[SECURITY] Android Security for Conscious Mind

Status
Not open for further replies.

traceless

Senior Member
Jun 4, 2014
59
17
Google Nexus 5
OnePlus Nord

polonordo

Member
Nov 1, 2011
47
31
What a shame that the AOSP Browser is so bad on the privacy front, because it is literally the fastest browser out there :(
Does disabling JavaScript solve the flaws?
 

Ultramanoid

Senior Member
Apr 24, 2011
3,716
6,010
日本
What a shame that the AOSP Browser is so bad on the privacy front, because it is literally the fastest browser out there :(
Does disabling JavaScript solve the flaws?

The problem is that the AOSP browser is not the only issue: its engine (part of the OS) on anything below KitKat (Android 4.4.x) is affected. It means not just the browser, but ANY application using pre-KitKat WebKit is affected.

The only sure solution right now is upgrading to KitKat and not installing any browser or application that uses an old version of Android's WebKit.

This is a tremendously serious security issue, not just about privacy. The flaw means a malicious site can steal and use any info from the browser. If you're logged into something in another page or tab, anything, they can access it too.

More info :

http://thehackernews.com/2014/09/new-android-browser-vulnerability-is.html

This article points to patches from Google for developers, carriers or anyone who wants to fix this in an older system ( which means 99% of users won't, can't, don't know how to use this code, but whatever... ) :

http://blog.digicert.com/android-browser-bug-allows-origin-policy-bypass/
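Added here as an illustration, not code from the thread or from any project it mentions: a defensive helper for an app that embeds a WebView and may still run on a device with the pre-KitKat system WebKit, keeping the view to the app's own HTTPS origins and, on the affected engine, not executing script at all. The class name, the allow-list and the example.com origins are placeholders assumed for the demonstration.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical helper (not from the thread) for apps that embed a WebView and
 * may run on devices whose system WebKit predates KitKat (API 19).
 */
public final class LegacyWebViewGuard {

    /** Constructed allow-list of the only origins this app should ever render. */
    private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(Arrays.asList(
            "https://app.example.com",     // placeholder
            "https://static.example.com"   // placeholder
    ));

    private LegacyWebViewGuard() {}

    /** True when the device's system WebKit predates KitKat (Android 4.4.x). */
    public static boolean systemWebKitIsPreKitKat() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    /** Origin (scheme://host[:port]) of a URL, or null if it has no scheme or host. */
    static String originOf(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return null;
        }
        int port = uri.getPort(); // -1 when the URL carries no explicit port
        return scheme.toLowerCase(Locale.ROOT) + "://" + host.toLowerCase(Locale.ROOT)
                + (port == -1 ? "" : ":" + port);
    }

    /** Only exact HTTPS origins from the allow-list may be loaded. */
    static boolean isAllowed(String url) {
        String origin = originOf(url);
        return origin != null && origin.startsWith("https://") && ALLOWED_ORIGINS.contains(origin);
    }

    /** Apply restrictive settings and install a client that refuses other origins. */
    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        // Content loaded from file:// must not be able to read local files or other origins.
        settings.setAllowFileAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }
        if (systemWebKitIsPreKitKat()) {
            // On the affected engine, execute no script from any page, even an allowed one.
            settings.setJavaScriptEnabled(false);
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation; only allow-listed origins pass.
                return !isAllowed(url);
            }
        });
    }

    /** Entry point the app uses instead of calling webView.loadUrl() directly. */
    public static void loadTrusted(WebView webView, String url) {
        if (!isAllowed(url)) {
            throw new IllegalArgumentException("refusing to load untrusted origin: " + url);
        }
        webView.loadUrl(url);
    }
}
```

This only narrows what the old engine is exposed to and is no substitute for the KitKat upgrade the post recommends; note also that sub-resources fetched by an allowed page do not pass through shouldOverrideUrlLoading.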
 

sancho_panzer

Senior Member
Jul 11, 2014
721
828
Ubuntu is still violating your privacy: http://www.gnu.org/philosophy/ubuntu-spyware.en.html
Also it's unfortunate that you promote CyanogenMod in your signature, as it does not respect privacy either.
Hum, let's see. If you take a privacy-modded ROM like Omni, it will be fine, but if I take CyanogenMod and mod it myself as EXPLAINED in the OP, you find it unfortunate! OK, I can't agree. Even so, the dangers of CyanogenMod are very limited.

You will also see in the OP that I'm using a Chinese browser as default, and I didn't mention it, but my secondary browser is a well-known Korean beast. Even knowing the dangers I still prefer them over the Chrome crap, because I know them and I'm able to control them much better than many others. I'm still waiting to see Atlas grow up.

In the end it's how you use your tools that determines who you are and what you're doing. Instead of criticizing CyanogenMod you should respect them for being the first ones to take measures against big G.

Finally, I'll remind you that this thread is about using your devices with privacy, safely and HAVING PLEASURE doing it. If you want to be REALLY incognito, use your old Nokia 3310 and buy a disposable SIM.

Peace.

EDIT: Click here and, on the top left, click on "CM11 Nightlies Changelog"... guess whose link is below. Meanwhile I'll be waiting for your suggestions about good and safe ROMs and WHY (don't forget to tell us where the changelogs and security audits are).
 

sancho_panzer

Senior Member
Jul 11, 2014
721
828
@Ultramanoid



Congratulations, this is a rare moment!
 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,774
Sequim WA
After iOS 8 strengthens encryption on devices, Android L will be implementing encryption by default.

http://www.washingtonpost.com/blogs...-offering-default-encryption-blocking-police/

This is competition where we all win. It's good that OSs copy each other's good features. But we need more than two major players in the game...

The Android encryption feature has been in the works for some time; it wasn't a result of copying, but the logical maturing of an OS.
 

Ultramanoid

Senior Member
Apr 24, 2011
3,716
6,010
日本
Encryption is only as strong as the password. A 4-digit PIN code is way too easy to crack.

There's a funny discussion about that over at Slashdot. Wrench mentions included. ( The post is originally about Apple's warrant canary though. )

http://slashdot.org/story/207407

The Android encryption feature has been in the works for some time; it wasn't a result of copying, but the logical maturing of an OS.

Agreed. Plus it's obvious that software development and hardware design are both done months and years in advance. I was making more of a general comment about healthy competition and innovation prompted by an "arms race", and we might as well thank Snowden too. Suddenly everyone is encrypting everything.

Well, about time. (ノ ̄ー ̄)ノ
 

aguaz

Senior Member
Jan 16, 2014
136
31
... if I take CyanogenMod and mod it myself as EXPLAINED in the OP, you find it unfortunate!
No, in fact the opposite is the case; I appreciate your encouragement. As mentioned above, I only find it unfortunate that you promote it in your sig along with "Privacy Matters", because people might not read the OP and get a false sense that CyanogenMod respects their privacy. Anyway, I'm not here to attack you. It's just what came to my mind when I saw it.

I cut the rest of your post because it is way off-topic.
 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,774
Sequim WA
No, we are not going to link to nor discuss a piracy/piracy-enabling site like Aptoide in the security forum. No, the APKs are not all "official"; I have had to deal with pirated clients' apps through their service.

@polonordo
First you should go to <CENSORED> and install the <CENSORED> app. When you open the app for the first time it asks if you want to install the official store <CENSORED> and you say yes. THIS IS THE ONLY STORE YOU SHOULD USE; all apps downloaded from here are official, just like the Play Store. Even so, you should always confirm that the app you're installing has the green seal "TRUSTED".

Aptoide gives everybody the chance to have their own store (you may call it a repository) where you can upload your apps and share them if you want. And this is where bad things can happen if you install something from a repository you don't know. Yes, everybody knows many of them are focused on piracy, but then you use them if you want, just like guys on iPhone use Cydia if they choose.

Aptoide is the oldest alternative store; it's trusted by millions and always evolving. It's so good that it was the only store that had the balls to file a European antitrust complaint over Google's dominance. I've been using it for years, have already compared several signatures and decompiled many apps, and I assure you it's the real thing.

@CHEF-KOCH
So, as you can use Google to search and Drive to download piracy... Google is an evil pirate boat!

Once again you talk too much about subjects you don't have a clue about. It's becoming a classic and a shame on several threads. Learn something or keep your mouth shut, please.

Thank you.

Edit: please show us the results of the security audit of Raccoon.

Good reason not to trust them; you are hitting the nail on the head.
I wouldn't trust Aptoide; most of the cracked apps come from there. You only need the "correct" uploader name/nick and bingo, you get a cracked app (with, of course, different signatures). I don't say all of the apps are cracked, but nobody would use it if there weren't cracked apps (because you can download everything from legit places; check the "Top" stores yourself, 99% are known crackers). Better stick with F-Droid or Raccoon and buy all the apps you really need daily to help and motivate the developers.
 

CHEF-KOCH

Senior Member
Jan 2, 2012
451
237
@polonordo
First you should go to the Aptoide website and install the Aptoide app. When you open the app for the first time it asks if you want to install the official store http://m.apps.store.aptoide.com/ and you say yes. THIS IS THE ONLY STORE YOU SHOULD USE; all apps downloaded from here are official, just like the Play Store. Even so, you should always confirm that the app you're installing has the green seal "TRUSTED".

Aptoide gives everybody the chance to have their own store (you may call it a repository) where you can upload your apps and share them if you want. And this is where bad things can happen if you install something from a repository you don't know. Yes, everybody knows many of them are focused on piracy, but then you use them if you want, just like guys on iPhone use Cydia if they choose.

Aptoide is the oldest alternative store; it's trusted by millions and always evolving. It's so good that it was the only store that had the balls to file a European antitrust complaint over Google's dominance. I've been using it for years, have already compared several signatures and decompiled many apps, and I assure you it's the real thing.

@CHEF-KOCH
So, as you can use Google to search and Drive to download piracy... Google is an evil pirate boat!

Once again you talk too much about subjects you don't have a clue about. It's becoming a classic and a shame on several threads. Learn something or keep your mouth shut, please.

Thank you.

Edit: please show us the results of the security audit of Raccoon.


My argument is valid and you gave us the proof: everyone can upload infected and modified APKs, and of course cracked apps. That doesn't have anything to do with Google. As I said, in their Top 10 the most known crackers are placed well, and sure, millions of people don't want to pay anything for good apps (it's no secret that Android users don't pay as much as iOS users) and there is no control from Aptoide itself. Or do you think thousands of people use boards with cracked apps because they download only free apps?

If you report something on Aptoide the file will be re-uploaded (on other repos as a mirror) or the cracker uploads his stuff under a different account. Such behavior is not present in F-Droid because every upload is checked against signature, source and such mechanisms. So yes, there is no control; a green shield or antivirus does not help here, most Android AVs only scan for signatures, and not all files get a deep scan, or any scan at all if the uploader hasn't checked that option.

Raccoon is open source, so what do you need an audit for? Compile it yourself from the source if you don't trust it. I'd rather use this than other sites that upload cracked/infected APKs, use ads or whatever; personally I prefer original files "untouched".

Everyone can use what they want, just saying, but to say Aptoide is trusted is really wrong and sounds like you don't know what you are talking about; the client has also come with ads for some versions now.
Raccoon, on the other hand, does not come with ads; it uses the original market API and downloads only legit stuff from Google. I think it's a good solution.


Back to topic:
Test if your Android device is affected by recent SOP vulnerability!

A bug discovered recently in Android's Stock Browser allows websites to retrieve cookies and other information from other origins. Test your device to find out if it is vulnerable.

Read the full story over here.

 

Top Liked Posts

    == THREAD PURPOSE ==

    I'm opening this thread to share and learn ideas about privacy solutions; please respect the purpose and keep this thread clean. My main language isn't English, so if you spot errors or omissions please PM me so I can correct them. Thank you.

    All trolling or demotivating posts, disbelief about privacy concerns or defending Google's honor will be reported for cleaning.


    == PROBLEM, HYPOTHESIS, TESTS, CONCLUSION ==

    For years I've been very annoyed about privacy abuse on the Internet, and since the Snowden and Assange revelations my concerns have grown. I'm sure my personal and professional life is common and boring, but I want privacy with my things, just like I don't want a guy at the next table in the coffee shop listening to what I'm talking about.

    My first decision was to deploy a personal server, in my home, with OwnCloud. All went fine for some months until I realized what a pain it was to keep the system working; from server attacks and system failures to energy bills, nothing could justify such paranoia. The OwnCloud Android client was also very bad in those days.

    The second idea was hosting OwnCloud and mail services on a private host, but this didn't make any sense because data wasn't encrypted and every employee could easily see my thermonuclear projects and my secret banana pancake recipes. It was also a paid solution for nothing.

    Finally I thought "If you're using German services you should be fine; Germany's data privacy laws are the toughest in the world (even better than Switzerland's in this matter)". I'm in Europe, so using European services was a no-brainer decision, preferably in Germany and owned by German companies. Yes, I know you can't trust anyone, but even so I think it's a well-balanced solution.


    == SERVICES ==

    These are my services right now, share yours and try to justify why they're equal or even better. This list will be changed as needed:

    Mail - GMX (Germany)
    - Generally I really don't like 1&1 services, but GMX is really good and works only on European servers. I advise you not to use their other service, mail.com, because that one uses US servers. Unfortunately all other free German providers have low storage space. If you're willing to pay for privacy, try the Dutch StartMail, but it's in beta at the moment.

    Contacts & calendar - fruux (Germany)
    - Amazing services, great philosophy. For privacy and decentralization purposes I've opted not to have these services at my mail provider. Unfortunately their servers are on Amazon Ireland, but I believe fruux has implemented cryptographic code in their system.

    Cloud - HiDrive (Germany)
    - I NEVER upload sensitive information to the cloud, even encrypted (remember Heartbleed and the AES backdoor theory?). I was using Wuala for years but gave up after it was acquired by LaCie (USA). Tresorit shouldn't be trusted either; they're using Microsoft Azure servers, and each uploaded and shared link passes through the USA. Mega is darkness; I don't like the smell of it.

    Apps - F-Droid (UK/France)
    - FOSS is the way you should go, F-Droid is the obvious choice. F-Droid client was forked from Aptoide's source code.

    Aptoide (Portugal) is good but not consensual. Recently they filed an antitrust complaint against Google in the EU, proving they're concerned. You can only trust Aptoide IF you choose to install apps from their main centralized store (the default one; beware and don't trust any other user store). http://m.aptoide.com/about

    If you can't find what you're looking for then you can use Blank Store or Opera Mobile Store. Never choose Amazon Appstore, apps installed from there have proprietary code inserted.

    Search engines - DuckDuckGo (USA!)
    - Technically DuckDuckGo is a meta-search engine. It's amazingly good and you have lots of options to choose (did you know you can directly search images from Google if you search !gi [image you're searching for]?).

    Another great alternative is Startpage (Netherlands).


    == ANDROID SYSTEM ==

    My Android system:

    - CyanogenMod + freecyngn + NOGAPPS + SuperSU
    - TWRP recovery
    - Hardening Android for Security and Privacy


    == APPS ==

    My essential apps are:

    Apps client - F-Droid (FOSS)
    - See services above.

    Privacy and cleaning - AdAway and AFWall+ (both OSS)
    - Obvious choices on any privacy-concerned system. Block almost everything, trust no one.

    Android browser - Boat (proprietary code)
    - I just love the options, specs, interface and speed. I know this choice will be highly controversial for some because it's a Chinese-made browser, but it isn't a cloud browser (like the also-Chinese Maxthon) and it's really easy to firewall it from calling home (something somewhat difficult with Dolphin). The obvious FOSS choice for almost everyone would be Firefox, but I really hate their Android app and I have some bad thoughts about their Google connections. The FOSS best shot would be Tint or Lightning, but they're rather limited, and AOSP is even worse. Chrome is obviously excluded for privacy's sake.

    Boat devs also used to be active on Xda with many supporters. For security precautions block port range 192.241.158.0/24 and 211.151.0.0/24.

    Email app - K-9 (FOSS)
    - The oldest, most forked and trusted email client. Needs a deep design/interface Overhaulin' (hey, Chip Foose...)

    Contacts and calendar sync - Fruux + Birthday Adapter (FOSS)
    - See services above.

    Password & confidential safe - KeePassDroid (FOSS)
    - Believe me, I don't know a single password of my accounts and I have hundreds. The only really big and complex password I know is the one from KeePass.

    Antivirus - NONE, JUST DON'T
    - I will not discuss here the need for or true benefits of these apps, but I can assure you your data is leaking each time you go online. All of them make claims about privacy, but they're always collecting "unidentifiable data".


    == I will post links for everything soon. Please include links in your posts when justified. Thanks. ==

    == Android Alternative FOSS ==

    This is a list of some well-known apps and their open source alternatives. Incredibly, some of them are even better than the "official" or paid apps; some others are quite limited but evolving and much more secure.

    It's impossible to put everything here, only the best apps I've tried with success will be listed. Please keep posting your suggestions.

    BitTorrent Sync > Syncthing
    Chrome > Firefox
    Dolphin > Tint Browser
    Dropbox > OwnCloud, Seafile
    Facebook > Tinfoil for Facebook
    Gmail > k-9 Mail
    Lux Auto Brightness > YAAB
    Tasker > SwiP
    Titanium Backup > oandbackup
    Twitter > Twidere

    disconnect.me being used by blackphone/silentcircle lends a bit of credence to them. Take a look at the superhero team of security professionals that head silentcircle... the inventor of PGP encryption, for one..? They've a track record of consistent and clear intent to serve the light side of privacy. disconnect's NSA connection or not... lest we forget Snowden is associated with the NSA as well... was he a manchurian candidate? manufactured whistleblowing? or just a whitehat?.. a secretly abused whitehat? Who knows the argument could go both ways. All I'm saying here is that just because one has had ties to a high profile group adversarial of privacy, doesn't ensure they share the same modus operandi. I concede it doesn't ensure they don't either, but there's no credence to being an open source dev with your gear up for show on github either. Remember heartbleed? There's some sketchy origins of the pull request for the bits of code that caused it.

    further reading for consideration:


    desktop tools:
    openvpn(be sure to check for DNS leaks, disable ipv6 stack on all non-relevant interfaces, and setup a firewall config to block outbound connections if the VPN drops.)
    if you're stuck on windows, drop chrome, but consider chromium. there are builds for it compiled for winblows, and it's certainly a better secondary browser than internot exploder.
    bleachbit (built on linux, but compiled to windows as well. scrub the cruft regularly, as your cache can identify you. see information about E-Tags)
    privazer is another thorough crap cleaner
    chocolatey, a package management system for windows (apt-get for win)
    peerblock blacklist-based IP blocker
    hosts-file.net blacklist-based hosts blocker (blocks ads/adware/malware/spyware faster than ABP can even attempt to begin blocking a request.)

    past that... stop using windows for anything personal. set yourself up a windows gaming box if you need, but when it comes down to browsing, communications, banking, etc... all are juicy targets of the blanket observation by state, corporation, and cybermafia alike. If you've had a virus at ANY time since you've installed windows, STOP. Regardless of whether an AV says they caught it, you have no clue if the AV is capable of assuring you that nothing else in your system was modified to leave backdoors open. Hell, there's some speculation that M$ is in bed with the NSA and has left backdoors in the system explicitly for the purpose. Just because my audience here is likely not an enemy of the state doesn't mean a cybermafia doesn't have full knowledge of baked-in backdoors.

    If you must, at least attempt to harden your windows machine:

    EMET 4.1 , produced by microsoft, is like SElinux and xprivacy for windows. install, read some howtos, configure, and forget it in the system tray.
    malwarebytes antiexploit, works in tandem with EMET.
    sandboxie for anything else you're handling sketchy files with.


    Or... on the other hand... Linux desktop systems have come a long way, and since Windows continues to disappoint with their offerings the mass exodus to linux is growing by the day. check out distrowatch.org, find a flavor that seems fun to play with, download an iso image, burn to disk, and boot it up for an hour or two.



    desktop firefox addons:
    eff.org "privacy badger"
    dephormation.org.uk "secret agent"
    "random agent spoofer" does much of the same if you're uncomfortable with addons outside of the official addons 'repo'
    "certificate patrol" for uber-micromanagement of SSL certificates received from servers
    "refcontrol" similar to the above, but removes x-forwarded-by http header (as opposed to altering the url your browser is about to fetch)
    "request policy" to micromanage what sites can sideload which content from other domains
    the following can also be found on FF for android
    "bluhell firewall" (regex minimalized version of an Adblock list tool, incredibly lower resource consumption)
    "ABEdge" is fine if you're terribly wary of closed source projects, but bluhell has worked a charm
    "cleanlinks" to auto-scrape referrer nesting off of links


    chromium desktop addons :
    http switchboard (open source on github, better than ABEdge, noscript, requestpolicy, self-destructing cookies, betterprivacy combined... i recently found this one and am astonished at how well it does the work it took 5 separate firefox addons to do. now if only we could get a per-request user agent rotator for chromium and i'd be almost comfortable using google's FOSS project as a regular browser...)

    same developer as switchboard also built a bluhell-style adblocker called ublock (mu / micro symbol, like utorrent)



    Android mods:
    AFwall (hmmm glad I've blocked the kernel itself from network requests after reading through this thread...)
    xprivacy
    unbelovedHosts, an xposed module hosts blacklist
    MOAAB Mother of all ad blockers recovery-flashable hosts file
    smarter wifi manager (produced by the kismet wifi tool people, well respected FOSS devs. protects android's propensity for constantly updating a 50 yard radius around you with every wifi SSID you've ever connected to, and saves battery.)
    Google Auth (2 factor authentication program that works with quite a few non-google services, basically a time based RNG keyring, probably some others out there but a nice implementation, IMHO, despite the Goo.)
    openvpn / tun.ko installer ... stop telCo/firesheep deep packet inspection. VPN services all over the place, check torrentfreak for up to date reviews. Don't stick your nic in the internet without a VPN on...

    stay away from minmin guard and the supposed poof an Adblock listrt of peerblock, both have publicly questioned sources and motives.

    if you're really really adventurous, consider replicant, a completely GNU android distribution sponsored by Free Software Foundation. if you have a device they support, and have some hair on your geek chest, it's going to be like a cabin in northern Canada, be ready to be off the grid.

    stay safe, san diego.

    @dvdram I agree and don't understand why so many people just don't care to talk about it.
    Do you want to know what really annoys me? Those dorks that lie to themselves by repeating again and again "I don't have anything to hide!" :mad:

    Of course they do! Everyone has something to hide in their lives. That's the damned reason why we use houses and flats with non-transparent walls and doors that can be shut and locked!

    Please excuse my rudeness, but what really pisses me off is the missing rage of our chancellor. She grew up in a country where no one was safe from being spied upon, where no one could be sure who else listens to that phone call other than the one you were talking to. She knows what it's like to live in such a country. And what does she do? NOTHING!

    If I were her I would become mad like the Hulk and give the American government an appropriate answer. But she's just sitting there and waiting until it's all over. That kind of phlegm and disinterest makes me puke!

    Thankfully I did not vote for her and her party.

    Nice thread, thanks! :good:

    Some thoughts from my side:
    I generally distrust every online service, especially if I don't pay for them. I think it is better to decentralise services and host them on self managed servers in families, groups of friends,... and thus basically only give data to trusted persons you know in real life.
    Here are two good links that show alternatives to proprietary software/cloud services:

    == SERVICES ==
    Mail -
    I think mail is generally difficult to self-host, so you need a good mail service. Posteo was mentioned here; another similar reliable German mail provider (with English translation) is mailbox.org. They even encrypt unencrypted incoming mails with your PGP key before they store them.

    Contacts & calendar -
    Posteo and mail.org also include contact and calendar synchronisation via CalDav/CardDav. Even better: Host it by yourself.

    Instant Messaging -
    XMPP (Jabber) is an open decentralised protocol with lots of implementations for almost every platform. You can host it yourself or use an existing server. There are also very good clients for Android like Conversations or Xabber.

    == ANDROID SYSTEM ==

    Two additions:
    Free Your Android! - campaign of the Free Software Foundation Europe
    IMSI Catcher/Spy Detector

    == APPS ==

    Android browser - Boat (proprietary code)
    Don't do this! Firefox for Android is also a good choice. And Orweb not to forget!

    I use aCal from F-Droid
    DAVdroid is also a very good FOSS CalDav/CardDav provider that integrates with the contacts/calendar app of Android. And it is under active development (in contrast to aCal).