Related
Hello has anyone used the money toolkit app to access your account?. On my iphone I have an official natwest app, which am sure is safe however a bit worried about this one cause it clearly states not affiliated with any bank.
Hi marvi0
I am Dan - founder of Money Toolkit, so obviously my opinion is not impartial
You are absolutely right to question apps like ours, and I wish more people were more diligent in this resect.
The biggest barrier to using any third party financial app is trust. For a small start up like ours, theres a bit of a catch 22 thing. The best way for people to trust our app is to see others using it, which means having enough early trail blazers use it.
I hope you do read some of the pages on our site regarding security - we have gone to very great lengths to keep you in charge of your credentials.
But this is still only our word. Probably the best thing to help increase your confidence is to look on our get satisfaction pages - (we cant delete messages, so it is an open conversation). Also check the comments on the Android market, again we can't even respond as the developer (which can be frustrating).
I hope others do respond on here, though we only have 500+ active users, so I would be a bit surprised.
There will always be some nervousness committing to our app, ultimately you have to go with your instincts - most people who see our app don't go on to enter their details, which is a shame in my opinion (obviously), because those who do find our app really useful.
Any questions, just ask.
Cheers.
Dan.
I have installed it and it looks pretty good
I have my fingers crossed regarding the security
Thanks for your reply so does this app actually allow me to view my natwest account information?
marvi0 said:
Thanks for your reply so does this app actually allow me to view my natwest account information?
Click to expand...
Click to collapse
it does yeah
you get an overview and then when you click on the account it drills down into the transactions
you cant see direct debits etc
also i wish you could change the theme, the wooden effect is a bit yukky, lol
but it does the job fine
also you have to manually log out or the app will run in the background, and if someone picks up your phone they can see the bank funds etc
winwiz - thanks for that.
You are not alone a few people don't like the wooden theme, so we are thinking of changing that.
The idea was that it continues the web site theme of being a work bench - continuing to follow the tool kit idea! We also didn't want to look like another boring bank, but probably it doesn't work that well on the phones.
Regarding logging out - we keep you logged in on purpose, (it will time out after 5 minutes) it is really annoying when you accidentally go back too far or want to swap to another app and have to log back in. Perhaps we should make that another setting?
some people even choose to keep their password remembered, and rely on the phones own security.
Remember this is a READ ONLY app, there is absolutely no way anyone could transfer funds, or make any changes to your bank.
We've got some nice things planned, like categorising your sending and graphs etc.
So any feedback or ideas really welcome - especially on the get satisfaction pages
Cheers.
MTK-Dan said:
winwiz - thanks for that.
You are not alone a few people don't like the wooden theme, so we are thinking of changing that.
The idea was that it continues the web site theme of being a work bench - continuing to follow the tool kit idea! We also didn't want to look like another boring bank, but probably it doesn't work that well on the phones.
Regarding logging out - we keep you logged in on purpose, (it will time out after 5 minutes) it is really annoying when you accidentally go back too far or want to swap to another app and have to log back in. Perhaps we should make that another setting?
some people even choose to keep their password remembered, and rely on the phones own security.
Remember this is a READ ONLY app, there is absolutely no way anyone could transfer funds, or make any changes to your bank.
We've got some nice things planned, like categorising your sending and graphs etc.
So any feedback or ideas really welcome - especially on the get satisfaction pages
Cheers.
Click to expand...
Click to collapse
Hi Dan,
Thanks for the great feedback. I'd like the option to customise the background, or if this is not possible, a solid black background. The timeout option should be configurable so the user can set the timeout period!
I look forward to the updates
MTK-Dan said:
I am Dan - founder of Money Toolkit, so obviously my opinion is not impartial
...
Any questions, just ask.
Click to expand...
Click to collapse
Hi Dan,
Was just deliberating about using Money Toolkit and I had a couple questions. I've no knowledge in this area so please bare with me.
On the blog post here: hxxp://moneytoolkit.com/2010/09/secure-mobile-banking/
You said that:
"Yodlee then sells your bank data to the web site that you signed up".
Which I agree doesn't sound ideal - but they have to make money to be a sustainable business. How does money toolkit intend to make money? Which part of users financial details will be utilised to do this?
Secondly - regarding the security - the same blog post says:
"Not only would someone have to get access to your phone they would have to go to the same lengths as they would if they wanted to ‘hack’ into a bank, but they would have to do it three times!"
I presume that each location storing data can't login to the bank account in part. Instead a single server instance would have to login - requiring all 3 parts of the information to do so as banks usually randomise the questions asked. That presumption may be wrong however - but if it's correct does that mean a hacker could just hack that single server instance and intercept the traffic being sent to the bank?
You said that:
"Yodlee then sells your bank data to the web site that you signed up".
"but they have to make money to be a sustainable business. How does money toolkit intend to make money? Which part of users financial details will be utilised to do this?""
Click to expand...
Click to collapse
We point out the normal relationship with Yodlee because Yodlee is an independant third party, they are the entity that you end up having the biggest contractual relationship with, in fact you sign over power of attourney to them when you use a web site that uses their aggregation (read the small print).
Regarding Money Toolkit making money, so far we don't! Of course, as you point out, we need to, so we have two options - we will ask for 50p per month (for example), or we will offer good deals with companies we trust (generally not main stream banking companies), where we will make a commission, if we do that we will make the commission obvious and share it with the person taking the offer.
"Secondly - regarding the security...
...does that mean a hacker could just hack that single server instance and intercept the traffic being sent to the bank?"
Click to expand...
Click to collapse
Well your main assumptions is correct, but the reasoning not quite right. Firstly it is not just because of the random nature of the security questions that the three way split is valuable, but literally each part is utterly useless without the other parts, they are three parts of an encrypted file, which MUST come together before it is possible to decrypt.
The decrypted file (now only in volatile memory) then returns values to your phone and it is your phone which sends (over SSL) the right request to the bank, so they would have to breach our own SSL traffic (and custom encryption). Our IP's and the bank's are hard coded so a traditional man in the midle attack is ruled out. They would in effect, have to dupe you into downloading a dodgy Money Toolkit apk for this to be possible.
As you may know, the huge majority of security problems come from static data being discoverable (cd's and memory sticks left on trains for example). In our case the three seperate locations, including your phone make this kind of static data recovery, all but impossible.
However... you are right tht if someone managed to compromise the individual server that, at that moment (we have many), did that specific decryption: then if they were very smart, they might have the ability to detect your secure bank details. Though it would be almost imposible for that to happen and us not know about it. To alter our code and not have our systems detect the intrusion would be phenomenal.
MTK-Dan said:
so we have two options - we will ask for 50p per month (for example), or we will offer good deals with companies we trust (generally not main stream banking companies), where we will make a commission, if we do that we will make the commission obvious and share it with the person taking the offer.
Click to expand...
Click to collapse
Great, both options sound reasonable
MTK-Dan said:
they are three parts of an encrypted file, which MUST come together before it is possible to decrypt.
Click to expand...
Click to collapse
Neat, didn't realise.
MTK-Dan said:
The decrypted file (now only in volatile memory) then returns values to your phone and it is your phone which sends (over SSL) the right request to the bank, so they would have to breach our own SSL traffic (and custom encryption).
They would in effect, have to dupe you into downloading a dodgy Money Toolkit apk for this to be possible.
Click to expand...
Click to collapse
That at least does sound secure (without understanding it more) I suppose there may also be security issues beyond a dodgy .apk file if the Android device has been rooted - because I think that allows apps to work outside of their sandbox. Again, I don't know enough about that.
Thanks for the detailed answers, it gives me more confidence in the service.
aph5 said:
Great, both options sound reasonable
Neat, didn't realise.
That at least does sound secure (without understanding it more) I suppose there may also be security issues beyond a dodgy .apk file if the Android device has been rooted - because I think that allows apps to work outside of their sandbox. Again, I don't know enough about that.
Thanks for the detailed answers, it gives me more confidence in the service.
Click to expand...
Click to collapse
Is it possible to transfer money to whomever you want with this app?
http://www.youtube.com/watch?v=ev3rUQMvyhU
In an attempt to distance themselves from the increasingly volatile Carrier IQ situation, we’ve been told that Sprint has ordered that all of their hardware partners remove the Carrier IQ software from Sprint devices as soon as possible.
This comes after a number of dramatic turns over the past few weeks. During that time Carrier IQ was called a lot of things, from a harmless mobile intelligence company to a vicious rootkit designed to steal our personal data and sell it to the ne’er-do-wells. In my opinion, Carrier IQ is a company that provides a service that benefits everyone with a cellphone by giving information to the carriers about when their network has problems that affects our service. Unfortunately, this software was installed in such a manner that, when discovered, there was a significant panic. This is understandable because the software was forced onto unsuspecting users with no real oversight to speak of.
That panic was made worse when the company responded by trying to silence the person who discovered the software, instead of trying to explain what was actually happening. So here we sit, a month away from a Senate hearing on whether or not Carrier IQ is doing anything illegal, on top of a barrage of lawsuits against all of the companies involved.
Sources at HTC have told us that, as a result of the lawsuits targeting Carrier IQ, Sprint, and other CIQ-using OEMs, Sprint has asked all of their partners to get rid of Carrier IQ. Starting with the high-volume and high-profile devices on the network, each of the OEM’s has been asked to quickly release binaries that do not contain Carrier IQ so that over-the-air updates can be pushed to those devices as quickly as possible. The eventual plan is to remove Carrier IQ from all of the devices on Sprint’s network.
This is being done as soon as possible and, according to our source at HTC, anyone who is working with Sprint in testing labs have even had their vacation time over the holidays seriously restricted. No official rollout plan for these updates has been devised, but it has been made clear to everyone involved that this change needs to happen soon. I would assume that we will see updates for devices including the iPhone, HTC Evo 3D, and the Samsung Galaxy S II Epic 4G Touch before 2012.
At this time, Carrier IQ, Samsung, and Apple all refused to comment on any developments in this matter.
Some may view this as a classic “too little, too late” situation. Sprint waited until there were lawsuits to start removing Carrier IQ from their network, where previously they had been defending their use of the mobile intelligence service. This could possibly even be seen as an admission of guilt, as them removing the software in an attempt to make amends for what they have been caught doing.
Even so, Sprint could have just as easily made a public statement announcing that they were turning off the servers that collected the information, pending the results of the trial and the Senate inquiry. At that point a simple test from any of the security researchers that have gotten involved would confirm Sprint’s cancellation of CIQ and they wouldn’t have to involve every manufacturer on their network.
Click to expand...
Click to collapse
http://www.geek.com/articles/mobile...trip-carrier-iq-from-their-hardware-20111216/
TrevE > CIQ
Nuff said!!!
Another victory!!!! TrevE is forever my hero!
While this is nice and all the article seems to be lacking some knowledge in itself on some things. mainly the fact it included iPhone in the list of devices that would be getting updates. I'm pretty sure Apple commented on this long ago stating they do not use CarrierIQ in their devices anymore at all.
And I can't really see Sprint able to force Apple to load it on the device either...
Awsome just hope we didn't make it worst for sprint
Sent from my PG86100 using xda premium
tech7 said:
Awsome just hope we didn't make it worst for sprint
Sent from my PG86100 using xda premium
Click to expand...
Click to collapse
I just had to laugh I mean Sprints network already sucks how could it possibly get worse. CarrierIQ is not going to fix 4G or even poor 3G speeds due to network congestion. They know they have a problem doubt they need an app to confirm it.
Can you say Pwned! TrevE is the man!
Tons of idiots. Ciq is made to learn how you do things, so they can make it better. Yet, you complain about things your phone can't do. How the **** are they supposed to know what you want if you don't tell them? Oh yeah HTC is supposed to troll the forums and sees that one person doesnt like sense and remove it bc one person doesn't like it. Or they could use ciq, see that 50% of people who have sense, use a different launcher and then rethink their approach. You guys are pathetic.
Sent from my PG86100 using Tapatalk
bloodrain954 said:
Tons of idiots. Ciq is made to learn how you do things, so they can make it better. Yet, you complain about things your phone can't do. How the **** are they supposed to know what you want if you don't tell them? Oh yeah HTC is supposed to troll the forums and sees that one person doesnt like sense and remove it bc one person doesn't like it. Or they could use ciq, see that 50% of people who have sense, use a different launcher and then rethink their approach. You guys are pathetic.
Sent from my PG86100 using Tapatalk
Click to expand...
Click to collapse
How are we pathetic..... Ciq is the one that is pathetic. They had the chance to explain what CIQ does but instead they try to silence TrevE. On top of that they install CIQ without even letting you know.
I understand that it's probably used to make phones and services better, but they should at least give you a disclaimer, an opt out option, and an explanation of what CIQ does and maybe then so many people wouldn't be angry at CIQ.
I think the *****ing and complaining is like he said...the fact they covered it up, tried to silence someone. Not that its probably bad software but bad business ethics. Agreed?
Sent from my PG86100 using XDA App
bloodrain954 said:
Tons of idiots. Ciq is made to learn how you do things, so they can make it better. Yet, you complain about things your phone can't do. How the **** are they supposed to know what you want if you don't tell them? Oh yeah HTC is supposed to troll the forums and sees that one person doesnt like sense and remove it bc one person doesn't like it. Or they could use ciq, see that 50% of people who have sense, use a different launcher and then rethink their approach. You guys are pathetic.
Sent from my PG86100 using Tapatalk
Click to expand...
Click to collapse
Oh please, its fine that you are ok with invasive measures that reduce your personal security, freedom, and privacy but criticizing other's opinions based on your lack of knowledge is crap. When your life is ruined because data isn't protected and you didn't authorize or get the choice in giving that info up I hope you remember your BS logic that the risk is fine and dandy because they were "trying" to gather data to improve things.
So naive, yeah they want to mine and transfer data to make your life better. Wrong, bottom line is the almighty dollar. They make millions doing what they do, they could give two ****s less about you and your experience
+1 so true
Information was still being withdrawn from my phone without my permission. Individual info should never be given out for free nor taken without consent.
Sent from my PG86100 using XDA App
CIQ might have done the right thing collecting error logs on the phone to troubleshoot. But installing it on devices without user permission or any kind of disclosure of the software being install is just "unethical".
P.S. the reason why they are being sued was due to unethical practices.
Sent from my PG86100 using xda premium
The fact that it was capable of reading texts, emails, URLs, passwords is what the problem is. We're just supposed to believe they aren't using it for that? Why the hell is it even possible to do so then?!
Cuss all you want..you can be a tool. I'll go with the crowd that wants it gone.
Sent from my PG86100 using xda premium
Sad Panda said:
Oh please, its fine that you are ok with invasive measures that reduce your personal security, freedom, and privacy but criticizing other's opinions based on your lack of knowledge is crap. When your life is ruined because data isn't protected and you didn't authorize or get the choice in giving that info up I hope you remember your BS logic that the risk is fine and dandy because they were "trying" to gather data to improve things.
So naive, yeah they want to mine and transfer data to make your life better. Wrong, bottom line is the almighty dollar. They make millions doing what they do, they could give two ****s less about you and your experience
Click to expand...
Click to collapse
LOL! When my life is ruined? They aren't stealing credit card and social security numbers, they are just reporting what apps and hardware is used during the day. Huge difference. Yeah, CIQ didn't do the right thing with the lawsuit, boo hoo life goes on.
You know people at your local bank track everything you do, have access to your credit cards and social security number. They can tell you where you've spent your money, what you bought, and all your personal information, yet nobody cries about that. But its a huge deal to report to Sprint that your playing angry birds at 1pm.
Sent from my PG86100 using Tapatalk
bloodrain954 said:
You know people at your local bank track everything you do, have access to your credit cards and social security number. They can tell you where you've spent your money, what you bought, and all your personal information, yet nobody cries about that. But its a huge deal to report to Sprint that your playing angry birds at 1pm.
Sent from my PG86100 using Tapatalk
Click to expand...
Click to collapse
That's because by choosing the bank you opt into that, and go in knowing that they can track your money. And for the record they don't know what you bought, just that you spent so much money here and so much money there. The cc from the bank gets an amount taken not an itemization of funds spent per transaction. CIQ was added without knowledge, why can't you grasp the differences?
http://allthingsd.com/20111201/carr...monitors-service-messages-ignores-other-data/
Learn what it really does before you jump on the zomg my personal info is compromised!!1! Bandwagon.
Sent from my PG86100 using Tapatalk
bloodrain954 said:
http://allthingsd.com/20111201/carr...monitors-service-messages-ignores-other-data/
Learn what it really does before you jump on the zomg my personal info is compromised!!1! Bandwagon.
Sent from my PG86100 using Tapatalk
Click to expand...
Click to collapse
First of all I never said anything about personal info. I don't like how it was forced onto us without control. Second, just because they say (AFTER they were found out about) that their software does do anything with personal data doesn't mean it's true. The US Gov said there were weapons of mass destruction and we should go to war, there wasn't and we were there for oil only. Don't believe something especially when the company has their back against the wall trying to fish their way out.
wardfan220 said:
The US Gov said there were weapons of mass destruction and we should go to war, there wasn't and we were there for oil only.
Click to expand...
Click to collapse
Iraq war is a great analogy for Carrier IQ....
Hey all,
I've been a lurker for a while, been looking for a way to encourage the now Google-owned Motorola Mobility to unlock their bootloaders much like HTC has wisely done, but it's becoming more and more obvious to me that they don't care about the "minority" of us that actually feels as though we are entitled to full admin rights on our phones that we either paid a ton of cash for, or signed a lengthy contract to obtain. Verizon is the one blocking it? HTC found a way, and so can Motorola Mobility...that is cop-out.
My proposal is that there be an effort to unlocked the bootloader, I am not some expert programmer, and I am open to whatever will help the cause. I know there was a bounty on it, but to me this isn't about money, I'll donate time, money, information ripped from my phone if it, in some way, contributes to unlocked that bootloader. Even if you need my unused CPU cycles to calculate things, I don't care, just tell me what I can to do help, because I am sick of not being able to use my phone to it's fully potential.
Maybe I am being naive, but I believe if we all worked together we could accomplish this goal. If you agree, please, let's organize and figure this out!
-Joshua
I love optimism
I'm down with the movement...
This phone does have mad potential to be so limited compared to other phones.
I just can't believe that we are running an unofficial, incomplete version of CM7 and it runs smoother than stock Blur.
Is that telling you something about Motorola?
Do you guys think Google will make that decision for Motorola or will Moto stay the same?
Sent from my Android
Worth a try...
Re: Google changing Moto policy
I don't know so much about Google changing Motorola's stance on the locked bootloader, we've tried petitioning the company themselves, but have we tried petitioning Google? Or maybe it's too soon, maybe they are working on it right now? Hard to tell, and I don't want to put pressure on Google too soon especially if they are trying diligently right now to do the right thing.
But the above poster is right, cracking it ourselves is definitely worth a try. I have contacts (unfortunately know inside Motorola), I know people with lots of knowledge on encryption, I'll be honest one of my friends does have a knack for the impossible, but this would be too much for one lone person. I also have a few computers in the house, to donate computing power. None above 5 GB of RAM unfortunately, but my friend with all of that know-how does also have a synchronous 20/mbit up/down connection to the net, if that helps, and I have another friend that is the linux admin at a an unnamed private university in Durham that might could lend a hand in some way.
We have the resources, we just need to pool them.
Someone with the realistic technical know-how, just tell us where to begin, and the shortest path to getting to our goal and we'll do all we can to contribute!
Thanks for understanding and not just writing this off as a pipe-dream...because I know if we work together we can accomplish almost anything.
-Joshua
spyda256 said:
I don't know so much about Google changing Motorola's stance on the locked bootloader, we've tried petitioning the company themselves, but have we tried petitioning Google? Or maybe it's too soon, maybe they are working on it right now? Hard to tell, and I don't want to put pressure on Google too soon especially if they are trying diligently right now to do the right thing.
But the above poster is right, cracking it ourselves is definitely worth a try. I have contacts (unfortunately know inside Motorola), I know people with lots of knowledge on encryption, I'll be honest one of my friends does have a knack for the impossible, but this would be too much for one lone person. I also have a few computers in the house, to donate computing power. None above 5 GB of RAM unfortunately, but my friend with all of that know-how does also have a synchronous 20/mbit up/down connection to the net, if that helps, and I have another friend that is the linux admin at a an unnamed private university in Durham that might could lend a hand in some way.
We have the resources, we just need to pool them.
Someone with the realistic technical know-how, just tell us where to begin, and the shortest path to getting to our goal and we'll do all we can to contribute!
Thanks for understanding and not just writing this off as a pipe-dream...because I know if we work together we can accomplish almost anything.
-Joshua
Click to expand...
Click to collapse
i love your optimism i have some old pms that may help with the effort
SHA-1 brute force can be cracked for around $2 of Amazon cloud computing service.
http://www.geek.com/articles/news/r...for-2-10-with-amazons-cloud-service-20101122/
Isn't boot loader use SHA-1 encryption?
(of course, the key may be much longer, but it may not be impossible for cheap. I say try to pool together like $100 and try Amazon cloud computing a try?)
Re: Amazon
hpark21:
I like the way you're thinking, does anyone else think this might be a good call? I know there was a bounty of around ~$800 somewhere, so I doubt if all of us who rightfully were promised and unlocked bootloader wouldn't mind pooling a bit of money for the computing power, hell I myself would give $50 to the effort if we knew it was a viable solution.
Other thoughts?
Also, ztotherad, if you could send me those PMs maybe we can sift through those and see if there are some other avenues, nothing is off the table at this point.
thanks again for coming together on this, that is the true meaning of community.
spyda256 said:
hpark21:
I like the way you're thinking, does anyone else think this might be a good call? I know there was a bounty of around ~$800 somewhere, so I doubt if all of us who rightfully were promised and unlocked bootloader wouldn't mind pooling a bit of money for the computing power, hell I myself would give $50 to the effort if we knew it was a viable solution.
Other thoughts?
Also, ztotherad, if you could send me those PMs maybe we can sift through those and see if there are some other avenues, nothing is off the table at this point.
thanks again for coming together on this, that is the true meaning of community.
Click to expand...
Click to collapse
i can def send you them, idk how much help theyll be
Uh, I think it's already been established that brute forcing it is impossible.
Stuckinabox said:
Uh, I think it's already been established that brute forcing it is impossible.
Click to expand...
Click to collapse
In one of the many threads concerning bootloader unlocks, I believe the chances of us finding it were determined to be 1mill:1. It would take us over a decade to manually come up with the key. I don't want to kill confidence, but I'd like to keep things relatively rational.
Sent from my MB870 using xda premium
Stuckinabox said:
Uh, I think it's already been established that brute forcing it is impossible.
Click to expand...
Click to collapse
it's been established that brute forcing is nearly impossible, not completely impossible
it is something that would take an insane amount of resources to accomplish , and/or time ,
it would really come down to "how lucky are we?" really, as in::: how lucky are we that we stumble across or know a genius that can crack it, stumble across needed files, etc...
good luck to all who try, I wish I could do anything to get us there, but I don't know the first thing when it comes to this stuff, don't give up the dream!
Basically, what it comes down to is:
Find out what their hash key is. (encrypted password)
Then, try to go through all valid characters and see whether the input matches the output hash.
If one is lucky and they used short enough password, then it will be quick to find.
If unlucky and they used really long password, then the answer is that we won't be able to find it in REASONABLE time. (I would say 1-2 months to be reasonable - at $2/hr, it would cost $48/ day).
Only issue is when do we stop?
hpark21 said:
Basically, what it comes down to is:
Find out what their hash key is. (encrypted password)
Then, try to go through all valid characters and see whether the input matches the output hash.
If one is lucky and they used short enough password, then it will be quick to find.
If unlucky and they used really long password, then the answer is that we won't be able to find it in REASONABLE time. (I would say 1-2 months to be reasonable - at $2/hr, it would cost $48/ day).
Only issue is when do we stop?
Click to expand...
Click to collapse
There was some kind of crazy algorithm applied to each character to generate the correct item for each number of the key, correct? We would have to come up with that too?
Sent from my MB870 using xda premium
THANK YOU! Finally ... a revived movement. I pledged $100 on another thread and I'm good for putting it toward an unlocked bootloader again!
To learn from one of the most influential groups of our generation ... anonymous utilizes botnets to pool computing resources ... if we get a tool that could function similarly, could we not pool 1000s of computers together to crack it faster? It would make what is not feasible for a small set of computers to do... feasible. If all most users have to do is download a tool that gives us access to processing power and bandwidth ... users will download the hell out of it.
Count me in.
[ sent from _base2 ]
Hope
I understand doubters, and odds are likely against us, but that's ok, no one person can do it, and maybe not just one method, but somehow we WILL get to our goal. Whether Motorola capitulates or we find a method to crack it, we will not have this awesome hardware go to waste.
I am not generally a "black hat" kind of person, but in this case we are in the right so far as I am concerned (please don't quote DMCA BS to me, lol) because they made a promise to their customers, and it will be kept, whether they like it or not.
So, I am with the above poster that mention he didn't know quite where to start, or where we have already made progress, but if someone can help us out, explain the process, we figure out how to move forward. (Please forgive the run-on sentence).
I've minimal experience programming, only VB.net, C++, and a bit of Java from college, and I do tier 2 desktop support for a bank these days, but on my off time I'd love to spend it on something worthwhile, all of you deserve this, and we'll make it happen.
Maybe it's the troubleshooter in me that sees the problem and says "oh no, there's a way, we just need to find it". I have a colleague, the one I spoke of before, he has a knack for doing incredible things, so once we have a breakdown of what we need to do, perhaps he can be of help.
So my friends, where do we go from here?
spyda256 said:
I understand doubters, and odds are likely against us, but that's ok, no one person can do it, and maybe not just one method, but somehow we WILL get to our goal. Whether Motorola capitulates or we find a method to crack it, we will not have this awesome hardware go to waste.
I am not generally a "black hat" kind of person, but in this case we are in the right so far as I am concerned (please don't quote DMCA BS to me, lol) because they made a promise to their customers, and it will be kept, whether they like it or not.
So, I am with the above poster that mention he didn't know quite where to start, or where we have already made progress, but if someone can help us out, explain the process, we figure out how to move forward. (Please forgive the run-on sentence).
I've minimal experience programming, only VB.net, C++, and a bit of Java from college, and I do tier 2 desktop support for a bank these days, but on my off time I'd love to spend it on something worthwhile, all of you deserve this, and we'll make it happen.
Maybe it's the troubleshooter in me that sees the problem and says "oh no, there's a way, we just need to find it". I have a colleague, the one I spoke of before, he has a knack for doing incredible things, so once we have a breakdown of what we need to do, perhaps he can be of help.
So my friends, where do we go from here?
Click to expand...
Click to collapse
sir, did you get my pms?
Re: PMs
Nope, just saw them, thanks for that!
In the past, CM has allowed users to opt out of sending their data. It's recently decided to remove the "optout feature" (c'mon, is that really a "feature"), forcing users to eat it.
http://www.androidpolice.com/2013/0...pting-out-of-cm-stats-cyanogen-says-to-chill/
"Cyanogenmod Will No Longer Allow Opting Out of CM Stats-- Cyanogen Says to Chill"
in response, i kindly made this argument:
"A fundamental issue still exists. If the data is collected via a unique identifier, and it has a timestamp, then it isn't as anonymized as people think. Anyone with a basic understanding of data security knows that. I think the uproar has to do with the reputation of the team as the protectors and defenders of our platform...you give us choice. But when we see behavior that doesn't add up, were naturally going to believe you've used that position in the community to do evil. We understand you want the the data.
What doesn't make sense, and the natural road for us all to go down:
1) is this being used to monetize CM?
2) installation data: to include location, language, device, build version, and carrier, are all things that can be identified using a single, static event report. Why should we be comfortable with an always-collecting, transmitting-in-the-background service? What's the use-case for this? You've said yourself that Google Play apps themselves often collect this data..why is that method insufficient for CM? And why should we have to expect the same from you guys as we do from everyone else. Surely there's a way to collect the necessary data you need with a scalpel, negating the need for a device drag-net like this.
In all seriousness, i trust CM to do the right thing...i just can't tell right now if they've done the lazy thing, and created a service which is omnipresent, omnipotent, running in the background and silently spying on me, just so CM can tell which language my device is running, my general location, my build information, etc.
That's fine, it's simple data, and it's fairly straight forward.
The question is, if you needed that data (which CM says it does), then why are you collecting a much, much more complicated data set, and why won't a simple installation report do? Why won't running for a short period of time...say, 5-7 days do?
Why did they take the Carrier IQ route?
Maybe they want it just so they can have it. As Koushik stated on the google plus post (where he does a great job at assuaging some fears, and creating others):
"---Did you know over half of our users are in China? They just passed the US in terms of CM installation base.
Call it ego surfing, but the data is incredibly useful."
So they're collecting all this data, without a need? It's obvious why it's extremely useful to understand, say....which language most of your users use, etc. But you don't need a 24/7 service to find out what language people use your device in.
Anyways, here's the Google + Post:
https://plus.google.com/103583939320326217147/posts/GwnzKJijBKj
Here, he has, however, provided a screenshot of your data in action, assuaging the fears of most (we never truly get to see what our data looks like after its sent through the mizteereeus pipez of the interwebz, magically transformed, and then spit back out to an analyst), and he even tells you a bit about what data it collects. What he doesn't say, is why on earth submitting the data once, after installation, in a single report wont do, or why a build report once a week, or however often, wont do.
That's the end of my tinfoil hat tirade. Like i said, i love CM, i trust them, but i'm disappointed. The reasons i listed above are arguments made to explain why people are raising hell because of this. I don't believe they'll do anything nefarious, and personally, they can ego=surf with my data all they want. It IS pretty cool. Maybe the move was a tad bit short-sighted though, because they may have gotten a bit out of touch with their users, and their users opinion of them-- and that's what my posts were supposed to do...they were supposed to bring the way I (and other's) think about them more in line with reality.
Edit: It's important to note that, as explained to us by CM, CM Statistics calls home upon reboot. Whether it runs all the time, or just for a nanosecond upon reboot, or 24/7 is important as well, but I'm unable to verify any of this, because my github skills are w34ks4uce. If we had a independent dev who could take a look at CM Stats and then explain exactly (key word) what it was collecting, that'd be über helpful....but it wouldn't mean anything in the long run. Because I was viewing the macroscopic effects of the decision. A comprehensive announcement and explanation wold probably have been prescient, because the information contained in the Google+ post is just as key as the announcement itself-- the stigma of collecting data is far to strong to just say one day-- "sneaky, sneaky--no more opting out".
Nothing has changed here, only the fact that it's enabled by default vs opt-out. The dataset hasn't changed.
Don't use it if you don't like it. They are not spying on you. WITHOUT stats they would have zero visibility to what is actually used. Download data is trash compared to actual usage.
And what if they decide they want to improve Language X translations, but only 10 people use it? Worth it? Or what about Device Y that only a handful of people are still clinging onto? Resources can be used in better ways.
I knew I'd see a post crying about this eventually...
If this thread turns into a flame fest it will be locked
As for data collection...you are using Android right?
Also check the permissions to all those third party apps.
Thanks in advance for keeping this thread civil or ignoring it.
Friendly Neighborhood Moderator
I take my privacy seriously, as I'm sure most of us do. As mentioned previously market apps gain a certain amount of info from us.
Maybe CM should have a free version with no opt out or a pay version with one (key maybe). That should make everyone happy.
Sent from my SAMSUNG-SGH-I717 using xda premium
khaytsus said:
Nothing has changed here, only the fact that it's enabled by default vs opt-out. The dataset hasn't changed.
Don't use it if you don't like it. They are not spying on you. WITHOUT stats they would have zero visibility to what is actually used. Download data is trash compared to actual usage.
And what if they decide they want to improve Language X translations, but only 10 people use it? Worth it? Or what about Device Y that only a handful of people are still clinging onto? Resources can be used in better ways.
I knew I'd see a post crying about this eventually...
Click to expand...
Click to collapse
This.
Whoooooooo caaaares delete thread
RoOt-[]D [] []V[] []D-BeEr
Solution to all this: OpenPDroid
briand.mooreg said:
I take my privacy seriously, as I'm sure most of us do. As mentioned previously market apps gain a certain amount of info from us.
Maybe CM should have a free version with no opt out or a pay version with one (key maybe). That should make everyone happy.
Sent from my SAMSUNG-SGH-I717 using xda premium
Click to expand...
Click to collapse
I think this is a brilliant idea, regardless of the status of CM Stats. A paid version with a extra feature set would be awesome.
As far as the argument for data like language, region, build, etc. I think we can say conclusively that this could be handled by a installation report, that runs once after installation or upgrade.
The type of data they need doesn't neccesitate a background service, which is why its naturally suspicious.
Sent from my Transformer using XDA Premium HD app
btswein said:
This.
Click to expand...
Click to collapse
I though is was enabled by default. Is this something the devs choose? Upon installation, i see a "cm statistics is running" banner in notification. Even so, what's changing, is their removing opt out all together.
Sent from my Transformer using XDA Premium HD app
http://review.cyanogenmod.org/#/c/35047/
well there you have it:
Commit MessagePermalink
Restore the opt-out for stats.
* Apparently this is a bigger issue for a small number of extremely
vocal users. We should respect their wishes, no matter how off-base
their claims are in this context.
Change-Id: I9eef9a65260ec4e360d398f80d610a198c09c915
Thanks to: khaytsus
for posting the link
khaytsus said:
http://review.cyanogenmod.org/#/c/35047/
Click to expand...
Click to collapse
Is there a way we can educate/frame a conversation around how to do this in a way accepting of the vocal crowd? Perhaps an outreach campaign, minimal in effort that might encourage more users to opt in? This is an area where fundamental good can be done. The same people who've been vocal should have no problem explaining what would get them to opt in.
I think this whole thing might have been a brief thing, but if the statistics really help the project, we can all have our cake and eat it too.
Sent from my SAMSUNG-SGH-I717 using XDA Premium HD app
khaytsus said:
I knew I'd see a post crying about this eventually...
Click to expand...
Click to collapse
You knew you'd see a post crying about this because of all that data your collecting told you lol!
Just teasin!
I would have just frozen the background service. ...
We rooty types can do that sort of thing now days. ..
And just to prevent the assumption that I missed the point of the OP. ...I didn't, and can only imagine the amount of target data our carriers pull by simply using our device. (See lengthy contract and service agreement of your carrier)...
CM data is small potatoes by comparison. ..and while quite useful to them in the generation of custom firmwares, it's a useless data source for us.
I've freely given cyanogen my data for years. And in return Steve has given me high quality work for my trouble. .....privacy concerns accepted. ....g
The easiest way to prevent CM from getting any data from you is too not install, not really that hard to figure out.
Sent from my SAMSUNG-SGH-I717 using xda premium
Hi,
I recently met someone online who was a romantic type of encounter but the more we spoke the more creeped out I got by the things hes seemed to know about me.
I finally came to the conclusion the things he said to me were extremely huge red flags, there was no way it was a coincidence anymore, and he knew FAR too much about things personal to me such as separate email accounts, and fake birthdates I use as only the last straw before I concluded to reset my device.
Code:
Alcatel
One Touch
Fierce 2
Kitkat
Thats the device I have. We 1st spoke on Kik and he sent me 2 pictures. One was of him that would not open an image. I tried to open it several times but it was just a blank picture.
The second I was able to view and download.
Does anyone know if this is possible to become infected by those means alone?
Otherwise it is possible he made a fake account and infected me with a link that did not work, but I was always under the impression that it was not possible to become infected by Rat or Keylogger with out installation. I was told in a recent thread I could become infected with opening a false link(???).
Im pretty much 100% sure I was infected. I hard reset my phone, but not the SD card yet. I believe the virus is gone, but I feel very creeped out this happen and do not see this going anywhere further but I would like to know if it is even possible. Theres no way Im being paranoid, but I do get a little over worried sometimes, unfortunately I think this was one of the genuine times.
How is it possible if someone did? Anybody have a link to a good article I could learn more? Thanks. PLEASE FORWARD TO ANYONE WHO MAY HAVE ANY ADVICE AT ALL WOULD BE MUCH APPRECIATED
Most likely he (or she) learned information about you some other way.
You might be surprised what people can learn from the "right" Google searches using some known info like email and city.
If a password on some account can be guessed, that can provide a flood of info, like reading every email or forum posts.
Most infections are from Android apps installed outside of Google Play. Image file viruses are theoretically possible, but I don't recall hearing of any such thing lately.
Please use this thread to continue this discussion: http://forum.xda-developers.com/general/security/getting-infected-android-device-t2989738