Related
Is it possible to implement some sort of block for this kind of system dump?
Slashdot link
Could it be as simple as leaving USB debugging off and using a pin/pattern lock? Or would it require something as complex as whole-disk (card) encryption like TrueCrypt?
It really depends..
First.. those kinds of articles do have a way of getting blown out of proportion.
I've heard a lot about what people "can" do only to find out that when you really start digging into it... they made false/misleading claims.
Although if the article is to be believed.. a password wouldn't do any good as you can read "defeats password protection."
Something along the lines of truecrypt would be a prerequisite..
Also.. there are some major legal problems.. like sensitive data on phones ranging from a frisky girlfriend/boyfriend to confidential patient information in a doctor/lawyers email..
Pull battery
If I have helped press thanks.
Without a warrant, what they are doing is against the law. To obtain a warrant they would have to specify what was being looked for and need to be reasonably confident the phone have evidence leading to prosecution of believed criminal offense.
Remember, Lawful and Legal are two entirely different things. So they may be searching phones unlawfully while legally within bounds.
Law = Immutable rule, you know them with out being told (ex, Do not steal, Do not kill)
Statute = Legislation given the force of law (ex. seat belt , any "rule" you must be told of)
Code = Legislation given the force of law by Corp. (ex. local code- dry counties, no smoking in city bars, must wear black shoes to work at walmart < lol )
Encryption will stop this. I don't see it being a problem though due to the fact nothing found will be usable in ANY court of law without having obtained a warrant. Know and use your rights, as they will continue to be taken away until "YOU" draw the line in the sand and say No More.
Also: This is not new tech, they been doing this for some time, had the capability at least. Agree with Snow_Fox.... it is blown out of proportion, but for other reason. Its not that they cant, its that at this time, it is not a rampant thing. From there do what you will ......
Agreed with everything said with regards to legality. However, our government seems to do a lot of things illegally. It seems that all a law enforcement person has to say is "terrorism" and they get a hall pass for anything.
Sent from my SAMSUNG-SGH-I897 using XDA App
I am just glad to see such responses to this.. We need to spread the word.
Maybe its time to create a website dedicated to educating people of the (what should be shocking and horrifying) loss of rights we seem to be having.
halfsoul said:
Agreed with everything said with regards to legality. However, our government seems to do a lot of things illegally. It seems that all a law enforcement person has to say is "terrorism" and they get a hall pass for anything.
Sent from my SAMSUNG-SGH-I897 using XDA App
Click to expand...
Click to collapse
Oh yes, I agree, they will/do. The thing is we need to be brave enough to stand up and so NO and "enforce our rights", or they will surely continue to walk all over the scared general population.
Also, it is clearly illegal. To search your home pc, a warrant must be obtained. To get you home phone records, a warrant must be obtained. To listen to your phone calls, a warrant must be obtained. To look at your photo album in your hall closet, a warrant must be obtained. To search the locked trunk/glove compartment of your vehicle, a warrant must be obtained.
Smartphones are comparable to all of the above combined into one.A warrant less search is definitely illegal and unlawful and a violation of rights. Hold some feets to the fire, learn to say NO, consequences will never be the same
Snow_fox said:
I am just glad to see such responses to this.. We need to spread the word.
Maybe its time to create a website dedicated to educating people of the (what should be shocking and horrifying) loss of rights we seem to be having.
Click to expand...
Click to collapse
There is a website called eff.org
but unfortunately most Americas are too distracted and really don't care!
I f#$%n care while most of the people i know, have no idea what is happeneing!
My view is humans get used to small changes but not big changes. What people don't realize is the changes to our rights is small and slow but one day WE WILL WAKE UP to a world of complete control and the idea of freedom won't even be comprehendable to future generations!
Maybe Big Brother is inevitable but thanks to terrorism, it has only accelerated the progression to Complete Control!
Sent from my ADR6400L
bulletproof1013 said:
Pull battery
If I have helped press thanks.
Click to expand...
Click to collapse
Or turn it off?
Human smugglers get around police being able to look at their phones by keeping the battery out of the phone
Sent from my SAMSUNG-SGH-I897 using XDA App
I don't think pulling the battery or turning it off is reasonable. If someone has hardware to do a dump, surely they can provide power and turn it on.
I'm looking for something more along the lines of disabling the usb port or encrypting the sd cards.
Sent from my SAMSUNG-SGH-I897 using XDA App
halfsoul said:
I don't think pulling the battery or turning it off is reasonable. If someone has hardware to do a dump, surely they can provide power and turn it on.
I'm looking for something more along the lines of disabling the usb port or encrypting the sd cards.
Sent from my SAMSUNG-SGH-I897 using XDA App
Click to expand...
Click to collapse
Power without a battery? Tell me how and we'll make trillions!
Added: If you're that worried about what someone can discern from your phone, you got bigger issues.
it is soo vague i think this is a conceptual project and not something being deployed, if it were in use there would be more details, does it communicate over cellular? wifi? bluetooth? usb? are gsm phones safe?, are cdma phones safe?
can it be done without the driver knowing about it? or is it a search you can refuse? can you protect against it by encrypting the sd card, the sdcard + /system + /data +/cache?
what security exploits does it use?
Sounds to me like a technology that is available and there is no evidence yet that it is being abused. Odd though that the article has obvious errors, stating that Michigan has no cell phone laws, as texting and driving will get you pulled over. This opens the door to more abuse by police than worrying about them illegaly searching my phone. All they have to do is see you looking at your phone and they can claim that you appeared to be texting, thus justifying the traffic stop. I in no way condone texting/driving but it seems that we have given the police free reign to pull anyone over virtually at will given the plethora of "primary" offenses.
cappysw10 said:
Power without a battery? Tell me how and we'll make trillions!
Added: If you're that worried about what someone can discern from your phone, you got bigger issues.
Click to expand...
Click to collapse
Please tell me you're joking. The micro usb cable provides power + data simultaneously, try it for yourself if you don't believe me. And freedom & privacy should be everyone's biggest issue -- at least, all Americans.
Dani897 said:
it is soo vague i think this is a conceptual project and not something being deployed, if it were in use there would be more details, does it communicate over cellular? wifi? bluetooth? usb? are gsm phones safe?, are cdma phones safe?
can it be done without the driver knowing about it? or is it a search you can refuse? can you protect against it by encrypting the sd card, the sdcard + /system + /data +/cache?
what security exploits does it use?
Click to expand...
Click to collapse
If you followed the links to read the articles you would see that it is already deployed and in use, hence the ACLU FOIA request.
According to Cellebrite's website here, the Captivate is by cable (screencap attached).
Not much info about the exploits' particulars, but here are some choice snippets from Cellebrite's site:
Superior handset support - Over 3,000 handset models supported, with monthly software updates for newly released devices prior to carrier launch. The system includes more than 85 data cables for connecting 95% of all handset models worldwide. Cellebrite has exclusive carrier agreements and works directly with cellular phone manufacturers to receive pre-production handsets prior to retail launch.
Complete extraction of mobile phone data - Contacts, SMS Messages, pictures, videos, call logs (dialed, received, missed), ESN/IMEI, audio files, and deleted SMS/Call History from the SIM/USIM.
Memory Dump - Complete dump of phone file system for select handsets, providing the ability to extract otherwise inaccessible files, and user passwords.
Click to expand...
Click to collapse
And here you can see it in action.
halfsoul said:
Please tell me you're joking. The micro usb cable provides power + data simultaneously, try it for yourself if you don't believe me. And freedom & privacy should be everyone's biggest issue -- at least, all Americans.
Click to expand...
Click to collapse
ACTUALLY you may want to try it yourself. the phone DOES NOT RUN OR MOUNT without battery. take out battery, plug it in, and dont post anything on xda until it mounts to your PC... I'll wait here for you...
If you Plug it in first and remove the battery it will run for 22 seconds then shut off (with official Samsung AC charger) and 4 seconds with aftermarket "USB" charging
bulletproof1013 said:
Pull battery
If I have helped press thanks.
Click to expand...
Click to collapse
Yeah, that's going to do a lot of good.
Surely if they are asking for the phone they will also either ask you to stop taking out the battery or if you have already done so, ask for the battery also?
In either case it is no different than simply refusing to give the phone. Either you get away with it because they are taking advantage of people being intimidated into giving them permission or they arrest you for refusing to give them the phone or the battery.
Even worse, taking the battery out just makes you look like a smartass if they see you doing it.
TRusselo said:
ACTUALLY you may want to try it yourself. the phone DOES NOT RUN OR MOUNT without battery. take out battery, plug it in, and dont post anything on xda until it mounts to your PC... I'll wait here for you...
If you Plug it in first and remove the battery it will run for 22 seconds then shut off (with official Samsung AC charger) and 4 seconds with aftermarket "USB" charging
Click to expand...
Click to collapse
You're right, I stand corrected.
jimk9 said:
Yeah, that's going to do a lot of good.
Surely if they are asking for the phone they will also either ask you to stop taking out the battery or if you have already done so, ask for the battery also?
In either case it is no different than simply refusing to give the phone. Either you get away with it because they are taking advantage of people being intimidated into giving them permission or they arrest you for refusing to give them the phone or the battery.
Even worse, taking the battery out just makes you look like a smartass if they see you doing it.
Click to expand...
Click to collapse
Exactly. Especially for those of us with cases.
In addition, this has broader application than just keeping your info private from authorities. What about if your phone is lost or stolen? You wouldn't have an opportunity to pull the battery.
but im sure if they have a dump computer, it wouldnt be a far reach at all to have a variable voltage power supply with 2 tiny clip on leads....
but there is any EASY fix for this,
but not capable on our captivate, needs some programming...
in the newer phones they have NFC chip readers, (Near Field Communication)
get a micro chip NFC implanted into your body, and have the new generation phones encrypt its whole OS to your Chip ID on first boot, and needs your chip near by to do anything at all or unlock it by storing your chip in flash memory temporarily until locked again.
easy fix.
As long as there are devices that that store information there will be devices that can swipe it. As for if it is right or not, that is not my place to say. A simple lock will require that the cops get a search warrent for it, so just keep it locked.
I personally hate people who text and drive but there will always be people that do it no matter who they hurt while they do it.
There will be no true way to stop this if what they are saying is true. As they would need to be working with the OS makers for it to work. So while these devices may have just come into light, they have been around for awhile. We will keep an eye on it, but to be honest all that one could really do is not keep anything on the phone that you have to worry about the cops seeing.
Anyone know anything about this?
http://www.goandroid.co.in/samsung-galaxy-s5-update-brings-performance-tweaks/37180/
quordandis said:
Anyone know anything about this?
http://www.goandroid.co.in/samsung-galaxy-s5-update-brings-performance-tweaks/37180/
Click to expand...
Click to collapse
I'm curious about this too. I've been checking the updater and theres no software update available.
The screenshots in that article are for the Canadian variant -- G900W8.
It'll probably take a while for any update to get "certified" by the big @, plus I think I'm going to avoid doing software and security policy updates in case an exploit for this current version is found.
smknutson said:
It'll probably take a while for any update to get "certified" by the big @, plus I think I'm going to avoid doing software and security policy updates in case an exploit for this current version is found.
Click to expand...
Click to collapse
I have to wonder how many full-time employees AT&T and Samsung have that do nothing but monitor the web (mostly XDA) for whatever goes on here at XDA so they can react to any potential important discoveries, mods, or developments.
scott14719 said:
I have to wonder how many full-time employees AT&T and Samsung have that do nothing but monitor the web (mostly XDA) for whatever goes on here at XDA so they can react to any potential important discoveries, mods, or developments.
Click to expand...
Click to collapse
For the longest time I have thought this..............
I thought I was the only one...
I too also thought this....it had occurred to me that it would be particularly clever and prudent to have your finger on the pulse of your "power users", but then it occurred to me that because it's such a smart idea, they're guaranteed NOT to do it (keeping in line with they're history). So that's my logic....
As nefarious as that sounds, it's almost guaranteed that the engineering portions of Sammy/AT&T that are responsible for security monitor forums and social media such as this. Probably even have moles portraying themselves as ignorant users.
smknutson said:
As nefarious as that sounds, it's almost guaranteed that the engineering portions of Sammy/AT&T that are responsible for security monitor forums and social media such as this. Probably even have moles portraying themselves as ignorant users.
Click to expand...
Click to collapse
I'm sure that engineers look at XDA and other developer/user forums out of interest or even as part of the job; but unless something directly affects Samsung or AT&T in a manner that is costing them a significant amount of money I doubt any action is made in response. Remember these are corporations, money/time is not spent chasing a relatively few users who choose modify their phones, even if it is to evade fees and/or modify a locked feature. It just doesn't make a large financial difference.
Apple certainly pursued a cease and desist strategy but I think that was mostly out of a control freak corporate culture. Other than tethering for free,what do rooting and custom ROMs actually cost AT&T or Samsung? We still buy their phones loyally and pay for the service. If it mattered enough they would take greater steps to lock stuff down, or routinely push updates to secure their devices when exploits are found.
Just my take on it - I'm a pretty paranoid dude but not in this regard. We just don't matter much to them.
http://forum.xda-developers.com/showthread.php?t=2721505
I know the qualcomm guys look. Lol
Sent from my SAMSUNG-SGH-I317 using Tapatalk
TOA Duck said:
http://forum.xda-developers.com/showthread.php?t=2721505
I know the qualcomm guys look. Lol
Sent from my SAMSUNG-SGH-I317 using Tapatalk
Click to expand...
Click to collapse
the sad thing is all those files and scripts wouldn't have provided us any solution to root or unlocking the boot loader, those were qualcomm scripts and files but only for signing the mbr/mbl nothing unfortunatley to do with unlocking it or rooting the device in any manor, the certs may have been helpfull in tricking odin in to believing a custom rom was official is the only thing that i could actually see coming out of that.
and I was a little leary of the member in the first place, he offered no tangible proof that the scripts did anything all he did was list a directory of files, and when he was asked to provide proof that he actually rooted or unlocked a bootloader he refused to respond.
delawaredrew said:
I'm sure that engineers look at XDA and other developer/user forums out of interest or even as part of the job; but unless something directly affects Samsung or AT&T in a manner that is costing them a significant amount of money I doubt any action is made in response. Remember these are corporations, money/time is not spent chasing a relatively few users who choose modify their phones, even if it is to evade fees and/or modify a locked feature. It just doesn't make a large financial difference.
Apple certainly pursued a cease and desist strategy but I think that was mostly out of a control freak corporate culture. Other than tethering for free,what do rooting and custom ROMs actually cost AT&T or Samsung? We still buy their phones loyally and pay for the service. If it mattered enough they would take greater steps to lock stuff down, or routinely push updates to secure their devices when exploits are found.
Just my take on it - I'm a pretty paranoid dude but not in this regard. We just don't matter much to them.
Click to expand...
Click to collapse
One thought. Samsung and Apple are both making big enterprise plays. My company in it's BYOD program is pushing Samsung hard over other Android phones because they are more locked down with corporate policies mandating encryption and forbidding rooting/jailbreaking coming soon to my employer, I can see how a locked down phone is more attractive to them and could lead to more sales, not yet.
We're not their only market, and in the grand scheme of things, there may be more money for them going this path.
stoobie-doo said:
One thought. Samsung and Apple are both making big enterprise plays. My company in it's BYOD program is pushing Samsung hard over other Android phones because they are more locked down with corporate policies mandating encryption and forbidding rooting/jailbreaking coming soon to my employer, I can see how a locked down phone is more attractive to them and could lead to more sales, not yet.
We're not their only market, and in the grand scheme of things, there may be more money for them going this path.
Click to expand...
Click to collapse
What they should be doing is making business/gov contracted phone deals locked down, and leaving the consumer phones as is, that's what they should be doing. Honestly TW is pretty good now and wouldn't bother me if I couldn't flash a rom (obviously I want to), however not having root and not being able to actually delete (not just disable) bloatware is f'n annoying lol.
TOA Duck said:
http://forum.xda-developers.com/showthread.php?t=2721505
I know the qualcomm guys look. Lol
Sent from my SAMSUNG-SGH-I317 using Tapatalk
Click to expand...
Click to collapse
Huh thats interesting. I had argued it was worthless since QC hadn't sent a takedown. May have to take another look.
can anyone pointe to the thread to root a nexus 6 with marshmallow on it please? i search but i see a lot of old, conflicting and outdated reports
I just want solid instructions that somebody here already used
cpugeeker said:
can anyone pointe to the thread to root a nexus 6 with marshmallow on it please? i search but i see a lot of old, conflicting and outdated reports
I just want solid instructions that somebody here already used
Click to expand...
Click to collapse
Here are the steps I used:
- flash/upgrade to Marshmallow
- flash modified boot.img
- flash/boot TWRP and sideload latest v2.50+
No. Not that unless you want unknown evil invading your phone and stealing your private information.
Use this instead;
http://forum.xda-developers.com/nexus-6/general/root-t3231211
doitright said:
No. Not that unless you want unknown evil invading your phone and stealing your private information.
Use this instead;
http://forum.xda-developers.com/nexus-6/general/root-t3231211
Click to expand...
Click to collapse
WOW what happen with them? I found some readings but now all. What exactly went down? Any good reads on this?
doitright said:
No. Not that unless you want unknown evil invading your phone and stealing your private information.
Use this instead;
http://forum.xda-developers.com/nexus-6/general/root-t3231211
Click to expand...
Click to collapse
lol. I appreciate your work on providing other root access methods, but you really shouldnt go around claiming made up info as fact and trying to spread fear everywhere you can. You have no proof whatsoever of the things you claim.
EniGmA1987 said:
lol. I appreciate your work on providing other root access methods, but you really shouldnt go around claiming made up info as fact and trying to spread fear everywhere you can. You have no proof whatsoever of the things you claim.
Click to expand...
Click to collapse
You obviously don't know the first thing about security, or the gravity of offering root control to an unknown entity.
To make it simple, unless you can *prove* that something is safe, the only rational assumption is that it isn't.
In other words, it is not my place to prove them unsafe. It is your responsibility to prove that they are safe, and frankly, that is an impossible task.
Feel free to use whatever you like. But don't go recommending to somebody that they take dangerous risks that are unnecessary.
---------- Post added at 01:33 AM ---------- Previous post was at 01:27 AM ----------
cpugeeker said:
WOW what happen with them? I found some readings but now all. What exactly went down? Any good reads on this?
Click to expand...
Click to collapse
It was almost acceptable when it was maintained by a single individual, but at some point fairly recently, the code was transferred/sold to an outfit that has been buying up all the root control software that can be found on play store.
Although the original author continues to make the software available under his pseudonym, there is no indication of the contract in place between him and the software's new owners, and no indication of their motives.
That makes the situation incredible frightening and dangerous.
doitright said:
You obviously don't know the first thing about security, or the gravity of offering root control to an unknown entity.
To make it simple, unless you can *prove* that something is safe, the only rational assumption is that it isn't.
In other words, it is not my place to prove them unsafe. It is your responsibility to prove that they are safe, and frankly, that is an impossible task.
Feel free to use whatever you like. But don't go recommending to somebody that they take dangerous risks that are unnecessary.
Click to expand...
Click to collapse
So something that has always been a bit closed, yet still trusted and used, gets transfered to a newly made company started through XDA leaders and still maintained currently by Chainfire for a while, and suddenly this means secret organizations with corrupt ties have suddenly taken control of the Android root world?
EniGmA1987 said:
So something that has always been a bit closed, yet still trusted and used, gets transfered to a newly made company started through XDA leaders and still maintained currently by Chainfire for a while, and suddenly this means secret organizations with corrupt ties have suddenly taken control of the Android root world?
Click to expand...
Click to collapse
It doesn't guarantee that it's bad. But for it to not be controlled by the creator (a first ballot Hall of Famer in this community) and ownership switched to an unproven entity, it turns it from solid and secure to who knows what. The new owners could be just as good. But we should skeptically wait and see
EniGmA1987 said:
So something that has always been a bit closed, yet still trusted and used, gets transfered to a newly made company started through XDA leaders and still maintained currently by Chainfire for a while, and suddenly this means secret organizations with corrupt ties have suddenly taken control of the Android root world?
Click to expand...
Click to collapse
It is not really a newly made company and no where are the XDA leaders involved.
Now make no mistake. Chains SU will be around for a very long time. Will there be other options? Sure, there are many already. If not as mainstream. Apps like this will come and go. It is the nature of the beast.
Now before people start bashing others they better have something to prove it. Other wise they have nothing to say worth listening to.
zelendel said:
It is not really a newly made company and no where are the XDA leaders involved.
Click to expand...
Click to collapse
Could you provide some info on the company to the people here then? Because business filings say that you are wrong on that. The filings for the company were done on August 11th of this year and they rent a virtual office space at the Trump Building on Wall Street. Chainfire himself also said that the XDA leadership was involved in getting his project moved over to this company. Now maybe he wasnt supposed to let that slip, IDK, but he did say it.
EniGmA1987 said:
Could you provide some info on the company to the people here then? Because business filings say that you are wrong on that.
Click to expand...
Click to collapse
Just look deeper and you will see. Just because they have a different name, or make an off shoot doesnt really make them a different company. If you read you will see that they already have their fingers into a few SU apps already. Dont you think that is odd for a new company?
XDA admins only made introductions. I personally dont really care. Nor should anyone really. If you are using SU then you know the risks you run and how to spot them.
zelendel said:
Just look deeper and you will see. Just because they have a different name, or make an off shoot doesnt really make them a different company. If you read you will see that they already have their fingers into a few SU apps already. Dont you think that is odd for a new company?
Click to expand...
Click to collapse
What would be incredibly useful and go a long way in putting people's minds at ease, would be a realistic explanation of the MOTIVATIONS of this company, WHICH IS NEW, regardless of your perception of it being a simple name change, for acquiring and controlling ALL of the different mechanisms for controlling root on Android.
Frankly, I can imagine only a few motivations, none of which ANYONE should be ok with;
1) Charging for it,
2) Forcing ads that the user cannot control,
3) Backdoor/botnet/etc.
You need to remember that while their software will prompt you when some OTHER software tries to access root, it has the ability to hide its own use of root, as well as to wipe evidence from the logs.
Root access should ONLY EVER be open source.
doitright said:
What would be incredibly useful and go a long way in putting people's minds at ease, would be a realistic explanation of the MOTIVATIONS of this company, WHICH IS NEW, regardless of your perception of it being a simple name change, for acquiring and controlling ALL of the different mechanisms for controlling root on Android.
Frankly, I can imagine only a few motivations, none of which ANYONE should be ok with;
1) Charging for it,
2) Forcing ads that the user cannot control,
3) Backdoor/botnet/etc.
You need to remember that while their software will prompt you when some OTHER software tries to access root, it has the ability to hide its own use of root, as well as to wipe evidence from the logs.
Root access should ONLY EVER be open source.
Click to expand...
Click to collapse
The open source was done once. It didnt last very long and due to the nature of SU will never stay open source and mainstream at the same time. If someone wants to charge for the SU app then ok let them. Heck most already paid for the SU pro anyway. No point in going on a witch hunt before there is something to hunt. All we can do is sit back and wait. If chain trusts them then I am willing to give them a chance. Root itself is a security risk and anyone that does root should know just what they are doing. If not then they get whats coming to them.
This is not this companies first root app. As stated they own/profit from just about all the root apps that are around.
zelendel said:
The open source was done once. It didnt last very long and due to the nature of SU will never stay open source and mainstream at the same time.
Click to expand...
Click to collapse
I have no idea how to respond to that besides saying to you that this statement is *ABSURD*.
The open source root was the *FIRST* root, and has persisted. In fact, the root that *I* am working on, is the extension of that very same *ORIGINAL* root done by Koush. It has remained *the* primary mechanism for controlling root access from 2009 to present, except for a brief loss of maintenance during the reign of Android 5.x.
Further, the nature of root REQUIRES it to be open source.
And will be THE ONLY mainstream method of providing root access control for anyone who has ANY consideration for security.
If someone wants to charge for the SU app then ok let them. Heck most already paid for the SU pro anyway.
Click to expand...
Click to collapse
Only because they are being denied simple and mandatory features. This isn't a voluntary charge, this is coercion and even RANSOM.
No point in going on a witch hunt before there is something to hunt.
Click to expand...
Click to collapse
But there IS a witch to hunt: SECURITY. Or lack thereof.
All we can do is sit back and wait. If chain trusts them then I am willing to give them a chance.
Click to expand...
Click to collapse
You are a fool. Not only did the author of that binary root NEVER actually do anything to EARN your trust, the fact that you put your trust into a business arrangement that doesn't even involve you is tremendously scary... for you.
Root itself is a security risk and anyone that does root should know just what they are doing. If not then they get whats coming to them.
Click to expand...
Click to collapse
No. This is entirely invalid. Root is not a security risk when done correctly, in open source, and treated with *respect*.
Binary root control *IS* a security risk, and unfortunately you are wrong again on this, since knowing what you are doing DOES NOT protect you from it. There is NOTHING you can do to protect yourself from binary software that you VOLUNTARILY put into a sensitive position of high trust.
This is not this companies first root app. As stated they own/profit from just about all the root apps that are around.
Click to expand...
Click to collapse
That is a TERRIFYING prospect for reasons I've already discussed.
doitright said:
I have no idea how to respond to that besides saying to you that this statement is *ABSURD*.
The open source root was the *FIRST* root, and has persisted. In fact, the root that *I* am working on, is the extension of that very same *ORIGINAL* root done by Koush. It has remained *the* primary mechanism for controlling root access from 2009 to present, except for a brief loss of maintenance during the reign of Android 5.x.
Further, the nature of root REQUIRES it to be open source.
And will be THE ONLY mainstream method of providing root access control for anyone who has ANY consideration for security.
Only because they are being denied simple and mandatory features. This isn't a voluntary charge, this is coercion and even RANSOM.
But there IS a witch to hunt: SECURITY. Or lack thereof.
You are a fool. Not only did the author of that binary root NEVER actually do anything to EARN your trust, the fact that you put your trust into a business arrangement that doesn't even involve you is tremendously scary... for you.
No. This is entirely invalid. Root is not a security risk when done correctly, in open source, and treated with *respect*.
Binary root control *IS* a security risk, and unfortunately you are wrong again on this, since knowing what you are doing DOES NOT protect you from it. There is NOTHING you can do to protect yourself from binary software that you VOLUNTARILY put into a sensitive position of high trust.
That is a TERRIFYING prospect for reasons I've already discussed.
Click to expand...
Click to collapse
He has done alot to earn my trust. You would know that had to been around as long as I have been.
I am fully aware of the first root. And the reasons behind him stopping its development. The only ones that I am aware of that was even using it was CM and they are almost as much of a joke as MIUI.
I am fully aware of what you are working on and to be honest not something I or many others would use would even use as you are unknown and to be honest not really trusted. Maybe after you have been around a while more people will put faith in you and your projects. Not to mention your attitude is enough to make many not bother with it.
Root is a security risk. Just as any real developer. Even Google is making things like root harder to obtain because they see the risk. But to be honest as I have already said "Mobile security is and illusion" If I was truly worried about security I would not unlock my bootloader or bother with rooting.
Now we can argue this back and forth and never get anywhere. So We can end this here.
doitright said:
You obviously don't know the first thing about security, or the gravity of offering root control to an unknown entity.
To make it simple, unless you can *prove* that something is safe, the only rational assumption is that it isn't.
In other words, it is not my place to prove them unsafe. It is your responsibility to prove that they are safe, and frankly, that is an impossible task.
Feel free to use whatever you like. But don't go recommending to somebody that they take dangerous risks that are unnecessary.
---------- Post added at 01:33 AM ---------- Previous post was at 01:27 AM ----------
It was almost acceptable when it was maintained by a single individual, but at some point fairly recently, the code was transferred/sold to an outfit that has been buying up all the root control software that can be found on play store.
Although the original author continues to make the software available under his pseudonym, there is no indication of the contract in place between him and the software's new owners, and no indication of their motives.
That makes the situation incredible frightening and dangerous.
Click to expand...
Click to collapse
This is almost the most amazing post on xda. :good:
Could you kindly prove that the Google Factory Image is safe? Otherwise I would advise you destroy your handset immediately as its probably not safe.
zelendel said:
He has done alot to earn my trust. You would know that had to been around as long as I have been.
Click to expand...
Click to collapse
I've been around longer than you. Try again.
I am fully aware of the first root. And the reasons behind him stopping its development. The only ones that I am aware of that was even using it was CM and they are almost as much of a joke as MIUI.
Click to expand...
Click to collapse
I won't argue with CM being a joke, but MOST people used Koush's superuser up until they were stopped by selinux.
I am fully aware of what you are working on and to be honest not something I or many others would use would even use as you are unknown and to be honest not really trusted. Maybe after you have been around a while more people will put faith in you and your projects. Not to mention your attitude is enough to make many not bother with it.
Click to expand...
Click to collapse
Speak for yourself, but don't you DARE to speak for others.
As far as the trustworthiness of my work goes... go ahead and AUDIT IT. The code speaks for itself.
Root is a security risk. Just as any real developer.
Click to expand...
Click to collapse
I ask myself. Answer is that you have no idea what you are talking about.
Even Google is making things like root harder to obtain because they see the risk. But to be honest as I have already said "Mobile security is and illusion" If I was truly worried about security I would not unlock my bootloader or bother with rooting.
Click to expand...
Click to collapse
Google is correctly worried about the dangers of binary root. As YOU should also be.
Now we can argue this back and forth and never get anywhere. So We can end this here.
Click to expand...
Click to collapse
Only because you have degenerated into personal attacks rather than rational argument.
---------- Post added at 06:07 PM ---------- Previous post was at 06:05 PM ----------
Amos91 said:
This is almost the most amazing post on xda. :good:
Could you kindly prove that the Google Factory Image is safe? Otherwise I would advise you destroy your handset immediately as its probably not safe.
Click to expand...
Click to collapse
I can't prove that google factory image is safe. I can make a strong argument to suggest that it most likely is, and I can prove that AOSP is safe.
FYI: I use a Nexus, so I'm not limited to factory images, as implied by your last sentence.
Well, I'm no techie, I'm just an end-user of other people's talented work, but I'm with doitright on this one. I have trusted Chainfire for years - I have a number of his apps on my device, all of them paid for even though most work perfectly as free apps, simply because I do trust his work. Even if it's closed source black box stuff, he has always appeared to be a straight-up guy.
Still, once the black box passes into company ownership, at that point my trust ends. Companies are not charities hoping for donations. They want some return on whatever investment they've put into taking over SuperSU. Bottom line, I don't trust companies - and yes, that does include Google or Alphabet or whatever piece owns Android these days. I live with the knowledge that I am the product - my choice.
It's also my choice to opt for an open-source solution over a black box one. If doitright's superuser can be audited by people who know what they're looking at (I don't) then that'll do it for me.
And as an afterthought, yes, doitright is a spiky character. So is Torvalds. So what? As long as he comes up with the goods I have no problem with it. He comes across as passionate, doesn't suffer fools gladly (and that is just a saying, I'm not referring to any posters), and since I'm pretty much the same, if a bit more politic in the way I write, I can't criticise that...
doitright said:
Feel free to use whatever you like. But don't go recommending to somebody that they take dangerous risks that are unnecessary
Click to expand...
Click to collapse
Risk = Chance * Effect.
doitright said:
I've been around longer than you. Try again.
I won't argue with CM being a joke, but MOST people used Koush's superuser up until they were stopped by selinux.
Speak for yourself, but don't you DARE to speak for others.
As far as the trustworthiness of my work goes... go ahead and AUDIT IT. The code speaks for itself.
I ask myself. Answer is that you have no idea what you are talking about.
Google is correctly worried about the dangers of binary root. As YOU should also be.
Only because you have degenerated into personal attacks rather than rational argument.
---------- Post added at 06:07 PM ---------- Previous post was at 06:05 PM ----------
I can't prove that google factory image is safe. I can make a strong argument to suggest that it most likely is, and I can prove that AOSP is safe.
FYI: I use a Nexus, so I'm not limited to factory images, as implied by your last sentence.
Click to expand...
Click to collapse
I only speak for the developers I have talked to about using your root set up instead of chains. Got the same answer from all of them.
As for being around longer then me in the modding area. I would put a bet on that. I have been modding phones before a smart phone was even a thought.
You were the first to throw insults. As seems to be your way. Anyone that doesn't agree with you is called a fool or other wise.
Nope you are right. I have no idea what I'm talking about. Now excuse me I have some bugs to fix thanks to Google messing things up.
This might be a silly question, I've not used Samsung in a long time, last one was the S2 haha.....but is it ever going to be possible to root and/or install TWRP on this device without breaking OTA updates? I love rooting my devices and using custom ROMs, I still have need for root access, but to be honest this phone I would be happy keeping as close to stock as possible, I could live without TWRP, but will we ever get root without losing the ability to OTA update? If not then I'll just go custom when the urge becomes too strong haha.
Oh and I have the exynos version.
beta546 said:
This might be a silly question, I've not used Samsung in a long time, last one was the S2 haha.....but is it ever going to be possible to root and/or install TWRP on this device without breaking OTA updates? I love rooting my devices and using custom ROMs, I still have need for root access, but to be honest this phone I would be happy keeping as close to stock as possible, I could live without TWRP, but will we ever get root without losing the ability to OTA update? If not then I'll just go custom when the urge becomes too strong haha.
Oh and I have the exynos version.
Click to expand...
Click to collapse
+1
I too see a growing need for root elevation without destroying core security patch options. Either from stock, or with an aptitude like package management used by ROM creators, so you can even patch android files sooner than Samsung normally would. Because as it stands, the way we root now makes android a security disaster.
In essence this is a design failure by google and android. How could they expect users to be happy with non-configurable systems? That's why we don't have Apple devices, so we can config and alter whenever we would want to. Sigh.. Closed source for android is such a PITA. And so slow with patches..
?
jult said:
+1
I too see a growing need for root elevation without destroying core security patch options. Either from stock, or with an aptitude like package management used by ROM creators, so you can even patch android files sooner than Samsung normally would. Because as it stands, the way we root now makes android a security disaster.
In essence this is a design failure by google and android. How could they expect users to be happy with non-configurable systems? That's why we don't have Apple devices, so we can config and alter whenever we would want to. Sigh.. Closed source for android is such a PITA. And so slow with patches..
Click to expand...
Click to collapse
I agree, people like Samsung who just want to lock down their devices for whatever reason is just getting a bit extreme now. I don't think it's Google to blame though as android is easily rooted in general, it's manufacturers like Samsung that make you jump through hoops to do it. And yes it's exactly why we don't have iPhones haha. I believe every android device should come with a setting in developer options that just activates root with a disclaimer.....take my warranty, I don't care in the slightest, but don't cripple my device that I payed £720 for that is now my property, just because I want to use some of the most useful features and app designed to work with root. After reading through these forums I see Samsung seem more like apple than ever. I mean God the guide to install a custom ROM is crazy haha, perfectly doable, but compared to my le max 2 which was just, plug your phone in, push this through ADB, then flash this zip and you're done, so simple.
beta546 said:
I agree, people like Samsung who just want to lock down their devices for whatever reason is just getting a bit extreme now. I don't think it's Google to blame though as android is easily rooted in general, it's manufacturers like Samsung that make you jump through hoops to do it. And yes it's exactly why we don't have iPhones haha. I believe every android device should come with a setting in developer options that just activates root with a disclaimer.....take my warranty, I don't care in the slightest, but don't cripple my device that I payed £720 for that is now my property, just because I want to use some of the most useful features and app designed to work with root. After reading through these forums I see Samsung seem more like apple than ever. I mean God the guide to install a custom ROM is crazy haha, perfectly doable, but compared to my le max 2 which was just, plug your phone in, push this through ADB, then flash this zip and you're done, so simple.
Click to expand...
Click to collapse
The most important part of your post is often missed by a lot of people.
"lock down their devices for whatever reason..."
No one thinks about the reason it seems. As much as it sucks for folks on XDA, the folks that come to XDA don't think about all of the people that DO NOT come to XDA, or why a device manufacturer that makes their devices primarily for the Corporate world, wouldn't want to let their devices be unlocked by the small amount of XDA folks that buy them.
And before anyone says "the exynos is unlockable!" Remember the Exynos version is international, not USA. There's are so much more benefits to Samsung keeping the USA devices locked than there are downsides. I work for a small corporate company of about 300 employees and I am not allowed to have a device with the bootloader unlocked, period. Why? I don't even know, and I am in the tech field. Each company has their rules and such. Imagine how much contracts Samsung could have with corporations out there for their devices. We used to have one, and look at how small we are. We don't have one anymore because it's cheaper to just have employees front the device cost instead of the company paying for devices! Lame I know. I fought against it but lost.
As far as the original question goes, no, you will not be able to keep OTA and root at the same time. Not for the way OTA are setup, and rooting works.
Jammol said:
As far as the original question goes, no, you will not be able to keep OTA and root at the same time. Not for the way OTA are setup, and rooting works.
Click to expand...
Click to collapse
Now. You mean. It can (and should) change. The way the android permission model is designed, is totally corporate-based, not user-friendly at all. And if Samsung would stay on top of security-patches and push updates (like you have with Win10 now, which are still totally under the user's control without having to 'root' anything), that would be fine, but time and again these smartphone manufacturers have proven to stop giving a hoot after they've released a new model, if they even cared at all about security patching in time, because they apparently really don't. Not enough anyway. If they would, we'd already be running Android 9 on our Notes by now.
Jammol said:
The most important part of your post is often missed by a lot of people.
"lock down their devices for whatever reason..."
No one thinks about the reason it seems. As much as it sucks for folks on XDA, the folks that come to XDA don't think about all of the people that DO NOT come to XDA, or why a device manufacturer that makes their devices primarily for the Corporate world, wouldn't want to let their devices be unlocked by the small amount of XDA folks that buy them.
And before anyone says "the exynos is unlockable!" Remember the Exynos version is international, not USA. There's are so much more benefits to Samsung keeping the USA devices locked than there are downsides. I work for a small corporate company of about 300 employees and I am not allowed to have a device with the bootloader unlocked, period. Why? I don't even know, and I am in the tech field. Each company has their rules and such. Imagine how much contracts Samsung could have with corporations out there for their devices. We used to have one, and look at how small we are. We don't have one anymore because it's cheaper to just have employees front the device cost instead of the company paying for devices! Lame I know. I fought against it but lost.
As far as the original question goes, no, you will not be able to keep OTA and root at the same time. Not for the way OTA are setup, and rooting works.
Click to expand...
Click to collapse
That makes a lot of sense really, obviously there are going to be businesses and companies and such that wpild rely on their workers devices being as secure as possible, for multiple reasons. But again that's not really up to Samsung to decide really, now I agree that although there are a huge number of people that want to modify their devices in various ways, but on the grand scale it's a relatively low percentage of the market. Which is why I think it should always be an option, that way they cater to everyone. If a company has a requirement that all their employees devices stay locked down, they simply don't allow it, and if an employee does it regardless then the consequences would be their own. I guess Samsung could bake in the setting, but with an option at first boot as to leave the ability to unlock intact, or to choose to permanently remove any option of ever being able to do it. That way when a company bought the phones they could lock them all down before handing them out. But in the scenario where people must purchase their own device, they then would have to decide whether to follow company policy, or unlock the phone and risk potentially losing their job at worst because of it....that's just what I think really, but I'm in no way some business or manufacturing giant haha, there will be multiple arguments for and against this entire scenario.
And also thanks for the answer ? It was as I suspected, but always worth an ask.
Voiding the Warranty for unrelated modifications is illegal and there is a better way
It seems we are all getting used to the arrogance and impertinence ...
... with which manufacturers and telephone service operators want to dictate what we do with our property. Let us not forget that «this will void your warranty», though common practice, is not in accordance with current legislation.
Modifications to devices should be protected under the Magnuson-Moss Warranty Act, unless the modification caused the damage you're asking the manufacturer to repair. Manufacturers threatening to void warranties for rooting, even when they have no legal right to do so, is nothing but bullying, banking on the fact that most people are not feeling confident about legal battles with corporations for which time and money are of no consequence. It is about time that reviews took the aspect of rooting/customization friendliness into consideration, so that manufacturers like OnePlus and HTC receive the credit they deserve for being more lenient toward rooting and still receiving updates. If technology journalists pointed this aspect out in their reviews, companies might come to their senses. Being able to use some apps that can do what they do only with Root access is more important than yet another MegaPixel on the camera -- if the other manufacturers do not drop the ball yet again, by dumbing down their phone instead of building the best device they possibly can, this year's phone purchase will be from a brand that is user friendly and provides OTA updates even on customised devices.
As for the «security» fairytale, that's often the last aspect that manufacturers care about, skipping security patches even after exploits have been detected. By the way: if some guy with a mobile phone could really bring down or disturb an operator's network, the operator doesn't deserve better. Most people do not root because they are devious masterminds from a Bond movie who try to mess up their kernels or bring down the global communication networks, but because they want to customize the looks of devices to their liking, fix some flaws or get some software to work. Very few people would keep rooting if manufacturers only guarded their kernels against overclocking beyond what the phone can endure and operators blocked what could disrupt the network -- if they did that and only that, hardly anyone would complain or root.
Security is obviously not what it's really all about. On my SAMSUNG GALAXY NOTE 9, Amazon Shopping, Fakecrook, LinkedIn and a whole bunch of other garbage came pre-installed as system apps that can be disabled but not uninstalled. Like everything imposed on us by Google, these companies have no interest in enhancing their customers' security and privacy, but exactly the opposite, grab as much sensitive information about us as they possibly can and sell it to whoever is interested and willing to pay for it.
On a Windows PC, I can do most things I want to do if I really have to, via editing the Windows Registry if need be and turning off User Access Control (UAC) when the unnecessary extra-click got on my nerves. Millions of people are and have been doing the same without upsetting the space-time-continuum, and corporations can restrict whatever they want to restrict if there is an administrator to do it. In most cases, however, there is not, because after all, it's a Personal Computer (PC), managed by the user at home. If we pay for something -- and quite handsomely so -- we own it, consequently it should be us who, after a warning that can be turned off with a checkmark, have the final say. So far, the corporate world seems to thrive quite nicely with the kind of approach to security that MS Windows is taking, despite surely being the first and loudest ones to complain if there were any real and relevant problems that seriously threaten their dayly operations.
Mobile phone manufacturers and operators use «security» as an excuse to restrict what the owners of those expensive little toys can do, just like governments proclaim «terrorism» as the excuse for spying on and controlling their own populations by grabbing ever more power with authorizing laws that undermine constitutional civil liberties. In our societies, it is to keep track on any possible threats to the Status Quo that might be caused by a shift of public opinion if the media -- these days large corporations themselves -- did not distract us with polemics, sports and celebrity BS, but reported on and kept in focus issues such as ecology, human overpopulation, inequality, tax evasion, poverty, injustice, corruption, lobbyism and so on. In the mobile phone world, they do it to milk us for banalities like boot animations, wallpapers, type fonts, themes, icons and whatever we would like to do to make our phones look nicer. Under Windows, buy a shareware CD with 10,000 fonts, copy the 20 or 30 you like into the respective system folder -- done. On Android, they want to milk us for every bit they can and that's the real motivation for all the bull****, harassment, hoops and loops they make us jump through.
If companies were really interested in user privacy rights and security, the first thing that would be forbidden were advertisements, because a lot of sh.t can come in through those backdoors. Second, why does Apple not allow antivirii and firewalls if security is such a concern? Why are owners of devices with a custom recovery or root being punished by exclusion from OTA updates, given that these updates are supposed to improve stability and security? That's just bollocks and distraction to ram as much advertising down our throat, rip us off for every boot animation, wallpaper, theme, icon or type font that we have tons of lying around on our hard drive, and to obtain as much data from us as possible, in order to know and track what we buy, think, believe, suffer from, like, dislike or do in any place at any at any time.
Apart from a couple of absolute geeks and nerds, nobody would root their phones if adaptation and customization of our phones was easily possible, i.e. if everything except things that could irrevocably damage hardware or networks could be easily modified as we please. The introduction of a/b partition slots for Seamless Updates paved the way for preventing irreparable accidents and could easily be expanded and improved, together with a better design of the user interface and user experience to make the process more comprehensible for average users. Yet, most companies did not even implement a/b partitions, although this approach makes accidents and mistakes when playing around with the device «non-lethal» and saves the Customer Service costs that companies so often cite as the second excuse and pretext for the arrogance with which they keep and exert control over other people's property. With each new generation of phones and every new version of operating systems, the restrictions are getting worse, the options for access and harmless modification less, and that unacceptable trend needs to stop.
If companies want to disencourage people from rooting their phones, they need to stop bombarding us with intrusive ads, stop spying and imposing bloatware and replace it with useful tool bundles (Titanium Backup, decent file managers, cleaners, system tools and the like). It is okay to guard and firewall the indispensable and risky parts (hardware overclocking, network integrity), but only block those irreparable areas while opening up the rest for users to customise to their hearts content, making it as comfortable, easy and intuitive as possible to copy, paste, move and configure everything else between phone and PC. If something goes wrong while doing so, make sure that a system restore point and booting into the alternative partition means that there's no harm, no foul and therefore no problem and no service cost.
Instead of wasting our time hunting for patched partiton files, info on how to get out of bootloops, etc., users could then enjoy and be happier with our phone instead of fixing its shortcomings or, dare I say it, do something fun and entertaining outside while the snow is fresh or the sun is shining.
.
Qui Peccavit said:
It seems we are all getting used to the arrogance and impertinence ...
... with which manufacturers and telephone service operators want to dictate what we do with our property. Let us not forget that «this will void your warranty», though common practice, is not in accordance with current legislation.
Modifications to devices should be protected under the Magnuson-Moss Warranty Act, unless the modification caused the damage you're asking the manufacturer to repair. Manufacturers threatening to void warranties for rooting, even when they have no legal right to do so, is nothing but bullying, banking on the fact that most people are not feeling confident about legal battles with corporations for which time and money are of no consequence. It is about time that reviews took the aspect of rooting/customization friendliness into consideration, so that manufacturers like OnePlus and HTC receive the credit they deserve for being more lenient toward rooting and still receiving updates. If technology journalists pointed this aspect out in their reviews, companies might come to their senses. Being able to use some apps that can do what they do only with Root access is more important than yet another MegaPixel on the camera -- if the other manufacturers do not drop the ball yet again, by dumbing down their phone instead of building the best device they possibly can, this year's phone purchase will be from a brand that is user friendly and provides OTA updates even on customised devices.
As for the «security» fairytale, that's often the last aspect that manufacturers care about, skipping security patches even after exploits have been detected. By the way: if some guy with a mobile phone could really bring down or disturb an operator's network, the operator doesn't deserve better. Most people do not root because they are devious masterminds from a Bond movie who try to mess up their kernels or bring down the global communication networks, but because they want to customize the looks of devices to their liking, fix some flaws or get some software to work. Very few people would keep rooting if manufacturers only guarded their kernels against overclocking beyond what the phone can endure and operators blocked what could disrupt the network -- if they did that and only that, hardly anyone would complain or root.
Security is obviously not what it's really all about. On my SAMSUNG GALAXY NOTE 9, Amazon Shopping, Fakecrook, LinkedIn and a whole bunch of other garbage came pre-installed as system apps that can be disabled but not uninstalled. Like everything imposed on us by Google, these companies have no interest in enhancing their customers' security and privacy, but exactly the opposite, grab as much sensitive information about us as they possibly can and sell it to whoever is interested and willing to pay for it.
On a Windows PC, I can do most things I want to do if I really have to, via editing the Windows Registry if need be and turning off User Access Control (UAC) when the unnecessary extra-click got on my nerves. Millions of people are and have been doing the same without upsetting the space-time-continuum, and corporations can restrict whatever they want to restrict if there is an administrator to do it. In most cases, however, there is not, because after all, it's a Personal Computer (PC), managed by the user at home. If we pay for something -- and quite handsomely so -- we own it, consequently it should be us who, after a warning that can be turned off with a checkmark, have the final say. So far, the corporate world seems to thrive quite nicely with the kind of approach to security that MS Windows is taking, despite surely being the first and loudest ones to complain if there were any real and relevant problems that seriously threaten their dayly operations.
Mobile phone manufacturers and operators use «security» as an excuse to restrict what the owners of those expensive little toys can do, just like governments proclaim «terrorism» as the excuse for spying on and controlling their own populations by grabbing ever more power with authorizing laws that undermine constitutional civil liberties. In our societies, it is to keep track on any possible threats to the Status Quo that might be caused by a shift of public opinion if the media -- these days large corporations themselves -- did not distract us with polemics, sports and celebrity BS, but reported on and kept in focus issues such as ecology, human overpopulation, inequality, tax evasion, poverty, injustice, corruption, lobbyism and so on. In the mobile phone world, they do it to milk us for banalities like boot animations, wallpapers, type fonts, themes, icons and whatever we would like to do to make our phones look nicer. Under Windows, buy a shareware CD with 10,000 fonts, copy the 20 or 30 you like into the respective system folder -- done. On Android, they want to milk us for every bit they can and that's the real motivation for all the bull****, harassment, hoops and loops they make us jump through.
If companies were really interested in user privacy rights and security, the first thing that would be forbidden were advertisements, because a lot of sh.t can come in through those backdoors. Second, why does Apple not allow antivirii and firewalls if security is such a concern? Why are owners of devices with a custom recovery or root being punished by exclusion from OTA updates, given that these updates are supposed to improve stability and security? That's just bollocks and distraction to ram as much advertising down our throat, rip us off for every boot animation, wallpaper, theme, icon or type font that we have tons of lying around on our hard drive, and to obtain as much data from us as possible, in order to know and track what we buy, think, believe, suffer from, like, dislike or do in any place at any at any time.
Apart from a couple of absolute geeks and nerds, nobody would root their phones if adaptation and customization of our phones was easily possible, i.e. if everything except things that could irrevocably damage hardware or networks could be easily modified as we please. The introduction of a/b partition slots for Seamless Updates paved the way for preventing irreparable accidents and could easily be expanded and improved, together with a better design of the user interface and user experience to make the process more comprehensible for average users. Yet, most companies did not even implement a/b partitions, although this approach makes accidents and mistakes when playing around with the device «non-lethal» and saves the Customer Service costs that companies so often cite as the second excuse and pretext for the arrogance with which they keep and exert control over other people's property. With each new generation of phones and every new version of operating systems, the restrictions are getting worse, the options for access and harmless modification less, and that unacceptable trend needs to stop.
If companies want to disencourage people from rooting their phones, they need to stop bombarding us with intrusive ads, stop spying and imposing bloatware and replace it with useful tool bundles (Titanium Backup, decent file managers, cleaners, system tools and the like). It is okay to guard and firewall the indispensable and risky parts (hardware overclocking, network integrity), but only block those irreparable areas while opening up the rest for users to customise to their hearts content, making it as comfortable, easy and intuitive as possible to copy, paste, move and configure everything else between phone and PC. If something goes wrong while doing so, make sure that a system restore point and booting into the alternative partition means that there's no harm, no foul and therefore no problem and no service cost.
Instead of wasting our time hunting for patched partiton files, info on how to get out of bootloops, etc., users could then enjoy and be happier with our phone instead of fixing its shortcomings or, dare I say it, do something fun and entertaining outside while the snow is fresh or the sun is shining.
.
Click to expand...
Click to collapse
Best post I've read in the recent years. Well done!
PS: Love the Angola flag.
Information available on Reddit seem to show that several of Motorola's phones have not had any security patch levels applied since after January. It also seems like as long as the known security issues are just documented as theoretically possible that Lenovo/Motorola seem happy to keep reiterating the same lie that they make security a "top priority" while not actually addressing these problems. It is also frustrating that Motorola seems unwilling to release a version of the Motorola One that is intended to be used in the USA.
It would be nice to have a proof of concept repository similar to Rapid7's metasploit but for the Motorola G-series. Please keep in mind, I am *NOT* talking about violating responsible disclosure. This would not include any unpatched vulnerabilities. Instead, this would be known issues were AOSP has provided fixes to Motorola for over a month and Motorola has selected to still notify it's customers that their device is "up to date" without having addressed the known issues.
I believe only by showing customers what is possible with this exploits can enough pressure be put on Lenovo/Motorola to make "top priority" mean actual action instead of empty posturing.
However, based on my careful reading of the XDA ToS, it seems anything that facilitate the creation of malicious content is not allowed. This seems vaguely worded enough to exclude all proof of concept exploit discussion. But several of the issues left unaddressed by Motorola seem to be fairly easy to exploit. So, is XDA really improving the situation or avoiding transparency in favor of shielding Motorola's poor behavior?
It would be really nice if someone could provide some clarification behind the wording of this ToS and XDA's position on vendors that make security a "top priority" leaving months of patches outside of the scope available to customers if the device is to remain under warranty.
This is what I already said.
Motorola is just a retarded company.
I don't know in which universe this is acceptable.
Someone needs to sh*t in a bag and address it at Motorola, so they see what they sell.
The G6 was my last Motof**k phone.
F**k Motorola. F**k Lenovo and f**k all the retards which work in this companies.
I hope the company dies and never sells a f**kphone again.
I completely understand your level of frustration ThisIsRussia but please don't get the thread locked.
If I were to mail something to Motorola to make a statement, it would probably be a finger-print reader attached to swiss cheese. They keep using user facing features to give the illusion of security while leaving the rest of the product full of security holes.
Yeah, sorry I was a little upset because they are always responding with phrases like "soon it will be updated" etc.
Since February. Its May now.
I just don't use Motorola phones anymore and if someone asked me for opinion I didn't recommend Motorola/Lenovo.
They are a bunch of liars. period.
I picked up the g6 on Fi just to have a cheap phone. I thought it was just the Fi version not getting security updates.. luckily I don't keep financials, etc on. Only good as a glorified phone and music streaming device, but for $99?
Not many budget phones get monthly patches on time. None that are under$150 anyways.
$99 or $150 isn't what I was charged for the Moto G6. It was released for a price of $200.
The Federal Trade Commission has fined D-Link, TP-Link and ASUS for marketing *BUDGET* wireless routers that sold for much less than $200 or $150 or $99 for misrepresenting their products as providing security while "failing to take reasonable steps to secure."
According to David Kleidermacher, Google's head of security for Android, ""Android security made a significant leap forward in 2017 and many of our protections now lead the industry" and also "as Android security has matured, it has become more difficult and expensive for attackers to find high severity exploits."
Google owned Motorola, they should have been able to established policies and procedures for Motorola to make good on David Kleidermacher's statements. Or they should have made establishing those part of terms of the sale to Lenovo.
Lenovo and Motorola also market themselves as providing security even for budget devices with statements as:
* "Prevent unauthorized access with secure biometrics"
* "keeping your devices and systems secure and your digital privacy intact is a top priority"
At no point do they put any exclusionary statement such as "but only if it is not a budget device."
Also, while Motorola One is also a budget device, it does get more frequent updates. However, the Moto One is clearly not intended for purchase in the USA market and is missing support for several LTE bands.
And the Moto G6 is supposed to be a Treble/GSI device were any effort Motorola put into providing updates to flagship GSI devices should also apply to being able to also update the G6 for almost no additional effort.
So, I reject the claim no one should expect Feb 2019 security updates by May 2019 because it is simply a budget device.
Then let's also look at the claim that if financials or similar are not stored directly on the phone then it is not really a big issue.
To respond to that I am going to focus on just one Feb 2019 patch. There have been plenty of other security issues in Jan 2019 to now but for purposes of this discussion, I will just focus on one. The CVE-2019-1988 seems to still apply to still apply to any Motorola phone that is "up-to-date" but has a Jan 2019 security level. This vulnerability as a high impact score of 10 out of 10 and an easy exploitability score of 8.6 out of 10. The attack complexity is low and "could lead to remote code execution in system_server with no additional execution privileges needed."
What would need to result from this for it to be considered a violation of Lenovo and Motorola's marketing of making security a top priority?
What if an email or MMS ("text message") or instant message could do any of the following:
* Open and stream the microphone while the phone is locked
* Take and transmit pictures from either the front or rear camera while the phone is locked
* Send and receive text messages while the phone is locked
* Transmit phone location while the phone is locked
* Access and transmit email and files/documents on Google Drive and Google Docs while the phone is locked
Would any of this be disturbing? Is Lenovo/Motorola really delivering on "[preventing] unauthorized access with secure biometrics" if this is possible while the phone is locked?
I get this is all theoretical and I sound like I have been wearing a tin foil hat (maybe I am ). Anyone want to find out? Anyone want to give me the phone number to a Moto G6? Anyone want to give me the email address that they use with their Moto G6? How confident are people that not having financials stored directly on the phone means CVE-2019-1988 is not a major issue?
So far, people's reactions have been similar to this forum that there is still things people can do to maintain their privacy while using a device in this state. No one wants to believe that a major company would leave them so exposed. Lenovo/Motorola seems to be banking on no one understand the full scope of the problem. But what if a Proof of Concept of a Remote Access Trojan launched not via installing an application but simply from viewing a PNG really happened, would anyone be interested that? Would being able to actually demonstrate a PoC RAT have any positive value in holding Motorola accountable to their marketing claims or simply feed "hackers" with an exploit? If it is already known to be easily exploitable, shouldn't it be safe to assume any criminal that wanted it already has created their own implementation?
What exactly is XDA's stand on a real PoC RAT full disclosure? Is XDA taking on the stance that a RAT disclosure is always only harmful? Or is it that Motorola's actions are harmful?
@chilinux
Relax, you don't need to attack me. I can see you're feeling very hostile.
I didn't say you or anyone should accept it. I said it's common on low end devices. Even low to midrange devices.
I don't care what you paid for it. I have the g6 play and paid $99 for it. And it has been updated to pie with March security patch.
Moto is not great at supplying updates the way they were when they were under Google. Not many companies in China that are shopping phones to other countries are good at it.
It sucks, I was agreeing with you.
So rant at someone else. Geez
madbat99 said:
@chilinux
Relax, you don't need to attack me. I can see you're feeling very hostile.
Click to expand...
Click to collapse
I am very sorry you feel personally attacked. I do admit that I have taken a hostile stance but I wasn't trying to attack you.
My point is that I have already heard from users that the issue is not really that bad. It really seems like a demonstration is the only way to change the Lenovo/Motorola business model of leveraging customer misconception. At the same time, the XDA ToS seems to be at odds with using this forum as the method of giving such a demonstration. To me, this means XDA is passively contributing to Motorola's clearly invalid marketing of using product security to protect against unauthorized access.
Allowing remote unauthorized access is very much part of how the Moto G6 functions.
chilinux said:
I am very sorry you feel personally attacked. I do admit that I have taken a hostile stance but I wasn't trying to attack you.
My point is that I have already heard from users that the issue is not really that bad. It really seems like a demonstration is the only way to change the Lenovo/Motorola business model of leveraging customer misconception. At the same time, the XDA ToS seems to be at odds with using this forum as the method of giving such a demonstration. To me, this means XDA is passively contributing to Motorola's clearly invalid marketing of using product security to protect against unauthorized access.
Allowing remote unauthorized access is very much part of how the Moto G6 functions.
Click to expand...
Click to collapse
XDA needs to cover their butts. They walk a fine line on many things.
To provide members the most information, useful guides, and general Android knowledge; they do have to remain, for lack of a better term, "neutral".
They allow us access to guides, knowledge, and even files, that allow us to take back some semblance of "ownership" of our devices. And that is despite many OEM, and country, restrictions, regulations, and "ownership", be it proprietary or what have you, that threaten their voice.
We, in turn, try to adhere to their rules to maintain an even keel, so to speak. So as not to make it harder, or impossible, to do the good work they are doing.
That said, this may not be the platform to achieve the ends you seek. Even if others share your view, in part, or otherwise.
Make sense?
madbat99 said:
XDA needs to cover their butts. They walk a fine line on many things.
To provide members the most information, useful guides, and general Android knowledge; they do have to remain, for lack of a better term, "neutral".
They allow us access to guides, knowledge, and even files, that allow us to take back some semblance of "ownership" of our devices. And that is despite many OEM, and country, restrictions, regulations, and "ownership", be it proprietary or what have you, that threaten their voice.
We, in turn, try to adhere to their rules to maintain an even keel, so to speak. So as not to make it harder, or impossible, to do the good work they are doing.
That said, this may not be the platform to achieve the ends you seek. Even if others share your view, in part, or otherwise.
Make sense?
Click to expand...
Click to collapse
I understand what it is you are trying to saying that XDA sees it to their advantage to not rock the boat too much. That doesn't mean it makes sense to me.
Here is how I view how the world works when people don't speak out:
https://www.cnn.com/2019/01/12/middleeast/khashoggi-phone-malware-intl/index.html
If Motorola wants to specify that security and safety simply is not part of this product, then I can understand them making that part of their *stated* business model. But Lenovo/Motorola has decided they can market a product as preventing authorized access without doing the work required to actually provide that feature. There should be moral and ethical issues raised when knowingly letting a company mislead their customers to that extent.
There should be room someplace on the XDA forum to create a penetration/vulnerability to put customers of Motorola in a better position for informed consent. The idea that the average person can take the April and May 2019 security bulletins and understand what that really means just doesn't work out. They know what the word "critical" means but usually don't know what RCE is and largely take it as being someone else's problem. The level of conflict of interest on the part of Motorola is not made clear.
Instead, the average person still focuses on if when they are going to see the latest Avengers movie. "CVE-2019-2027" means nothing but if you show them April/May gives criminals all of the infinity gems such that at a click of their fingers half of customers of Motorola have their privacy turn to dust, then that is something they can at least understand. Then they can more meaningfully decide if it is reasonable/safe to use that device without leaving airplane mode permanently on.
chilinux said:
I understand what it is you are trying to saying that XDA sees it to their advantage to not rock the boat too much. That doesn't mean it makes sense to me.
Here is how I view how the world works when people don't speak out:
https://www.cnn.com/2019/01/12/middleeast/khashoggi-phone-malware-intl/index.html
If Motorola wants to specify that security and safety simply is not part of this product, then I can understand them making that part of their *stated* business model. But Lenovo/Motorola has decided they can market a product as preventing authorized access without doing the work required to actually provide that feature. There should be moral and ethical issues raised when knowingly letting a company mislead their customers to that extent.
There should be room someplace on the XDA forum to create a penetration/vulnerability to put customers of Motorola in a better position for informed consent. The idea that the average person can take the April and May 2019 security bulletins and understand what that really means just doesn't work out. They know what the word "critical" means but usually don't know what RCE is and largely take it as being someone else's problem. The level of conflict of interest on the part of Motorola is not made clear.
Instead, the average person still focuses on if when they are going to see the latest Avengers movie. "CVE-2019-2027" means nothing but if you show them April/May gives criminals all of the infinity gems such that at a click of their fingers half of customers of Motorola have their privacy turn to dust, then that is something they can at least understand. Then they can more meaningfully decide if it is reasonable/safe to use that device without leaving airplane mode permanently on.
Click to expand...
Click to collapse
Nope. Nobody is "honest" in marketing. They would sell nothing. Is it right....? No. Is it going to continue? Of course.
There are places to speak out. This isn't IT. Period.
You want a Google device that updates with every patch, you're gonna have to get a Pixel. Flat out. No company truly cares about you're security. They start companies to make money. The end. Right or wrong. Sorry bro. It is what it is.
Unless a company specifically spelled it out in the laws of the country their marketing in they don't have to do it. They can skirt rules and regulations anyway they possibly can. And they have lawyers to make sure they get around that crap. Marketing gimmicks do not equal legal regulation obedience.
if you have a medium to carry out the plan you intend to, find it and do it. just make sure no consumers are harmed in the process. because then the line has been crossed where you're not helping anyone but hurting people.
companies are going to sell their products at the greatest profitt imaginable and that's just the way things are going to be until some company proves that profits lie somewhere else. There isn't much you or I can do about it.
Again, this is not the medium for you to carry out such a vision. the most we hope to do here is to give users the keys to find a way to pick the lock for themselves. Not a way to circumvent the rules, punish the guilty, or vindicate innocence. There are places for that.
I'm going to bed now because I get up for work early. Good luck dude. hope you feel better in the morning.
how many people in the budget phone range are still using phones that haven't even been updated past kit Kat. Just a bit of a reality check. Up-to-the-minute security patches don't mean much to those who are struggling just to have a device to communicate with.
Infinity gems be damned, level-headed decisions with your device make all the difference in the world
madbat99 said:
just make sure no consumers are harmed in the process. because then the line has been crossed where you're not helping anyone but hurting people.
Click to expand...
Click to collapse
I can not no consumers would ever be harmed by anything I ever released. TeamViewer has been weaponized to performing scams. UPX was weaponized to help hide malware from detection. Cerberus antitheft app for Android has the potential to be weaponized. Magisk can be weaponized for malware to avoid detection on Android. To claim any of those projects is "not helping anyone" is really a stretch.
The security audit PoC suite would be similar to previously publicly released project. It would have a method of install via exploit similar to JailbreakMe and it would provide demonstration on what privileged level access provides similar to Back Orifice 2000. Both of those previous project had the potential to weaponize but also helped customers make a better informed decisions about the products they use.
madbat99 said:
how many people in the budget phone range are still using phones that haven't even been updated past kit Kat. Just a bit of a reality check. Up-to-the-minute security patches don't mean much to those who are struggling just to have a device to communicate with.
Click to expand...
Click to collapse
Just a bit of a reality check, I know a medical doctor that discusses information that should be legally protected under HIPAA in the same room as a Moto G6. When a vendor misrepresents the degree to which unauthorized access to a device's microphone is prevented, then more than just people struggling to communicate are impacted. That level of misplaced trust also means the privacy impact extends beyond just owners of the phone.
It is also a level of mistaken trust that was contributed to by people like Ronald Comstock with the XDA Developers sponsorship team which recommended this phone. It might be possible to make an excuse that at the time the recommendation was made it wasn't known how far behind security updates for the product would go. However, the XDA sponsorship team never posted a retraction and the XDA ToS makes it hard to effectively counter the vendor's misrepresentations of the XDA recommended product.
chilinux said:
I can not no consumers would ever be harmed by anything I ever released. TeamViewer has been weaponized to performing scams. UPX was weaponized to help hide malware from detection. Cerberus antitheft app for Android has the potential to be weaponized. Magisk can be weaponized for malware to avoid detection on Android. To claim any of those projects is "not helping anyone" is really a stretch.
Just a bit of a reality check, I know a medical doctor that discusses information that should be legally protected under HIPAA in the same room as a Moto G6. When a vendor misrepresents the degree to which unauthorized access to a device's microphone is prevented, then more than just people struggling to communicate are impacted. That level of misplaced trust also means the privacy impact extends beyond just owners of the phone.
.
Click to expand...
Click to collapse
It can be said that security and privacy are separate issues.
But your insights are well stated.
I remember when a "researcher" seemingly died right before demonstrating how security flaws in insulin pumps could kill a man. (We know who did it Jack) so security is a real concern. And big money will always try to silence what is too expensive to fix. So I get your point. Just goes a little beyond XDA is all I meant. No hard feelings intended, so I hope you didn't take it that way.
madbat99 said:
And big money will always try to silence what is too expensive to fix. So I get your point. Just goes a little beyond XDA is all I meant. No hard feelings intended, so I hope you didn't take it that way.
Click to expand...
Click to collapse
I have hard feeling about this issue but not about what you have said.
I also have a much less issue with "big money" not spending money were it does not need to. But they need to be transparent about that.
What I have hard feelings about is this:
https://androidenterprisepartners.withgoogle.com/device/#!/5659118702428160
And statements from Google related to that page such as:
"Organizations can then select devices from the curated list with confidence that they meet a common set of criteria, required for inclusion in the Android Enterprise
Recommended program ... Mandatory delivery of Android security updates within 90 days of release from Google (30 days recommended), for a minimum of three years"
As appears in this document:
https://static.googleusercontent.co...droid_Enterprise_Security_Whitepaper_2018.pdf
Ninety days from the February 5, 2019 security update bulletin was May 6, 2019. Choosing from that list does not result in mandatory delivery of security updates within 90 days. Google and David Kleidermacher are drowning consumers with willfully misleading information to put trust into devices that aren't held to the criteria they claim they are.
am i the only one who doesn't give a crap about security patches? i just want my phone to work, which my G6 does, just fine.
Dadud said:
am i the only one who doesn't give a crap about security patches? i just want my phone to work, which my G6 does, just fine.
Click to expand...
Click to collapse
You are far from the only one who doesn't care about security patches. I would agree with you that you should not have to care. Addressing problems that are over 90 days old are stated to be the responsibility of Google and Motorola to have taken care of.
In terms of it working just fine, my point is while it appears to normally be fine there is known ways that unapproved behavior can be applied to the product without the owners being aware of them. To me that is not working as advertised and is also not really working fine.