Greetings All
Having played with android now for some time Im am suprised that nobody that I am aware of is offering any true full disc encryption for Android.
There are "Security Suites" that offer remote wipe etc but I myself dont consider this to be true security.
RIM has offered full disc encryption and wipe to disc capability for years. Yet Android still doesnt truly have this capability (I am aware the latest versions do have weak so called encryption capability). Android devices certainly have the power to run encryption.
And with Whyspersys having been acquired by Twitter that doesnt seem to be a viable option any longer. Besides, they only really offered encryption for two models of phones.
There has been a DARPA request for this, so somebody must be working on it....
So, my questions are:
Why isnt there any stand alone encryption software available? It cant be that hard to create given that its already been available on other types of handsets that could be considered inferior and less powerful. Blackberry handsets have had full disc encryption with wipe to disc capability for years.
Why havent the larger companies (ie symantec etc) offered it? I believe it would be economically viable as there are many that would buy it particularly if it sold as outside of the Google Market and could be managed from the desktop.
For that matter, why hasnt some whippersnapper wrote a program say even at 168 encryption? Again, it cant be that difficult?
Perfect package in my mind would be 256 AES two fish (or 168), sold on a disc rather than the online market, and come with a desktop manager.
Thanks, for any comments-
I know there's encryption inside ICS natively, but I don't know how strong it is.
endeavour123 said:
I know there's encryption inside ICS natively, but I don't know how strong it is.
Click to expand...
Click to collapse
Not very strong or effective.
Easily defeated with cellex, celbrite, JTAG etc as is iOS etc.
Unfortunately BBerry is the only handset to offer amazing encryption and wipe to disc encryption. Which why Im amazed nobody else does, or that DARPA has to appeal to the community at large in order to solve this....
Most products address end to end encryption of calls, txt, email etc and location options.
Remote wipe is NOT a true solution if you are carrying important data for business if industrial espionage is a consideration let alone 4th Amendment rights.
I love Android devices, but still....
wallflood said:
Not very strong or effective.
Easily defeated with cellex, celbrite, JTAG etc as is iOS etc.
Unfortunately BBerry is the only handset to offer amazing encryption and wipe to disc encryption. Which why Im amazed nobody else does, or that DARPA has to appeal to the community at large in order to solve this....
Most products address end to end encryption of calls, txt, email etc and location options.
Remote wipe is NOT a true solution if you are carrying important data for business if industrial espionage is a consideration let alone 4th Amendment rights.
I love Android devices, but still....
Click to expand...
Click to collapse
To be honest no matter what you do as long as android is built using an open source platform you will never be able to compare it to a device that was made for business.
Sent from my Inspire 4G using Tapatalk 2
zelendel said:
To be honest no matter what you do as long as android is built using an open source platform you will never be able to compare it to a device that was made for business.
Sent from my Inspire 4G using Tapatalk 2
Click to expand...
Click to collapse
Could you clarify this argument? In my oppinion Open source is the key to secure encryption. The more people are able so review the source code and the encryption algorithms, the less exploits will be able to stay unfound.
zelendel said:
To be honest no matter what you do as long as android is built using an open source platform you will never be able to compare it to a device that was made for business.
Sent from my Inspire 4G using Tapatalk 2
Click to expand...
Click to collapse
I think I understand where you are coming from, but I respectfully disagree with that position.
Having been a BB user for several years, I think Android OS is superior in all ways.
But I think the OS, not having come from one company with one goal in mind, is what put Android OS in this position.
As well as the overall obsssion with the collection of tech date by companies and governments, I cant help but feel developers are actually discouraged from creating encryption programs that secure handsets and tablets-
...Interestingly, DARPA is releasing a secure version of Android OS and is open source so the public can view it.
And the NSA is revealing its SE Android, also open source.
But these versions of the OS focus on being able to store and transmit.recieve classified information.
They also focus on limiting permissions of apps.
For general public use (and Enterprise use) it would be nice to just have a system that was encrypted to disc, and could wipe to disc-
I Know
Please use the Q&A Forum for questions &
Read the Forum Rules Ref Posting
Thanks ✟
Moving to Q&A
Please elaborate
Not very strong or effective.
Easily defeated with cellex, celbrite, JTAG etc as is iOS etc.
Unfortunately BBerry is the only handset to offer amazing encryption and wipe to disc encryption. Which why Im amazed nobody else does, or that DARPA has to appeal to the community at large in order to solve this....
Most products address end to end encryption of calls, txt, email etc and location options.
Remote wipe is NOT a true solution if you are carrying important data for business if industrial espionage is a consideration let alone 4th Amendment rights.
Click to expand...
Click to collapse
Not sure where your info is coming from.
As of Android 2.3.4 device encryption has been available. Granted most manufactures didn't implement the ability very quickly. I have two GB devices niether give me an option to encrypt my device on the stock ROMs, but some did. I am running 4.1.2, and encryption is as full as it gets. If I boot into CWM recovery I can adb into a minimal root shell, but the revocery partition doesn't "see" any of the actual data. I think this suffices. As far as circumventing this encryption, I don't think a JTAG or cellebrite will help you with this. As of Android 3.0 (tablet only I know...) the encryption standard is 128 bit AES, I wish they would have used 256 bit...but whatever. No doubt Android is late in the game, I just don't think they thought it necissary until the smartphone evolved to something more powerful.
Android Encryption: http://source.android.com/tech/encryption/android_crypto_implementation.html
Cellebrite: Their schtick, as far as Android and BB devices are concerned, is recovering data from a locked device, ie you forgot the password and the backup etc etc. They go out of their way to not mention the word DECRYPTION when talking about Android or BB. I say this because in thier iOS section, they repeatedly mention their ability to DECRYPT the device data on the fly. So again it would appear to me that, for Android, they use some custom revocery ROMs and adb to revocer UNENCRYPTED data (with their special hardware).
in fact this is from Cellebrite themselves:
for ALL Android OS versions including Android 4.X (Ice Cream Sandwich). Physical extraction for any locked device is only available if the USB debugging has been switched on
Click to expand...
Click to collapse
Cellebrite on Android: http://www.cellebrite.com/forensic-solutions/android-forensics.html
Encryption is encryption, if it uses AES, as far as I know you have to be able to crack AES to get at the data once it's encrypted.
You need the password, or brute force, OR find a weakness in the algorithm.
If you're that worried, find another way to transport/store your private data. Companies with this much at stake are stupid to entrust sensitive data to any of these devices in any of their current states. For you and me, I don't think yo uneed to worry about your stuff that much. This is like the old adage that locks keep honest people honest. Most people find a phone, maybe try a few cheap easy tricks and wipe if they fail. Although AES is considered safe against brute force, if you need more, use truecrypt with hidden partitions or something like this and a real computer. Even then....
Related
Hello! to anyone who might read this
First off, let me tell you a tiny bit about myself (Bare with me here).
My name is Christian, I'm 19 and I'm an intern at an IT-section. I've been working here for a year already - Each year interns are to write two individual papers about different subjects. My last paper was a virtual Windows Server 2003 Server Park Environment for another company. This year my first paper is on Android.
My place of work supports other workplaces, such as schools, the hospital, social workers, basically everything. With next-gen phones and new OS' out - Naturally, we're upgrading. The question is what OS to go with. That's why I was asked to create a paper on Android, showing how a work-phone could be. Not all of the details have been planned out yet, but it goes something like this:
- Create a ROM with the necessary applications
- Strip the ROM of anything ..unnecessary (Could be anything, Gapps even).
- Choose/Develope a Launcher that can work pretty much out-of-the-box without having to customize too much.
That's pretty much all the information I've been given for now. I've been given a HTC Desire to 'play around with'. I've been told we're going to have a meeting about it soon. The reason I'm creating this thread is to give myself sort of a roadmap, I guess. And I'd love your opinions on how I can best do this, what I should base my ROM on and anything else you might think I need to know.
Peace.
It's a great idea for a workplace to go with android for employees given the ability to create more secure levels of access since it's based on linux. Also the ability to tailor the OS and UI to suite the needs of the business are something that's desired more and more these days. The downfalls you'll have to overcome are battery power (stripped down OS could nix that) and the fact that most companies will lean more towards Blackberry for two main reasons.
First is security, lets face it, Google is the internet for the most part and a lot of people fear the unknown such as where does their data go and what's done with it. Is it erased (securely)? Is it shared and what about data leaks?
Also, even though I love Android, for a business setting Blackberry has everything right. Android lacks in the 'push' area by a longshot and (from what I've seen) Blackberry supports more email protocals. Let's not forget when you're emailing all day or writing a paper a physical keyboard is more desired, a lot of Android phones lack that.
If the correct phones were chosen and (with a custom ROM and apps) the right measures were taken to address the push issue, plus maybe some sort of native encryption to ease security concerns - I think you could make a very valid argument to use Android phones for their employees. Android beats the othe OS types by a longshot, you just have to address those small but major issues.
Using Android as platform for devices inside an organization makes a lot of sense.
I disagree with KCRic about the superiority of BlackBerry on push and mail systems compatibility. Remember that BB requires you to use a secondary server to "translate" your Exchange, Notes, GroupWise or whatever you have to the devices.
Agree 100% in terms of the keyboard issue.
Something Android has on its side is that Google is the internet. Android was designed from the bottom up to be a "connected" platform. This means mobile devices with ample access to databases and hosted applications. If a business is still wondering if the data on the cloud is the solution, they may not be here on the next decade.
Believe me, you don't find many devices with VPN support, something that is already supported on most Android ROMs. Secure connections and a secure local storage can be easily achieved, the tools are already there.
Think also not only on phones but many other devices (tablets, kiosks, etc) that can benefit from this idea.
I think the major obstacle will be to convince the service provider to let your organization put customized ROMs on the devices. They will panic. Maybe if your agreement says that you provide the support. I already have to go through some of this (on a different initiative) and it is not easy.
KCRic was right about blackberry .... was. The Droid Pro puts that puppy to bed for good, I think. To the OP, your company needs to take back that desire and get ahold of a Droid pro for you. That'll be the (as of right now) best device for workplace use and give you the best launch-off point.
Sent from my DROIDX using XDA App
Thank you gentlemen, I appreciate your input!
My company will most likely be standardizing on the Desire Z as the 'top notch' phone - And some sort of first level entry phone for employees that don't need aweesomesauce features. I've begun dissecting my own ROM using dsiXDA's kitchen. If my company is going to settle on Android as a platform I will have to build the ROM from source, though. Seeing as when I'm finished with my internship someone else will have to continue development on the ROM.
Right now I'm going to dissect a couple of ROMS. My place of work wants to see which of the two fits best for us: AOSP or Sense. I'm an AOSP man myself but Sense is easier to use for 'newbies' and it's also easier to configure too look-and-work-just-like-this, if that makes sense. THANKFULLY dxiXDA's kitchen exists so the workload isn't .. ****ty just yet.
Again, thank you for your input!
zHk3R said:
Thank you gentlemen, I appreciate your input!
My company will most likely be standardizing on the Desire Z as the 'top notch' phone - And some sort of first level entry phone for employees that don't need aweesomesauce features. I've begun dissecting my own ROM using dsiXDA's kitchen. If my company is going to settle on Android as a platform I will have to build the ROM from source, though. Seeing as when I'm finished with my internship someone else will have to continue development on the ROM.
Right now I'm going to dissect a couple of ROMS. My place of work wants to see which of the two fits best for us: AOSP or Sense. I'm an AOSP man myself but Sense is easier to use for 'newbies' and it's also easier to configure too look-and-work-just-like-this, if that makes sense. THANKFULLY dxiXDA's kitchen exists so the workload isn't .. ****ty just yet.
Again, thank you for your input!
Click to expand...
Click to collapse
If you don't want the employees messing around with their phones, I'd definately exclude the Market app (Vending.apk) and include the apps of which you believe they are necessary. There's just to much crap in the market and even if it isn't meant to damage your phone, it still can do some damage if you put too much apps with the same functions on it. Experience? Yes, with my X10. The thing was damn slow until I removed a whole bunch of apps.
First off, I want to apologize if this information is either or both regurgitated and irrelevant.
I was looking for information on eMMC, and there really isn't much, and I found an old article that describes how data reliance works with eMMC. At least a cursory look.
One of the features of Reliance (and Reliance Nitro) file system is that it never overwrites live data. It will always use free space on disk or in case there is no space, it will give “disk full” error back to the application. Reliance also has a special transaction mode called “Application-controlled”. In this case, Reliance only conducts a transaction point when asked by the application.
Click to expand...
Click to collapse
Full article here. Information about integration with embedded linux, here.
What struck me was the "Application-controlled" part. It would explain the technology that is undoing changes to /system when the system kills the temp root. I wonder if its possible for temp root to trigger the "commit" function of reliance once some small changes have been made...
Hope this is of some use.
CyWhitfield said:
First off, I want to apologize if this information is either or both regurgitated and irrelevant.
I was looking for information on eMMC, and there really isn't much, and I found an old article that describes how data reliance works with eMMC. At least a cursory look.
Full article here. Information about integration with embedded linux, here.
What struck me was the "Application-controlled" part. It would explain the technology that is undoing changes to /system when the system kills the temp root. I wonder if its possible for temp root to trigger the "commit" function of reliance once some small changes have been made...
Hope this is of some use.
Click to expand...
Click to collapse
Just an FYI, system is an EXT4 FS. This would require not only a custom kernel, but a lot of one offs in the way it's dealing with data. From what I've seen, this isn't what they are using.
But that's a very good find, I am looking into some of the information. Never heard of this before.
Thanks for the info. I would love to find out more about how this memory technology works. More articles are welcome!
Isn't that basically just wear leveling?
Is your name Ben? Or are you perhaps searching on this because of a post that Ben made on HTC? His claim was that even with an unlocked bootloader, that the eMMC could still be locked and prevent us from getting root. This seems far fetched to me.
edufur said:
Is your name Ben? Or are you perhaps searching on this because of a post that Ben made on HTC? His claim was that even with an unlocked bootloader, that the eMMC could still be locked and prevent us from getting root. This seems far fetched to me.
Click to expand...
Click to collapse
In all reality, I'm thinking this is the eventuality. Sprint knows that with root access we can circumvent the WiFi tether that they want to charge you for. They would never be OK with that.
Sent from my PG86100 using Tapatalk
Just an FYI, system is an EXT4 FS. This would require not only a custom kernel, but a lot of one offs in the way it's dealing with data. From what I've seen, this isn't what they are using.
But that's a very good find, I am looking into some of the information. Never heard of this before.
Click to expand...
Click to collapse
Given that you have taken a much closer look at the inner workings than I have, I will defer to your observation with a caveat
According to wiki eMMC supports something called Reliable Write. This suggests that the reversion capability is a part of the eMMC standard. Reliance sounds more and more like a commercial implementation of this function decoupled from a specific media type. After looking it over again, nowhere in the article about Reliance is eMMC mentioned.
Isn't that basically just wear leveling?
Click to expand...
Click to collapse
Wear leveling is a byproduct of what reliable write is doing. The difference is the ability to defer commitment of file system changes, so that a failed system update wont brick the device.
I do not know if changes made to the device are immediate and revertable (i.e., if eMMC is not told to commit a write, the changes just "go away" when its remounted). Nor do I know if reversions can be made on the fly, as we are experiencing when temp root gets deactivation.
There really isn't much information out there about this that is easy to find.
Is your name Ben? Or are you perhaps searching on this because of a post that Ben made on HTC? His claim was that even with an unlocked bootloader, that the eMMC could still be locked and prevent us from getting root. This seems far fetched to me.
Click to expand...
Click to collapse
Neither. eMMC isn't "locked" per se. HTC is using some mechanism that will revert the contents of /system to a prior state when some unknown condition is met. I do not mean to suggest that this is being done through "reliable write" or "Reliance", since it has already been pointed out by someone much more knowledgable on the subject than I that a standard EXT4 file system is being used. I honestly have no idea. I found this information somewhat by accident, and thought that if it could prove useful I should share it here.
Something is dynamically protecting the contents of /system. Once the phone is rooted, I have no doubt that this "something" will be rendered quite impotent. If it were not possible to do so in the first place, OTAs wouldn't work
Sprint knows that with root access we can circumvent the WiFi tether that they want to charge you for. They would never be OK with that.
Click to expand...
Click to collapse
The first part of your statement is true, Sprint knows full well that we can circumvent their attempts to charge us for WiFi tethering with root access. They have known this for years. They also know that in reality there is no way they can completely prevent someone from tethering their phone in one way or another. Even without root access. Ref: PDANet.
In my opinion, this protection of the eMMC contents was designed to reduce support costs from failed OTA updates bricking phones, and perhaps as protection against malware that can attain root, not unlike what Temp Root does.
I am not as paranoid as some here and refuse to accept that this was done specifically to thwart efforts to root the phone. The vast (and i mean VAST) majority of people who buy this phone will never even consider rooting the devices. This same majority has a subset of people that are easily stupid enough to screw up an OTA update or download and install malware.
I will take it a step further and opine that the only reason HTC is unlocking the bootloader is because we are such a minority AND that by tinkering with an unlocked device, we are actually helping HTC improve their product. They would rather have a more appealing facebook page than worry about losing a minuscule fraction of wifi tethering income.m Moreover, take a good look at where Sprint stands in the market, and what they have done recently to improve their position. They are doing a lot of really cool things, and have taken impressive steps to improve customer service and corporate image. That they would allow this bashing of HTC to continue unabated over a handful of tethering dollars is unlikely.
I appreciate your canter, very informative. A thanks will come your way.
Sent from my PG86100 using Tapatalk
Does pdanet allow wireless tether? I didn't think it did.
Sent from my PG86100 using Tapatalk
Nutzy said:
Does pdanet allow wireless tether? I didn't think it did.
Sent from my PG86100 using Tapatalk
Click to expand...
Click to collapse
It doesn't act as a hotspot, no.
Sent from my PG86100 using XDA App
Nutzy said:
I appreciate your canter, very informative. A thanks will come your way.
Sent from my PG86100 using Tapatalk
Click to expand...
Click to collapse
Much appreciated!
Sent from my PG86100 using XDA App
So, I would be interested in hearing more thoughts on this. Is the eMMC independent of the OS? In other words, would a custom ROM have to obey and work with the eMMC? Or could a custom ROM be made to either disable the eMMC or make it do what we want?
edufur said:
So, I would be interested in hearing more thoughts on this. Is the eMMC independent of the OS? In other words, would a custom ROM have to obey and work with the eMMC? Or could a custom ROM be made to either disable the eMMC or make it do what we want?
Click to expand...
Click to collapse
I think you're misunderstanding this. The eMMC is the memory inside the device that everything is stored on. It replaced the old NAND chips in older devices.
The OS is stored & runs off of eMMC memory, it's not independent. If you were to 'turn off' the eMMC the device would do nothing. A lot of the security features available on the chip itself probably aren't in use. HTC has been using their own form of write protection since early last year, even on the NAND based Evo 4G. I'd stake a bet they're using the same system here, and we just need to find a way to flash the ENG bootloader like we did last year to get around it.
I agree with you. reliance is setup to ward against "unauthorized" changes to the /system partitions. i believe the developer community takes way too deep a look at each action made by a corporation (htc) and view them as "big brother", when infact most changes are actually approved, reviewed, and committed by someone in accounting with no technical skills whatsoever. these people are forced to look at the bigger scheme of things and make a decision about it (after working for sprint for almost 2 years now...i can tell you how many decisions are literally made by someone who has no idea what the heck he is making decisions on).
instead of looking at them "trying to stop the development community from unlocking wireless tether" look at them as a CEO (who most of the time has no technical knowledge) and a PR rep (who really only cares about how their company is viewed) and using this kind of encryption is only there to "safeguard" their devices against attacks.
one would think the secret to perm rooting the device is triggering the reliance write function so it commits the changes instead of reloading them. if /system doesnt get changed unless theres an OTA of some sorts....theres more than likely a hash table that reliance would check against to verify...so an OTA would need to write to that table first, then make the changes....
more than likely some other noob has already said something along those lines and been flamed for it as well...just throwing it out there....
newkidd said:
.........
one would think the secret to perm rooting the device is triggering the reliance write function so it commits the changes instead of reloading them. if /system doesnt get changed unless theres an OTA of some sorts....theres more than likely a hash table that reliance would check against to verify...so an OTA would need to write to that table first, then make the changes....
........
Click to expand...
Click to collapse
that stuck out in bold to me..... hmmmmmm
I probably was overlooking what eMMC was, however based on the links the user gave, I later learned a little more about its potential. It would appear that HTC is doing something along the lines of the operations expressed in the link. And if they are not fully replicating efforts, it would be a shame. I like the concept of wear leveling and efficient read/writes. It would be my hope that we could integrate all those functions within a custom rom.
I found a page on the Micron site on eMMC. In the tech notes section there are informational downloads for just one chip. Specifically, the Qualcomm QSC6695
You have to register to download them. A process I have already started. Their site claims it takes a half hour to register a new account.
Once I have the PDFs, I will attach them to the OP.
I don't know if this is the chip the evo 3d is using, but if it is these may prove beneficial to have.
EDIT: Nevermind. i'd have to sign an NDA first.
EDIT: Although, this looks interesting.
Geniusdog254 said:
A lot of the security features available on the chip itself probably aren't in use. HTC has been using their own form of write protection since early last year, even on the NAND based Evo 4G. I'd stake a bet they're using the same system here, and we just need to find a way to flash the ENG bootloader like we did last year to get around it.
Click to expand...
Click to collapse
Perhaps, but a hint at the design really tells me that it would only make sense to offload this protection to the eMMC. Posted a link just a minute ago with the eMMC "enablement" model in PDF form. Interesting read...
CyWhitfield said:
I found a page on the Micron site on eMMC. In the tech notes section there are informational downloads for just one chip. Specifically, the Qualcomm QSC6695
You have to register to download them. A process I have already started. Their site claims it takes a half hour to register a new account.
Once I have the PDFs, I will attach them to the OP.
I don't know if this is the chip the evo 3d is using, but if it is these may prove beneficial to have.
EDIT: Nevermind. i'd have to sign an NDA first.
EDIT: Although, this looks interesting.
Click to expand...
Click to collapse
VERY interesting link & read for sure
CyWhitfield said:
The first part of your statement is true, Sprint knows full well that we can circumvent their attempts to charge us for WiFi tethering with root access. They have known this for years. They also know that in reality there is no way they can completely prevent someone from tethering their phone in one way or another. Even without root access. Ref: PDANet.
In my opinion, this protection of the eMMC contents was designed to reduce support costs from failed OTA updates bricking phones, and perhaps as protection against malware that can attain root, not unlike what Temp Root does.
I am not as paranoid as some here and refuse to accept that this was done specifically to thwart efforts to root the phone. The vast (and i mean VAST) majority of people who buy this phone will never even consider rooting the devices. This same majority has a subset of people that are easily stupid enough to screw up an OTA update or download and install malware.
I will take it a step further and opine that the only reason HTC is unlocking the bootloader is because we are such a minority AND that by tinkering with an unlocked device, we are actually helping HTC improve their product. They would rather have a more appealing facebook page than worry about losing a minuscule fraction of wifi tethering income.m Moreover, take a good look at where Sprint stands in the market, and what they have done recently to improve their position. They are doing a lot of really cool things, and have taken impressive steps to improve customer service and corporate image. That they would allow this bashing of HTC to continue unabated over a handful of tethering dollars is unlikely.
Click to expand...
Click to collapse
I completely agree with all of that. Other carriers have taken many steps to try to prevent wireless tethering. They've asked google to filter certain apps from the market from their customers, they've sent out letters to their customers who they suspect of tethering, they've used ECM's to try to stop it.
But Sprint...they've been remarkably silent on that front. Hell they don't even seem to plan on putting any usage caps in place. In my opinion, I suspect that Sprint wants to be different from the other carriers. They can't outright allow tethering because people would go nuts with it and it would saturate their network. Instead they have this approach of telling you that you can't do it without paying extra, but they look the other way when you do.
I don't know if I fully agree on why HTC locks the phone so tight though. I mean they really went out of their way to make sure nobody touches it. There could have been far more simple countermeasures in place to prevent malware yet still be open to somebody who has physical access to the phone.
It can't be that Sprint insisted on it being that way, otherwise Sprint would have insisted that the Nexus S be fully locked, so I don't believe that this is a carrier issue at all, at least not as far as the Evo 3D is concerned.
One of my suspicions is that HTC may make a profit off of having certain apps installed, much in the way that PC OEM's get paid to preload different apps (e.g. norton.) It could be that they want to make sure that you can't remove them. However that profit they make off of these apps may be significantly offset by having a really negative facebook page, hence the decision to unlock.
Hard to say really.
Since we know the main reason Google did Android was the same as all their other free products - collect more info from users, can the built in VPN settings be trusted? It just seems to me that the only reason Google would be "kind" enough to build in a system to defeat the reason they built Android in the first place would be if they wanted a way to offer "security" with a back door for themselves??? i.e. Maybe all traffic goes through Google before being sent to VPN??
Or maybe a simple question is can Google still see your traffic or get the info they want if you use the built in VPN settings (with a VPN service of course)?
Would using an OpenVPN app be more secure than the standard settings?
Thanks and I'll apologize in advance if this is a stupid question!
Remove the tinfoil hat for a second and listen:
Even if the traffic from the VPN were to be sent to Google, they would only receive the encrypted traffic!
Erm, yeah, that is, if no other part of the VPN framework is sending the encryption key to Google servers -in an encrypted form so as to not be so easily detectable by sniffing the traffic...
Heck, the FBI and the NSA do it with e-mail (google-search "carnivore program" and "Echelon communications interception", you'll find plenty of info on these -surprisingly not well known- topics) and truckloads of other communication forms, why would Google mind ?
You're absolutely right to be wary -especially if you live in the USA, where the "Patriot Acts" 1 and 2 give practically free-hands to the government to wiretap everything they want, in the interest of "national security" (or so they say. Most times though, it's used for more 'impure' intentions), and sometimes forward the collected info to big corporations who can make big money out of it. That's how Boeing practically stole a multibillion $ contract right under the nose of Airbus : the NSA tipped them off after they intercepted emails and faxes emitted by Airbus about the bid, and told Boeing to slightly -just enough- increase their own bid, and voilà... (but they never acknowledge anything by saying "we intercepted comms that said they'll bid so much or so much", nope, it's way more sneaky than this : it goes like "about this contract, we think that it would be a good idea to slightly increase your bid, by say a million or two", never mentioning any wiretapping -and of course the people who benefit from the info are way too glad to think about spoiling the ambiance by asking embarassing questions. "you don't look a gift horse in the mouth", after all...
If you really wanna have a (mostly) relaxed mindset about this, I see only one reliable solution : code your very own VPN app, and keep it to yourself, forever and ever, so it can't be reverse-engineered by no one (and even this is no 100% guarantee, you're never safe from anything in this sorry world)..
That being said, I'm not entirely convinced Google created Android just for gathering info from its sheepish users.. There probably is some of that, sure -althoug, to be a Android user requires way more technical knowledge and curiosity about the device you're using (that is, if you wanna use it at 100% of its capabilities) than the "average frustrated Windows chump".. And this kind of user is way more liable to uncover the "conspiracy", sooner and easier than just a WinMo or iOS user.. It's kind of like sawing the branch you're sitting on..
And if this happened -Google being discovered spying upon the communications of Android users- they'd probably be in biiiig trouble, probably more than what makes it worth trying it. Just look at Apple when it got known that every iPhone has a hidden memory area that stores the GPS coordinates of your every move and periodically uploads them to Apple servers. Jobs managed to dodge the bullet by publicly explaining that it was meant to enhance the algorithms that will be used by future GPS chips, but who the hell believes that ? For one thing, Apple never manufactured GPS chips, and probably never will, mostly because building a chip-foundry factory costs a huge wad of dough (just ask Intel how much they're spending to upgrade their infrastructures each time they reduce the die-sizes by a few nanometers, the amounts are hard to believe when you're making about 15$ an hour like me..), and also because there are already too many competitors out there -most of which are better than Apple at designing quality hardware.. It's probably no mystery if Apple prefers using 3rd-party hardware than making their own : it's cheaper, easier, and at least if you get some f-ed up hardware, you can just blame it on the corporation who sold it to you instead of having to make an embarassing and very public mea-culpa (at this point, the words "HTC", "eMMC" and "Samsung-made chips" are popping into my mind.. Is anyone else feeling those symptoms ? ^^). And it would be way harder -if not downright impossible- for Google to find a believable and reasonable explanation for such a mischief (I think it's even called a felony at this level.. But I'm no yankee, can't be 100% sure about this detail -and right now I'm too lazy to Google it up and find out.. xD).
But then again, who can be 100% sure ? It's always wise to be wary, and always be prepared for every contingency, as far as is humanly possible
I personally think that if Google created Android it's probably more because they wanted to thwart Microsoft from ever gaining complete monopoly of the mobile OS market, like they did with Windows and the PC OS market -which they mercilessly dominate by every means possible, even those that are borderline illegal sometimes, if the outcome makes it very worth the risk..
Google and Microsoft just can't stand each other (just like Microsoft and SCO-Unix couldn't stand each other back in the heroic days.. Actually, Microsoft has had many a foe along the way, IBM is counting among those too -but MS finally managed to kill off their offspring OS/2. It wouldn't die by itself so they had to kill it.. But they only managed to do so because they were more determined on taking it out of the OS scene than IBM was determined on defending it.. ), and they just will do anything that is in their respective grasp to piss off one another -with varying success..
And I gotta admit that they did a pretty good job out of it, all things considered : the Unix open-source community benefits from one more interesting project (even if the sources for every new Android release are often very long to come out. But then, the GNU public licence only states that you have to release the source code with your app if you're reusing some GNU-licensed code, it never mentions any deadlines, or that it has to be released together with the compiled binary), and Microsoft is held back from completely winning a juicy prize, which makes their new CEO Steve Ballmer mad with rage -which is hilariously funny to me (I can't get enough of seeing this fatass enraged. Too bad Bill Gates retired, it'd probably have been equally as funny -if not more- to see him enraged, with Ballmer towering over him by his side and trying to make himself as small as a mouse so he could escape by a crack in the nearest wall, the "angry dwarf and the 'not-too-bright-but-very-bulky' giant". In the movies that's always a winning combo)..
Snakeforhire said:
Erm, yeah, that is, if no other part of the VPN framework is sending the encryption key to Google servers -in an encrypted form so as to not be so easily detectable by sniffing the traffic...
Click to expand...
Click to collapse
Well, if you want to follow that road, what's telling you that the VPN clients around aren't sending that very same key to law enforcement agencies?
The answer is simple, it would be a huge, gigantic ****up, as you said!
read the rest of my post, I address this issue a few lines down.
@Alcap12 I don't generally consider myself to be part of the tin foil hat club. But I am older and have learned (the hard way) the difference between regrets and mistakes - mistakes you can fix. I think there is going to be a whole **** load of young folks who are going to regret not taking their privacy a little more seriously in a few years.
Thanks for the reply SnakeforHire.
I understand the man-in-the-middle type of attack and if you're using an ssl vpn the only thing the middleman sees is encrypted traffic. But Google isn't in the middle they own the starting point. So is it possible: A user sends some data, Android phones home with the metadata, and then Android encrypts the data and sends it to the vpn server? Tons of the apps on the market are tracking you - heck the Dolphin browser just got busted doing it right here on XDA so why not Android itself??
I'm thinking a packet sniffer would tell us the answer. I'm also thinking if I've thought of this one of the professionals here on XDA has too and has checked it out already. At least I'm hoping so. I just posted this thread in the hopes of finding out for sure.
you're assuming the filtered-out data would be sent over to the eavesdropper in an unencrypted form, otherwise the packet sniffer would just see meaningless garbage..
And I kinda doubt that anyone willing to go to such lengths to spy on others would be so foolish as to forget to add encryption to his upload framework.
Well, it seems to be a very good and informative question. I use VPN service and i don' think that google can trace out your traffic though the traffic from the local ISP transmit through a sound means which is absolutely encrypted and protected so there won't be any chance for anyone to look into you data and traffic...
i use the service of hidemyass and i can say that its is the best iphone vpn. I have been searching around the web for several aspects related to vpn and my research concluded that through vpn no data can be traced..All what google or anyone else will receive is the encrypted data like [email protected]#$^^&*. So impossible for anyone to see it
Since the arrival of latest Android Phones, we have been seeing people searching for the most reliable and trustworthy Android VPN Providers. It has not been easy for anyone of us, searching for VPN provider that can support our latest Android Phones settings. In fact this has not been easy for us to compile this entire list of Android VPN Providers.
Setting up commercial VPN on Android 3.0 or older versions is a piece of cake nothing to worry about. You just have to tap here and there on your New Android Phone and you are connected.
Before providing you with the step by step process, I would again mention the ‘disclaimer’ that this blog-post is not for the experts or techies, but this is for those who are new to VPN or android and want to setup their VPN accounts for the first time on their Android Phones.
Let’s cut the crap and start with the tutorial, I will first tell you how to setup a simple PPTP VPN connection on your Android Phone.
Go to your Phone settings.
Tap on Wireless Controls and then VPN Settings.
Click ‘Add VPN’ and you are Half way through J
Tap on “Add PPTP VPN”. Do not worry about others, we will let you know about the other protocols as well.
Add your “VPN Name”. It can be your name, you can even name it “I Do not need VPN”
Now the so-called difficult part arrives, entering the Server Name. Server Name can only be entered, if you have a VPN account, or you have setup your own VPN. If you do not have both, please do not try this, you will not get anything
Server name is being provided by the VPN Provider, it will be like “usa.bestvpnservice.com”.
You can enable the encryption here. (If VPN still does not work, try again after disabling it)
Do not worry about DNS Search Domains until or unless you are planning to use Internal DNS Server, if yes enter them here.
Save the Settings and You are all set with your New VPN Connection on your Android Honeycomb.
Now, comes the connecting part. Go to your VPN Settings and there you will get your added VPN connection. Tap to connect it and enter your Username and Password, which you will get after paying your VPN Provider. You will see a small Key like icon on the Top, which means you are now safe, secure and anonymous in the digital world. You can disconnect your VPN by going to the same area with VPN settings and tapping on your connected VPN Connection.
I hope it will helpful for you to configure settings on your Android. Currently i am Using my Ipad its more easy as compare to Android.
To see Ipad VPN and its seetings:
bestvpnservice.com/blog/how-to-connect-to-a-vpn-on-ipad-2
Hello there.
I'm working in the field of privacy protection. Recently Mister Snowden found out, that a big state agency in the US with three letters has backdoors in Android, Windows Phone and Black Berry.
So i have to ask you guys if you know something about this.
As we already know, these back doors do exist in the stock firmware, but what about let's say CM or all the others. Do they have these back doors as well?
And optionally for those of you, who know the european privacy protection laws, is there a way to demand of samsung to remove these backdoors to comply with these privacy protection laws?
Just imagine such kind of rootkit could be implemented already in dalvik-vm (low-level). Who's able to dump and verify it? Short answer: no one without JTAG hardware and advanced assembler skills
But that's nothing I would worry about.
Sent from my GT-I9300 using xda app-developers app
I always believed, i could find the guys you were writing of there as well.
The vulnerability is there for everyone. It's stitched into the android firmware and I very much doubt the CyanogenMOD team could do anything about it.
As Edward Snowden said, though, you can avoid this by using strong encryption and isn't commercial (openSource is better) on your entire ingoing and outgoing data connection. You can also encrypt your storage.
SELinux is useless, since, the NSA wrote it.
Kryten2k35 said:
The vulnerability is there for everyone. It's stitched into the android firmware and I very much doubt the CyanogenMOD team could do anything about it.
As Edward Snowden said, though, you can avoid this by using strong encryption and isn't commercial (openSource is better) on your entire ingoing and outgoing data connection. You can also encrypt your storage.
SELinux is useless, since, the NSA wrote it.
Click to expand...
Click to collapse
It's a good start (OpenVPN, PGP, drive encryption + custom bootloader and ROM, F-Droid). But if we dig further, what good is encryption if firmware can log key 'presses' on your virtual keyboard and microphone can be remotely controlled for sending data in the pre-encryption state? It seems much easier to implement on Android devices with so much non-free firmware (look closely at http://redmine.replicant.us/projects/replicant/wiki/ReplicantStatus and http://redmine.replicant.us/projects/replicant/wiki/TargetsEvaluation) than on PC, where you can go without non-free firmware in many cases and only need to suspect Intel/AMD backdoors (mainly in RNGs) and those in the BIOS/UEFI. On the other hand, with SSDs and their non-free firmware becoming more common...
Sorry but what will they get from my phone?
Anything from gapps data to the conversation you're having while not thinking the microphone in your phone laying at the table is set on, for the starters.
Hi,
with all media attention related to NSA spy activities.
How does one know this all happening here is not related to NSA activities?
If i'm correct the bloatware a provider installs when you bought it gives nsa access or gives provider unwanted access.
Maybe i'm thinking too much, but even NSA could bring out a rom which looks great and so and you think it's save and not accessing your private details, mic or camera.
Just a thought i had.
(on duckduckgo.com there was this advertising for save internet and cyanomod, thatss how i came here)
Thanks !
Have you been abusing ice or something ?
haha no, just curious that's all. As you know google ain't clean either in terms of privacy. And Android is Google.....
But no, i like what's happening here, it was just a thought.
Alright...
Intelligence agencies can already essentially look at whatever they want whenever they want via direct access to all networks. They can break a lot of encryption. Most operating systems (whether phone/PC/whatever) either have some NSA designed bits (I.E SELinux) or 'backdoors' which enable them to access even the most tightly 'locked up' systems.
I very much doubt they need to release a bit of 'crapware' or an OS of their own given the above. Though I can imagine in certain cases they custom design an exploit for a particular individual or organisation they want keep tabs on, but I can't imagine they'd want to do it to ordinary phone users en masse in the manner you suggested.
They already 'passively' surveil just about everyone (I.E collect all data but tend not to look at it unless they need to), so they don't need to do what you mentioned.
In my view opensource system has an advantage that you can check the source code yourself for a potential backdoor.
Most of the ROMs here are opensource so you can download, check, compile and install.
However you do not have 100% opensource devices - you have for example radio drivers which we just trust they will send data to correct receiver and in correct format...
I don't think it is proven SELINUX introduces backdoor or was it? If yes, I'm very interested to see it.
https://en.wikipedia.org/wiki/Security-Enhanced_Linux. Everything is backdoored.
MistahBungle said:
Alright...
Intelligence agencies can already essentially look at whatever they want whenever they want via direct access to all networks. They can break a lot of encryption. Most operating systems (whether phone/PC/whatever) either have some NSA designed bits (I.E SELinux) or 'backdoors' which enable them to access even the most tightly 'locked up' systems.
I very much doubt they need to release a bit of 'crapware' or an OS of their own given the above. Though I can imagine in certain cases they custom design an exploit for a particular individual or organisation they want keep tabs on, but I can't imagine they'd want to do it to ordinary phone users en masse in the manner you suggested.
They already 'passively' surveil just about everyone (I.E collect all data but tend not to look at it unless they need to), so they don't need to do what you mentioned.
Click to expand...
Click to collapse
yes you're right. it totaaly agree.
thanks a lot for your answer.
MistahBungle said:
Everything is backdoored.
Click to expand...
Click to collapse
I checked Wikipedia SELinux Entry. I remember Linus's nodding, however there is no hint it was with relation of SELinux.
I found another discussion on this topic and I agree with the point that "It would be singularly dumb of them to inject backdoors in their own name."
Time will show.
Anyway - if you do not trust it, you can turn it off completely or use an alternative - AppArmor - which does not come from NSA.