[APP][XPOSED][6.0+] XPrivacyLua - Android privacy manager

By M66B, Recognized Developer on 5th January 2018, 04:32 PM
7th July 2019, 09:08 PM |#4491  
Senior Member
Quote:
Originally Posted by dope77

Hey, I have this question and it'll be great if I get an answer. I noticed this behavior in multiple apps and games downloaded from Google Play (downloaded for the first time on my device, never used them before!!!!!).

Yesterday I was bored, I installed a game (Beach Buggy Racing 2), applied restrictions and opened it. When I opened it, I saw that the data inside the app doesn't belong to me at all (first time I play this game), I saw that I have 800k coins and gems and most of the things unlocked.
Same thing for a VPN app I used before, after applying restrictions, I opened it and found out that I got premium (also used for the first time).

Today I installed a game (Shadow Fighter 3), same thing happened, got some cash and progress that doesn't belong to me.

A card game I once downloaded, after applying restrictions I opened the app, same thing happened. But this was the weirdest one because this game had a chatting system where people can send and receive messages..., believe me when I say that this was definitely someone's profile, it's like I'm using his profile, I saw the messages he sent and the chat with his friends, he was lvl 34 I think.

Happened with some other apps.

So, is this caused because of faking the device ID? Is it normal also?

Are you using the official Play Store? This sounds like you're logged in with a wrong account and that data is being synced.
The device id (or anything that XPL restricts) is not something that any normal app should use for user authentication.
 
 
8th July 2019, 01:41 AM |#4492  
Senior Member
Quote:
Originally Posted by Namnodorel

Are you using the official Play Store? This sounds like you're logged in with a wrong account and that data is being synced.
The device id (or anything that XPL restricts) is not something that any normal app should use for user authentication.

Yes, official Play Store, and only my Gmail account is on the device.

---------- Post added at 01:41 AM ---------- Previous post was at 01:08 AM ----------

Forgot to add that this happens without signing in to the games, just after installation is done, I open the app and it happens (no Google Play Games installed).
9th July 2019, 08:00 AM |#4493  
M66B
OP Recognized Developer
In the past I said a few times that apps could theoretically access data through "sister" apps. This appears to be not so theoretical after all and is called a "Covert channel technique":

Study: Over 1000 Android apps on Google Play accessed user data without proper permissions
The Following 13 Users Say Thank You to M66B For This Useful Post
9th July 2019, 03:59 PM |#4494  
Cerberus_tm
Senior Member
Amsterdam, LG G2, Kitkat 4.4.2, CloudyG2
Hmm I wonder to what extent Xprivacy LUA could protect us against these threats? Another quotation from Tweakers.net:

"but other apps could see the router's MAC address and SSID via Wi-Fi access and determine the location from that. The researchers also describe how some apps use advertising networks to collect geolocation via googleapis.com."
https://tweakers.net/nieuws/154936/o...-omzeilen.html
9th July 2019, 04:28 PM |#4495  
M66B
OP Recognized Developer
Quote:
Originally Posted by Cerberus_tm

Hmm I wonder to what extent Xprivacy LUA could protect us against these threats? Another quotation from Tweakers.net:

"but other apps could see the router's MAC address and SSID via Wi-Fi access and determine the location from that. The researchers also describe how some apps use advertising networks to collect geolocation via googleapis.com."
https://tweakers.net/nieuws/154936/o...-omzeilen.html

There is a hook definition in the repository to fake the MAC address, so XPrivacyLua can protect you against this.
9th July 2019, 04:30 PM |#4496  
Cerberus_tm
Senior Member
Amsterdam, LG G2, Kitkat 4.4.2, CloudyG2
Good to know.
12th July 2019, 12:08 PM |#4497  
Senior Member
Hi, I am not following the whole thread in detail and I can't know if it's been already discussed, but is there a way to check what information is read by each application no matter if the application is restricted or not?
12th July 2019, 12:12 PM |#4498  
M66B
OP Recognized Developer
Quote:
Originally Posted by Stoyanski

Hi, I am not following the whole thread in detail and I can't know if it's been already discussed, but is there a way to check what information is read by each application no matter if the application is restricted or not?

XPrivacyLua will not hook apps/functions when no restriction is being applied. So, there will be no logging without restrictions.

Some background information can be found here: https://forum.xda-developers.com/sho...ostcount=18741
The Following 2 Users Say Thank You to M66B For This Useful Post
12th July 2019, 09:37 PM |#4499  
Senior Member
Quote:
Originally Posted by Stoyanski

Hi, I am not following the whole thread in detail and I can't know if it's been already discussed, but is there a way to check what information is read by each application no matter if the application is restricted or not?

Quote:
Originally Posted by M66B

XPrivacyLua will not hook apps/functions when no restriction is being applied. So, there will be no logging without restrictions.

Note that nothing prevents you from writing or modifying hooks that will just log without modifying anything that the app does or sees.
18th July 2019, 03:51 PM |#4500  
Senior Member
I get it that you want to propose the ability to randomize fake identification values at will as a paid feature. However, it would be great to generate a random value ONCE for the free version as well, as otherwise they are shared among users, which means that some apps will ban you instantly as they wrongly recognise you as being the same person as another one.

One of those apps is Jodel, which uses the phone permission for anonymous account creation (not sure what it uses in detail).
18th July 2019, 04:02 PM |#4501  
M66B
OP Recognized Developer
Quote:
Originally Posted by difto

I get it that you want to propose the ability to randomize fake identification values at will as a paid feature. However, it would be great to generate a random value ONCE for the free version as well, as otherwise they are shared among users, which means that some apps will ban you instantly as they wrongly recognise you as being the same person as another one.

One of those apps is Jodel, which uses the phone permission for anonymous account creation (not sure what it uses in detail).

In general there is little support for this project, so there will be bug fixing only.
The Following 2 Users Say Thank You to M66B For This Useful Post
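
An added sketch, not taken from the thread or from XPrivacyLua, of the failure mode discussed in posts #4491 and #4500: a backend that keys accounts on the reported device ID merges everyone who reports the same fake value, while a value generated once per install, or a server-issued token, keeps them apart. The backends, the placeholder ID and all function names are hypothetical.

```python
import secrets

# Constructed placeholder for one fixed fake value handed to every user of a
# privacy tool; it is not XPrivacyLua's actual default.
SHARED_FAKE_ID = "000000000000000"


class DeviceKeyedBackend:
    """Hypothetical backend that treats the reported device ID as the login."""

    def __init__(self):
        self.profiles = {}

    def open_app(self, device_id, player):
        # The first caller creates the profile; later callers inherit it.
        return self.profiles.setdefault(device_id, {"owner": player, "coins": 0})


class TokenKeyedBackend:
    """Hardened variant: the server issues an unguessable per-install token."""

    def __init__(self):
        self.profiles = {}

    def register(self, player):
        token = secrets.token_urlsafe(32)  # kept in the app's private storage
        self.profiles[token] = {"owner": player, "coins": 0}
        return token

    def open_app(self, token):
        return self.profiles.get(token)  # unknown token: None, no takeover


def per_install_fake_id(store):
    """Create a random 15-digit fake ID once per install, then reuse it."""
    if "fake_id" not in store:
        store["fake_id"] = "".join(secrets.choice("0123456789") for _ in range(15))
    return store["fake_id"]


def shared_value_collides():
    backend = DeviceKeyedBackend()
    backend.open_app(SHARED_FAKE_ID, "alice")["coins"] = 800_000
    return backend.open_app(SHARED_FAKE_ID, "bob")  # bob's first launch


def per_install_value_separates():
    backend, alice_phone, bob_phone = DeviceKeyedBackend(), {}, {}
    backend.open_app(per_install_fake_id(alice_phone), "alice")
    return backend.open_app(per_install_fake_id(bob_phone), "bob")
```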