Related
http://www.artfulbits.com/Android/antipiracy.aspx
If your a Dev please support them, if you need assistance msg me i can send u code that will allow your app to automatically send a message to this company with a users information that has stolen your app or tried to steal it.
pentace said:
http://www.artfulbits.com/Android/antipiracy.aspx
If your a Dev please support them, if you need assistance msg me i can send u code that will allow your app to automatically send a message to this company with a users information that has stolen your app or tried to steal it.
Click to expand...
Click to collapse
I'm all for cracking down hard on piracy, but there are three big flaws with this solution:
1) How would Artfulbits verify that an app reporting a device is a "dark" device is making that report in good faith? If a bunch of pirates wanted to render this service pointless, they could just create apps that flood the service with false positives.
2) It is possible (although difficult) to link IMEI to a user/owner. This makes a publicly accessible database of "dark" IMEIs somewhat shady in terms of being a breach of privacy.
3) Finally, if this service is to be useful, apps have to have some way of acting on the information in the database. That is just going to lead to folks "cracking" apks to remove the IMEI-checking routines, or simply using leakproof firewalls to prevent the app from accessin the IMEI database.
Thoughts?
There is not going to be a way to completely stop piracy. Google just needs to step up the way the market works to prevent some of the piracy.
I understand devs deserve money for their hard work (and the log of my google checkout shows I support them) but I personally dont want any app reporting any information about myself or my phone. If there is a list of which apps do I will find an alternative for better or worse and not use the app. Not to knock on those who support this method, I just personally dont like it.
rondey- said:
There is not going to be a way to completely stop piracy. Google just needs to step up the way the market works to prevent some of the piracy.
I understand devs deserve money for their hard work (and the log of my google checkout shows I support them) but I personally dont want any app reporting any information about myself or my phone. If there is a list of which apps do I will find an alternative for better or worse and not use the app. Not to knock on those who support this method, I just personally dont like it.
Click to expand...
Click to collapse
Well considering my app has been pirated 3x as much as it has been downloaded legally i would be willing to let go of the few that are not comfortable with their imei being registered on a website which only happens if u are stealing an app, most apps out there gather more information from you than that without you even knowing.
I don't get why people would install this program. If it detects pirated software on your phone then who the hell are you letting you use your phone? Lets say you know you have pirated software well then of course you wont install this program. If you know your running a clean rom and have no reason to suspect pirated software your giving up a lot of information for a false sense of security. So unless this is forcibly installed on everyone's phone I don't see what's the point.
psychoace said:
I don't get why people would install this program. If it detects pirated software on your phone then who the hell are you letting you use your phone? Lets say you know you have pirated software well then of course you wont install this program. If you know your running a clean rom and have no reason to suspect pirated software your giving up a lot of information for a false sense of security. So unless this is forcibly installed on everyone's phone I don't see what's the point.
Click to expand...
Click to collapse
It's not a program you install. It is a database. App developers write routines into their programs which access the database. If an application suspects that it was illegally pirated, then it will send the user's IMEI to the database.
This is stupid idea. Go to the source of piracy if you want to fight it.
Give people access to paid apps on market and they won't download illegal copies form rapidshare...
su27 said:
Give people access to paid apps on market and they won't download illegal copies form rapidshare...
Click to expand...
Click to collapse
Riiiight... because if you give pirates the option to pay they'll definitely all pay right?
This database thing bothers me.
Not because I might be stealing programs..
but because I might find one and not know its "dark"
Suddenly I'm on some blacklist because I thought an app was cool?
I just did a search on one of the torrent sites, and found a file to DL.
It has 231 apk files and 2 .bak files. (I'm assuming the bak files are for a cracked version of the paid apk) but many of these files are a)old versions or b) free already.
Normally I would say SCORE! I don't have to DL to the g1, then back up, uninstall, transfer to the pc, and store.
Last time I tried a file like that, more than half were for cupcake, and would not work on my donut. Recycle bin.
With this Database I would get tagged as a cheater the first time I tried to install any of those files that were marked. But I have no idea they are "dark" before hand.
While I thank the Dev's for the work they do.
{Seriously, Thank you Developers!}
I'm a student, and I'm poor, which means I'm cheap.
I have several free apks stored away. Hell, I still used youtube downloader 1.2...until it quit working last week. Why, because I don't want to spend money just to have a cool phone.
If you really want to make it hard on the thieves... someone make a program that cripples another program, until the user requests the full version. Then it reads the Imei number from the phone and sends an upgrade request to a server. The server requests payment. Server verifies payment. The server issues a hashed password based on the Imei, which is then sent back to the phone as a password. Customer never sees the password.
This is what Doc to go appears to do. I could be wrong.
Now make it so that program can be imbedded in any other program.
Now thieves need a whole crap load of hacking to find enough hashed passwords to find the hash.
If the hash is added to at random intervals, or a different hash is used based on the Imei number, they might never find the hash.
Besides that, how the heck does a program know if it has been stolen?
How can it tell between a stolen program and a wiped phone that is getting reinstalled with backed up apk's?
jashsu said:
I'm all for cracking down hard on piracy, but there are three big flaws with this solution:
1) How would Artfulbits verify that an app reporting a device is a "dark" device is making that report in good faith? If a bunch of pirates wanted to render this service pointless, they could just create apps that flood the service with false positives.
Click to expand...
Click to collapse
Exists several strategies, for example the most popular is "honey pot" strategy. When vendor especially making leak of software or prepare specially application to track piracy.
jashsu said:
2) It is possible (although difficult) to link IMEI to a user/owner. This makes a publicly accessible database of "dark" IMEIs somewhat shady in terms of being a breach of privacy.
Click to expand...
Click to collapse
For example in our country sufficient IMEI of the phone to find it owner and it location, of course if you have police under your shelders. That is why I am thinking that IMEI is a good identifier.
jashsu said:
3) Finally, if this service is to be useful, apps have to have some way of acting on the information in the database. That is just going to lead to folks "cracking" apks to remove the IMEI-checking routines, or simply using leakproof firewalls to prevent the app from accessin the IMEI database.
Thoughts?
Click to expand...
Click to collapse
Solution is not perfect, but can be easily enhanced. HTTPS protocol with certificate checks will make firewalls and redirections useless.
What functionality exactly you have in mind?
[email protected] said:
While I thank the Dev's for the work they do.
{Seriously, Thank you Developers!}
I'm a student, and I'm poor, which means I'm cheap.
I have several free apks stored away. Hell, I still used youtube downloader 1.2...until it quit working last week. Why, because I don't want to spend money just to have a cool phone.
Click to expand...
Click to collapse
Leave according to your money. what can I say... spend less, work more.
[email protected] said:
Besides that, how the heck does a program know if it has been stolen?
How can it tell between a stolen program and a wiped phone that is getting reinstalled with backed up apk's?
Click to expand...
Click to collapse
Several simple steps:
- install software only from well known web sites, Android Market, Handagoo, SlideMe, etc.
- try to use trials and if it does not exists but you want to try, contact with developers. In most cases developer will provide you version for testing.
- if your phone is placed into black list, then you can contact "blacklist" vendor for explanation and fixing.
jashsu said:
Riiiight... because if you give pirates the option to pay they'll definitely all pay right?
Click to expand...
Click to collapse
You see - that's your problem - you want to fight the enemy instead of prevent war.
In my country there are many people who would pay for android programs because they are quite cheap. But we have no access to paid market. That is why we download apps illegaly.
Now, what do you think will faster stop us from stealing apps:
A. Calling us pirates and thieves
B. Giving us access to paid apps
su27 said:
Now, what do you think will faster stop us from stealing apps:
A. Calling us pirates and thieves
B. Giving us access to paid apps
Click to expand...
Click to collapse
You are making the incredibly flawed assumption that piracy only happens because people have no access to the paid market. Are some people put in this situation? Yes, probably. But the majority of pirates likely DO have access to the paid market and simply don't want to pay.
I am a bit confused, what does this ban people from? The market in it's entirety?
If that is the case, I would think you'd see an outburst of pirating once people couldn't access the market anymore. And that would also prevent people who may not feel like dishing out $100 for a navigation solution from purchasing numerous $1-10 programs that they would actually use on a daily basis. I think this methodology is flawed.
Piracy will never be completely stopped. However, making it harder for people to pirate your software is the best prevention. Instead of saying "Oh, you might have installed a pirated copy of XXX on your device, so now you can't purchase any more programs legitimately, so keep on stealing!". Due diligence falls on the hands of the software creators. If piracy is something you want to prevent (or at least inhibit) for your software, create an IMEI checking device key required to be granted after receipt (and clearance) of payment. Similar to CoPilot, granted it still gets cracked - it is much harder and much less widespread, and a simple update renders it useless to those who used the cracked version (check all over these forums for people complaining about it).
Also, implement trials that don't require the user to pay for them, giving them only 24 hours to try something out before they decide they need their money back. Even Microsoft lets users go 30 days without activation (last I checked) to try out Windows. They do not (to the best of my knowledge) make great attempts to prevent their software from being copied, but instead make it harder on those who do pirate it. Blocking system updates (of course everything has a workaround or crack, but making it harder on someone is oftentimes a great deterrent), preventing new feature installation, etc.
I am not condoning piracy, nor am I condemning software publishers. Just trying to make a point, which is this:
If you take someone who has stolen a program (for whatever reason/justification they may think of) and punish them by revoking their access to purchase said program (or any other program), you have thus reinforced their reason/justification to not purchase any programs.
Now, i may be wrong here, but looking at their source code to integrate into applications, there seem to be 2 things: 1) the device has to have a data connection, otherwise the code doesnt know whether the device is blacklisted or not, at which point it defaults to assuming it isnt, which overall is a good thing for users who have paid but for whatever reason dont have network at that time, however it is easy enough to stop an application from accessing the network, or even a specific site (ie the site for your imei number on their page).
secondly, is this meant to run on the first run of an app, or every run? if it is every run then i can see people getting annoyed by the unnecessary data usage, whereas if it is only on the first run then someone still has access to all their pirated apps from before they were on the database.
please note the only coding i have done is some fairly simple C, so i could be wrong, but anyone can check this if they want: http://www.artfulbits.com/Articles/Samples/Piracy/Integration.aspx
I think that by now most people know that I don't honeycoat things, so I'll just say it... this idea is RETARDED.
1) The application needs to use the API to get the IMEI. If you start using the IMEI to blacklist phones, a minor modification to the API causes the application to always read a string of 0's. Defeated.
2) The application needs PERMISSION to read the IMEI (android.permission.READ_PHONE_STATE). If you start requiring programs to have this permission, people will simply DENY it this permission (yes, it IS possible to block a permission)... this is ESPECIALLY the case when the application has *no good reason* to read the phone state.
3) As has been mentioned before in this thread, HOW DO YOU KNOW that an application you are downloading is pirated? Many applications are FREE to download, and virtually NONE of the pirated apps are labeled as "THIS IS PIRATED".
4) Connection to the internet can be EASILY blocked. Lots of ways... firewall, hosts, permissions, etc. Again, defeated.
Oh, and to those saying crap like access to paid market won't stop piracy, NOBODY SAID IT WOULD!!! It *WILL* reduce it though, since there ARE people out there who WOULD buy apps *IF THEY COULD*.
daveid said:
I am a bit confused, what does this ban people from? The market in it's entirety?
Click to expand...
Click to collapse
Read the description again more carefully. This does not impact a user's ability to access the Market, as it is not a Google product. In case your comprehension is lacking, i'll explain it very simply:
1. A developer decides to use the Artfulbits Anti Piracy Database (shortened AAPD) with its app.
2. A user downloads this AAPD-enabled app from the market.
3. When said app is run, it sends the IMEI of the device to the Artfulbits server. The server returns a color code corresponding to the number of times that IMEI has been reported by other AAPD-enabled apps for piracy. The app can then do whatever it wants with that information. This can be anything from deleting itself to crippling its own functionality.
4. App can also detect if has been pirated (by checking to see if the app has an entry in the user's personal Market account or some other method). If the app detects it is pirated, it will send a report to AAPD.
Another point Artfulbits failed to consider is that not all Android devices will have IMEIs to report.
Is piracy really that much of a problem? I mean most apps cost <3€ and I don't think I am the only one who values his time higher than saving 3€. I rather pay once and get updates via Market than check warez-sites for updates, and I think that most think that way?
There are just two apps that I ever considered to pirate. One was a dictionary for 20$ but I ended up buying it. The other is CoPilot which I would never buy since I don't own a car, but since it is not cracked anyway, I was not forced to really think about it.
I don't see anything good coming from that database. I.e. if my phone would be entered by mistake, you can imagine what problems that would cause for devs whose apps I bought, which I assume would suddenly stop working then.
You really need to think about whether the negative side-effects of such measures like this database are worth the (presumably very small) benefit.
Since buying the N1 in April, I've been very happy with both the phone, and the Android OS.
However, I've been noticing an uptick in the past couple of months of dubious emails hitting my Google account which I registered with my phone. admittedly this is anecdotal, but the nature of the emails leads me to think that some of the app devs whose programs I've installed/tried out, are capturing and selling validated email addresses to third parties. It then seems that some of them (besides increasing the usual Spam being filtered by gmail) go a step further and register the email address to various groups, lists, emails, newsfeeds, etc.
I'm not terribly shocked by this, and since I pretty much limit my gmail usage to using on the phone, I just want to sound people out to determine if I'm just being paranoid, or actually noticing something valid.
Not that it's related, but I'm also running Cyan 6.0.0 (8/27)
Seeing as the market is open for any individual to just slap some crap up for people to download, there is no doubt this is possible. Nothing unique to Android.
One way to attempt to protect yourself in the future would be to sign up with these dev's by adding a tag to your email address like such:
Code:
[email protected]
or
Code:
[email protected]
where '+shadydev1' is incremented to identify who is sending what. Though, the spammers could strip the tags making all this pointless, in which case just do what everyone else does and send them to your Hotmail account
*Edit* Looking at your OP again, I guess youre saying that the DEVs are pulling your email from the phone itself which is much more malicious, making my post pointless.
crachel said:
Seeing as the market is open for any individual to just slap some crap up for people to download, there is no doubt this is possible. Nothing unique to Android.
One way to attempt to protect yourself in the future would be to sign up with these dev's by adding a tag to your email address like such:
Code:
[email protected]
or
Code:
[email protected]
where '+shadydev1' is incremented to identify who is sending what. Though, the spammers could strip the tags making all this pointless, in which case just do what everyone else does and send them to your Hotmail account
*Edit* Looking at your OP again, I guess youre saying that the DEVs are pulling your email from the phone itself which is much more malicious, making my post pointless.
Click to expand...
Click to collapse
Hey, I have not noticed this, but thanks for the tip! Had no idea you could tag in the username like that for GMail. I don't use it much honestly, but perhaps I will
I have my own domain and I have like spam1 spam2 spam3 etc I use... but not quite as flexible
Thanks for the suggestion. Going to start utilizing it. Sorry about the late response, been out of touch for a bit.
With the recent dustup over Facebook, that's exactly the sort of thing I'm suspecting is happening in my situation. Because it really started to amp up when I installed Cyanogen 6.0. Now in no way am I implying something wrong or directly related to Cy's code. It's awesome and I wouldn't trade it for anything. But anecdotally, the level of Spam seems to coincide. And as i don't know enough about the Android OS, not sure if 1) rooting the phone and installing a custom ROM left it more exposed than stock, 2) Some market app(s) I've installed have done a 'Facebook' with my data via some exploit or 3) Stock or rooted, wouldn't make much of a difference because jagoffs are the same no matter where, when or how. They'll find a way.
But as my original query didn't seem to gain much traction, doesn't seem others have experienced any noticible increase as a result of rooting their phones. Btw, I should say not just Spam for viagra type stuff has increased in my gmail account. but what would otherwise seem to be 'legitimate' emails that i have no idea as to their origins. religious groups, a car dealership asking me how I like my new car, etc. And after some research, it seems that variants of my email address will find their way into my inbox. according to google's Help. If I create [email protected], i'll also get email for [email protected], for example.
smashmouth_engineer said:
Thanks for the suggestion. Going to start utilizing it. Sorry about the late response, been out of touch for a bit.
With the recent dustup over Facebook, that's exactly the sort of thing I'm suspecting is happening in my situation. Because it really started to amp up when I installed Cyanogen 6.0. Now in no way am I implying something wrong or directly related to Cy's code. It's awesome and I wouldn't trade it for anything. But anecdotally, the level of Spam seems to coincide. And as i don't know enough about the Android OS, not sure if 1) rooting the phone and installing a custom ROM left it more exposed than stock, 2) Some market app(s) I've installed have done a 'Facebook' with my data via some exploit or 3) Stock or rooted, wouldn't make much of a difference because jagoffs are the same no matter where, when or how. They'll find a way.
But as my original query didn't seem to gain much traction, doesn't seem others have experienced any noticible increase as a result of rooting their phones. Btw, I should say not just Spam for viagra type stuff has increased in my gmail account. but what would otherwise seem to be 'legitimate' emails that i have no idea as to their origins. religious groups, a car dealership asking me how I like my new car, etc. And after some research, it seems that variants of my email address will find their way into my inbox. according to google's Help. If I create [email protected], i'll also get email for [email protected], for example.
Click to expand...
Click to collapse
Yep, as does [email protected], or [email protected]
Has nothing to do with this nonsense thread.
I have yet to get a spam mail past Gmail spam filter, and I have my Nexus rooted and on custom ROMs for a long time.
The scenario you describe theoretically might happen if you installed a "semi-malicious" app that would request your permissions for accessing your account / contact list, and you let it. Just rooting and installing whatever ROM won't get you there.
Greetings everyone.
Ill just start off with asking the question: How many of you give 2nd, 3rd or nth thoughts about using a rooted (or, rooted and ROM'd) phone?
Now, let me explain why I am asking this question.
Earlier this week, my Google account was broken into. The attacker mass-emailed everyone on my contact list a link to a Viagra ad, of all things. It could have been worse, since my contacts and emails were left in-tact. In a furious, chaotic, post-incident rush, I was scrambling in an attempt to figure out how they obtained my password. At the time of this writing, I have come up with nothing. The first thing I thought, naturally, was a worm/trojan/virus on my PC. Several anti-virus / anti-malware / anti-root-kit scans proved to be clean.
So, I turned my sleuthing efforts towards my phone -- a Samsung Captivate, which had been rooted and ROM'd to Captivate 3.04. I had Lookout installed the entire time, and I have been using Cognition ROMs since late December of 2010. In assuming the worst, I nuked my phone, reverted back to stock and re-rooted and re-ROM'd. While rooting my phone, my virus scanner pleasantly informed me that the One Click rooting solution contained an exploit (Lotoor, I believe). Now, I completely understand that its necessary to use these exploits in order to gain access. However, it kinda got me thinking -- what else could be going into the phone that I dont know about?
Note that all ROMs and Rooters were obtained from links available from this website. I did not get them from "shady" locations.
I am realistic about this. I download and install applications from the internet frequently. I put a some faith in my virus scanners / anti-malware applications. This little incident, however, is making me a little more skeptical about what applications I run, as its difficult and time consuming to monitor every application for "phone home" activities.
The bottom line is that I do not want to sound like that I am placing blame on any of the Cognition developers (or any ROM developer). In fact, I am probably going to donate to them because the 3.04 version finally allowed me to use my GPS normally. I honestly feel like I have a smart phone now, as everything works as it should and the phone is alot snappier compared to the stock version. I am saying this even after I tried out the official Samsung Kies Froyo update, which still leaves me hanging for GPS service.
And yes, I completely understand that I could have very well downloaded something on the Android market that was infected. Even though I did not download any of the applications mentioned on the latest hotlist (really, I just dont care about "screaming sexy Japanese girls"), I could have obtained an undiscovered beast. It could also be the case that I have something on my PC that scanners just arent picking up. I may never know.
Where do you all stand on this issue? Do most ROM creators have more than one set of eyes looking at the packages that get deployed, or is that too unpractical?
Thanks in advance!
(P.S. I have searched the forum and looked at the suggested links before posting. I just didnt find anything that quenched my thirst)
nope 10 chars
Mobile security is becoming a concern and should be. Regardless of stock or rooted, there is a risk.
I don't bank on my phone, use my 'real' gmail or put sensitive info on my phone. Mobile is becoming a huge platform to mine information from.
qwertyaas said:
Mobile security is becoming a concern and should be. Regardless of stock or rooted, there is a risk.
I don't bank on my phone, use my 'real' gmail or put sensitive info on my phone. Mobile is becoming a huge platform to mine information from.
Click to expand...
Click to collapse
Isn't that the truth? I definitely have not done any mobile banking over mobile, and I don't think that I ever will. Its just scary that the attacker probably could have dug up more information about me in my emails than I care to think about.
I switched over to Google's 2-step verification system, so hopefully that will deter future attempts. Notice how I didnt say "prevent," as I dont think anything can actually stop a determined attacker short of getting rid of the phone and my gmail account. Obviously, if my phone falls into the wrong hands, I could be potentially hosed.
Check this out
http://www.engadget.com/2011/03/06/google-flips-android-kill-switch-destroys-a-batch-of-malicious/
cappysw10 said:
Check this out
http://www.engadget.com/2011/03/06/google-flips-android-kill-switch-destroys-a-batch-of-malicious/
Click to expand...
Click to collapse
Dilli already released a fix for this vulnerability for his 7.0 ROM. Maybe u cud get a similar one on ur custom ROM too.
While your concerns are rational and I await the answers, I believe they are borne out of a false understanding of what happened to you. When a spam e-mail is sent "from" your e-mail account it is not always the case that the attacker has gained access to your machine or your e-mail account. Most e-mail spam is sent via smtp "spoofing" whereby an attacker can make an e-mail look like it is from anyone else. These are done by automated scripts that can find and/or generate random "from" e-mails and then send to other recipients that have been found or randomly generated. If many of your friends received the e-mail, it IS POSSIBLE your computer or account was compromised, or that other friends' accounts have been compromised such that the automated spam bot gained access to a similar address book to yours.
Just wanted to let you know that you may not have been compromised.
Anyway, I too, am interested in the vulnerabilities of these custom ROMS.
sircaper said:
While your concerns are rational and I await the answers, I believe they are borne out of a false understanding of what happened to you. When a spam e-mail is sent "from" your e-mail account it is not always the case that the attacker has gained access to your machine or your e-mail account. Most e-mail spam is sent via smtp "spoofing" whereby an attacker can make an e-mail look like it is from anyone else. These are done by automated scripts that can find and/or generate random "from" e-mails and then send to other recipients that have been found or randomly generated. If many of your friends received the e-mail, it IS POSSIBLE your computer or account was compromised, or that other friends' accounts have been compromised such that the automated spam bot gained access to a similar address book to yours.
Just wanted to let you know that you may not have been compromised.
Anyway, I too, am interested in the vulnerabilities of these custom ROMS.
Click to expand...
Click to collapse
He said the email was sent to every one if his contacts. He was compromised.
That said. Use a secondary junk gmail account if at all possible on your phone. Don't install any app that asks for stupid permissions. Be very leary of any app that wants internet access regardless of who developed it. Android virus scanners are a joke, do not trust them.
P.s. "(really, I just dont care about "screaming sexy Japanese girls")" = blasphemy
whiteguypl said:
He said the email was sent to every one if his contacts. He was compromised.
That said. Use a secondary junk gmail account if at all possible on your phone. Don't install any app that asks for stupid permissions. Be very leary of any app that wants internet access regardless of who developed it. Android virus scanners are a joke, do not trust them.
P.s. "(really, I just dont care about "screaming sexy Japanese girls")" = blasphemy
Click to expand...
Click to collapse
Point taken. I don't disagree, but the odds say no. I figured he was using hyperbole and didn't really validate with every single person in his address book. The majority of spam e-mails are via spoofing.
sircaper said:
While your concerns are rational and I await the answers, I believe they are borne out of a false understanding of what happened to you. When a spam e-mail is sent "from" your e-mail account it is not always the case that the attacker has gained access to your machine or your e-mail account. Most e-mail spam is sent via smtp "spoofing" whereby an attacker can make an e-mail look like it is from anyone else. These are done by automated scripts that can find and/or generate random "from" e-mails and then send to other recipients that have been found or randomly generated. If many of your friends received the e-mail, it IS POSSIBLE your computer or account was compromised, or that other friends' accounts have been compromised such that the automated spam bot gained access to a similar address book to yours.
Just wanted to let you know that you may not have been compromised.
Anyway, I too, am interested in the vulnerabilities of these custom ROMS.
Click to expand...
Click to collapse
Thanks for the input.
As much as I would like to believe it was spoofed (and inherently making me feel better at the same time), I can say with a high degree of certainty that whoever did this had my password. How can I be somewhat sure of this? The "recent activity" list on gmail.com had an entry from a web browser access in Brazil. I do not have a proxy in Brazil, nor have I traveled there in.. well... ever. Also, the recipients' email headers claimed the email originated from gmail.com. Now, you're completely right that this part could have been spoofed, but I am not so sure about the first part. Upon doing some research, I've found that alot of other people who also had their accounts compromised had the same log entries and same origin in the email headers sent to the recipients.
Digression. Anyways, what they did is not as important as how they did it. Even to this day I am not sure. I really dont want to place blame on the ROM, because honestly the Cognition people did a fantastic job with it.
Bottom line is that I was curious as to everyone's security concerns, or lack thereof, when using custom ROMs.
How can you tell if your phone has been infected? What are some of the signs?
Hondo209 said:
How can you tell if your phone has been infected? What are some of the signs?
Click to expand...
Click to collapse
Well, I am no expert in this area, but the first place to look would be at an anti-virus, anti-malware application (such as Lookout). However, that probably wont do you any good if the virus/trojan/worm/whatever is still unknown.
Second place you might want to look is at your data usage. Excessive amounts might indicate something is up.
Other than that, maybe one of the sure-fire ways is to see which system files have changed and how. For some reason, a software package like Tripwire comes to mind. Although, I dont know how useful something like that would be on a mobile device.
Someone much more versed in this topic should have some better ideas
EggplantWizard said:
Thanks for the input.
As much as I would like to believe it was spoofed (and inherently making me feel better at the same time), I can say with a high degree of certainty that whoever did this had my password. How can I be somewhat sure of this? The "recent activity" list on gmail.com had an entry from a web browser access in Brazil. I do not have a proxy in Brazil, nor have I traveled there in.. well... ever. Also, the recipients' email headers claimed the email originated from gmail.com. Now, you're completely right that this part could have been spoofed, but I am not so sure about the first part. Upon doing some research, I've found that alot of other people who also had their accounts compromised had the same log entries and same origin in the email headers sent to the recipients.
Digression. Anyways, what they did is not as important as how they did it. Even to this day I am not sure. I really dont want to place blame on the ROM, because honestly the Cognition people did a fantastic job with it.
Bottom line is that I was curious as to everyone's security concerns, or lack thereof, when using custom ROMs.
Click to expand...
Click to collapse
Hmm.. Interesting.... I may take back my argument then!
As far as the concerns? I am also on Cognition 3.04 and up until now, I brushed aside the security issues. I had concerns, but hoped the community was strong enough to expose them. There definitely is an inherent risk downloading files authored by the developers. I know that some of them add in their own signature files just to track the programs and see if they are being altered. I'm not sure what can be done. Maybe you can run the ROM zips through a virus scanner on your pc before installing?
whiteguypl said:
P.s. "(really, I just dont care about "screaming sexy Japanese girls")" = blasphemy
Click to expand...
Click to collapse
HA! Now that's just funny.
sircaper said:
I figured he was using hyperbole and didn't really validate with every single person in his address book.
Click to expand...
Click to collapse
Well, I didnt validate with *every* single person in my address book, but I talked with a few that I speak with on a daily basis. They all had the same headers originating from gmail.com
Although, I do have to admit that one of the bizarre after-effects of such a compromise is that I have been "reunited" with people I haven't spoken to in a very long time. Take the good with the bad, I suppose.
I agree that security is a concern especially so when one is rooted. There are so many things to take into account. Even using wifi hotspots where hackers can hijack your logged in sessions whether it be Gmail, websites or banking. There are other methods where they can intercept packets with password and account information. For myself, I try and keep antivirus apps like Lookout running and scan often as well as am very cautious as to what hotspots I connect to. It doesnt look like your virus scanner helped you much. However, there may the possibility that you received malware on your PC where you may also be checking gmail from and it spoofed your account using information from there. Its all a guessing game though as there is probably no way to tell how this happened to you. I'd be thankful that it was just an ad that was sent out and nothing more serious came as a result...and change my passwords damn fast (lol)
Oh yeah, I only use wifi networks that I know. I don't log onto public wireless or random networks...
Let's get started!
What you're going to need!(IMPORTANT!)
1. SU
2. Busy Box
3. A Way To Side Load
4. Knowledge Of Permission Setting
& Root Permissions
5. Root Explorer
If you're familiar with setting permissions via. Root Explorer that's a plus!
I'm sorry, but as I don't get on the computer much. I can't provide permissions to set and I'll tell you the usual.
Everything here can be found with a simple Google search.
Are you a noob?
Well, I can tell you that this procedure is very easy and something easy to remember.
Google a search on; "What Permissions To Set On Root Explorer In System" or something among those lines, as we will need to install .apk's that way!
Assuming you understand what to do, let's figure out what player you'd like to use.
I, being one to have large libraries of music tend to use PlayerPro, I recommend Google Music/Google Play Music.
Let's pull more strings! Pull the app off the net or if you own the app, extract it onto a side load app you trust.
Once done, proceed to Root Explorer with knowing you have the app on the Ouya itself, once you see it use the Copy Paste method and place it in the System Apps(can be easily found from Main Directory), once you've established this, now is where permission settings come into play.
You should be able to remotely click the bottom "..." Using the D-Pad or the Touch Pad. This is where Copy And Paste should be.
If you've gotten through this and everything is set up proper, the next step is to reboot the console itself, do a full reboot to prevent any confusion and risk not seeing/having the player working.
If you've done this correctly, once you go to view your apps, you should see your app installed and ready to go.
NOTE: And yes, I mean note! Do not try this with the side load procedure and expect it to work, people have attempted this and either 1. See force closes, 2. The app is not loading, 3. The app is there but will not open and doesn't truly seem to be installed.
SIDE NOTE: This can be done with both ADB and my procedure.
If this was useful to you, I can only ask of a favor!
Check out my YouTube channel!
http://WWW.YouTube.com/user/TheDarkRosary
Subscribe if you will!
You also need googleloginservice.apk and googleservicesframework.apk otherwise you cannot sign into your google account to sync your library.
This has also been posted here:
http://forum.xda-developers.com/showthread.php?t=2291320
Also i would have classed this thread as general and not development.
MODS This just clickbait SPAM BS.
The title is vague on purpose, and the thread is basically saying "Hey bro, if you want a music app on your Ouya, just sideload that ****! OH WOW!"
However, like dully79 said, the only main reason to use the official Google Music app is to use the Google Music service and stream your library from the cloud. However, this is impossible without Google Services, which is not present in the stock Ouya ROM and isn't in any 3rd party ROM out yet, either. So basically, you can't do what he says you can do by doing what he says to do.
This is clearly intended to get people to try and go to his stupid YouTube channel, which he links to at the end.
How about you get traffic and views by having good content on your channel, instead of polluting this forum with useless bull****?
DivinityCycle said:
MODS This just clickbait SPAM BS.
The title is vague on purpose, and the thread is basically saying "Hey bro, if you want a music app on your Ouya, just sideload that ****! OH WOW!"
However, like dully79 said, the only main reason to use the official Google Music app is to use the Google Music service and stream your library from the cloud. However, this is impossible without Google Services, which is not present in the stock Ouya ROM and isn't in any 3rd party ROM out yet, either. So basically, you can't do what he says you can do by doing what he says to do.
This is clearly intended to get people to try and go to his stupid YouTube channel, which he links to at the end.
How about you get traffic and views by having good content on your channel, instead of polluting this forum with useless bull****?
Click to expand...
Click to collapse
Please be respectful of my threads.
No, I do not have my channel setup at the end to spam boards, it's just a simple thanks if you enjoyed my tutorial.
I don't intend to spam people, nor do I try and grab traffic.
I am simply trying to help others understand a method, if you disagree, I'd be more than happy to remove my channel link with a simple request, and also a request that you not bash my threads as I'm only here for assistance and spend my time happily making ROMs and doing other things.
I will not criticize you unless you doing do the same, it's disrespectful to me that you try and hurt my progress and tuts I post as users may not know how.
If I were simply begging for something I'd spend my time in General Forums where people generally go to do that sort of thing.
Lastly, if you've got nothing nice to say, don't say it and just avoid wasting your time coming through a place where people go to help, not get help with a channel.
I'm disappointed to know that someone would go as far as to make a whole post bashing on what I do to help the community, and I will have this brought to the mods and discussed with them in order to better our area without someone posting the same in all threads.
My last words are, thank you for those of you who actually know I try to help and who simply understand that if I were to spam you'd seed traffic from my post everywhere. I love you all, and appreciate you not going this far to bash me.
DivinityCycle said:
MODS This just clickbait SPAM BS.
The title is vague on purpose, and the thread is basically saying "Hey bro, if you want a music app on your Ouya, just sideload that ****! OH WOW!"
However, like dully79 said, the only main reason to use the official Google Music app is to use the Google Music service and stream your library from the cloud. However, this is impossible without Google Services, which is not present in the stock Ouya ROM and isn't in any 3rd party ROM out yet, either. So basically, you can't do what he says you can do by doing what he says to do.
This is clearly intended to get people to try and go to his stupid YouTube channel, which he links to at the end.
How about you get traffic and views by having good content on your channel, instead of polluting this forum with useless bull****?
Click to expand...
Click to collapse
To leave my feedback on a clearer note. YES! Yes you can listen to music from a storage device as long as the device is read as a USB Mount! This has been confirmed by others in the official Ouya Forums!
Google Play Music is for cloud streaming. And for any other read device!
dully79 said:
You also need googleloginservice.apk and googleservicesframework.apk otherwise you cannot sign into your google account to sync your library.
This has also been posted here:
http://forum.xda-developers.com/showthread.php?t=2291320
Also i would have classed this thread as general and not development.
Click to expand...
Click to collapse
Oops, my bad man, all credit goes to you if I took your method.
People cry a out signatures, there's no need for one! I love my community and will stand up for it!
This thread was your fourth post on XDA, at least on that account.
It is not actually a Development post and contains basically nothing that anyone in the Dev section wouldn't already know ("Hey bro, if you want to put an app onto your system you can copy & paste it into /system/apps! This makes it a system app! Oh wow!")
Then you link to your YouTube channel and ask people to go to it.
All of these things together made you seem like a SPAMmer. If you're not, sorry about that, but your post is still in the wrong forum and doesn't actual contain useful or new information. The fact that a much better thread explaining how to do what you posted about exists (in the correct forum no less) is just icing on the cake.
DivinityCycle said:
This thread was your fourth post on XDA, at least on that account.
It is not actually a Development post and contains basically nothing that anyone in the Dev section wouldn't already know ("Hey bro, if you want to put an app onto your system you can copy & paste it into /system/apps! This makes it a system app! Oh wow!")
Then you link to your YouTube channel and ask people to go to it.
All of these things together made you seem like a SPAMmer. If you're not, sorry about that, but your post is still in the wrong forum and doesn't actual contain useful or new information. The fact that a much better thread explaining how to do what you posted about exists (in the correct forum no less) is just icing on the cake.
Click to expand...
Click to collapse
That's fine, I just didn't want you to take me as a spammer, I didn't intend to.
I didn't know where to post this at that.
I've got multiple things done that people are still asking about and I was just trying to knock this one out of the way.
People cry about signatures, there's no need for one! I love my community and will stand up for it!
It's not that I don't like the stock keyboard, I'm always looking for something new, safe, practical and well....not questionable.
Keymonk Keyboard, from the app store did not require permissions. However...
"Attention: This method can collect all of the text you enter, except passwords, including personal data and credit card numbers. It comes from the app Keymonk FREE. Use anyway?" ---- (Upon some digging, I've read that this is a mandatory message for all after market keyboards?) Well, if it doesn't require permissions then is this just another way of saying...."just kidding, we can and have the ability to collect all your inputs and we may or may not jack it from you."
SwiftKey is obviously ubber popular, but it asks for these permissions:
In-app purchases (obvious)
Identity (WHY?)
SMS (WHY?)
Photos/Media/Files (WHY?)
Wi-Fi connection info (WHY?)
Device ID & call information (WHY?)
For those who care, seeing all these apps requiring permissions that are not related to the apps function can be uncomfortable. To be clear, I understand that some codes for specific functions are written within the OS for another particular function. (It'd be nice to know what basic functions are connected to what so that we know to make sense of all these permissions.)
So the question is, what keyboard is the most secure to use?
Obvious Tips, but questionable:
Stick with reputable companies? - This to me can go either way. Just because they are a big name doesn't mean that they are necessarily more secure and honest. A lot of big names are very questionable and can probably get away with more....
Use a VPN? - By doing so, although the data is secure within the pipeline, would the actual input be vulnerable by collecting its data at the point of input before the data is actually sent? Possible I'm assuming...
They're all secure.
They're not saving everything you type in a database to somehow use against you later.
But what makes you that special that you think someone would do that?
Haha, because I'm Santa clause and I don't want anyone knowing my secrets. Lol j/k...
No but on a serious note, the thread was intended to be more general to address the point of how secure the keyboards really are and why they have the default prompt of it telling you that it has your personal info on tap at their disposal.
At the same time, I'm fully aware that most people don't care, but on the flip side of the coin there are people who do care for legitimate reasons whether it'd be work or what not. Either way, it raises an interesting question.
devynbf said:
They're all secure.
They're not saving everything you type in a database to somehow use against you later.
But what makes you that special that you think someone would do that?
Click to expand...
Click to collapse
SwiftKey can store your information in the cloud to be shared across devices, however.
RiverCity.45 said:
SwiftKey can store your information in the cloud to be shared across devices, however.
Click to expand...
Click to collapse
Yea I guess that's true. But I'm pretty sure anything you type isn't going to be relevant to, really, anything that matters on the scale OP is proclaiming.
Literally, absolutely nothing.
On the scale that OP is proclaiming? You're pretty optimistic. I'll give you that, but I think you're missing the point here. Not everyone is lolly dolly like you in thinking that everything is all fine and dandy where you can trust anyone and everyone. You're also pretty wishy washy and hesitant in agreeing with something that is true. What RiverCity.45 pointed out is true. Face it.
Literally, absolutely nothing? Where have you been hiding?
Also, what have you done to contribute to the original question? NOTHING. Just leave it be.
devynbf said:
Yea I guess that's true. But I'm pretty sure anything you type isn't going to be relevant to, really, anything that matters on the scale OP is proclaiming.
Literally, absolutely nothing.
Click to expand...
Click to collapse