WARNING:
If you want to use Xposed Framework on Android Pie, Q or a higher version, do NOT use TaiChi.
TaiChi (aka EXposed) is developed by a Chinese commercial software company, closed-source, networked and with code obfuscation.
And the terms of use are repeatedly emphasized (translated from Chinese, excerpt):
3.1 The official shall not be liable for any of the following circumstances, and the TaiChi developer shall not be liable for damages:
3.2 Presence in the service may cause loss of data, information disclosure, data modification, etc. (Note: The above refers to any condition, even if you do not install or activate any Xposed module may occur), due to personal reasons or the use of third-party Xposed modules, lost data, information disclosure, data modification, capital loss, etc.
5. Disclaimer.
You acknowledge and agree that TaiChi Developer shall not be liable for any damages that may result from any of the following circumstances, including but not limited to property, income, data and other losses or other intangible births.
5.6 Presence in the service may cause loss of data, information disclosure, data modification, etc. (Note: The above refers to any condition, even if you do not install or activate any Xposed module may occur), due to personal reasons or the use of third-party Xposed modules, lost data, information disclosure, data modification, capital loss, etc. (Note: This paragraph repeatedly emphasizes)
And if you want to use it, you must unconditionally agree to the above terms.
Although there is no technical research at the moment that shows that it has done bad things, but who knows?
It may still lead to security issues, even your money.
And you NEVER know what it does behind the scenes unless it's an open-source software.
According to the official group administrator of Taichi, people don't need any privacy in the era of big data.
I'm very disappointed with this attitude.
It's like A's safety box was damaged, B and C and D stole something, and then E also stole something, and said to A: anyway, your things have been stolen, I can steal a little more.
Similarly, the above A can be regarded as users, B and C and D can be seen as software that has divulged some of your stuff before. E is TaiChi.
Finally, please keep in mind that you should NEVER use a closed-source software framework to modify your system, for security.
Edxposed is open source AFAIK
https://github.com/ElderDrivers/EdXposed?files=1
Taichi is a virtual Xposed... Not the same thing
yes it is open-source
TaiChi Magisk modifies the system to enable Xposed, similar in principle
mlgmxyysd said:
yes it is open-source
TaiChi Magisk modifies the system to enable Xposed, similar in principle
Different things mate. Don't confuse people
sure, as article says
You NEVER know what it does behind the scenes unless it's an open-source software.
mlgmxyysd said:
sure, as article says
You NEVER know what it does behind the scenes unless it's an open-source software.
Are the apps you install from the Play Store open source?
ldeveraux said:
Are the apps you install from the Play Store open source?
Go back and see what we're talking about
Application frameworks that modify your system, not applications in the Play Store
Although there is no technical research at the moment that shows that it has done bad things, but who knows?
You look like a thief, although I have no evidence, but who knows?
You look like a rapist, although I have no evidence, but who knows?
You are ..., although I have no evidence, but who knows?
As for open-source:
Here is my github profile: https://github.com/tiann
I do a lot for the open-source community, but I don't think everything should be open-sourced. This is my response to why TaiChi is closed-source: https://github.com/taichi-framework/TaiChi/issues/998#issuecomment-544934678
If you are a FOSS fan, I fully understand and support you. But I should sadly tell you that TaiChi may not be suitable for you
As for the terms of Taichi:
Taichi·Ying needs to uninstall the original app first, this of course may lead to loss of data; The Fabric may collect your anonymous information and upload the crash information; TaiChi·Yang needs to unlock the bootloader, it may damage your device, this may happen rarely, but I cannot neglect it. All of these are normal terms, You just accuse me by imagination?
weishu said:
As for the terms of Taichi:
Taichi·Ying needs to uninstall the original app first, this of course may lead to loss of data; The Fabric may collect your anonymous information and upload the crash information; TaiChi·Yang needs to unlock the bootloader, it may damage your device, this may happen rarely, but I cannot neglect it. All of these are normal terms, You just accuse me by imagination?
What you said belongs to the user's own operation, not the service in the software you provide
And as mentioned in your listed posts:
it is far too dangerous to use it unchecked as closed source on a rooted device.
Basically the very good warning/justification is in the second post of the original TaiChi thread by @M66B.
together with the post 45, it can be assumed:
it is a system level application
it does have closed, obfuscated code
it did not pass any external audit*
it does contain some controversial sentences in T&Cs
* - perhaps as the result of being written by a single person (in theory - we cannot know if there is someone behind)
Now it is each user's individual choice: use it or not. If you do trust the developer, "do not have anything to hide" - feel free to use it.
Personally, if I'd be interested then yes: I would use it. After setting it up on a dummy old phone for a month and checking traffic very carefully. A single encrypted packet would eliminate it from use.
But again, it is a personal choice of each individual user to give access to all and any private information stored and obtained by the phone (voice, video recording capabilities are obvious) to the developer who does not trust the users enough to deobfuscate/open the code.
It is just a mutual trust: you trust them as much as they trust you, isn't it?
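One way to do the traffic check described in the post above on a test phone, as an added example that is not part of the original thread: attribute open TCP sockets to the app's UID from a `/proc/net/tcp` snapshot. The sample snapshot, the UID 10123 and the set of ports treated as "likely TLS" are constructed assumptions, and a port number is only a heuristic for encryption.

```python
import socket

# Constructed sample in the layout of Linux/Android /proc/net/tcp (IPv4 only;
# /proc/net/tcp6 is the IPv6 counterpart). Addresses are documentation ranges.
# UID 10123 is a hypothetical UID for the app under observation.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111
   1: 0500000A:C350 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 2222
   2: 0500000A:C351 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000 10123        0 2223
   3: 0500000A:C352 057100CB:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 2224
   4: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 2225
"""

LISTEN = "0A"                        # TCP state code for a listening socket
TLS_PORTS = {443, 853, 993, 8443}    # assumption: ports that usually carry TLS


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' from /proc/net/tcp into (dotted_ip, port)."""
    addr_hex, port_hex = field.split(":")
    # The kernel prints the 32-bit address as a host-order integer, so on
    # little-endian devices (ARM, x86) the bytes appear reversed.
    ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
    return ip, int(port_hex, 16)


def remote_peers(proc_net_tcp, uid):
    """Return the distinct remote (ip, port) pairs of sockets owned by uid."""
    peers = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 8 or int(cols[7]) != uid:    # column 7 is the owner UID
            continue
        if cols[3] == LISTEN:                       # no remote side yet
            continue
        peer = decode_endpoint(cols[2])
        if peer[0] != "0.0.0.0" and peer not in peers:
            peers.append(peer)
    return peers


def opaque_peers(proc_net_tcp, uid):
    """Peers on ports that usually carry TLS, i.e. content you cannot read."""
    return [p for p in remote_peers(proc_net_tcp, uid) if p[1] in TLS_PORTS]


if __name__ == "__main__":
    for ip, port in remote_peers(SAMPLE, 10123):
        tag = "likely TLS" if port in TLS_PORTS else "other port"
        print(f"uid 10123 -> {ip}:{port} ({tag})")
```

A single snapshot only shows sockets that are open at that moment, so a month-long observation like the one described would poll repeatedly and keep the union of the results.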
Yeah, Xposed is closed-source, and where is it now? Google wrote a permanent detection system for that, SafetyNet, and you cannot install Xposed and pass SafetyNet, half of apps will not work, except EdXposed, it could pass SafetyNet, but even that got recently detected by Google and now you must do various tricks / hacks with black list to pass SN with it. Maybe TaiChi is closed-source because the developer of it wants to protect that against Google?
P.S. About this spying / tracking / data stealing - some parts of Android are also closed-source, and are maintained by Google. Actually, 60% of whole software is closed-source. On your PC, the whole software is closed-source. Windows is closed source. So, you trust your data to such companies like Google, M$, but to a no-name guy that writes mods for Android - no? I just don't get your opinion?
spamtrash said:
Basically the very good warning/justification is in the second post of the original TaiChi thread by @M66B.
together with the post 45, it can be assumed:
it is a system level application
it does have closed, obfuscated code
it did not pass any external audit*
it does contain some controversial sentences in T&Cs
* - perhaps as the result of being written by a single person (in theory - we cannot know if there is someone behind)
Now it is each user's individual choice: use it or not. If you do trust the developer, "do not have anything to hide" - feel free to use it.
Personally, if I'd be interested then yes: I would use it. After setting it up on a dummy old phone for a month and checking traffic very carefully. A single encrypted packet would eliminate it from use.
But again, it is a personal choice of each individual user to give access to all and any private information stored and obtained by the phone (voice, video recording capabilities are obvious) to the developer who does not trust the users enough to deobfuscate/open the code.
It is just a mutual trust: you trust them as much as they trust you, isn't it?
Yes, you are right.
Using these Xposed frameworks is the choice of users.
Just to remind, there are many similar virtual Xposed.
I personally prefer and recommend using open-source or unrestricted Xposed frameworks.
Senliast said:
Maybe TaiChi is closed-source because the developer of it wants to protect that against Google?
To be sure, no.
The author's reason is (Translated from Chinese):
Do you really think open source is a good thing? For individuals, open source may mean security, but many families have been destroyed by others doing all kinds of things (Translator's note: pornography, gambling, drugs are mentioned in the context) with your open source code. You just need to say, I open source, it's none of my business.
But this is a totally wrong theory.
No, just a little bit. He's right. "I open source, It's none of my business."
It's true that open source software is easy to be used by bad people.
But what should be punished is only those who use it to do bad things, right?
For example, I sold you a knife. The name of the knife is open source software. Should I be punished if you kill people with this knife?
According to him, the one who finds that the iOS system can't fix bugs (checkm8) and makes open-source jailbreak software should be jailed.
According to him, anyone who discovers a CVE vulnerability and makes an open source POC should be jailed.
According to him, anyone who ... and makes an open source software should be jailed.
You may ask, why?
Answer: your open-source software may be used by bad people, causing many families to be destroyed.
Senliast said:
P.S. About this spying / tracking / data stealing - some parts of Android are also closed-source, and are maintained by Google. Actually, 60% of whole software is closed-source. On your PC, the whole software is closed-source. Windows is closed source. So, you trust your data to such companies like Google, M$, but to a no-name guy that writes mods for Android - no? I just don't get your opinion
It's about software framework, not software or module or system.
Senliast said:
Yeah, Xposed is closed-source
Note that Xposed is not a commercial product.
But TaiChi is.
Shenzhen Dimen Space Network Technology Co., Ltd
http://taichi.dimenspace.com/
Website record (in China) No.44030502003828
Commercialization means that the main purpose is to make money, so it will bring more risks.
MOD EDIT:
Thread cleaned.
Guys, There is no need for harsh language. Please keep the exchange civil and respect each other.
Thanks for your cooperation.
So what's the conclusion? Is someone going to do intensive research on the behavior of this framework and hunt for exploitation of vulnerabilities?
d3vyarth said:
So what's the conclusion? Is someone going to do intensive research on the behavior of this framework and hunt for exploitation of vulnerabilities?
Probably not because there's too much obfuscation, and...closed-source
Please read it.
What guarantee do you give for EdXposed as well? It isn't officially from the Xposed team, right?
And EdXposed is already posing issues with SafetyNet and TaiChi works simply great.
And as far as data leaks etc, once you step into the world of Android you are already in the risk zone. By this time all your data is already sold across the globe. It's too late to bother now. So just be at peace.
Related
I'm just getting started with CM7 and the Nook Color, but I have some general security concerns that perhaps you could help me with?
1. Viruses. I understand that these are real in Android. I've temporarily disabled non-Market apps, but I believe viruses and/or spyware have shown up in Market Apps too. Are there decent AntiVirus apps and what do you recommend?
2. Firewall. What services are open by default? Are there good software firewalls available?
3. Adware. Is it always clear which Market apps are ad-supported? Have apps crossed the line into malicious or near-malicious spyware? (Taking over browsers, redirecting home pages or searches, infecting other apps, etc.)
4. Apparently Google does not require password-confirmation for Market purchases, and no real solution exists, since available apps complicate things and don't address the root issue. Do they have any plans to change that?
5. Where are application and web site passwords, WiFi keys, and the like stored, and are they encrypted?
6. Is there a multi-user / multi-profile facility to allow different users to log in to different desktops and/or applications? (Or is that best accomplished with dual booting.)
7. What major applications are known to "phone home" or otherwise divulge more information than might be expected? I was quite surprised that CM7 itself phones home to CyanogenMod by default, and even with that turned off the ROM Manager still reports usage statistics to Google?
8. Is anyone independently reviewing CyanogenMod itself for privacy and security implications? Right now many of us are relying on a hodgepodge of hacker contributions and the good will of those creating them. I'm sure that anything malicious would eventually come to light, but is anyone proactively checking out the release CM7 distribution, the GApps distribution, and the various installers and packagers? Right now the only verifiable "web of trust" that seems to exist is the good intentions of every contributor, and the general availability of the source code (which should make the review possible, if not particularly easy!).
9. Are there any "best practices" as a user? For example, I've set up a new GMail ID for use with the NC, and haven't yet linked any credit card or payment data. Meanwhile, for the B&N side I've had to submit a credit card number to get access to their market (even to get their "Free" offerings).
10. Any implications for configuring e-mail and/or contacts, etc.? Mass remailing trojans certainly exist on the Windows side.
11. Do the application specific permission settings compare favorably to those of the BlackBerry, and are they easily adjustable after you've already granted permissions to an app?
12. Is there any concept of sandboxing a new app to prevent it from possibly adversely affecting other applications or files?
13. Is there a best practice for how to manage files on both the eMMC and SD card storage, particularly when booting between the two? Can one be locked out from the other?
Okay, that's a baker's dozen. I'll stop now.
Thanks much for any input.
Really? Nobody has an opinion to share on this?
rooting /cm7 / and the purpose behind it may just not be for you. I don't think you're going to get an answer you're looking for. Also not trying to be rude, but you pretty much wrote a book in your first post. Just ask a question dude.
Thanks for the response, but I asked roughly 13 questions -- would you prefer I "just asked a question" by starting 13 different threads? I certainly wouldn't.
And your first sentence makes it sound as if there's no one here who gives a damn about their own data and that everyone views the Nook Color as a toy -- and I seriously doubt that.
xdabr said:
I'm just getting started with CM7 and the Nook Color, but I have some general security concerns that perhaps you could help me with?
1. Viruses. I understand that these are real in Android. I've temporarily disabled non-Market apps, but I believe viruses and/or spyware have shown up in Market Apps too. Are there decent AntiVirus apps and what do you recommend?
2. Firewall. What services are open by default? Are there good software firewalls available?
3. Adware. Is it always clear which Market apps are ad-supported? Have apps crossed the line into malicious or near-malicious spyware? (Taking over browsers, redirecting home pages or searches, infecting other apps, etc.)
4. Apparently Google does not require password-confirmation for Market purchases, and no real solution exists, since available apps complicate things and don't address the root issue. Do they have any plans to change that?
5. Where are application and web site passwords, WiFi keys, and the like stored, and are they encrypted?
6. Is there a multi-user / multi-profile facility to allow different users to log in to different desktops and/or applications? (Or is that best accomplished with dual booting.)
7. What major applications are known to "phone home" or otherwise divulge more information than might be expected? I was quite surprised that CM7 itself phones home to CyanogenMod by default, and even with that turned off the ROM Manager still reports usage statistics to Google?
8. Is anyone independently reviewing CyanogenMod itself for privacy and security implications? Right now many of us are relying on a hodgepodge of hacker contributions and the good will of those creating them. I'm sure that anything malicious would eventually come to light, but is anyone proactively checking out the release CM7 distribution, the GApps distribution, and the various installers and packagers? Right now the only verifiable "web of trust" that seems to exist is the good intentions of every contributor, and the general availability of the source code (which should make the review possible, if not particularly easy!).
9. Are there any "best practices" as a user? For example, I've set up a new GMail ID for use with the NC, and haven't yet linked any credit card or payment data. Meanwhile, for the B&N side I've had to submit a credit card number to get access to their market (even to get their "Free" offerings).
10. Any implications for configuring e-mail and/or contacts, etc.? Mass remailing trojans certainly exist on the Windows side.
11. Do the application specific permission settings compare favorably to those of the BlackBerry, and are they easily adjustable after you've already granted permissions to an app?
12. Is there any concept of sandboxing a new app to prevent it from possibly adversely affecting other applications or files?
13. Is there a best practice for how to manage files on both the eMMC and SD card storage, particularly when booting between the two? Can one be locked out from the other?
Okay, that's a baker's dozen. I'll stop now.
Thanks much for any input.
I have to admit, you come off as rather paranoid, and I am not sure why you are so.
Yes, there have been a couple of problem apps recently, but Google took care of them, and I would not worry. The best security you can have, is looking at what you are installing. The application cannot hide what permissions it needs, so if you have something asking for way more than you think it should need, take that as your first red flag.
Currently, Virus Scans on Android are a joke, and simply unneeded. Don't even waste your time. Firewalls are just about the same, and again, not worth the effort. One thing to keep in mind, that this is a Linux system, and is not as prone to the Windows based attacks that you are used to. Things like email spam bots and such are not a problem.
As for Cyanogen - no code is added to the repository without being peer reviewed; and every code submission is available in public records. Frankly, they did not make it to CM7 by stealing people's data, nor is it simply a hodge podge of devs.
Frankly, I think right now more research is in order for ya. Most of what you ask is already discussed in many places, or is never discussed, because it simply isn't a worry...
Thank you, Divine_Madcat, for the advice and explanation. By hodgepodge I was more referring to the multiple installer methods and packages that newbies like me are relying upon to get everything installed easily. There are a lot of them, from a lot of nice people, from preconfigured SD card images to installation methods with modified boot loaders to interface and performance hacks. Even if Cyanogen itself is well maintained it would be pretty easy for someone to include a little trojan in one of those third-party "distributions".
It's not exactly paranoia, I've just seen this happen so often. Trojan horses are certainly not limited to Windows. Worms and other compromises have affected thousands of Unix and Linux machines in the past. Web sites and PHP and Perl scripts and databases and web frameworks regularly see vulnerabilities discovered and/or exploited. So since this device will be used in part by children with access to my credit card, I wanted to know what we're dealing with.
No, I was not familiar with Cyanogen's review practice (which is one reason I asked), so thanks for that reassurance! I will try to learn more as I go.
I do apologize for the length of the OP though -- I was trying to brainstorm and get everything down in one place that related to possible security concerns. It's not as if I'm worried sick about every little point.
One of the apps I install on all my installs is 'Lookout'. This app scans all my programs I install and update and I have heard very good reviews of it.
I did see that Eric Lundcrest did an article today:
http://web.eweek.com/t?r=2&c=38783&l=64&ctl=11B38843F5D4C728CF30E9F23F9E91BB51617&
You can check them out. I haven't tried them all myself and I noticed that he didn't include the app that I recommended above (and I use it on both my Nook and my HTC EVO)
You Should Also be Aware..
that one of the joys of Android (and of course Unix/Linux) is that everything is "sandboxed" unlike Windoze - there are not many apps that interfere with others - that's why it's so easy to install and uninstall from Android. Compare the uninstalling of even a large Android app with that of uninstalling from Windows.
I would not worry about interfering apps
Thanks, doc. I'm moderately familiar with the Unix security model, but not so much with Android. Is sandboxing really accurate? In Linux processes run with particular user rights, much as in Windows but more flexible -- that is, it's just much more common to have different daemons running as different users. Still, I don't think they're really isolated from one another as they might be with a "chroot jails" kind of function...
I don't think electronics are for you, I suggest books and a cabin in the woods.
No viruses really exist yet, a few flaws in the code have been found but they are patched quickly.
No real firewall, doesn't work quite that way with Android.
Yes, it will say in the permissions of the app in the market.
You sign into the market when you first use it, making sure your device has a lockscreen PW is how you keep it safe.
/data
no
Some apps phone home, check permissions before you install.
All CM code can be seen in the github, you can compile it yourself if you wish.
Use smart internet credit card practices such as only attaching a low limit card to accounts etc.
If the Google email server was hacked maybe but all that stuff is stored encrypted on Google's end.
Permissions need to be approved of by you if they change.
Android sandboxes all apps.
Dunno, I have CM7 on internal and books etc stored on the SD card.
Nanan00, your actual answers were great, but "I don't think electronics are for you, I suggest books and a cabin in the woods." and the similar dismissive post above are exactly the kind of BS condescension that gives some open source communities a bad name. Stop it. Little by little it devalues the entire community and its projects.
Thanks for the substance of your response.
Truthfully... My parents practice pretty much all of the stuff you have said, they're very careful with credit cards and anything that could be used as personal information.
And yet... Someone got ahold of their credit card numbers and bought something for almost 3k last year...
I have no virus software or even firewall software on this computer, it has not received a virus in over 5 years (I know... it needs an upgrade) and I'm running Windows XP SP2.
If you're prone to viruses then go ahead and install some antivirus software. If you're scared about your kids + your credit card + the nook, then have them make all transactions on the computer.
The reason no one is taking this seriously is because Android is too new for there really to be anything worthwhile on the market. People are just now learning how to develop and code for it. So there aren't a bajillion (give or take one or two) viruses or trojans running around the Google market.
On top of that, so long as you're legally buying your apps from the Google market, you have even less to worry about. As Google has shown in the past that they'll go ahead and delete it the second they find it.
As far as permissions go, don't get too hung up on it. Everybody trusts Pandora and yet it requires more permissions than some of Google's own apps. =\
Thank you, Gin1212. I don't use an AntiVirus on my own Windows machines either -- it's more trouble than it's worth when you know what you're doing. (On Android I don't know what I'm doing, yet.)
And yeah, I already made sure to use a disposable credit card number ("ShopSafe") with a limit when setting up the Nook for the young'un. Google Market, thankfully, doesn't require a credit card unless you buy something, so I'll be checking out the free apps for a while (so that's part of why I asked about adware/spyware).
I was approaching the thing as I would any new (to me) full fledged operating system and computer, fully aware it's not the "safe" and dictatorially controlled little world of iOS or, to some extent, BlackBerry OS.
So thanks for the real world advice!
xdabr said:
Nanan00, your actual answers were great, but "I don't think electronics are for you, I suggest books and a cabin in the woods." and the similar dismissive post above are exactly the kind of BS condescension that gives some open source communities a bad name. Stop it. Little by little it devalues the entire community and its projects.
Thanks for the substance of your response.
Suffice it to say that Android's and Microsoft's, and even Linux's app model is vastly different. Google does not just act as a repository, as in Linux. From my understanding, Google is rather guarded about its app market and if anything heretofore is found, the app is yanked from the market immediately.
I agree that website security is more an issue that needs to be looked at, but the lion's share of websites that have virii and adware are aimed at infecting windows machines, but your concerns are noted.
As to the intent of the Devs here, I think you need to understand that these roms, mods and apps are their children, and their passion of the moment. No one goes through all the crap they do just to foment adware. This is their meat and drink and trust me, if there were a dev whose morality came into question, they would police themselves and it would be all here for us to read. There are no secrets here. These aren't script kiddies looking to wreak havoc.
I agree that security is a good thing, but the twin natures of Android are openness and isolation. Each app, at least from my understanding is an island unto itself with rare exception. So I think that while your concerns in themselves are noble, they are unwarranted, and at some points even seem absurd. No offense intended here.
We aren't just drinking the kool-aid here, everyone knows the risks of adopting an unknown and untested ROM, everyone takes the responsibility to themselves when they violate their warranty in search of a better tablet experience. The average person who roots their nook is not your average idiot windows user. We are here because we want more and better than our legacy alienation by microsoft and those who can't think outside of their security model.
Well, there is my Android manifesto. Sorry for rambling.
migrax
No, I appreciate the manifesto -- thanks. Again, I tried to brainstorm and throw the kitchen sink into the original post so as to get everything down in one place. I was hoping it could serve as a general security discussion thread. Not everything there is a huge concern of mine, and sorry if it made things seem absurd.
I appreciate your points about the intentions of the developers and the operation of Google's market (although of course a big selling point is we are NOT limited to that market... conversely, I suppose anything I chose off-market would be something I had by definition come to trust independently).
xdabr said:
Nanan00... "I don't think electronics are for you, I suggest books and a cabin in the woods." and the similar dismissive post above are exactly the kind of BS condescension that gives some open source communities a bad name. Stop it. Little by little it devalues the entire community and its projects.
I think you're overreacting a wee bit too much. I can't speak for Nanan00 but the first sentence of his post feels like a joke. He took the time to write out the answers of OP's question...
Also since you were referring to my post at the top..... I was just being candid with OP.
I read his post, I could see that he was a bit paranoid (IMO) and told him my honest opinion. Which is: Hacking your nook, or any device for that matter, may not be for you. The reasons being that when you hack your device, you inevitably increase its chances of being exposed (even if the increase is small, it's there.) I don't feel that I am being arrogant, and I didn't catch that drift from Nanan00. But I wanted to address this since you obviously feel strongly that this type of behavior is "devaluing the entire community and its projects."
Anyways to the OP:
Sorry if my post came off rude. I should have taken the time to give you my explanation.
colbur87 said:
I think you're overreacting a wee bit too much. I can't speak for Nanan00 but the first sentence of his post feels like a joke. He took the time to write out the answers of OP's question...
Also since you were referring to my post at the top..... I was just being candid with OP.
I read his post, I could see that he was a bit paranoid (IMO) and told him my honest opinion. Which is: Hacking your nook, or any device for that matter, may not be for you. The reasons being that when you hack your device, you inevitably increase its chances of being exposed (even if the increase is small, it's there.) I don't feel that I am being arrogant, and I didn't catch that drift from Nanan00. But I wanted to address this since you obviously feel strongly that this type of behavior is "devaluing the entire community and its projects."
Anyways to the OP:
Sorry if my post came off rude. I should have taken the time to give you my explanation.
Um, colbur87, "OP" and I are the same person.
Asking questions is one way we learn. As an Android newbie many of my questions would apply to any Android device, hacked/rooted or not. If they're not appropriate for this forum, or if no one here thinks they're valid or worth a response, that would be okay. But to say in effect "your concerns are stupid and you don't belong here" is not only insulting, but factually wrong. Just because some people are content to not consider security implications doesn't mean they're not real.
Blithe unquestioning acceptance and faith is more of an Apple iFanboy trait, I would have thought.
And much as with Linux as a whole, positioning "hacked" Android as something not amenable to ordinary consumers is counterproductive.
(By the way, I'm not an ordinary consumer.)
Anyway, I do appreciate the answers people have given.
Wasn't looking at the names so my bad on the mix up.
Anyways if you still think I'm being rude even after my previous post then so be it.
I'm out
Divine_Madcat said:
The application cannot hide what permissions it needs, so if you have something asking for way more than you think it should need, take that as your first red flag.
Actually, that isn't true. There are holes in Android Market, so if app makers really wanted to, they can hide certain permissions even if your app calls out that permission through AndroidManifest, which is how the permission is given in the first place. It was shown that even big name developers had exploited this one time or another. Of course this has nothing to do with CM7. Even stock Android phones are vulnerable to this. However, in general, if you download a popular app, you should be able to trust the permissions listed. Unless you're the first person to download an app, you'll usually hear back from initial users if there's something funky going on.
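The check Divine_Madcat describes in the quote above (compare what an app asks for with what it should need) can be run against a decoded `AndroidManifest.xml`. This is an added example, not part of the thread: the sample manifest, package name and expected-permission baseline are constructed assumptions, and the audit covers only what the manifest itself declares.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PREFIX = "android.permission."

# Partial list of permissions Android places in the "dangerous" protection level.
DANGEROUS = {PREFIX + p for p in (
    "READ_CONTACTS", "WRITE_CONTACTS", "SEND_SMS", "READ_SMS", "RECEIVE_SMS",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "RECORD_AUDIO",
    "CAMERA", "READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
)}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight"
    android:sharedUserId="com.example.shared">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"
                   android:maxSdkVersion="22"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Flashlight"/>
</manifest>"""

# Reviewer's baseline (assumption): what a flashlight app plausibly needs.
EXPECTED = {PREFIX + "CAMERA", PREFIX + "FLASHLIGHT"}


def audit_manifest(manifest_xml, expected):
    """Compare the permissions a manifest requests with an expected baseline."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest document")
    name_attr = "{%s}name" % ANDROID_NS
    requested = set()
    # <uses-permission-sdk-23> requests a permission only on API 23 and later,
    # so it has to be counted alongside plain <uses-permission>.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.findall(tag):
            name = element.get(name_attr)
            if name:
                requested.add(name.strip())
    unexpected = requested - set(expected)
    return {
        "package": root.get("package"),
        "requested": sorted(requested),
        "unexpected": sorted(unexpected),
        "unexpected_dangerous": sorted(unexpected & DANGEROUS),
        "unused_baseline": sorted(set(expected) - requested),
        # Apps signed with the same key that share a UID also share granted
        # permissions, so this manifest's own list may understate its access.
        "shared_user_id": root.get("{%s}sharedUserId" % ANDROID_NS),
    }


def render(report):
    """Format the audit result as a short review note."""
    lines = ["package: %s" % report["package"]]
    for perm in report["unexpected"]:
        level = "DANGEROUS" if perm in report["unexpected_dangerous"] else "review"
        lines.append("  beyond baseline [%s]: %s" % (level, perm))
    if report["shared_user_id"]:
        lines.append("  shares UID %s: audit the sibling packages as well"
                     % report["shared_user_id"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(audit_manifest(SAMPLE_MANIFEST, EXPECTED)))
```
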
Anti-Piracy Service/"Project Guard" [UPDATED W/ LINK TO DISABLE IT VIA XPOSED 8/16]
If you use any of the following apps:
(List Updated 8/14)
-- Freedom
-- Lucky Patcher
-- Black Mart
-- All in one Downloader
-- Get APK Market
-- CreeHack
-- Game Hacker
Either do not flash any of the ROMs in the list below which have a trojan "Anti-Piracy" Service implemented or use one_minus_one's Xposed module (link above) to disable it.
(List Updated 8/14)
-- AICP (Confirmed)
-- Exodus (Confirmed)
-- Broken OS 3.0
-- OrionLP V1.3
The devs of AICP and custom ROMs such as exodus (a new ROM based on Cyanogen from the vanir devs, that is available for klte and kltespr) and others are implementing what is effectively an Anti-Piracy trojan in their ROMs that they call "Project Guard".
Project Guard is a service that runs in the background and literally blocks you from installing the APKs associated with these apps. And it doesn't stop there. Apparently Project Guard was having talk of banning both Aptoide and XPOSED in these ROMs. Thankfully, this was voted down but Aptoide was still on the table as far as I heard last. The fact that even the idea of banning Xposed from AOSP ROMs in order to stop its users from pirating was even discussed, is frankly surreal to me and out of control. It's shameful. Not sure why the developers felt the need to implement this trivial and easily bypassed "feature" but it goes against everything I thought the AOSP stood for. While it is easy enough to bypass this service using third party apps or a hex editor, I do not wish to support any developers that would stoop to this level of greed. If you want money for your code, I totally understand, but this is AOSP not Apple and there is a time and place for everything. Please, don't take out your misplaced aggression at software pirates on the AOSP. Because, although this may be just a little bit of code to you, to me it is the beginning of the end of AOSP. If you compromise your integrity now, it's a short trip from here to bloatware with a monthly subscription fee. In a modern internet climate that is becoming increasingly controlled and corporatized, AOSP is a beacon of hope to me. A reminder that technology belongs to the many and not the few. This decision spits in the face of that hope. People will say I'm being dramatic but this is a huge deal to me and if you care about having the freedom to do what you want with your phone, which I'm pretty sure most of you do, then this should be a big deal to you too. I thought I could trust AOSP developers to do the right thing but apparently they feel that it's their place to decide which apps I can and cannot install.
If you care about having the freedom to do what you wish with your phone, I urge you not to flash this ROM, or any ROM that would compromise its integrity by adding code that is meant to control its users. This is the kind of thing that made us choose AOSP in the first place. It doesn't even make logical sense to implement things like this in an open source ROM, as inevitably new versions of the ROM will be released with this ridiculous code removed. I am seriously disappointed as AICP was one of my favorite ROMs. The developers of AICP and the other affected ROMs have the right to do whatever they want (within legal boundaries) with their code as creators of intellectual property but as an AOSP user you have the right to flash a ROM with a little more integrity.
*Update 8/14*
This is directly from the Project Guard Official Github Page:
"NOTE: Please report new piracy markets and malware to me or any of the others involved with this project. Pull requests are also welcome. For ROM developers interested in using this it makes more sense to track this project directly and then bridge into an existing package with correct perms (like settings). This way any changes made here to the blacklisted packages and improvements will reach out to everyone."
This "note", written in huge font right on the Project Guard GitHub main page, begs the question:
So what exactly are the criteria for a "Piracy Market"?
Any market that contains software that will help or allow you to pirate software? That's my best guess at the project's aim, HOWEVER, they have provided, as far as I can tell, ZERO criteria for what constitutes a "Piracy Market". A "Piracy Market" may include Aptoide but it could also include the Google Playstore. You see the problem here? This is much too arbitrary and relative to be efficient in stopping piracy and much more likely to hurt developers, especially seeing as anyone who knows how to pirate, can also learn to bypass this service with a quick Google search. I did. What is going to happen is, legitimate software, or software that gives a user access to legitimate software, will end up being banned in these ROMs. This is a very dangerous mindset they have here. This could turn into a witch hunt or full blown technological McCarthyism.
Make no mistake about it, as a user named "Bikas" pointed out on the OPO forums here, this is indeed a trojan.
According to Wikipedia a computer trojan is defined as "any malicious computer program which misrepresents itself as useful, routine, or interesting in order to persuade a victim to install it". When someone downloads a custom ROM, especially AOSP, they assume they are gaining more freedom but in this case they are having it taken away. People trust AOSP devs and won't expect this to happen. Nobody expects to be controlled like this by a background service in an AOSP custom ROM, therefore the entire ROM can be considered a trojan.
Wikipedia also states that if the trojan is "installed or run with elevated privileges a Trojan will generally have unlimited access. What it does with this power depends on the motives of the attacker." This also fits these ROMs. The ROMs DO have unlimited access to your phone and blocking you from installing a whole category of APKs is very malicious. In this case the "motives of the attacker" are to stop or curb piracy.
It is very clear that they,
A. Have unlimited access to your phone
B. Have clear motives
C. Are using this access without your permission to prevent you from installing apps that they have deemed "pirate markets", which is consistent with these motives.
Now ask yourself, are you okay with your ROM including a Trojan entirely based on the ROM developer's personal motives and political ideology, at the cost of your technological freedom to install whatever the hell you want? Software, especially AOSP ROMs, should be free of its creator's bias and motives.
One more thing. It is my opinion that the underlying reason for the creation of these "Anti-Piracy" ROMs is just money, or simply put, greed. I understand it can be frustrating when you put your blood, sweat and tears into an app or ROM and not only does nobody donate but they remove your advertisements with an app like Lucky Patcher or complain that you aren't releasing nightlies often enough. I really do get that. But at the end of the day this thing is about money as virtually all "Anti-Piracy" groups, laws and efforts are. This is about forcing people to pay. I'm not saying they shouldn't pay, BUT THIS IS THE WRONG WAY TO ENFORCE IT.
-- Tipsy
-- SlimLP
-- SlimSaber
-- MinimalOS
-- CyanogenMod 12.1
-- Euphoria
-- Slimremix
-- Cmremix
-- Resurrection Remix
Don't take my word for it,
READ UP!
The apps you mention these ROM developers are trying to block are all to bypass google licensing.
In effect "getting paid apps for free"...
These ROM developers may also develop apps which could require payment/donation to use..
Why should they take out their anti piracy measures? I haven't looked into these roms personally, but I'd be happy to use them if they have info messages before installation to warn of such measures.
Just my two pennies
I support Anti-piracy where time and effort has been put into apps, and these guys are just asking for small donations to use their apps
EDIT: I disagree with banning the use of xposed within their ROMS, but I agree if they just do not want to support this.
Aptoide I partially disagree due to the fact some countries do not have access to the Google Playstore, it is down to Aptoide to implement anti piracy measures within their store app.
Regards
f0xy said:
The apps you mention these ROM developers are trying to block are all to bypass google licensing.
In effect "getting paid apps for free"...
These ROM developers may also develop apps which could require payment/donation to use..
Why should they take out their anti piracy measures? I haven't looked into these roms personally, but I'd be happy to use them if they have info messages before installation to warn of such measures.
Just my two pennies
I support Anti-piracy where time and effort has been put into apps, and these guys are just asking for small donations to use their apps
EDIT: I disagree with banning the use of xposed within their ROMS, but I agree if they just do not want to support this.
Aptoide I partially disagree due to the fact some countries do not have access to the Google Playstore, it is down to Aptoide to implement anti piracy measures within their store app.
Regards
The biggest problem is they have no designated criteria for what apps are to be banned and what apps aren't. They just ask the general public to go and snitch on apps that they think are "pirate markets".
I also am concerned that if we compromise and allow this to be the norm then we have just set out on a path to ruin. If things like this are allowed next time it WILL be closed.
As I stated above, they have the right to do whatever they want with their ROM but I have the right to not flash it and to encourage others not to in order to protect AOSP from becoming something like TouchWiz.
jujijoog said:
The biggest problem is they have no designated criteria for what apps are to be banned and what apps aren't. They just ask the general public to go and snitch on apps that they think are "pirate markets".
I also am concerned that if we compromise and allow this to be the norm then we have just set out on a path to ruin. If things like this are allowed next time it WILL be closed.
As I stated above, they have the right to do whatever they want with their ROM but I have the right to not flash it and to encourage others not to in order to protect AOSP from becoming something like TouchWiz.
Without fully reading into this (no time at the moment, at work!)
I can agree with your comments. Project Guard should not have the right to disallow users of roms to not run specific apps. I can understand what they are trying to do but they are going around it all the wrong ways.
I am now following the movement Anti - Contentguard
f0xy said:
The apps you mention these ROM developers are trying to block are all to bypass google licensing.
In effect "getting paid apps for free"...
These ROM developers may also develop apps which could require payment/donation to use..
Why should they take out their anti piracy measures? I haven't looked into these roms personally, but I'd be happy to use them if they have info messages before installation to warn of such measures.
Just my two pennies
I support Anti-piracy where time and effort has been put into apps, and these guys are just asking for small donations to use their apps
EDIT: I disagree with banning the use of xposed within their ROMS, but I agree if they just do not want to support this.
Aptoide I partially disagree due to the fact some countries do not have access to the Google Playstore, it is down to Aptoide to implement anti piracy measures within their store app.
Regards
f0xy said:
Without fully reading into this (no time at the moment, at work!)
I can agree with your comments. Project Guard should not have the right to disallow users of roms to not run specific apps. I can understand what they are trying to do but they are going around it all the wrong ways.
I am now following the movement Anti - Contentguard
Exactly. I am not speaking out against Anti-Piracy, to do so would be to speak out against a person's right to intellectual property and capitalism as a whole really. I am speaking out against the intrusive method and implementation of Project Guard.
The main thing that concerns me on this matter is the fact that I like to try apps before I buy them. If the app is crap then I just uninstall it and don't worry with it after that. Some apps in the app store, and I have had problems with this, do not allow refunds once purchased. It is frustrating sometimes to just have nothing but screen shots that look awesome and a video that looks great, but you are the first one that sees the app and you buy it to only find out that it is nothing like described. I do personal ROM development from time to time and I would never allow anything like this in anything I do. It takes away from everything that is Linux. And yes Android is Linux/UNIX based, so therefore should not be restricted as such. That is why Google implemented software that checks for pirated apps and won't allow you to use them if it sees certain checks that not even Lucky Patcher can bypass. My personal opinion on this matter is that there might be other reasons behind this code. If you analyze the code to be implemented, you will notice it connects to a server for verification of new apps added that are considered to be piracy apps and also to confirm the currently installed database. I know that some hackers use this type of ploy to gain access to your personal information because any time that you connect to a server with an app with full access to your device it can essentially get all the information saved on your device regardless of how secure you think it is. So keep that in mind. Take a look at their code on GitHub and see for yourself.
How will this affect folks in countries that crack down on the free flow of information like here in the US? Think it's more about control than it is money... oops, my bad, no such thing as money just notes. Imagine being paid in debt instruments for your labor, oh wait we already do and we love it; suckers!!
Prison Planet peace out!
This is epic!
The time you have spent to make this post was more than enough to learn how to compile rom from source and build it without this so called Trojan that helps the app devs.
And if we added a Trojan, you wouldn't even know it
@jujijoog
You are totally right. How can the devs only dare, trying to protect us against breaking the laws rules.
What those piracy apps do is simply stealing.
You are taking someones right for money.
This is simply an anti-thief prevention.
Now ask yourself. Is it okay to steal things. Is it okay to steal money?
You say, they have clear motives.
So you have.
When your "freedom" is about stealing, I hope you end up in jail.
Sincerely,
mono
http://forum.xda-developers.com/showthread.php?p=62363666
no more and no less
HGT - S5 G900F - ONEPLUS ONE - TESLA TTL7 - Windows 10
---------- Post added at 15:05 ---------- Previous post was at 15:00 ----------
A page for thieves, nice.
HGT - S5 G900F - ONEPLUS ONE - TESLA TTL7 - Windows 10
Again in plain text
Tell me an app which does not have full access to my phone,
1, SuperSU and all Google Apps, then Facebook, Whatsapp, Viber and so on.
Each shi... app has access if they want to. Your argument is not an argument.
I'm more afraid of Google + + + and stolen apps than of the Anti Piracy code.
Many problems come from Google
http://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/
LorD ClockaN said:
The time you have spent to make this post was more than enough to learn how to compile rom from source and build it without this so called Trojan that helps the app devs.
And if we added a Trojan, you wouldn't even know it
Well if you read my post you would understand that I'm not concerned about bypassing content guard. In fact I made it painfully obvious when I stated how easy it is to do just that, in the first paragraph....
What I am concerned about is compromising the integrity of AOSP.
One thing you cannot argue is that this is a precedent and I fear that this precedent has "awakened a sleeping giant" and could be the catalyst for something much worse. I'm not going to re-explain myself because you were either too lazy to read my whole post or too ignorant to comprehend it.
monochro100 said:
@jujijoog
You are totally right. How can the devs only dare, trying to protect us against breaking the laws rules.
What those piracy apps do is simply stealing.
You are taking someones right for money.
This is simply an anti-thief prevention.
Now ask yourself. Is it okay to steal things. Is it okay to steal money?
You say, they have clear motives.
So you have.
When your "freedom" is about stealing, I hope you end up in jail.
Sincerely,
mono
You hope I end up in jail because I have a philosophical disagreement about what open source ROM content should be? Calm down bro.
And you are god damn right I have clear motives.
Talk about stating the obvious, LOL.
It's not like I pretended this was an unbiased research post.
My freedom is not about stealing, it's about not having code in my ROM that does nothing for me but control me.
Content guard has the potential to stop much more than pirating.
It is already blocking access to legitimate apps and apps that provide access to legitimate apps.
I HAVE STATED BEFORE THAT I AM NOT OPPOSING ANTI-PIRACY MEASURES AS A WHOLE I AM PROTESTING THIS PARTICULAR METHOD OF ANTI-PIRACY IMPLEMENTATION AS I THINK IT IS DANGEROUS.
HorstiG said:
Again in plain text
Tell me an app which does not have full access to my phone,
1, SuperSU and all Google Apps, then Facebook, Whatsapp, Viber and so on.
Each shi... app has access if they want to. Your argument is not an argument.
I'm more afraid of Google + + + and stolen apps than of the Anti Piracy code.
Many problems come from Google
http://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/
This is a ridiculous argument because although those apps have full access to your phone, NONE OF THEM DO ANYTHING EVEN CLOSE TO AS MALICIOUS AS CONTENT GUARD! Super SU simply gives the user privileges while Content Guard takes them away. To compare them in this way is frankly hilarious as they are actually great examples of polar opposites.
Wow this is the best you Pro Content-Guard types got?
Can someone who has actually graduated from high school please come at me?
@jujijoog
You're a pompous ass and an instigator to theft, no more and no less.
I hope the post is closed here
HorstiG said:
@jujijoog
You're a pompous ass and an instigator to theft, no more and no less.
I hope the post is closed here
How am I an instigator to theft because I oppose the implementation of some code that I believe could cause AOSP to lose integrity and worsen? How many times do I have to say that I am not defending pirating software nor am I helping to do so. I may be helping to throw up road blocks to measures against it but even that I doubt as there was an Xposed module made completely independent of my influence as well as several methods developed for bypassing content guard before I even knew it existed. What I'm getting at is that regardless of what I say or do content guard would have been made useless. It's the unintended side effects I'm worried about. The people behind this project were discussing banning xposed as a way of stopping a bypass. If they are willing to do something that damaging to the xda community then they are a problem. Do you not agree?
Do you think xposed should be banned? Really? Did you even read my post? What are you even reacting to, what you are saying makes no sense in the context of my post. I think by "you are a pompous ass", what you really meant was "I don't understand your post because I'm ignorant and that makes me insecure, scared and upset". Why would my post be b&? What possible reason would a mod find to b& my post. As far as I know XDA isn't in the business of censorship. I'm sure you would love to be though. You're the one that's more likely to get banned for name calling. Grow up.
What's up with all the name calling? If you don't agree with me then explain why as any intelligent, respectable adult would, this isn't a YouTube comment section.
LorD ClockaN said:
The time you have spent to make this post was more than enough to learn how to compile rom from source and build it without this so called Trojan that helps the app devs.
And if we added a Trojan, you wouldn't even know it
By the way, I don't appreciate you putting words in my mouth. When did I say this was helping app devs? Although it's irresponsible of the app devs to agree to implement this I am not under the illusion that content guard was created by them. It's clear who is ultimately behind this and it's not the app devs. However any app dev that allows this becomes, in their passivity, an agent of negative change to the whole Android dev scene. And I didn't know you added this until it blocked my install. All Trojans become apparent after they execute their malicious intent, with the exception of like a data mining trojan so I'm not sure what you mean?
P.S Funny you should mention I actually am working on a ROM right now. When I drop it I'll shoot you a link.
People just aren't wanting to listen. They aren't realizing the full effect this is going to have on the community. The devs working on getting xposed to work well with 5.1 are busting their butts to make it work and then someone comes along and tries to restrict the use of our ROMs. Nowhere has anyone said that they are supporting piracy. You don't need apps like Blackmart Alpha, Aptoide or anything of such to get free apps. If someone were to support piracy, then it is up to that individual. Like we say in the military, to each his own. Like I have said before, since this connects to a server for checks, we don't know what all it is capable of. And none of this "well Facebook and other apps do the same thing and could do more damage!". Yes we all know this, but there is a catch to that argument... We choose to install that software and understand the risk. They are not forced upon us or hidden like a piece of turkey jerky mixed with beef. And from my understanding this code is going to be hidden in settings as well.
What difference is this privacy guard going to make? People will just Google apks instead. I can't see where this is going. And this xposed module is made.
This is exactly like the story of the BPI. Greedy people trying to monopolise the market. What happened to AOSP's freedom? Well people have gone round the privacy measures.
Let's say Google Play doesn't allow an app, for instance Adaway. Where am I going to get it officially? From their site or a market he uploads it to. There are genuine apps on there which are because of Google's terms. Most of them are pirated (which I don't condone at all).
With these new rules go ahead and block Google Play. There are unmonitored apps on there which can allow you to download music. Why can't you? Oh yeah, the greed.
I'm pretty sure this is an invasion of the user's privacy. Even Windows 10 allowed you to change default settings and stop feedback; this change would be illegal which is why Windows 7 came with a browser choice update to allow other browser vendors.
Yup roms with this content guard BREAKS THE GPL. You cannot upload roms on XDA which break GPL
XDA_h3n said:
What difference is this privacy guard going to make? People will just Google apks instead. I can't see where this is going. And this xposed module is made.
This is exactly like the story of the BPI. Greedy people trying to monopolise the market. What happened to AOSP's freedom? Well people have gone round the privacy measures.
Let's say Google Play doesn't allow an app, for instance Adaway. Where am I going to get it officially? From their site or a market he uploads it to. There are genuine apps on there which are because of Google's terms. Most of them are pirated (which I don't condone at all).
With these new rules go ahead and block Google Play. There are unmonitored apps on there which can allow you to download music. Why can't you? Oh yeah, the greed.
I'm pretty sure this is an invasion of the user's privacy. Even Windows 10 allowed you to change default settings and stop feedback; this change would be illegal which is why Windows 7 came with a browser choice update to allow other browser vendors.
Yup roms with this content guard BREAKS THE GPL. You cannot upload roms on XDA which break GPL
Well said my friend. People don't really think about that kind of stuff usually though. That's how privacy guard came about. Lol
XDA_h3n said:
What difference is this privacy guard going to make? People will just Google apks instead. I can't see where this is going. And this xposed module is made.
This is exactly like the story of the BPI. Greedy people trying to monopolise the market. What happened to AOSP's freedom? Well people have gone round the privacy measures.
Let's say Google Play doesn't allow an app, for instance Adaway. Where am I going to get it officially? From their site or a market he uploads it to. There are genuine apps on there which are because of Google's terms. Most of them are pirated (which I don't condone at all).
With these new rules go ahead and block Google Play. There are unmonitored apps on there which can allow you to download music. Why can't you? Oh yeah, the greed.
I'm pretty sure this is an invasion of the user's privacy. Even Windows 10 allowed you to change default settings and stop feedback; this change would be illegal which is why Windows 7 came with a browser choice update to allow other browser vendors.
Yup roms with this content guard BREAKS THE GPL. You cannot upload roms on XDA which break GPL
Well it's definitely an invasion of privacy as far as I'm concerned but what constitutes an invasion of privacy is a matter of perspective. Do you think it is possible that content guard technically breaks any of Google's TOS or possibly even privacy laws? I'm not too familiar with legislation like this if it does exist. Much of the post 9/11 legislation has been aimed at making things like content guard more legal unfortunately. Several people I mentioned this to on another forum I frequent pointed out the Windows 10 connection. Everyone agreed that content guard is a much more malicious implementation of Anti-Piracy code. You are right, people will just google or torrent apks, that is until Content Guard 2.0 blocks the installation of sideloaded apps, xposed and installation of all apks via ADB (Just Kidding).
Edit: I just noticed the last line about GPL. I had missed that. Is that true or are you just being facetious?
lunerceli said:
Well said my friend. People don't really think about that kind of stuff usually though. That's how privacy guard came about. Lol
I'm honestly kind of shocked that more people don't see, or at least care about the possible negative implications of something like this. I figured on a forum like XDA, support for an anti content guard movement would be mostly unanimous but it seems to be pretty well divided which actually makes things a little more interesting.
can anyone point to the thread to root a nexus 6 with marshmallow on it please? I search but I see a lot of old, conflicting and outdated reports
I just want solid instructions that somebody here already used
cpugeeker said:
can anyone point to the thread to root a nexus 6 with marshmallow on it please? I search but I see a lot of old, conflicting and outdated reports
I just want solid instructions that somebody here already used
Here are the steps I used:
- flash/upgrade to Marshmallow
- flash modified boot.img
- flash/boot TWRP and sideload latest v2.50+
No. Not that unless you want unknown evil invading your phone and stealing your private information.
Use this instead;
http://forum.xda-developers.com/nexus-6/general/root-t3231211
doitright said:
No. Not that unless you want unknown evil invading your phone and stealing your private information.
Use this instead;
http://forum.xda-developers.com/nexus-6/general/root-t3231211
WOW what happened with them? I found some readings but not all. What exactly went down? Any good reads on this?
doitright said:
No. Not that unless you want unknown evil invading your phone and stealing your private information.
Use this instead;
http://forum.xda-developers.com/nexus-6/general/root-t3231211
lol. I appreciate your work on providing other root access methods, but you really shouldn't go around claiming made up info as fact and trying to spread fear everywhere you can. You have no proof whatsoever of the things you claim.
EniGmA1987 said:
lol. I appreciate your work on providing other root access methods, but you really shouldn't go around claiming made up info as fact and trying to spread fear everywhere you can. You have no proof whatsoever of the things you claim.
You obviously don't know the first thing about security, or the gravity of offering root control to an unknown entity.
To make it simple, unless you can *prove* that something is safe, the only rational assumption is that it isn't.
In other words, it is not my place to prove them unsafe. It is your responsibility to prove that they are safe, and frankly, that is an impossible task.
Feel free to use whatever you like. But don't go recommending to somebody that they take dangerous risks that are unnecessary.
---------- Post added at 01:33 AM ---------- Previous post was at 01:27 AM ----------
cpugeeker said:
WOW what happened with them? I found some readings but not all. What exactly went down? Any good reads on this?
It was almost acceptable when it was maintained by a single individual, but at some point fairly recently, the code was transferred/sold to an outfit that has been buying up all the root control software that can be found on play store.
Although the original author continues to make the software available under his pseudonym, there is no indication of the contract in place between him and the software's new owners, and no indication of their motives.
That makes the situation incredibly frightening and dangerous.
doitright said:
> You obviously don't know the first thing about security, or the gravity of offering root control to an unknown entity.
> To make it simple, unless you can *prove* that something is safe, the only rational assumption is that it isn't.
> In other words, it is not my place to prove them unsafe. It is your responsibility to prove that they are safe, and frankly, that is an impossible task.
> Feel free to use whatever you like. But don't go recommending to somebody that they take dangerous risks that are unnecessary.
So something that has always been a bit closed, yet still trusted and used, gets transferred to a newly made company started through XDA leaders and still maintained currently by Chainfire for a while, and suddenly this means secret organizations with corrupt ties have suddenly taken control of the Android root world?
EniGmA1987 said:
> So something that has always been a bit closed, yet still trusted and used, gets transferred to a newly made company started through XDA leaders and still maintained currently by Chainfire for a while, and suddenly this means secret organizations with corrupt ties have suddenly taken control of the Android root world?
It doesn't guarantee that it's bad. But for it to not be controlled by the creator (a first ballot Hall of Famer in this community) and ownership switched to an unproven entity, it turns it from solid and secure to who knows what. The new owners could be just as good. But we should skeptically wait and see.
EniGmA1987 said:
> So something that has always been a bit closed, yet still trusted and used, gets transferred to a newly made company started through XDA leaders and still maintained currently by Chainfire for a while, and suddenly this means secret organizations with corrupt ties have suddenly taken control of the Android root world?
It is not really a newly made company and nowhere are the XDA leaders involved.
Now make no mistake. Chains SU will be around for a very long time. Will there be other options? Sure, there are many already. If not as mainstream. Apps like this will come and go. It is the nature of the beast.
Now before people start bashing others they better have something to prove it. Otherwise they have nothing to say worth listening to.
zelendel said:
> It is not really a newly made company and nowhere are the XDA leaders involved.
Could you provide some info on the company to the people here then? Because business filings say that you are wrong on that. The filings for the company were done on August 11th of this year and they rent a virtual office space at the Trump Building on Wall Street. Chainfire himself also said that the XDA leadership was involved in getting his project moved over to this company. Now maybe he wasn't supposed to let that slip, IDK, but he did say it.
EniGmA1987 said:
> Could you provide some info on the company to the people here then? Because business filings say that you are wrong on that.
Just look deeper and you will see. Just because they have a different name, or make an offshoot doesn't really make them a different company. If you read you will see that they already have their fingers into a few SU apps already. Don't you think that is odd for a new company?
XDA admins only made introductions. I personally don't really care. Nor should anyone really. If you are using SU then you know the risks you run and how to spot them.
zelendel said:
> Just look deeper and you will see. Just because they have a different name, or make an offshoot doesn't really make them a different company. If you read you will see that they already have their fingers into a few SU apps already. Don't you think that is odd for a new company?
What would be incredibly useful and go a long way in putting people's minds at ease, would be a realistic explanation of the MOTIVATIONS of this company, WHICH IS NEW, regardless of your perception of it being a simple name change, for acquiring and controlling ALL of the different mechanisms for controlling root on Android.
Frankly, I can imagine only a few motivations, none of which ANYONE should be ok with;
1) Charging for it,
2) Forcing ads that the user cannot control,
3) Backdoor/botnet/etc.
You need to remember that while their software will prompt you when some OTHER software tries to access root, it has the ability to hide its own use of root, as well as to wipe evidence from the logs.
Root access should ONLY EVER be open source.
doitright said:
> What would be incredibly useful and go a long way in putting people's minds at ease, would be a realistic explanation of the MOTIVATIONS of this company, WHICH IS NEW, regardless of your perception of it being a simple name change, for acquiring and controlling ALL of the different mechanisms for controlling root on Android.
> Frankly, I can imagine only a few motivations, none of which ANYONE should be ok with;
> 1) Charging for it,
> 2) Forcing ads that the user cannot control,
> 3) Backdoor/botnet/etc.
> You need to remember that while their software will prompt you when some OTHER software tries to access root, it has the ability to hide its own use of root, as well as to wipe evidence from the logs.
> Root access should ONLY EVER be open source.
The open source was done once. It didn't last very long and due to the nature of SU will never stay open source and mainstream at the same time. If someone wants to charge for the SU app then ok let them. Heck most already paid for the SU pro anyway. No point in going on a witch hunt before there is something to hunt. All we can do is sit back and wait. If chain trusts them then I am willing to give them a chance. Root itself is a security risk and anyone that does root should know just what they are doing. If not then they get what's coming to them.
This is not this company's first root app. As stated they own/profit from just about all the root apps that are around.
zelendel said:
> The open source was done once. It didn't last very long and due to the nature of SU will never stay open source and mainstream at the same time.
I have no idea how to respond to that besides saying to you that this statement is *ABSURD*.
The open source root was the *FIRST* root, and has persisted. In fact, the root that *I* am working on, is the extension of that very same *ORIGINAL* root done by Koush. It has remained *the* primary mechanism for controlling root access from 2009 to present, except for a brief loss of maintenance during the reign of Android 5.x.
Further, the nature of root REQUIRES it to be open source.
And will be THE ONLY mainstream method of providing root access control for anyone who has ANY consideration for security.
> If someone wants to charge for the SU app then ok let them. Heck most already paid for the SU pro anyway.
Only because they are being denied simple and mandatory features. This isn't a voluntary charge, this is coercion and even RANSOM.
> No point in going on a witch hunt before there is something to hunt.
But there IS a witch to hunt: SECURITY. Or lack thereof.
> All we can do is sit back and wait. If chain trusts them then I am willing to give them a chance.
You are a fool. Not only did the author of that binary root NEVER actually do anything to EARN your trust, the fact that you put your trust into a business arrangement that doesn't even involve you is tremendously scary... for you.
> Root itself is a security risk and anyone that does root should know just what they are doing. If not then they get what's coming to them.
No. This is entirely invalid. Root is not a security risk when done correctly, in open source, and treated with *respect*.
Binary root control *IS* a security risk, and unfortunately you are wrong again on this, since knowing what you are doing DOES NOT protect you from it. There is NOTHING you can do to protect yourself from binary software that you VOLUNTARILY put into a sensitive position of high trust.
> This is not this company's first root app. As stated they own/profit from just about all the root apps that are around.
That is a TERRIFYING prospect for reasons I've already discussed.
doitright said:
> I have no idea how to respond to that besides saying to you that this statement is *ABSURD*.
> The open source root was the *FIRST* root, and has persisted. In fact, the root that *I* am working on, is the extension of that very same *ORIGINAL* root done by Koush. It has remained *the* primary mechanism for controlling root access from 2009 to present, except for a brief loss of maintenance during the reign of Android 5.x.
> Further, the nature of root REQUIRES it to be open source.
> And will be THE ONLY mainstream method of providing root access control for anyone who has ANY consideration for security.
> Only because they are being denied simple and mandatory features. This isn't a voluntary charge, this is coercion and even RANSOM.
> But there IS a witch to hunt: SECURITY. Or lack thereof.
> You are a fool. Not only did the author of that binary root NEVER actually do anything to EARN your trust, the fact that you put your trust into a business arrangement that doesn't even involve you is tremendously scary... for you.
> No. This is entirely invalid. Root is not a security risk when done correctly, in open source, and treated with *respect*.
> Binary root control *IS* a security risk, and unfortunately you are wrong again on this, since knowing what you are doing DOES NOT protect you from it. There is NOTHING you can do to protect yourself from binary software that you VOLUNTARILY put into a sensitive position of high trust.
> That is a TERRIFYING prospect for reasons I've already discussed.
He has done a lot to earn my trust. You would know that had you been around as long as I have been.
I am fully aware of the first root. And the reasons behind him stopping its development. The only ones that I am aware of that were even using it were CM and they are almost as much of a joke as MIUI.
I am fully aware of what you are working on and to be honest not something I or many others would even use as you are unknown and to be honest not really trusted. Maybe after you have been around a while more people will put faith in you and your projects. Not to mention your attitude is enough to make many not bother with it.
Root is a security risk. Just ask any real developer. Even Google is making things like root harder to obtain because they see the risk. But to be honest as I have already said "Mobile security is an illusion". If I was truly worried about security I would not unlock my bootloader or bother with rooting.
Now we can argue this back and forth and never get anywhere. So we can end this here.
doitright said:
> You obviously don't know the first thing about security, or the gravity of offering root control to an unknown entity.
> To make it simple, unless you can *prove* that something is safe, the only rational assumption is that it isn't.
> In other words, it is not my place to prove them unsafe. It is your responsibility to prove that they are safe, and frankly, that is an impossible task.
> Feel free to use whatever you like. But don't go recommending to somebody that they take dangerous risks that are unnecessary.
> ---------- Post added at 01:33 AM ---------- Previous post was at 01:27 AM ----------
> It was almost acceptable when it was maintained by a single individual, but at some point fairly recently, the code was transferred/sold to an outfit that has been buying up all the root control software that can be found on play store.
> Although the original author continues to make the software available under his pseudonym, there is no indication of the contract in place between him and the software's new owners, and no indication of their motives.
> That makes the situation incredibly frightening and dangerous.
This is almost the most amazing post on xda. :good:
Could you kindly prove that the Google Factory Image is safe? Otherwise I would advise you destroy your handset immediately as it's probably not safe.
zelendel said:
> He has done a lot to earn my trust. You would know that had you been around as long as I have been.
I've been around longer than you. Try again.
> I am fully aware of the first root. And the reasons behind him stopping its development. The only ones that I am aware of that were even using it were CM and they are almost as much of a joke as MIUI.
I won't argue with CM being a joke, but MOST people used Koush's superuser up until they were stopped by selinux.
> I am fully aware of what you are working on and to be honest not something I or many others would even use as you are unknown and to be honest not really trusted. Maybe after you have been around a while more people will put faith in you and your projects. Not to mention your attitude is enough to make many not bother with it.
Speak for yourself, but don't you DARE to speak for others.
As far as the trustworthiness of my work goes... go ahead and AUDIT IT. The code speaks for itself.
> Root is a security risk. Just ask any real developer.
I ask myself. Answer is that you have no idea what you are talking about.
> Even Google is making things like root harder to obtain because they see the risk. But to be honest as I have already said "Mobile security is an illusion". If I was truly worried about security I would not unlock my bootloader or bother with rooting.
Google is correctly worried about the dangers of binary root. As YOU should also be.
> Now we can argue this back and forth and never get anywhere. So we can end this here.
Only because you have degenerated into personal attacks rather than rational argument.
---------- Post added at 06:07 PM ---------- Previous post was at 06:05 PM ----------
Amos91 said:
> This is almost the most amazing post on xda. :good:
> Could you kindly prove that the Google Factory Image is safe? Otherwise I would advise you destroy your handset immediately as it's probably not safe.
I can't prove that google factory image is safe. I can make a strong argument to suggest that it most likely is, and I can prove that AOSP is safe.
FYI: I use a Nexus, so I'm not limited to factory images, as implied by your last sentence.
Well, I'm no techie, I'm just an end-user of other people's talented work, but I'm with doitright on this one. I have trusted Chainfire for years - I have a number of his apps on my device, all of them paid for even though most work perfectly as free apps, simply because I do trust his work. Even if it's closed source black box stuff, he has always appeared to be a straight-up guy.
Still, once the black box passes into company ownership, at that point my trust ends. Companies are not charities hoping for donations. They want some return on whatever investment they've put into taking over SuperSU. Bottom line, I don't trust companies - and yes, that does include Google or Alphabet or whatever piece owns Android these days. I live with the knowledge that I am the product - my choice.
It's also my choice to opt for an open-source solution over a black box one. If doitright's superuser can be audited by people who know what they're looking at (I don't) then that'll do it for me.
And as an afterthought, yes, doitright is a spiky character. So is Torvalds. So what? As long as he comes up with the goods I have no problem with it. He comes across as passionate, doesn't suffer fools gladly (and that is just a saying, I'm not referring to any posters), and since I'm pretty much the same, if a bit more politic in the way I write, I can't criticise that...
doitright said:
> Feel free to use whatever you like. But don't go recommending to somebody that they take dangerous risks that are unnecessary
Risk = Chance * Effect.
doitright said:
> I've been around longer than you. Try again.
> I won't argue with CM being a joke, but MOST people used Koush's superuser up until they were stopped by selinux.
> Speak for yourself, but don't you DARE to speak for others.
> As far as the trustworthiness of my work goes... go ahead and AUDIT IT. The code speaks for itself.
> I ask myself. Answer is that you have no idea what you are talking about.
> Google is correctly worried about the dangers of binary root. As YOU should also be.
> Only because you have degenerated into personal attacks rather than rational argument.
> ---------- Post added at 06:07 PM ---------- Previous post was at 06:05 PM ----------
> I can't prove that google factory image is safe. I can make a strong argument to suggest that it most likely is, and I can prove that AOSP is safe.
> FYI: I use a Nexus, so I'm not limited to factory images, as implied by your last sentence.
I only speak for the developers I have talked to about using your root set up instead of chains. Got the same answer from all of them.
As for being around longer than me in the modding area. I would put a bet on that. I have been modding phones before a smart phone was even a thought.
You were the first to throw insults. As seems to be your way. Anyone that doesn't agree with you is called a fool or otherwise.
Nope you are right. I have no idea what I'm talking about. Now excuse me I have some bugs to fix thanks to Google messing things up.
Hi,
Many people are more and more concerned about privacy and security. The goal of this post is not to hear that people concerned about security and privacy should run stock.
Many threads over internet, over xda and reviews in Play are spreading assumptions about the security concerns since SuperSU is taken by an unknown, discreet and rather secret organisation, CCMT.
We all know the concerns spread over King root in the past.
There are no clarifications either from Chainfire or CCMT about their privacy policy. The supersu.com site has no indications about any physical identity or headquarters. There is no mention of any privacy policy statement. Any post related to these questions in other threads is wiped by mods as out of topic.
Many people over the years never trusted SuperSU as an app, but rather a human known as Chainfire. His reputation over xda community made him above any questioning.
Now, the privacy concerns around a so powerful application rely on a new owner: CCMT. The new owner is secret, has no physical identity, no previous reputation, no nationality and no privacy policy at all. It is releasing new GUI versions that even Chainfire states he is not aware of.
So, like many people, I am questioning myself about CCMT, their origin and their privacy policy. Over the years, I never thought a second to question on Chainfire, but, like many, I feel the right to ask it now.
I am expecting from this thread more clarifications about basic things: CCMT identity, headquarters, privacy policy, national affiliations (Europe / US vs Asia...)... so that anyone can decide to trust them or not.
Phil3759 said:
> Many people over the years never trusted SuperSU as an app, but rather a human known as Chainfire. His reputation over xda community made him above any questioning.
I can't agree more about this. That may be why lots of SuperSU users become worried after this transaction.
As far as I know, Whois says SuperSU.com belongs to a company in Hangzhou, China. And as a Chinese, I see many local SuperSU users hurrying to rollback or uninstall SuperSU. If CCMT is really a company from my country, I deeply understand their anxiety, because that's something related to the whole Chinese software industry:
The most renowned Chinese companies, like Tencent (Wechat, QQ, etc), Baidu, Alibaba (Alipay, etc), Qihoo (360 security, etc), Kingsoft (CleanMaster apps, not that CM for CyanogenMod), run the same strategies, that is to make free, but heavily bundled, bloated, privacy-peeking apps. Some even require hundreds of permissions, run hundreds of services and/or activities, install bloated apps automatically, or open camera to take photos in the background. And they will do another clean version for Play Store for foreigners. So you won't experience that disaster, but in China thanks to GFW we can't use Play Store, but to download apps from other unofficial sources.
If CCMT is really Chinese, they, however I must point out, seem not to do anything far-fetched in the new release. SuperSU seems as pure as it used to be. And I believe a new company can't afford the risk to do that thing worldwide right after it takes off.
If CCMT is not Chinese, or wherever it is located, there's still a possibility that SuperSU may be used to do something we dislike. We can remain cautious for a period of time. But we also have to be aware that this decision was carefully made by Chainfire, and CCMT was introduced by XDA leadership. None of them want to see things go wrong.
But, yeah, I want to know more about CCMT too. It's indeed weird to see such an invisible company buy SuperSU.
Phil3759 said:
> Hi,
> Many people are more and more concerned about privacy and security. The goal of this post is not to hear that people concerned about security and privacy should run stock.
> Many threads over internet, over xda and reviews in Play are spreading assumptions about the security concerns since SuperSU is taken by an unknown, discreet and rather secret organisation, CCMT.
> We all know the concerns spread over King root in the past.
> There are no clarifications either from Chainfire or CCMT about their privacy policy. The supersu.com site has no indications about any physical identity or headquarters. There is no mention of any privacy policy statement. Any post related to these questions in other threads is wiped by mods as out of topic.
> Many people over the years never trusted SuperSU as an app, but rather a human known as Chainfire. His reputation over xda community made him above any questioning.
> Now, the privacy concerns around a so powerful application rely on a new owner: CCMT. The new owner is secret, has no physical identity, no previous reputation, no nationality and no privacy policy at all. It is releasing new GUI versions that even Chainfire states he is not aware of.
> So, like many people, I am questioning myself about CCMT, their origin and their privacy policy. Over the years, I never thought a second to question on Chainfire, but, like many, I feel the right to ask it now.
> I am expecting from this thread more clarifications about basic things: CCMT identity, headquarters, privacy policy, national affiliations (Europe / US vs Asia...)... so that anyone can decide to trust them or not
I also trust Chainfire and Xda but what about the future when Chainfire has nothing to do anymore with SuperSu? I prefer SuperSu because it's simply the best superuser for Android devices and Chainfire was always the first to root new devices but when Chainfire leaves SuperSu I'm seriously thinking to remove SuperSu and going for an opensource Superuser as PHH Superuser.
I really hope CCMT is a good and fair company but there are lots of bad examples where good apps are sold to questionable companies for example Quickpic and Cheetah mobile.
Thanks to Chainfire for the years of development on SuperSu and I respect your decision.
Sent from my lightning fast SM-G930F (S7)
I have to agree I find the whole thing to be shady as **** pardon my French, everything that surrounds it lately is pointing towards them not being a trustworthy entity, I have always trusted chainfire, he has been a stand up guy but money talks, obviously he has signed a nda so he can't disclose anything related to this, what I find shady imo is they are going far out of their way to make their identity hidden, when the company/acquisition was first announced by @Chainfire they were supposed to be a trustworthy company who has built root apps that "everyone" has used in the past. Just a quick glance at their website and Google plus you can tell they are not native English speaking people, not that there is anything wrong with that, but it solidifies the only info that we know is that the domain is located in China, so most likely the owners do as well, we all know how bad China is for security/privacy.
There is a couple rumors going around that the actual owner of ccmt is Josh the xda owner/admin. If that is true then just tell the community it will save yourself a lot of trouble, many developers etc are already working on alternatives to supersu because of the way this had been handled.
To put it frankly and to c/p Phil we the millions of root users would like to know..
CCMT identity, headquarters, privacy policy, national affiliations (Europe / US vs Asia...)... so that anyone can decide to trust them or not
Without this information you are basically admitting you are an untrustworthy company and shouldn't be trusted with literally uncontrollable access to millions of root users devices.
I say uncontrollable because supersu modifies and reloads the sepolicy at will and can literally do anything it wants without user consent.
This is why this is such a big deal!!!!
Ps- to xda let's keep this discussion open.
BeansTown106 said:
> I have to agree I find the whole thing to be shady as **** pardon my French, everything that surrounds it lately is pointing towards them not being a trustworthy entity, I have always trusted chainfire, he has been a stand up guy but money talks, obviously he has signed a nda so he can't disclose anything related to this, what I find shady imo is they are going far out of their way to make their identity hidden, when the company/acquisition was first announced by @Chainfire they were supposed to be a trustworthy company who has built root apps that "everyone" has used in the past. Just a quick glance at their website and Google plus you can tell they are not native English speaking people, not that there is anything wrong with that, but it solidifies the only info that we know is that the domain is located in China, so most likely the owners do as well, we all know how bad China is for security/privacy.
> There is a couple rumors going around that the actual owner of ccmt is Josh the xda owner/admin. If that is true then just tell the community it will save yourself a lot of trouble, many developers etc are already working on alternatives to supersu because of the way this had been handled.
> To put it frankly and to c/p Phil we the millions of root users would like to know..
> CCMT identity, headquarters, privacy policy, national affiliations (Europe / US vs Asia...)... so that anyone can decide to trust them or not
> Without this information you are basically admitting you are an untrustworthy company and shouldn't be trusted with literally uncontrollable access to millions of root users devices.
> I say uncontrollable because supersu modifies and reloads the sepolicy at will and can literally do anything it wants without user consent.
> This is why this is such a big deal!!!!
> Ps- to xda I know you helped facilitate this sale, and are probably gonna delete my message to cover this up (this is gonna be posted on Twitter and g+ as well) I should probably say goodbye to my recognized titles as well huh? But honestly this is scary **** and seriously one of the biggest security concerns the development Community has ever seen. Before u delete this just think of how many times you guys closed kingroot threads when honestly supersu could be owned by kingroot/cheetah/etc and nobody knows.
Couldn't have said it better myself, beans.
BeansTown106 said:
> I have to agree I find the whole thing to be shady as **** pardon my French, everything that surrounds it lately is pointing towards them not being a trustworthy entity, I have always trusted chainfire, he has been a stand up guy but money talks, obviously he has signed a nda so he can't disclose anything related to this, what I find shady imo is they are going far out of their way to make their identity hidden, when the company/acquisition was first announced by @Chainfire they were supposed to be a trustworthy company who has built root apps that "everyone" has used in the past. Just a quick glance at their website and Google plus you can tell they are not native English speaking people, not that there is anything wrong with that, but it solidifies the only info that we know is that the domain is located in China, so most likely the owners do as well, we all know how bad China is for security/privacy.
> There is a couple rumors going around that the actual owner of ccmt is Josh the xda owner/admin. If that is true then just tell the community it will save yourself a lot of trouble, many developers etc are already working on alternatives to supersu because of the way this had been handled.
> To put it frankly and to c/p Phil we the millions of root users would like to know..
> CCMT identity, headquarters, privacy policy, national affiliations (Europe / US vs Asia...)... so that anyone can decide to trust them or not
> Without this information you are basically admitting you are an untrustworthy company and shouldn't be trusted with literally uncontrollable access to millions of root users devices.
> I say uncontrollable because supersu modifies and reloads the sepolicy at will and can literally do anything it wants without user consent.
> This is why this is such a big deal!!!!
> Ps- to xda I know you helped facilitate this sale, and are probably gonna delete my message to cover this up (this is gonna be posted on Twitter and g+ as well) I should probably say goodbye to my recognized titles as well huh? But honestly this is scary **** and seriously one of the biggest security concerns the development Community has ever seen. Before u delete this just think of how many times you guys closed kingroot threads when honestly supersu could be owned by kingroot/cheetah/etc and nobody knows.
If Beans' post gets deleted, it's gotta make you think.
BeansTown106 said:
> Ps- to xda I know you helped facilitate this sale, and are probably gonna delete my message to cover this up (this is gonna be posted on Twitter and g+ as well) I should probably say goodbye to my recognized titles as well huh? But honestly this is scary **** and seriously one of the biggest security concerns the development Community has ever seen. Before u delete this just think of how many times you guys closed kingroot threads when honestly supersu could be owned by kingroot/cheetah/etc and nobody knows.
Recognized titles are not based upon arbitrary criteria - your title is based on your achievements and contributions, not whether you agree with people or not.
I wrote an article on the portal discussing the merits of open source in superuser apps. I don't think there's a massive conspiracy here to be honest.
My personal view on the situation is that the community can and should simply take this as a good reason to get together and write a better, open-source superuser app. Go on out there, and let's do it right. There's projects working on it, so let's all get in behind those, and let's get functional parity? If this is something you believe in, let's make it happen? Awesome opportunity to learn a lot about the underlying workings of android and selinux as well.
pulser_g2 said:
Recognized titles are not based upon arbitrary criteria - your title is based on your achievements and contributions, not whether you agree with people or not.
I wrote an article on the portal discussing the merits of open source in superuser apps. I don't think there's a massive conspiracy here to be honest.
My personal view on the situation is that the community can and should simply take this as a good reason to get together and write a better, open-source superuser app. Go on out there, and let's do it right. There's projects working on it, so let's all get in behind those, and let's get functional parity? If this is something you believe in, let's make it happen? Awesome opportunity to learn a lot about the underlying workings of android and selinux as well.
Couldn't agree more.
I've said it before; Anything can be sold to anybody and we shouldn't care. But when we specifically ask for who is/are the guys that take complete control of our devices over a night and they specifically go out of their way to not answer a simple question, it blatantly shows that they don't want to tell us something. It's so simple.
I'm all in for an opensource alternative and I will try to help as much as I can.
pulser_g2 said:
Recognized titles are not based upon arbitrary criteria - your title is based on your achievements and contributions, not whether you agree with people or not.
I wrote an article on the portal discussing the merits of open source in superuser apps. I don't think there's a massive conspiracy here to be honest.
My personal view on the situation is that the community can and should simply take this as a good reason to get together and write a better, open-source superuser app. Go on out there, and let's do it right. There's projects working on it, so let's all get in behind those, and let's get functional parity? If this is something you believe in, let's make it happen? Awesome opportunity to learn a lot about the underlying workings of android and selinux as well.
I hear ya, just didn't know what would/could happen to me if I spoke out on this topic, it seems anyone who voices their opinion in the ccmt thread has been getting deleted. I understand that there is a good chance nothing shady is going on. But at the same time to completely hide anything about yourself or your company and form a new company just to stay "secret" raises some big flags. I would have to say the chances are greater of there being something fishy going on than not 60/40%? Maybe lol.
But on your topic of an open source superuser I fully agree that is what we should all start doing, even if people are not skilled to contribute a lot, contribute little bits that you know, and help review code/audit it as well.
I'm on vacation right now but I plan on looking into the open source superuser when I get home.. This is obviously something I will do and I'm sure a lot of others will do, but it sadly doesn't help the millions of users on SuperSU right now, which is the scary part.. I just think without demanding info we will never get any, and this is SOMETHING we should definitely have more info on
KreAch3R said:
I've said it before; Anything can be sold to anybody and we shouldn't care. But when we specifically ask for who is/are the guys that take complete control of our devices over a night and they specifically go out of their way to not answer a simple question, it blatantly shows that they don't want to tell us something. It's so simple.
I'm all in for an opensource alternative and I will try to help as much as I can.
This. Money talks and I don't have anything against chainfire selling supersu, but when the company is doing everything they can to hide themselves we have problems considering every android user post what android 4.0+ is using superSU minus a handful or two.
Personally, I'm hoping some of our awesome devs around here might pick up the challenge and create an alternative. If the community isn't happy with the present situation, well, xda is all about changing situations when it comes to our devices.
Time will tell where this all goes, but I definitely find lack of faith disturbing, and I have faith an alternative will come.
Let's hop on this. PM your github username if you want in.
https://github.com/FOSSUC
BeansTown106 said:
I hear ya, just didn't know what would/could happen to me if I spoke out on this topic, it seems anyone who voices their opinion in the ccmt thread has been getting deleted. I understand that there is a good chance nothing shady is going on. But at the same time to completely hide anything about yourself or your company and form a new company just to stay "secret" raises some big flags. I would have to say the chances are greater of there being something fishy going on than not 60/40%? Maybe lol.
But on your topic of an open source superuser I fully agree that is what we should all start doing, even if people are not skilled to contribute a lot, contribute little bits that you know, and help review code/audit it as well.
I'm on vacation right now but I plan on looking into the open source superuser when I get home.. This is obviously something I will do and I'm sure a lot of others will do, but it sadly doesn't help the millions of users on SuperSU right now, which is the scary part.. I just think without demanding info we will never get any, and this is SOMETHING we should definitely have more info on
I would rather stay neutral on the matter (as with most things), and since I'm not aware of the situation (don't spend as much time on here following the news as I used to), I don't feel in a position to discuss or speculate. I'd be tempted to mention Hanlon's Razor, but as I say I haven't followed things.
What I would say from a business perspective is that forming companies for new reasons isn't entirely unusual. In fact it can be a good idea. I would form a new company for any major new "product" - it's considerably easier to do that, than to attempt to transfer the rights to something between separate companies.
If you have any specific concerns about anything untoward, please do drop me a PM so I can look into it.
pulser_g2 said:
I would rather stay neutral on the matter (as with most things), and since I'm not aware of the situation (don't spend as much time on here following the news as I used to), I don't feel in a position to discuss or speculate. I'd be tempted to mention Hanlon's Razor, but as I say I haven't followed things.
What I would say from a business perspective is that forming companies for new reasons isn't entirely unusual. In fact it can be a good idea. I would form a new company for any major new "product" - it's considerably easier to do that, than to attempt to transfer the rights to something between separate companies.
If you have any specific concerns about anything untoward, please do drop me a PM so I can look into it.
It's not about who owns it, it is about why so many secrets, why no country of origin, why no privacy policy. There are no references despite they were claimed. Also, we all felt some frustration in Chainfire posts when CCMT released versions he is not aware of.
A superuser app must be from a completely trustful source. Even Chainfire mentioned that, if he wanted, he could exploit root to his will. He was honest and trustful.
We still have a good app, but no more a trustful source, that is the issue.
Until the situation is clarified, I feel legitimate that a site like xda officially warns about security concerns with the current app. It won't be fair else that kingroot was banned for the same reasons.
Phil3759 said:
It's not about who owns it, it is about why so many secrets, why no country of origin, why no privacy policy. There are no references despite they were claimed. Also, we all felt some frustration in Chainfire posts when CCMT released versions he is not aware of.
A superuser app must be from a completely trustful source. Even Chainfire mentioned that, if he wanted, he could exploit root to his will. He was honest and trustful.
We still have a good app, but no more a trustful source, that is the issue.
Until the situation is clarified, I feel legitimate that a site like xda officially warns about security concerns with the current app. It won't be fair else that kingroot was banned for the same reasons.
Can you hit me up on Telegram? Telegram @nolanroell
Looks like it's a company in Beijing, Chinese users are concerned too (link in Chinese).
As a matter of fact, I don't trust any software from such a company who tried so hard (but not successfully) to hide their identity, especially with root access.
Now Google Play is auto-updating to 2.78 and I have no way of keeping 2.76 unless I disable all auto-update... Shady business. Reverting to stock now.
fhfuih said:
I can't agree more about this. That may be why lots of SuperSU users become worried after this transaction.
As far as I know, Whois says SuperSU.com belongs to a company in Hangzhou, China. And as a Chinese, I see many local SuperSU users hurrying to roll back or uninstall SuperSU. If CCMT is really a company from my country, I deeply understand their anxiety, because that's something related to the whole Chinese software industry:
The most renowned Chinese companies, like Tencent (Wechat, QQ, etc), Baidu, Alibaba (Alipay, etc), Qihoo (360 security, etc), Kingsoft (CleanMaster apps, not that CM for CyanogenMod), run the same strategies, that is to make free, but heavily bundled, bloated, privacy-peeking apps. Some even require hundreds of permissions, run hundreds of services and/or activities, install bloated apps automatically, or open the camera to take photos in the background. And they will do another clean version for Play Store for foreigners. So you won't experience that disaster, but in China thanks to GFW we can't use Play Store, and have to download apps from other unofficial sources.
If CCMT is really Chinese, they, however I must point out, seem not to do anything far-fetched in the new release. SuperSU seems as pure as it used to be. And I believe a new company can't afford the risk to do that thing worldwide right after it takes off.
If CCMT is not Chinese, or wherever it is located, there's still a possibility that SuperSU may be used to do something we dislike. We can remain cautious for a period of time. But we also have to be aware that this decision was carefully made by Chainfire, and CCMT was introduced by XDA leadership. None of them want to see things go wrong.
But, yeah, I want to know more about CCMT too. It's indeed weird to see such an invisible company buy SuperSU.
mycnam said:
Looks like it's a company in Beijing, Chinese users are concerned too (link in Chinese).
As a matter of fact, I don't trust any software from such a company who tried so hard (but not successfully) to hide their identity, especially with root access.
Now Google Play is auto-updating to 2.78 and I have no way of keeping 2.76 unless I disable all auto-update... Shady business. Reverting to stock now.
I saw that thread this morning when I hang around v2ex. The company is indeed very shady.
I remember you should be able to disable auto-update in Play Store and you can still use Chainfire's link https://download.chainfire.eu/supersu-stable to download 2.76 by now.
First I was against magisk because we have superior supersu systemless root. Now I'm glad that @topjohnwu did it.
Going to give a try for phh superuser and magisk. Byebye SuperSU Chinese malware!
BeansTown106 said:
This. Money talks and I don't have anything against chainfire selling supersu, but when the company is doing everything they can to hide themselves we have problems considering every android user post what android 4.0+ is using superSU minus a handful or two.
Let me play Devil's Advocate for a second...rooting your phone and leaving it rooted is like leaving your doors not only unlocked but wide open. So say a hacker steals your identity...and you get a fancy lawyer that blames it on your device being rooted...and decides to sue (SU?) the creator of Supersu..or worse creates a class action suit for not making it with better firewalls to prevent this...there are no warnings posted when you root your phone. I am surprised Chainfire didn't spend every day in court because of idiot lawyers. Here is a fine example of that stupidity. So why not protect yourself from that stupidity with a corporation? And make it a little difficult to find out who is behind it? Not saying I like not having an open presence on XDA...but maybe that is still coming. Let's hope and I understand everyone's concerns. I have faith in Chainfire that he would choose a buyer that would not sully his reputation or harm us, the users.
Now as @pulser_g2 stated this is a chance for the community to come together...all the great devs at XDA's disposal, to create an XDA homegrown root solution. This is just the sort of thing that can make XDA great again in this time of locked bootloaders and declining development. So...let's make it happen!
I live in the beautiful country of Russia, but we have a big security problem. If someone perceives the right to freedom of speech, prescribed in the Constitution of the country literally, then he may face big problems.
Hence, the decision was made to create a security build for mobile devices. First of all, smartphones.
I have a few questions for the distinguished community.
1. Can native encryption of Android smartphones be hacked?
2. {Mod edit}
3. Is it possible to protect the basic data of the SIM card from physical access, possibly using some kind of manipulation? Or make a remote SIM card? Or just scrubbing data off the surface? Or glue it tightly so that the chip will die when removed?
4. Virtualization on an android smartphone, our people are poor, not everyone can afford to buy a second device for private conversations.
5. Is it possible to download an android from a SD card, like a live CD?
6. Is it possible to effectively protect traffic from IP leaks through Tor? On stationary PCs, it turned out to be the most expedient to use Whonix, how are things going on android?
7. Is it possible to carry out all these manipulations, or can some of them be carried out without having root-rights on the device? The goal is to create an efficient and easy-to-use security build for the general public.
If you can answer at least some of the questions, I am very grateful in advance.
Welcome to the XDA Forums! I would be happy to answer your questions.
1. Not likely but an experienced person in data decryption could do it, I don't know any specific details.
2. {Mod edit}
3. Some phones have the eSim feature which cannot be removed and are not a physical card.
4. Some phones have dual apps and a privacy lock.
5. Android x86 is a live CD version for PCs
6. Maybe an app can perform what you're asking.
7. Root would be needed for no 2.
1. Yes, it can. However, with a threat model like a nation state actor, smartphone security has almost always been subpar because your phone mostly operates with the keys in memory for convenience. This can be mitigated by shutting down the phone in high risk environments.
2. IMEI can be spoofed using XPrivacyLua
3. Just get a burner phone/prepaid SIM, that will eliminate most headaches.
4. Virtualization does exist, but for a low powered arm processor in comparison to a PC probably isn't a good idea.
5. ROMs? That's probably what you're looking for.
6. Use TOR apps if you need to reach the web, otherwise I2P apps are good for preventing your IP from the outside world.
7. Yes for most except for IMEI spoofing. Take a look at GrapheneOS and CalyxOS, they're good starting points. Also, Whonix is only good if you're not using a compromised host (ditch Windows, go for Qubes, will work best with TPM and IOMMU support + VT-X/AMD-V (virtualization extensions))
Hmm welp. I'm not sure that much scrutiny would be needed but your choice..
High stakes situations are my specialty. If they're living in a repressive regime, security and privacy are paramount. Their call though.
razercortex said:
High stakes situations are my specialty. If they're living in a repressive regime, security and privacy are paramount. Their call though.
Well when I'm in an unstable political regime, I’ll make sure to grab your advice first
Keno_I said:
1. Not likely but an experienced person in data decryption could do it, I don't know any specific details.
2. {Mod edit}
3. Some phones have the eSim feature which cannot be removed and are not a physical card.
4. Some phones have dual apps and a privacy lock.
5. Android x86 is a live CD version for PCs
6. Maybe an app can perform what you're asking.
7. Root would be needed for no 2.
1. The details are just important. The stakes are high. We had the story of Golunov, his phone could not be deciphered for a year. Or they are trying to convince us of this. However, personal experience suggests that our technology is bad.
2. Getting root is dangerous for an inexperienced user. I would like to avoid this. I will do it for myself, but whether others will be able to repeat it is a big question. You can get root using virtualization on an android. But I failed to encrypt such a system. It is very tempting: one is open, and in it the second is an encrypted container with all the necessary software and imei substitution. Perhaps even without encrypting the container, this is the solution to all problems. But it's better to learn how to encrypt it. Then the security build is suitable for weaker devices, which is important. For reference, the virtualization application is called VMOS pro. Throws a SIM card and changes imei.
3. I heard about eSim, but these are not cheap models. Well, and the question of practical applicability, is it possible to take out eSim data by pressing one button, or by a script, after receiving an SMS?
4. How is it? Open source? It is necessary that the clone of the application does not leave "tails", for example a browser.
5. Working with a PC deprives you of mobility. With pc the issue has already been resolved in the first approximation.
6. Maybe. On Windows, for example, my IP was periodically gone. Whatever I do. Solved only through Whonix.
Well, I had a small phone-sized laptop that had BitLocker drive encryption and an encryption software for my apps and files.
I had also edited Windows to disable my computer connecting to Microsoft's servers.
For an untraceable portable device I liked that.
I went through a paranoia period after an incident.
Don't use bitlocker, use veracrypt or dm-crypt on gnu/Linux, BSD is even better.
razercortex said:
Don't use bitlocker, use veracrypt or dm-crypt on gnu/Linux, BSD is even better.
Well I wanted to install kali anyway..
Moderator Announcement!
I've cleaned the thread from questions and replies regarding the change/edit of IMEI, which is illegal in quite a few countries.
We don't allow discussions or support in this matter.
XDA Forum Rules (excerpt):
...
9. Don't get us into trouble.
Don't post copyrighted materials or do other things which will obviously lead to legal trouble. If you wouldn't do it on your own homepage, you probably shouldn't do it here either. This does not mean that we agree with everything that the software piracy lobby try to impose on us. It simply means that you cannot break any laws here, since we'll end up dealing with the legal hassle caused by you. Please use common sense: respect the forum, its users and those that write great code.
...
Oswald Boelcke said:
Moderator Announcement!
I've cleaned the thread from questions and replies regarding the change/edit of IMEI, which is illegal in quite a few countries.
We don't allow discussions or support in this matter.
XDA Forum Rules (excerpt):
Sorry about that, I honestly answered the questions.
About the size of a phone? What kind of model is this?
Oswald Boelcke said:
Moderator Announcement!
I've cleaned the thread from questions and replies regarding the change/edit of IMEI, which is illegal in quite a few countries.
We don't allow discussions or support in this matter.
XDA Forum Rules (excerpt):
I'm sorry, I inadvertently broke your rules. It's just that in Russia changing IMEI is legal. It's funny, but everything I said above is legal here, including criticism of the government.
It's just that we can't get on the sight, otherwise they just throw two cartridges and goodbye Ivan)
What about virtualization? I installed VMOS Pro and raised the virtual Android over the real one. In a virtual different IMEI, would it be illegal in the US? Perhaps topics about virtualization should be avoided too?
Zero figgis from archer