saying I hope developers of browsers affected by it do something about it, and fast.
I figured as much, the vulnerable browser doesn't even run on the latest versions of android afaik.

You can post links as text.
It's not letting me post that particular link, even in code tags.

Read through the thread to know about Firefox.
I did. The only mention of it is either you or people replying to you, and no source was ever provided for this information.
Nightlies for Android come bundled with AdMob ( download one and check yourself )
Did that too, no ad mob to be found. In fact, since it seemed so out of character to me (at least, it doesn't sound like something any of the Mozilla devs I've met would ever do), I grep'd the entire source code for any mention of admob, but found nothing. Figuring maybe they pulled the library after backlash, I searched the changelog as well. Nothing. And for one last stab, I searched Bugzilla, where such a matter would have been discussed (either by mozilla devs, or the random angry people who file a bug report for every slight, perceived or otherwise). Still nothing. So maybe you can link me to a signed copy of Fennec with admob in it, but failing that, it sounds to me like you're spreading FUD, which I don't think is fair to the good people at Mozilla.
and as for the rest of platforms, find the links on this thread or refer to Mozilla themselves and their program for "sponsored tiles"...
You mean the "sponsored tiles" that weren't rolled into nightly until August 28th, weeks after you started posting all this nonsense? In any case, the only "tracking" done with those tiles is 1. geoip, for default language (which has been done for years on all major browsers), 2. how many times any tile is displayed, and 3. how many times a tile is clicked on - all of this done using simple http requests, no additional libraries needed. The latter two are collected in aggregate, and the whole thing can be easily hidden (meaning the only data collected would be "0, 0") by clicking the little button in the right hand corner, or be completely disabled by switching the associated flag in about:config if you're super paranoid, or even examine the code yourself:
Code:
https://hg.mozilla.org/mozilla-central/log?rev=sponsored
 

Ultramanoid

Senior Member
Apr 24, 2011
3,716
6,009
日本
I figured as much, the vulnerable browser doesn't even run on the latest versions of android afaik.

It does. There are dozens of AOSP-based browsers and compiled versions of the AOSP browser itself -- and applications including this code to render web pages within them.

Search for any, install it on KitKat, check yourself.

It's not letting me post that particular link, even in code tags.

Seriously ? You can't put spaces or otherwise write a link, to say anything dot com, anything .com or any other of various combinations of text to post a link even if it's not clickable ? Joke is on me for even replying with this paragraph.

https :// news.ycombinator.com/item?id=8321185

I'm not responding to anything else you write, as I don't want to give more arguments to someone starting a flame war. Enough of those all over XDA.

Edit : Just wanted to add this :

...which I don't think is fair to the good people at Mozilla.

I'm one of those "good people", myself. Not just a contributor, but a user of Mozilla Firefox since the 90s, which is why I'm furious about this development. And no, I won't give you my work address or my name to prove it.
 


jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,774
Sequim WA
Guys, let's be adults here, instead of slinging insults. I fought long and hard for us to even get a security forum, let's not turn it into a zoo.

FireFox Nightly does indeed have the admob library in it

Is it actually used? No idea.
 

traceless

Senior Member
Jun 4, 2014
56
17
Guys, a little off topic: what Linux distro would you recommend? I'd like to install one on my laptop instead of W7. Any idea which one focuses on privacy but also has an easy to use interface?
It should have a package manager because I'm not familiar enough with Linux to deal with the makefiles :/
Greetz
 

sancho_panzer

Senior Member
Jul 11, 2014
721
828
Guys, a little off topic: what Linux distro would you recommend? I'd like to install one on my laptop instead of W7. Any idea which one focuses on privacy but also has an easy to use interface?
It should have a package manager because I'm not familiar enough with Linux to deal with the makefiles :/
Greetz
If you're beginning with Linux, Ubuntu is the most friendly but a "normal" distro as far as security is concerned.

Here you can find a list of good and secure distributions.

But you can always run the system from a live CD, that way you don't leave any trails. ;)
 

Ultramanoid

Senior Member
Apr 24, 2011
3,716
6,009
日本
Guys, a little off topic: what Linux distro would you recommend? I'd like to install one on my laptop instead of W7. Any idea which one focuses on privacy but also has an easy to use interface?
It should have a package manager because I'm not familiar enough with Linux to deal with the makefiles :/
Greetz

As mentioned above, Ubuntu is arguably the friendliest. Mint is up there too, probably the most 'popular' these days. I haven't checked openSUSE, Mandriva / Mageia in the last few months but they were nice for newbies last time I did.

If you get comfortable, I'd suggest moving on to Debian, Fedora, or Arch. Fedora runs great from an encrypted USB drive, others do too.

Tails is probably the most secure one.

https://tails.boum.org/

Lots of info here as well :

http://distrowatch.com
 
Top Liked Posts

    == THREAD PURPOSE ==

    I'm opening this thread to share and learn ideas about privacy solutions, please respect the purpose and keep this thread clean. My main language isn't English so if you spot errors or omissions please PM me so I can correct them. Thank you.

    All trolling or demotivating posts, disbelieving about privacy concerns or defending Google honor will be reported for cleaning.


    == PROBLEM, HYPOTHESIS, TESTS, CONCLUSION ==

    For years I've been very annoyed about privacy abuse on Internet and since Snowden and Assange revelations my concerns raised. I'm sure my personal and professional life is common and boring but I want privacy with my things just like I don't want a guy next table in the coffee shop listening to my talking subjects.

    My first decision was to deploy a personal server, in my home, with OwnCloud. All went fine for some months until I realized the pain it was maintaining the system working, from server attacks and system fails to energy bills nothing could justify such paranoia. The OwnCloud Android client was also very bad those days.

    The second idea was hosting OwnCloud and mail services on a private host, but this didn't make any sense because data wasn't encrypted and every employee could easily see my thermonuclear projects and my banana pancakes secret recipes. It was also a paid solution for nothing.

    Finally I thought "If you're using German services you should be fine, Germany privacy data laws are the toughest in the world (even better than Swiss in this matter)". I'm in Europe so using European services was a no-brainer decision, preferably in Germany and owned by German companies. Yes, I know you can't trust anyone but even so I think it's a well balanced solution.


    == SERVICES ==

    These are my services right now, share yours and try to justify why they're equal or even better. This list will be changed as needed:

    Mail - GMX (Germany)
    - Generally I really don't like 1&1 services but GMX is really good and working only on European servers. I advise you not to use their other service, mail.com, because this one uses USA servers. Unfortunately all other free German providers have low storage space. If you're willing to pay for privacy try Dutch StartMail but it's beta at the moment.

    Contacts & calendar - fruux (Germany)
    - Amazing services, great philosophy. For privacy and decentralization purposes I've opted not to have these services on my mail provider. Unfortunately their servers are on Amazon Ireland, but I believe fruux have implemented cryptographic code on their system.

    Cloud - HiDrive (Germany)
    - I NEVER upload sensitive information to the cloud, even encrypted (remember Heartbleed and AES backdoor theory?). I was using Wuala for years but gave up after it was acquired by LaCie (USA). Tresorit shouldn't be trusted either, they're using Microsoft Azure servers, each uploaded and shared link passes through the USA. Mega is darkness, I don't like the smell of it.

    Apps - F-Droid (UK/France)
    - FOSS is the way you should go, F-Droid is the obvious choice. F-Droid client was forked from Aptoide's source code.

    Aptoide (Portugal) it's good but not consensual. Recently they're processing Google with Antitrust Complaint in EU proving they're concerned. You can only trust Aptoide IF you choose to install apps from their main centralized store (the default one, beware and don't trust any other user store). http://m.aptoide.com/about

    If you can't find what you're looking for then you can use Blank Store or Opera Mobile Store. Never choose Amazon Appstore, apps installed from there have proprietary code inserted.

    Search engines - DuckDuckGo (USA!)
    - Technically DuckDuckGo is a meta-search engine. It's amazingly good and you have lots of options to choose (did you know you can directly search images from Google if you search !gi [image you're searching for]?).

    Another great alternative is Startpage (Netherlands).


    == ANDROID SYSTEM ==

    My Android system:

    - CyanogenMod + freecyngn + NOGAPPS + SuperSU
    - TWRP recovery
    - Hardening Android for Security and Privacy


    == APPS ==

    My essential apps are:

    Apps client - F-Droid (FOSS)
    - See services above.

    Privacy and cleaning - AdAway and AFWall+ (both OSS)
    - Obvious choices on each privacy concerned system. Block almost everything, trust no one.

    Android browser - Boat (proprietary code)
    - I just love the options, specs, interface and speed. I know this choice will be highly controversial for some because it's a Chinese made browser, but it isn't a cloud browser (like the also Chinese Maxthon) and it's really easy to firewall it from calling home (something somehow difficult with Dolphin). The obvious FOSS choice for almost everyone would be Firefox but I really hate their Android app and I have some bad thoughts about their Google connections. The FOSS best shot would be Tint or Lightning, but they're rather limited and AOSP is even worse. Chrome is obviously excluded for privacy's sake.

    Boat devs also used to be active on Xda with many supporters. For security precautions block port range 192.241.158.0/24 and 211.151.0.0/24.

    Email app - K-9 (FOSS)
    - The oldest, most forked and trusted email client. Needs a deep design/interface Overhaulin' (hey, Chip Foose...)

    Contacts and calendar sync - Fruux + Birthday Adapter (FOSS)
    - See services above.

    Password & confidential safe - KeePassDroid (FOSS)
    - Believe me, I don't know a single password of my accounts and I have hundreds. The only really big and complex password I know is the one from KeePass.

    Antivirus - NONE, JUST DON'T
    - I will not discuss here the needs or true benefits of these apps but I can assure you your data is leaking each time you go online. All of them make claims about privacy but they're always collecting "unidentifiable data".


    == I will post links for everything soon. Please include links in your posts when justified. Thanks. ==
    == Android Alternative FOSS ==

    This is a list of some well known apps and their open source alternatives. Incredibly some of them are even better than "official" or paid apps, some others are quite limited but evolving and much more secure.

    It's impossible to put everything here, only the best apps I've tried with success will be listed. Please keep posting your suggestions.

    BitTorrent Sync > Syncthing
    Chrome > Firefox
    Dolphin > Tint Browser
    Dropbox > OwnCloud, Seafile
    Facebook > Tinfoil for Facebook
    Gmail > k-9 Mail
    Lux Auto Brightness > YAAB
    Tasker > SwiP
    Titanium Backup > oandbackup
    Twitter > Twidere
    disconnect.me being used by blackphone/silentcircle lends a bit of credence to them. Take a look at the superhero team of security professionals that head silentcircle... the inventor of PGP encryption, for one..? They've a track record of consistent and clear intent to serve the light side of privacy. disconnect's NSA connection or not... lest we forget Snowden is associated with the NSA as well... was he a manchurian candidate? manufactured whistleblowing? or just a whitehat?.. a secretly abused whitehat? Who knows the argument could go both ways. All I'm saying here is that just because one has had ties to a high profile group adversarial of privacy, doesn't ensure they share the same modus operandi. I concede it doesn't ensure they don't either, but there's no credence to being an open source dev with your gear up for show on github either. Remember heartbleed? There's some sketchy origins of the pull request for the bits of code that caused it.

    further reading for consideration:


    desktop tools:
    openvpn(be sure to check for DNS leaks, disable ipv6 stack on all non-relevant interfaces, and setup a firewall config to block outbound connections if the VPN drops.)
    if you're stuck on windows, drop chrome, but consider chromium. there are builds for it compiled for winblows, and it's certainly a better secondary browser than internot exploder.
    bleachbit (built on linux, but compiled to windows as well. scrub the cruft regularly, as your cache can identify you. see information about E-Tags)
    privazer is another thorough crap cleaner
    chocolatey, a package management system for windows (apt-get for win)
    peerblock blacklist-based IP blocker
    hosts-file.net blacklist-based hosts blocker (blocks ads/adware/malware/spyware faster than ABP can even attempt to begin blocking a request.)

    past that... stop using windows for anything personal. set yourself up a windows gaming box if you need, but when it comes down to browsing, communications, banking, etc... all are juicy targets of the blanket observation by state, corporation, and cybermafia alike. If you've had a virus at ANY time since you've installed windows, STOP. Regardless if an AV says they caught it, you have no clue if the AV is capable of assuring you that nothing else in your system was modified to leave backdoors open. Hell, there's some speculation that M$ is in bed with the NSA and has left backdoors in the system explicitly for the purpose. Just because my audience here is likely not an enemy of the state, doesn't mean a cybermafia doesn't have full knowledge of baked-in backdoors.

    If you must, at least attempt to harden your windows machine:

    EMET 4.1, produced by Microsoft, is like SElinux and xprivacy for windows. install, read some howtos, configure, and forget it in the system tray.
    malwarebytes antiexploit, works in tandem with EMET.
    sandboxie for anything else you're handling sketchy files with.


    Or... on the other hand... Linux desktop systems have come a long way, and since Windows continues to disappoint with their offerings the mass exodus to linux is growing by the day. check out distrowatch.org, find a flavor that seems fun to play with, download an iso image, burn to disk, and boot it up for an hour or two.



    desktop firefox addons:
    eff.org "privacy badger"
    dephormation.org.uk "secret agent"
    "random agent spoofer" does much of the same if you're uncomfortable with addons outside of the official addons 'repo'
    "certificate patrol" for uber- micromanagement of SSL certificates received from servers
    "refcontrol" similar to the above, but removes x-forwarded-by http header (as opposed to altering the url your browser is about to fetch)
    "request policy" to micromanage what sites can sideload which content from other domains
    the following can also be found on FF for android
    "bluhell firewall" (regex minimalized version of an Adblock list tool, incredibly lower resource consumption)
    "ABEdge" is fine if you're terribly wary of closed source projects, but bluhell has worked a charm
    "cleanlinks" to auto-scrape referrer nesting off of links


    chromium desktop addons :
    http switchboard (open source on github, better than ABEdge, noscript, requestpolicy, self-destructing cookies, betterprivacy combined... i recently found this one and am astonished at how well it does the work it took 5 separate firefox addons to do. now if only we could get a per-request user agent rotator for chromium and i'd be almost comfortable using google's FOSS project as a regular browser...)

    same developer as switchboard also built a bluhell-style adblocker called ublock (mu / micro symbol, like utorrent)



    Android mods:
    AFwall (hmmm glad I've blocked the kernel itself from network requests after reading through this thread...)
    xprivacy
    unbelovedHosts, an xposed module hosts blacklist
    MOAAB Mother of all ad blockers recovery-flashable hosts file
    smarter wifi manager (produced by the kismet wifi tool people, well respected FOSS devs. protects android's propensity for constantly updating a 50 yard radius around you with every wifi SSID you've ever connected to, and saves battery.)
    Google Auth (2 factor authentication program that works with quite a few non-google services, basically a time based RNG keyring, probably some others out there but a nice implementation, IMHO, despite the Goo.)
    openvpn / tun.ko installer ... stop telCo/firesheep deep packet inspection. VPN services all over the place, check torrentfreak for up to date reviews. Don't stick your nic in the internet without a VPN on...

    stay away from minmin guard and the supposed poof an Adblock listrt of peerblock, both have publicly questioned sources and motives.

    if you're really really adventurous, consider replicant, a completely GNU android distribution sponsored by Free Software Foundation. if you have a device they support, and have some hair on your geek chest, it's going to be like a cabin in northern Canada, be ready to be off the grid.

    stay safe, san diego.
    @dvdram I agree and don't understand why so many people just don't care to talk about it.
    Do you want to know what really annoys me? Those dorks that lie to themselves by repeating again and again "I don't have anything to hide!" :mad:

    Of course they do! Everyone has something to hide in their lives. That's the damned reason why we use houses and flats with non-transparent walls and doors, that can be shut and locked!

    Please excuse my rudeness, but what really pisses me off is the missing rage of our chancellor. She grew up in a country where no one was safe from being spied upon, where no one could be sure who else listens to that phone call other than the one you were talking to. She knows what it's like to live in such a country. And what does she do? NOTHING!

    If I were her I would become mad like the Hulk and give the American government an appropriate answer. But she's just sitting there and waiting until it's all over. That kind of phlegm and disinterest makes me puke!

    Thankfully I did not vote for her and her party.
    Nice thread, thanks! :good:

    Some thoughts from my side:
    I generally distrust every online service, especially if I don't pay for them. I think it is better to decentralise services and host them on self managed servers in families, groups of friends,... and thus basically only give data to trusted persons you know in real life.
    Here are two good links that show alternatives to proprietary software/cloud services:

    == SERVICES ==
    Mail -
    I think mails are generally difficult to self-host. So you need a good mail service. Posteo was mentioned here, another similar reliable German mail provider (with English translation) is mailbox.org. They even encrypt unencrypted incoming mails with your PGP-key before they store them.

    Contacts & calendar -
    Posteo and mailbox.org also include contact and calendar synchronisation via CalDav/CardDav. Even better: host it by yourself.

    Instant Messaging -
    XMPP (Jabber) is an open decentralised protocol with lots of implementations for almost every platform. You can host it by yourself or use an existing server. There are also very good clients for Android like Conversations or Xabber.

    == ANDROID SYSTEM ==

    Two additions:
    Free Your Android! - campaign of the Free Software Foundation Europe
    IMSI Catcher/Spy Detector

    == APPS ==

    Android browser - Boat (proprietary code)
    Don't do this! Firefox for Android is also a good choice. And Orweb not to forget!

    I use aCal from F-Droid
    DAVdroid is also a very good FOSS CalDav/CardDav-provider that integrates with the contacts/calendar app of android. And it is under active development (in contrast to aCal)