Has anyone in their ROM building and reverse engineering ever found anything Big Brotherish in the code? Keyloggers and hidden processes that phone home your location come to mind.
When you set up the phone there is a question about sharing your location with google
jsapp said:
When you set up the phone there is a question about sharing your location with google
But that is upfront, I'm asking about hidden processes. One that would crop up after you say no.
I'm sure Google wouldn't stick a keylogger or hidden process for the fun of it in a fresh build of the OS. I doubt it, like if you choose "No" it will tell the OS not to send location data to google.
Coburn64 said:
I'm sure Google wouldn't stick a keylogger or hidden process for the fun of it in a fresh build of the OS. I doubt it, like if you choose "No" it will tell the OS not to send location data to google.
Yes, but what about HTC? T-Mobile? No offense but have you actually dug around the code? I don't know much about code besides web but I wouldn't put it past a company to do something like that.
ATT already got busted for helping DHS spy on citizens. I'm not paranoid, just curious.
Danny double post. Srry
thedroid said:
Yes, but what about HTC? T-Mobile? No offense but have you actually dug around the code? I don't know much about code besides web but I wouldn't put it past a company to do something like that.
ATT already got busted for helping DHS spy on citizens. I'm not paranoid, just curious.
I am wondering also now that u guys bring this up. Maybe someone could ask the devs. I faintly remember a dev saying "got rid of shady HTC log apk". I think it might have been cyanogen but I'm not 100% on that. So if I gave credit to the wrong dev feel free to correct me.
Well it wouldn't be incredibly smart to put in something like that, and then make it open source.
jsapp said:
Well it wouldn't be incredibly smart to put in something like that, and then make it open source.
HTC's code is technically closed source AFAIK.
jsapp said:
Well it wouldn't be incredibly smart to put in something like that, and then make it open source.
This is the biggest reason I love open source. The more people with the code the better.
thedroid said:
I'm not paranoid, just curious.
I'm curious too, and paranoid
I just assume the government's watching me all the time, and I make sure to give them something to talk about.
thedroid said:
ATT already got busted for helping DHS spy on citizens. I'm not paranoid, just curious.
Why would a telecom company put spying code on the mobile? It would be so much easier to just snoop on their server end, where there's little possibility you could discover such an intrusion.
Thoughts and responses appreciated
Privacy policy from Google suggests private user information IS sent to Google*. I am moving from HTC's WM devices to the G1 and I'm getting quite concerned about things of this nature. I can see that a user has the option to share or withhold some information but not sure if there are options to withhold ALL personal details (location, contacts etc). Are there any options or methods that COMPLETELY stop ANY information being sent to Google or any other party? (Device config options, ROMs etc???)
I am new to Android and still learning so any help would be appreciated. (also posting in a hurry!)
Thanks
*G1-specific information we collect
* In order to set up your device, we ask you to sign-in with your Google Account (if you already have one) or create a new, free Google Account. Your Google Account information is stored by Google. If you change your device, you will have to associate the new device with your Google Account before we can authenticate you.
* Each device is assigned one or more unique identification numbers. These identification numbers are associated with your Google Account and the IMEI number, mobile country code, and mobile network code of your device (which is also stored by your wireless operator), and allow your device to sync your Google email, contacts, and other Google services.
* In order to continually improve our services and provide a better user experience, we collect some basic usage statistics from your device. Information such as the hardware model of your device and the version of the Android software you are running is collected but not stored in association with your Google Account. In addition, we collect some information on device-level events such as crashes that is associated with your Google Account temporarily in order to provide customer service. Neither of these categories of usage statistics contains application-level information such as the content of emails or phone call records.
* Certain applications or features of your G1 device may cause other information to be sent to Google but in a fashion that cannot be identified with you personally.
* Your device may send us location information (for example, Cell ID or GPS information) that is not associated with your Account.
* Using some applications or features may send information to Google that is stored with your Google Account. If you use standard Google services on your G1 device, for example by creating new contacts or Calendar events, then this information will be associated with your Google Account and stored consistent with the privacy policies for those services. Likewise, if you use the Android Market, information about your downloads, comments, and ratings will be stored with and accessible through your Google Account. You have the option to disable or not use these features, in which case Google will not receive this data.
* Certain of our products and services allow you to personalize the content you receive from us. For these products and services, we will store your preferences and the information you provide for customization. These preferences may be associated with your Google Account or elsewhere with Google, as explained in the Privacy Policies for those products.
Yes, in settings and during setup it asks you if you want info to be sent... However, you should know that Microsoft has the Win update, which sends info about your PC. You shouldn't be concerned though... Contacts/emails/calendar is sent/stored on servers.
Ace42 said:
Yes, in settings and during setup it asks you if you want info to be sent... However, you should know that Microsoft has the Win update, which sends info about your PC. You shouldn't be concerned though... Contacts/emails/calendar is sent/stored on servers.
I was curious to know if all the data collection methods could be switched off reliably. Thanks for the quick response Ace
SyncSMS lets you sync your text messages between your Android phone and tablet. SyncSMS lets you sync your text messages between your Android 2.1+ phone and 3G or WiFi-only Android 2.1+ tablet. This app lets you receive text messages on your tablet which have been received by or sent from your phone. Also, this app lets you compose text messages on your tablet which will be copied to your phone and sent out by your phone. You will need to sign up for a free Dropbox account, if you don't already have one, in order to temporarily store the messages between syncs.
Please rate and comment on the app in the Android Market and click Submit to Portal in the upper right of this post to vote this thread to XDA front page, thanks!
*******IMPORTANT LINKS*******
Download: https://market.android.com/details?id=com.d0lph1nk1ng.syncsms
Change Log: http://dl.dropbox.com/u/2774459/changelog.txt
DEV & USER SUGGESTIONS:
===== Ready for next release =====
- None
===== Under Dev =====
- Fix API 11 error when clicking item in action bar overflow menu
- Make C2DM respect wifi-only, DNS interval, and background sync off
- Sync on power
===== Backlog =====
# Bugs
- Auto resync
- ' Help > Setup > Push (Beta)
Push notifications are only for Received messages by the phone and Composed messages by the tablet. I will not be able to support copying Sent messages from your Phone to your Tablet without doing polling. Please star the Android defect at the link below to add your support behind this enhancement to fix the issue. Thanks!
http://code.google.com/p/android/issues/detail?id=2261
Thanks,
d0lph1nk1ng
Doesn't work at all for me. I sign in to my existing Dropbox and get the error in the screenshot.
*post deleted*
d0lph1nK1ng said:
Could you please post the Logcat?
How do we know you are not capturing our DropBox credentials? This looks suspicious.
nevermind about the logcat, the issue is that I need a production API key from Dropbox. i agree on your suspicion, so i have posted the app's source code to instill confidence. please know that this app is not distributable or modifiable though. thanks!
d0lph1nK1ng said:
nevermind about the logcat, the issue is that I need a production API key from Dropbox. i agree on your suspicion, so i have posted the app's source code to instill confidence. please know that this app is not distributable or modifiable though. thanks!
Deleted...................
keith, honestly i am an innocent dev. have i broken a rule somewhere?
d0lph1nK1ng said:
keith, honestly i am an innocent dev. have i broken a rule somewhere?
Prove that your app is safe to install and immediately asks for Dropbox credentials and fails.
i have posted source code to my app which clearly shows that i use the dropbox api which requires username and password for the first login, then returns an access token per user which is the only thing that is saved to the local databases see LoginTask.java and Utils.java.
the 403 error stands for unauthenticated user. this is due to my app's dropbox api token being only validated for my email address. the app will work as described after i replace my api token with a production api token.
i do not deserve to be banned at all
d0lph1nK1ng said:
i have posted source code to my app which clearly shows that i use the dropbox api which requires username and password for the first login, then returns an access token per user which is the only thing that is saved to the local databases see LoginTask.java and Utils.java.
the 403 error stands for unauthenticated user. this is due to my app's dropbox api token being only validated for my email address. the app will work as described after i replace my api token with a production api token.
i do not deserve to be banned at all
Maybe not but you cannot release an app that does not demonstrate that you are not phishing username/password info which your initial release does not prove.
you know, honest mistakes do /actually/ happen in the world. plus, it's not my fault that Dropbox chooses not to allow OAuth for android apps. i never /wanted/ to have to have a user enter username/password in the context of my app for exactly this reason
d0lph1nK1ng said:
you know, honest mistakes do /actually/ happen in the world. plus, it's not my fault that Dropbox chooses not to allow OAuth for android apps. i never /wanted/ to have to have a user enter username/password in the context of my app for exactly this reason
Yes they do and when you have a secure way to access the app, please let us know. Until then, I am not touching it and recommend that no one else touches it either.
They do not allow OAuth access forwarding from their webpage per their guidelines. For Android (non mobile-web apps), they say to do so as follows.
From Dropbox dev page:
"Authentication For mobile devices
Mobile authentication is done using a call named token that's in the Mobile API specification section. Token takes a user's username and password and returns a working access token/secret pair to your application that you can use from then on. It's a relatively simple process, but with one caveat: you cannot store the user's password in your application. You can store a username for usability purposes or in case re-authentication is needed. However, there is no reason you should store their password."
Now, I have more than explained myself extremely detailed and clearly, so please go elsewhere with your false proclamations and ignorance.
keitht said:
Maybe not but you cannot release an app that does not demonstrate that you are not phishing username/password info which your initial release does not prove.
You expect people to willingly enter their username and password for Dropbox in your app that returns an error of forbidden?
jeez let's just see how this app pans out. It's a good idea and I know that the op has put out other good ideas out before.
I'll keep an eye on this thread. Thanks
instead of crying about it couldn't you just make another dropbox account for this
don't use the same password you do for everything else
problem solved. case closed. stealing your passwords or not, be smart and just make another dropbox account.
btw, i get my xoom soon so ill def. be looking into this app. sounds interesting
It seems to me that posting the source is all he needs to do here, if someone wants to challenge him based on what it contains, that's a different story.
There are tons of legit apps that use Gmail and facebook credentials. Just hooking into 3rd parties doesn't automatically make one a crook.
If you are going to smear someone, at least make the effort to show some evidence, jeez.
Santoro said:
It seems to me that posting the source is all he needs to do here, if someone wants to challenge him based on what it contains, that's a different story.
There are tons of legit apps that use Gmail and facebook credentials. Just hooking into 3rd parties doesn't automatically make one a crook.
If you are going to smear someone, at least make the effort to show some evidence, jeez.
You are right and I am sorry for being a prick. But be careful with apps like these especially if they fail on step 1, sign into an account that fails immediately (dropbox). After thinking about this further, I should not have posted what I did and I apologize. It is not my responsibility for others' security.
OP, thanks very much for your effort with this, I NEED SMS on my Xoom!!
Possible suggestion.. Maybe making a widget to turn on the syncing? That way when I am using the Xoom, just flip the widget on for both phone and xoom, set phone aside.. This way the time frame for syncing can be quicker, and when I am done on my xoom, turn the widget off, and it wont sync anymore (for the sake of battery usage).
I'm a happy Nexus 7 owner, but I'm wondering how I can protect my Nexus private data, or even FB or TW, from other people. On my phone I use Avast so I can "delete" all data by SMS, but I can't do this on my Nexus. I was thinking of using a "pattern" or PIN unlock screen, but it's annoying doing this every time I want to unlock my screen. I was thinking of apps that put a password on selected apps, but again maybe this could be annoying, and maybe someone with a little skill can use ADB, or uninstall TB and reinstall, and delete "data" from the app that's protecting it (I'm rooted). So I'm wondering, is there another way to protect my Nexus 7? I guess these are the best, but I'm wondering if there is another way that I didn't know.
Thanks
Cerberus app
Sent from my Nexus 7 using Tapatalk 2
ateebtk said:
Cerberus app
Sent from my Nexus 7 using Tapatalk 2
+1 for Cerberus.
I use it on my nexus 7 and my att Samsung galaxy s ii. It can remotely wipe your device, lock it, track it via GPS even if you don't have GPS on, set off alarms, take pictures and video from the camera, and many other things. It is 110% worth it. I recommend it highly.
patriot720 said:
+1 for Cerberus.
I use it on my nexus 7 and my att Samsung galaxy s ii. It can remotely wipe your device, lock it, track it via GPS even if you don't have GPS on, set off alarms, take pictures and video from the camera, and many other things. It is 110% worth it. I recommend it highly.
Any noticeable effects on performance and battery life?
Lookout App.
Cerberus is a life saver! When both my Galaxy Nexus and my wallet were stolen in a restaurant I could track my mobile using a friend's phone within 2 mins after noticing the theft. I directed the police to the shop based on Cerberus' tracking and eventually got both my mobile and my wallet back within 15 mins after the call.
The issue with tracking a tablet without 3G is that you will only see it once it's logged into a wireless network rather than on the go. You'd also need to activate a pin which could be deactivated at home by an app like Tasker.
I suggest you also use Avast to scan for malware and as second protection which could survive a factory reset but not a new rom.
Sent from my Galaxy Nexus using xda premium
Yeah I'm testing thanks I will check seems kind of better than avast, not sure if this app will survive to factory reset, custom recovery should have password or something xD the bad it's nexus 7 doesn't had 3g u.u oh well thanks all
Sent from my HTC One X
zen kun said:
I was thinking of using a "pattern" or PIN unlock screen, but it's annoying doing this every time I want to unlock my screen
Protection is sometimes not convenient, but if you don't have a code lock your device is wide open to whoever picks it up.
Pattern or Pin Lock
When I am out, I use a pattern lock on all devices. If I am home for the weekend, I turn it off however it is turned back on before I leave the house.
Cerberus
I use this on my Nexus and it works good. You do need to have a WiFi connection which limits it greatly since I never allow my device to connect to a public WiFi... but with the lock out, 5 tries and the device locks.
Backups
While the data is fairly secure, losing the data and even perhaps more important the time and effort setting up the device in the first place, means that using a good backup and having that available OFF the device so that if it is lost/stolen/destroyed, I can simply re-root and then restore and have it back to where I was when the backup was made. I do full backups every Sun.. and other occasionally when I make big changes.
Two Factor Authentication
When possible, use 2-factor authentication. If you are not using it, you should look into it.
Check out the app Android Lost on the play store.
It securely links with your gmail account and does not do any polling to servers so it saves your battery.
When you lose your phone it allows you to do many many things such as activate an alarm, track using gps or wifi, take a picture with the front or rear camera, wipe the phone or lock it and many more features. All remotely.
Best part is its free and has a minimal footprint on device.
Check it out!
Run L1ke H3LL said:
Check out the app Android Lost on the play store.
It securely links with your gmail account and does not do any polling to servers so it saves your battery.
When you lose your phone it allows you to do many many things such as activate an alarm, track using gps or wifi, take a picture with the front or rear camera, wipe the phone or lock it and many more features. All remotely.
Best part is its free and has a minimal footprint on device.
Check it out!
The Nexus 7 is not a phone, so by default it doesn't have SMS; it by itself has no 3G/4G communications. The only way you can talk to it is via WiFi.
I use Android Lost on all my phones... but since my phone uses the same gmail account, it can't control the Nexus, hence the use of Cerberus.
is cerberus better than where's my droid?
krelvinaz said:
The Nexus 7 is not a phone, so by default it doesn't have SMS; it by itself has no 3G/4G communications. The only way you can talk to it is via WiFi.
I use Android Lost on all my phones... but since my phone uses the same gmail account, it can't control the Nexus, hence the use of Cerberus.
I use my Nexus tethered to my phone so it uses WiFi. I suppose if I lost it would still connect to the WiFi networks in my area and I could locate it by those methods. My cable company provides public WiFi which is ubiquitous so 90% of the time if I'm not tethered I have data.
Sent from my Nexus 7 using Tapatalk 2
hoponpop said:
is cerberus better than where's my droid?
Much better.
---------- Post added at 12:12 AM ---------- Previous post was at 12:10 AM ----------
nyijedi said:
Any noticeable effects on performance and battery life?
None at all.
If u really want to protect ur data, I suggest don't root the device and encrypt the entire tablet. Then set up a PIN to unlock. Security often means you have to give up some convenience at times but the reward is satisfying.
Also like some one already suggested use 2-factor auth for FB and make sure u deprovision the tablet account when u find it lost or stolen.
Sent from my Nexus 7 using xda app-developers app
I use seek droid for my phones, but purchased cerberus with my gift moolah and am happy with its performance and have also installed it on my Acer a500. The Developer is active with the community and has beta releases that fix some of the JB bugs.
So how secure is the Cerberus site? What's the dev's credentials in IT security? Is he just some dude with an app?
In signing up for this, you're putting the ability to remote-wipe/track/spy your online life into some dude's hands. You're paying him 3 bucks and hope he can keep it secure. Can he? In mitigating one risk (device theft), you're incurring a new risk of having your device remote wiped, or being spied upon, if the site gets hacked. Good trade-off?
With a one-time fee of $3, I don't see that much incentive for the dev to continuously maintain security, assuming he even has the expertise. It's his hobby, not his livelihood.
From a cursory inspection of the Cerberus site and its support forum, I don't see the word "security" or "2-factor authentication" anywhere.
Ditto SeekDroid or any similar app.
e.mote said:
So how secure is the Cerberus site? What's the dev's credentials in IT security? Is he just some dude with an app?
In signing up for this, you're putting the ability to remote-wipe/track/spy your online life into some dude's hands. You're paying him 3 bucks and hope he can keep it secure. Can he? In mitigating one risk (device theft), you're incurring a new risk of having your device remote wiped, or being spied upon, if the site gets hacked. Good trade-off?
With a one-time fee of $3, I don't see that much incentive for the dev to continuously maintain security, assuming he even has the expertise. It's his hobby, not his livelihood.
From a cursory inspection of the Cerberus site and its support forum, I don't see the word "security" or "2-factor authentication" anywhere.
Ditto SeekDroid or any similar app.
Have to somewhat agree with the sentiment here.. that said, I'm presently using the Cerberus demo on my N7 and it appears quite good.... would prefer this to have been a mainstream vendor product ....
Sent from my Nexus 7 using xda app-developers app
Seek droid, and I think I only paid $.99
Sent from my Nexus 7 using Tapatalk 2
They have some really good reviews on their web site. And from very qualified sources, check it out. I just installed Cerberus and tested out great.
Sent from my Nexus 7 using xda app-developers app
>They have some really good reviews on their web site. And from very qualified sources, check it out. I just installed Cerberus and tested out great.
Yes, very qualified. Hahah.
Here's a "review" maybe you should read. It's by Cerberus itself (emphasis added). Welcome to spyware.
https://www.cerberusapp.com/privacy.php
THE INFORMATION LSDROID COLLECTS
REGISTRATION INFORMATION: You provide to LSDroid certain personally-identifiable information (such as device ID number, wireless operator / operator, your name, email address, etc.) when choosing to subscribe to the LSDroid Services.
LOCATION INFORMATION: To provide the LSDroid Services, we derive location information from your wireless operator, certain third-party service providers, or directly from the mobile device that you used to register with the LSDroid Services. This location tracking of your mobile device may occur even when the LSDroid Services mobile application is not actively open and running, but your location is being securely transmitted and logged in accordance with your privacy and opt-in settings.
COOKIES, PERSISTENT FILE INFORMATION: When you use the LSDroid Services, we may send one or more cookies (small text files containing a string of alphanumeric characters) to your computer. LSDroid may use both session cookies and persistent cookies. A session cookie disappears after you close your browser. A persistent cookie remains after you close your web browser and may be used by us during your subsequent visits to the LSDroid Web site. Persistent cookies set by the LSDroid Web site can be removed. Please review your web browser "Help" file to learn the proper way to modify your cookie settings.
LOG FILE INFORMATION: When you use the LSDroid Services, our servers automatically record certain information about your usage from your mobile device and web browser. These server securely logs may include information such as a mobile device identification number and device identifier, web requests, Internet Protocol ("IP") address, browser type, browser language, referring / exit pages and URLs, platform type, number of clicks, domain names, landing pages, pages viewed and the order of those pages, features used in the LSDroid mobile application, the amount of time spent on particular web pages, the dates and times of your requests, and one or more cookies that may uniquely identify your browser.
Ok long story short having trouble with one of my kids, I have an app (couple tracker) installed that allows me to see location, sms, and Facebook messages, but what I need is an app that can basically log all activities that I can install and hopefully password protect. I'm mainly looking to see what all email addresses get logged into via apps and Web browsers. And would also like to know what websites my kids been visiting. App does not have to be hidden but needs to be to where I can install it and it can't be tampered with.
Sent from my Nexus 6 using Tapatalk
msd24200 said:
Ok long story short having trouble with one of my kids, I have an app (couple tracker) installed that allows me to see location, sms, and Facebook messages, but what I need is an app that can basically log all activities that I can install and hopefully password protect. I'm mainly looking to see what all email addresses get logged into via apps and Web browsers. And would also like to know what websites my kids been visiting. App does not have to be hidden but needs to be to where I can install it and it can't be tampered with.
Sent from my Nexus 6 using Tapatalk
Get them a flip phone
msd24200 said:
Ok long story short having trouble with one of my kids, I have an app (couple tracker) installed that allows me to see location, sms, and Facebook messages, but what I need is an app that can basically log all activities that I can install and hopefully password protect. I'm mainly looking to see what all email addresses get logged into via apps and Web browsers. And would also like to know what websites my kids been visiting. App does not have to be hidden but needs to be to where I can install it and it can't be tampered with.
Well first off, there is no such thing as installing something that is beyond tampering. Especially not with a Nexus -- these things are DESIGNED FOR tampering.
At the moment, I'm not aware of any system developed in this manner to offer the type of monitoring that you are proposing.
One of the big issues with this, is that in order for it to work in a user friendly manner, it would actually require that EVERY application be modified to cooperate with it.
Otherwise, you're stuck basically with remote access and digging through system logs and application databases manually.
It is also worth noting that certain applications like the web browsers actually have privacy modes (some people call them "porn" mode) where they won't actually log activities.
The reason why sms can be relayed using the program you found, is that the sms database is system-level, not application-level. It is designed so that you can choose your own sms front-end, while leaving the complex telephony software at the root of it, all alone.
By the sounds of things, the problem you are having with your kid is beyond what you can deal with by adding controls and monitors to his/her phone. Since the kid knows you are watching, they WILL find alternative means of making those communications that you clearly don't want happening -- the ones you are watching for. You are going to have to find a better way to deal with this.
You want a keylogger, I've never used one on Android but a quick search popped this up http://www.vagueware.com/keylogger-software-for-android-phones/
Not sure if any work, search around for keylogger and find out you feel comfortable to try on your phone. Good luck
Make sure you put 1* reviews on your Banking apps or all apps that need updating to support face unlock, hopefully it will help speed up the development and support of face unlock on the pixel 4. I am really missing fingerprint unlock on my apps!
Demolition49 said:
Make sure you put 1* reviews on your Banking apps or all apps that need updating to support face unlock, hopefully it will help speed up the development and support of face unlock on the pixel 4. I am really missing fingerprint unlock on my apps!
Why? I just contacted my credit union asking for them to add support. Maybe larger national banks and stuff should have been aware and had support ready but smaller, more local institutions might just need to know that it's a thing on Android now.
Sent from my Pixel 4 XL using XDA Labs
In the Play Store, you can reach out to contact each app's development team via email. I've written to Chase, Bank of America, Mint, Credit Karma, and the other apps I use. Some developers are aware that they need to update, others aren't. Here are some of the responses I've received.
My original email (to each app):
Please update the Android app to support the biometric API so that I can use the secure face unlock on my Pixel 4! Thank you!
Bank of America:
Thank you for your feedback and we apologize for the inconvenience. We are working to update to the latest biometric authentication for the Pixel 4 and expect to have a supporting app shortly. For now, sign-in to the app using your online ID and password. Please look out for an app update soon.
Chase:
We'll be happy to review your request to update the Android App.
Ivan, please note that the Chase Mobile App will work on any Android smart phone or tablet running Android operating system 5.0 (Lollipop) or higher. The minimum operating system is 5.0 or higher. If your mobile phone does not have the minimum requirement, the Chase Mobile app will not be compatible.
We want our mobile app users to have the best experience possible, so we regularly test chase.com using the most current versions of operating systems. Since some mobile app functionality may not work well on older operating systems, we ask that you perform these updates. We recommend you update your operating system and application to the newest versions available. If your device isn't set up to receive updates automatically, you can get the We recommend you update your operating system and application to the newest versions available.
We appreciate your business and thank you for choosing Chase.
Credit Karma:
To determine if your Touch ID or Face ID function is turned on or off, go into your settings by clicking the icon in the top right corner of the app. The directions are the same whether you’re using Touch ID or Face ID.
If Touch or Face ID is turned on you will see a green circle with a white check mark.
If it’s turned off, simply click the empty circle and you’ll be prompted with a message stating the fingerprints or face registered on your phone can be used to access your Credit Karma account. Click “OK” to this prompt and you will be asked to enter your PIN to confirm this change.
Touch or Face ID is now turned on and you will be allowed to use this function to access the Credit Karma app moving forward.
Please note that if you log out of your account, the next time you open the app you’ll be prompted to enter your email address and password.
Thanks so much,
I've been sending further follow-ups to the ones who clearly don't understand what we are asking.
The more people who contact them, the more they'll understand that their apps are the problem by not using the current API.
I think Chase already stated that they were going to have an update before the end of the year. Hopefully sooner rather than later.
Robinhood works!
btonetbone said:
In the Play Store, you can reach out to contact each app's development team via email. I've written to Chase, Bank of America, Mint, Credit Karma, and the other apps I use. Some developers are aware that they need to update, others aren't. Here are some of the responses I've received.
My original email (to each app):
Bank of America:
Chase:
Credit Karma:
I've been sending further follow-ups to the ones who clearly don't understand what we are asking.
The more people who contact them, the more they'll understand that their apps are the problem by not using the current API.
Very nice work, I have left reviews and also contacted all my banks via email. Hopefully it speeds up the process.
Throwing up a bunch of one-star reviews won't help, and all it serves to do is make the rater (you) look petty and childish. I'll send an email to my institutions, like a grownup, and go from there.
Getting in contact directly works best; going via the Play Store will get you to the Android app devs. I usually go through Twitter and you get a spokesperson who wouldn't know an apk from an adb and will give a stock response of soon™.
Remind them that the old biometric APIs are deprecated and that they should update to current versioning. Should anything happen they don't want to be the story of the bank that wasn't able to keep up.
Honestly I'm not missing it that much for my bank because I use LastPass which autofills it quickly. I do miss it for Outlook though because I have to do a PIN.
Sent from my Pixel 4 XL using Tapatalk
So far E-Trade has been updated to the Pixel's face unlock... I sent an email via the app store also to a credit union hoping they will update their app. I'm hoping within the next 2 weeks to a month that all major banks will update...
How secure is this anyway? I mean, my banking account has a password. I enter that password in my banking app to log into my account. In the future I will use my facial scan to log into my banking app.
Does that mean my banking account will have two passwords (1x password + 1x facial scan) or will my password be stored somewhere in the app or on Android and simply be passed on once my facial scan is verified?
Both do not sound very secure to me.
If you don't feel it's secure then just don't use the app.. simple. I trust that the banks know the risks and have mitigated them. After all they are the ones on the hook if there's fraud.
bobby janow said:
If you don't feel it's secure then just don't use the app.. simple. I trust that the banks know the risks and have mitigated them. After all they are the ones on the hook if there's fraud.
Not really the informative answer I was looking for.
I wouldn't blindly trust a bank app or any of the other countless apps that would use my facial scan.
What happens if your facial scan gets stolen / leaked? Everyone with that information will forever be able to access your data. And you can't even change your access code like you would be able to with a password.
And it seems like you also have no idea where your facial scan is being saved, and how it is secured / locked down. Maybe it is just a plain file on your phone's storage? You don't seem to know.
Why not simply write down all your passwords in a .txt file and save it on your sdcard? That would at least have the advantage that you could change your password at some point.
Utini said:
Not really the informative answer I was looking for.
I wouldn't blindly trust a bank app or any of the other countless apps that would use my facial scan.
What happens if your facial scan gets stolen / leaked? Everyone with that information will forever be able to access your data. And you can't even change your access code like you would be able to with a password.
Isn't the face unlock for that device only? It's not like someone can install your bank app on their phone, somehow use your face unlock information, and spoof you on that device. Also there's still 2 step verification, at least with my bank, so the new app would still need to get the verification code. If anything, it's easier to do with your password because that's something that can be typed in and then somehow get the verification code text.
Sent from my Pixel 4 XL using Tapatalk
Utini said:
Not really the informative answer I was looking for.
I wouldn't blindly trust a bank app or any of the other countless apps that would use my facial scan.
What happens if your facial scan gets stolen / leaked? Everyone with that information will forever be able to access your data. And you can't even change your access code like you would be able to with a password.
I'm not sure of the question you are asking. It seemed rhetorical to me basically commenting on how you don't think fingerprint, facial or password entry is secure on your app. I don't think any of it is stored in the cloud but nonetheless it's probably not as secure as walking into your bank and transacting with a teller. Even websites probably aren't as secure as you wish they were. So what exactly are you asking that you expect a reply to? You can perhaps check with your bank as to what your liability would be if your account got hacked.
EeZeEpEe said:
Isn't the face unlock for that device only? It's not like someone can install your bank app on their phone, somehow use your face unlock information, and spoof you on that device. Also there's still 2 step verification, at least with my bank, so the new app would still need to get the verification code. If anything, it's easier to do with your password because that's something that can be typed in and then somehow get the verification code text.
Sent from my Pixel 4 XL using Tapatalk
Oh is it? That makes it definitely more secure. But then I would still like to know how it is ensured that my facial scan only works with my specific mobile device and not with any other mobile device.
Yep, for banking there is still 2 step verification. Good point. But I was actually thinking more about e.g. KeePass.
bobby janow said:
I'm not sure of the question you are asking. It seemed rhetorical to me basically commenting on how you don't think fingerprint, facial or password entry is secure on your app. I don't think any of it is stored in the cloud but nonetheless it's probably not as secure as walking into your bank and transacting with a teller. Even websites probably aren't as secure as you wish they were. So what exactly are you asking that you expect a reply to? You can perhaps check with your bank as to what your liability would be if your account got hacked.
Maybe I didn't explain my question well enough. I will try again:
Currently I would unlock e.g. my KeePass Database with a password.
In the future I would use my facial scan for that.
I wonder at what point my facial scan will access my password of the KeePass Database, because it somehow has to know my password in order to unlock KeePass?
And in that case my password suddenly isn't saved only in my head anymore but also within android or another app (because Face Unlock has to somehow know it?).
Or will my KeePass database get a second "password" which is my facial scan data?
In that case I want to make sure that my facial scan is very secure and can't be stolen. Because if it turns up in something like "haveibeenpwnd.com" everyone will forever be able to access all my files with my leaked facial scan which I cannot even change to something different anymore.
Utini said:
Maybe I didn't explain my question well enough. I will try again:
Currently I would unlock e.g. my KeePass Database with a password.
In the future I would use my facial scan for that.
I wonder at what point my facial scan will access my password of the KeePass Database, because it somehow has to know my password in order to unlock KeePass?
And in that case my password suddenly isn't saved only in my head anymore but also within android or another app (because Face Unlock has to somehow know it?).
Or will my KeePass database get a second "password" which is my facial scan data?
In that case I want to make sure that my facial scan is very secure and can't be stolen. Because if it turns up in something like "haveibeenpwnd.com" everyone will forever be able to access all my files with my leaked facial scan which I cannot even change to something different anymore.
I used LastPass and I think it's no different than when I did the fingerprint option for it. There's a master password for the account and biometric login is, again, just for the individual device. And again, there's 2 step verification at least with LastPass, for whenever you set up.
Sent from my Pixel 4 XL using Tapatalk
EeZeEpEe said:
I used LastPass and I think it's no different than when I did the fingerprint option for it. There's a master password for the account and biometric login is, again, just for the individual device. And again, there's 2 step verification at least with LastPass, for whenever you set up.
Sent from my Pixel 4 XL using Tapatalk
Sounds interesting and secure. Now I am interested in how it is ensured that my fingerprint / facial scan will only work with my specific mobile device and that the stolen data from my device can't be used from another device.
Utini said:
Oh is it? That makes it definitely more secure. But then I would still like to know how it is ensured that my facial scan only works with my specific mobile device and not with any other mobile device.
Yep, for banking there is still 2 step verification. Good point. But I was actually thinking more about e.g. KeePass.
Maybe I didn't explain my question well enough. I will try again:
Currently I would unlock e.g. my KeePass Database with a password.
In the future I would use my facial scan for that.
I wonder at what point my facial scan will access my password of the KeePass Database, because it somehow has to know my password in order to unlock KeePass?
And in that case my password suddenly isn't saved only in my head anymore but also within android or another app (because Face Unlock has to somehow know it?).
Or will my KeePass database get a second "password" which is my facial scan data?
In that case I want to make sure that my facial scan is very secure and can't be stolen. Because if it turns up in something like "haveibeenpwnd.com" everyone will forever be able to access all my files with my leaked facial scan which I cannot even change to something different anymore.
Oh I see now. This really has more to do with your password manager than the bank. Unfortunately, I don't use a PM even though I suppose I should. Everyone says it's pretty secure. Since I don't really know what I'm talking about at this point I'll give it a shot anyway. lol
I don't think the facial scan or the fingerprint scan is saved anywhere other than your device. But I do use fingerprint (or did) scans on my banking app. If I change my password on the banking site my fingerprint scan will no longer work on the app. I would first have to change my password on the app and then reregister my fingerprint when the new password is entered. Can we compare it to the face scan at this point? I mean you can't change your fingerprints either right? Before I go on, am I reading your concerns correctly?
Utini said:
Sounds interesting and secure. Now I am interested in how it is ensured that my fingerprint / facial scan will only work with my specific mobile device and that the stolen data from my device can't be used from another device.
https://support.google.com/pixelphone/answer/9517039?hl=en
Maybe this confirms it?
Sent from my Pixel 4 XL using Tapatalk
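A simplified model of the design the posts above circle around, added here as an example (not code from Android, Google, or any app named in the thread): it assumes the app keeps the password wrapped under a key that never leaves the phone and is released only after a local biometric match. `DeviceKeystore` and `try_unlock` are hypothetical names, and the exact-match face check and HMAC keystream are toy stand-ins for a real matcher and hardware cipher.

```python
import hashlib, hmac, secrets

class DeviceKeystore:
    """Constructed stand-in for a phone's hardware-backed keystore (hypothetical class)."""
    def __init__(self, enrolled_face: bytes):
        root = secrets.token_bytes(32)            # generated on the device, never exported
        self._enc = hmac.new(root, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(root, b"mac", hashlib.sha256).digest()
        # Toy matcher: real matchers are fuzzy; the template also stays on the device.
        self._template = hashlib.sha256(enrolled_face).digest()

    def _xor(self, nonce: bytes, data: bytes) -> bytes:
        # Toy HMAC-counter keystream standing in for a hardware cipher engine.
        ks = b"".join(hmac.new(self._enc, nonce + bytes([i]), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))

    def wrap(self, secret: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = self._xor(nonce, secret)
        return nonce + ct + hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()

    def unwrap(self, blob: bytes, presented_face: bytes) -> bytes:
        probe = hashlib.sha256(presented_face).digest()
        if not hmac.compare_digest(probe, self._template):
            raise PermissionError("no biometric match: key stays locked")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("blob was wrapped by a different device key")
        return self._xor(nonce, ct)

def try_unlock(device, blob, face, server_password):
    """What the app sees: the password or an error, never the face data itself."""
    try:
        password = device.unwrap(blob, face)
    except PermissionError:
        return "locked"
    except ValueError:
        return "wrong-device"
    return "signed-in" if hmac.compare_digest(password, server_password) else "re-enroll"

def demo():
    phone = DeviceKeystore(b"owner-face")          # constructed sample inputs
    blob = phone.wrap(b"correct horse")            # what the app keeps in its own storage
    other = DeviceKeystore(b"owner-face")          # a second phone, even with the same face data
    return [try_unlock(phone, blob, b"owner-face", b"correct horse"),
            try_unlock(phone, blob, b"someone-else", b"correct horse"),
            try_unlock(other, blob, b"owner-face", b"correct horse"),
            try_unlock(phone, blob, b"owner-face", b"changed on website")]

if __name__ == "__main__":
    print(demo())
```

In this model the blob copied to a second phone is useless because that phone holds a different key, and a password changed on the website leaves the old wrapped copy unable to sign in until the user re-enrolls.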