Better Mobile App

Money toolkit app?

Hello has anyone used the money toolkit app to access your account?. On my iphone I have an official natwest app, which am sure is safe however a bit worried about this one cause it clearly states not affiliated with any bank.

Hi marvi0
I am Dan - founder of Money Toolkit, so obviously my opinion is not impartial
You are absolutely right to question apps like ours, and I wish more people were more diligent in this resect.
The biggest barrier to using any third party financial app is trust. For a small start up like ours, theres a bit of a catch 22 thing. The best way for people to trust our app is to see others using it, which means having enough early trail blazers use it.
I hope you do read some of the pages on our site regarding security - we have gone to very great lengths to keep you in charge of your credentials.
But this is still only our word. Probably the best thing to help increase your confidence is to look on our get satisfaction pages - (we cant delete messages, so it is an open conversation). Also check the comments on the Android market, again we can't even respond as the developer (which can be frustrating).
I hope others do respond on here, though we only have 500+ active users, so I would be a bit surprised.
There will always be some nervousness committing to our app, ultimately you have to go with your instincts - most people who see our app don't go on to enter their details, which is a shame in my opinion (obviously), because those who do find our app really useful.
Any questions, just ask.
Cheers.
Dan.

I have installed it and it looks pretty good
I have my fingers crossed regarding the security

Thanks for your reply so does this app actually allow me to view my natwest account information?

marvi0 said:
Thanks for your reply so does this app actually allow me to view my natwest account information?
Click to expand...
Click to collapse
it does yeah
you get an overview and then when you click on the account it drills down into the transactions
you cant see direct debits etc
also i wish you could change the theme, the wooden effect is a bit yukky, lol
but it does the job fine
also you have to manually log out or the app will run in the background, and if someone picks up your phone they can see the bank funds etc

winwiz - thanks for that.
You are not alone a few people don't like the wooden theme, so we are thinking of changing that.
The idea was that it continues the web site theme of being a work bench - continuing to follow the tool kit idea! We also didn't want to look like another boring bank, but probably it doesn't work that well on the phones.
Regarding logging out - we keep you logged in on purpose, (it will time out after 5 minutes) it is really annoying when you accidentally go back too far or want to swap to another app and have to log back in. Perhaps we should make that another setting?
some people even choose to keep their password remembered, and rely on the phones own security.
Remember this is a READ ONLY app, there is absolutely no way anyone could transfer funds, or make any changes to your bank.
We've got some nice things planned, like categorising your sending and graphs etc.
So any feedback or ideas really welcome - especially on the get satisfaction pages
Cheers.

MTK-Dan said:
winwiz - thanks for that.
You are not alone a few people don't like the wooden theme, so we are thinking of changing that.
The idea was that it continues the web site theme of being a work bench - continuing to follow the tool kit idea! We also didn't want to look like another boring bank, but probably it doesn't work that well on the phones.
Regarding logging out - we keep you logged in on purpose, (it will time out after 5 minutes) it is really annoying when you accidentally go back too far or want to swap to another app and have to log back in. Perhaps we should make that another setting?
some people even choose to keep their password remembered, and rely on the phones own security.
Remember this is a READ ONLY app, there is absolutely no way anyone could transfer funds, or make any changes to your bank.
We've got some nice things planned, like categorising your sending and graphs etc.
So any feedback or ideas really welcome - especially on the get satisfaction pages
Cheers.
Click to expand...
Click to collapse
Hi Dan,
Thanks for the great feedback. I'd like the option to customise the background, or if this is not possible, a solid black background. The timeout option should be configurable so the user can set the timeout period!
I look forward to the updates

MTK-Dan said:
I am Dan - founder of Money Toolkit, so obviously my opinion is not impartial
...
Any questions, just ask.
Click to expand...
Click to collapse
Hi Dan,
Was just deliberating about using Money Toolkit and I had a couple questions. I've no knowledge in this area so please bare with me.
On the blog post here: hxxp://moneytoolkit.com/2010/09/secure-mobile-banking/
You said that:
"Yodlee then sells your bank data to the web site that you signed up".
Which I agree doesn't sound ideal - but they have to make money to be a sustainable business. How does money toolkit intend to make money? Which part of users financial details will be utilised to do this?
Secondly - regarding the security - the same blog post says:
"Not only would someone have to get access to your phone they would have to go to the same lengths as they would if they wanted to ‘hack’ into a bank, but they would have to do it three times!"
I presume that each location storing data can't login to the bank account in part. Instead a single server instance would have to login - requiring all 3 parts of the information to do so as banks usually randomise the questions asked. That presumption may be wrong however - but if it's correct does that mean a hacker could just hack that single server instance and intercept the traffic being sent to the bank?

You said that:
"Yodlee then sells your bank data to the web site that you signed up".
"but they have to make money to be a sustainable business. How does money toolkit intend to make money? Which part of users financial details will be utilised to do this?""
Click to expand...
Click to collapse
We point out the normal relationship with Yodlee because Yodlee is an independant third party, they are the entity that you end up having the biggest contractual relationship with, in fact you sign over power of attourney to them when you use a web site that uses their aggregation (read the small print).
Regarding Money Toolkit making money, so far we don't! Of course, as you point out, we need to, so we have two options - we will ask for 50p per month (for example), or we will offer good deals with companies we trust (generally not main stream banking companies), where we will make a commission, if we do that we will make the commission obvious and share it with the person taking the offer.
"Secondly - regarding the security...
...does that mean a hacker could just hack that single server instance and intercept the traffic being sent to the bank?"
Click to expand...
Click to collapse
Well your main assumptions is correct, but the reasoning not quite right. Firstly it is not just because of the random nature of the security questions that the three way split is valuable, but literally each part is utterly useless without the other parts, they are three parts of an encrypted file, which MUST come together before it is possible to decrypt.
The decrypted file (now only in volatile memory) then returns values to your phone and it is your phone which sends (over SSL) the right request to the bank, so they would have to breach our own SSL traffic (and custom encryption). Our IP's and the bank's are hard coded so a traditional man in the midle attack is ruled out. They would in effect, have to dupe you into downloading a dodgy Money Toolkit apk for this to be possible.
As you may know, the huge majority of security problems come from static data being discoverable (cd's and memory sticks left on trains for example). In our case the three seperate locations, including your phone make this kind of static data recovery, all but impossible.
However... you are right tht if someone managed to compromise the individual server that, at that moment (we have many), did that specific decryption: then if they were very smart, they might have the ability to detect your secure bank details. Though it would be almost imposible for that to happen and us not know about it. To alter our code and not have our systems detect the intrusion would be phenomenal.

MTK-Dan said:
so we have two options - we will ask for 50p per month (for example), or we will offer good deals with companies we trust (generally not main stream banking companies), where we will make a commission, if we do that we will make the commission obvious and share it with the person taking the offer.
Click to expand...
Click to collapse
Great, both options sound reasonable
MTK-Dan said:
they are three parts of an encrypted file, which MUST come together before it is possible to decrypt.
Click to expand...
Click to collapse
Neat, didn't realise.
MTK-Dan said:
The decrypted file (now only in volatile memory) then returns values to your phone and it is your phone which sends (over SSL) the right request to the bank, so they would have to breach our own SSL traffic (and custom encryption).
They would in effect, have to dupe you into downloading a dodgy Money Toolkit apk for this to be possible.
Click to expand...
Click to collapse
That at least does sound secure (without understanding it more) I suppose there may also be security issues beyond a dodgy .apk file if the Android device has been rooted - because I think that allows apps to work outside of their sandbox. Again, I don't know enough about that.
Thanks for the detailed answers, it gives me more confidence in the service.

aph5 said:
Great, both options sound reasonable
Neat, didn't realise.
That at least does sound secure (without understanding it more) I suppose there may also be security issues beyond a dodgy .apk file if the Android device has been rooted - because I think that allows apps to work outside of their sandbox. Again, I don't know enough about that.
Thanks for the detailed answers, it gives me more confidence in the service.
Click to expand...
Click to collapse
Is it possible to transfer money to whomever you want with this app?

[Q] NFC solutions

I'm not sure how slow or fast this technology will roll out, here in the States. Heck it could be 2014 before we actually get some common use out of it or it could be as early as 2012.
(Read up on NFC: http://en.wikipedia.org/wiki/Near_field_communication)
(Watch NFC: http://www.youtube.com/watch?v=49L7z3rxz4Q)
But in the meantime I was considering the soon to come NFC capable, micro SD Cards & using that in my EVO 3D & maybe the phone after .vs getting a phone I don't want (that has NFC) or an NFC sticker that has poor software interation.
I might never use it (much like my OG EVO's HDMI out cord) but I'm no stranger to being prepared.
One good thing about the EVO 3D is the card's location for this type of card, as I'm guessing its range will not be as good as a dedicated & integrated NFC solution but its location is set on the outermost region in the EVO 3D & not deeply slotted within the phone, which should help. Again, its just guesses as I haven't even seen or heard about this card actually being tested or what it uses for range, only that its in development.
Thoughts? Plans? Scoffs? Meh?

I have mixed feelings about this NFC technology. On one hand it is about as close to a voluntary national ID card type system that I can think of aside from credit/debit cards... and we already have and use those, so, this just eliminates that one last thing to carry. But either way the more use of this type of tech is taken up by the general public the less common cash will be...I'd imagine cash would probably be accepted as legal tender always...but then again, throw around the word terrorist a couple times in congress and where there is a will there is a way. Now any 'non-government-sanctioned' transactions will have a very clear and accessible trail....
....now, I'll take my tinfoil hat off and say it is cool. I do dig technology...but aside from cashless payment systems I don't see much valid use of this technology. Somebody please tell me what I'm missing? It doesn't seem too terribly cool, but, once again perhaps I am missing something.
It also sounds ripe for abuse and fraud. Sure, they can use mega-secure encryption and there will be a clear trail, but, if it was designed by man there is (usually) a back door, intentional or otherwise.
Someone please tell me what is so exciting that I am missing, surely there must be something?

daneurysm said:
Someone please tell me what is so exciting that I am missing, surely there must be something?
Click to expand...
Click to collapse
You got the main idea down (honestly what you posted will be some of the most commonly used functions of it) but it also goes a tad further,
Quoting the Wiki link here of just the few things NFC can do:
Social networkingNFC simplifies and expands Social networking options:
File Sharing: Tap one NFC device to another to instantly share a contact, photo, song, application, video, or website link.[6]
Electronic business card: Tap one NFC device to another to instantly share electronic business cards or resumes.[7][8]
Electronic money: To pay a friend, you could tap the devices and enter the amount of the payment.
Mobile gaming: Tap one NFC device to another to enter a multiplayer game.[6][9]
Friend-to-friend: You could touch NFC devices together to Facebook friend each other or share a resume or to "check-in" at a location.[10]
[edit] Bluetooth and WiFi ConnectionsNFC can be used to initiate higher speed wireless connections for expanded content sharing.[11]
Bluetooth: Instant Bluetooth Pairing can save searching, waiting, and entering codes. Touch the NFC devices together for instant pairing.[6][11]
WiFi: Instant WiFi Configuration can configure a device to a WiFi network automatically. Tap an NFC device to an NFC enabled router.[11]
[edit] eCommerceNFC expands eCommerce opportunities, increases transaction speed and accuracy, while reducing staffing requirements. A Personal identification number (PIN) is requried for payments.[7]
Mobile payment: An NFC device may make a payment like a credit card by touching a payment terminal at checkout or a vending machine when a PIN is entered.[7][6][12]
PayPal: PayPal may start a commercial NFC service in the second half of 2011.[13][14]
Google Wallet is an Android app that stores virtual versions of your credit cards for use at checkout when a PIN is used.[12]
Ticketing: Tap an NFC device to purchase rail, metro, airline, movie, concert, or event tickets. A PIN is required.[7][15][16]
Boarding pass: A NFC device may act as a boarding pass, reducing check-in delays and staffing requirements.[7]
Point of Sale: Tap an SmartPoster tag to see information, listen to an audio clip, watch a video, or see a movie trailer.[10][11]
Coupons: Tapping an NFC tag on a retail display or SmartPoster may give the user a coupon for the product.[10][11]
Tour guide: Tap a passive NFC tag for information or an audio or video presentation at a museum, monument, or retail display (much like a QR Code).[6][10]
[edit] Identity documentsNFC's short range helps keep encrypted identity documents private.[11]
ID card: An NFC enabled device can also act as an encrypted student, employee, or personal ID card or medical ID card.[11]
Keycard: A NFC enabled device may serve as car, house, and office keys.[11]
Rental Car and hotel keys: NFC rental car or hotel room keys may allow fast VIP check-in and reduce staffing requirements.[6][17]
Click to expand...
Click to collapse

Okay, all of those are extensions on the basic idea of what I thought it was...though much more clever and compelling I must say.
Okay...I'm on board. A lot of those uses seem like even going through the motion of 'tapping' would be a pain in the ass to do...but then I realized you would (like social networking sites) probably just set automatic (manually override-able) 'privacy defaults', 'proximity defaults' and 'dwell defaults' for checking in places, proximity auto-friending, game joining, contact transferal, etc.
Very interesting...also very scary, but, old fashioned 'privacy' might just be a thing of the past--though I would only sign up for a society like that if there was an equivalent amount of transparency in the operating of such a society, but, wiki-leaks and this administrations empty promises have already shown that to be nearly impossible to achieve through anything but empty lip service.
But I digress, aside from my idealism and cynicism being (once again) my stickiest of wickets, I think this has the potential to be really freakin' cool.

Cvs Pharmacy now accepts google wallet for payment. Our phones are already out dated... ha. Does anyone know if the photon has nfc?

aimbdd said:
Cvs Pharmacy now accepts google wallet for payment. Our phones are already out dated... ha. Does anyone know if the photon has nfc?
Click to expand...
Click to collapse
Did you even read any of the, what 4 (FOUR!??) other posts? One of them tells you everything you need to know to have your "way out of date" phone perform this simple function that is very likely buried in the phone somewhere, waiting for an update to open up...
...I doubt it costs all of $1 to enable this technology. It's like bluetooth but nowhere near as powerful....bluetooth chips are so cheap to make that they are thrown in on wifi stacks for free...ask any of us nook owners

Yeah It's an add on hence why I said what I said. Also that's SD nfc card Isn't available yet... Nor do we have pricing or a date for availability so what's your point? I never said It's "way out of date" no need to be so defensive.
Sent from my HTC Evo 3D.

aimbdd said:
Cvs Pharmacy now accepts google wallet for payment. Our phones are already out dated... ha. Does anyone know if the photon has nfc?
Click to expand...
Click to collapse
No. I haven't heard of any upcoming Android phones (aside from Samsung & Nexus related devices) that will have it, just that they will add it in the future.

aimbdd said:
Yeah It's an add on hence why I said what I said. Also that's SD nfc card Isn't available yet... Nor do we have pricing or a date for availability so what's your point? I never said It's "way out of date" no need to be so defensive.
Sent from my HTC Evo 3D.
Click to expand...
Click to collapse
Yeah, sorry about that.
I was just scanning the thread, read that post (of mine) and thought "what's that asshole's problem?" ... I don't know what the hell my problem was.
Sent from my Nexus S 4G using XDA App

Honestly I have no desire whatsoever to use this.

NFC= tool of the devil
Sent from my PG86100 using XDA App

Jay516 said:
NFC= tool of the devil
Sent from my PG86100 using XDA App
Click to expand...
Click to collapse
LOL, I'm guessing the "mark of the beast" will be NFC. I don't plan on sticking around for that.

I can't tell if you guys are being serious... NFC is the future, whether it's utilized well or not it'll still be a huge deal a couple years down the line. Google's only getting started with their implementation.
Cousin has a NS4G, has an NFC tag on his door to turn on WiFi, open up his remote notifier app, and turn his volume all the way down.
You may be thinking "Big deal Tasker could do it." but imagine anyone being able to do that from just a swipe, no configuring or anything. Just swipe your phone and you're automatically on a locked network.
I'm especially excited to see what smart companies can do with NFC for marketing.

Fadakar said:
I can't tell if you guys are being serious... NFC is the future, whether it's utilized well or not it'll still be a huge deal a couple years down the line. Google's only getting started with their implementation.
Cousin has a NS4G, has an NFC tag on his door to turn on WiFi, open up his remote notifier app, and turn his volume all the way down.
You may be thinking "Big deal Tasker could do it." but imagine anyone being able to do that from just a swipe, no configuring or anything. Just swipe your phone and you're automatically on a locked network.
I'm especially excited to see what smart companies can do with NFC for marketing.
Click to expand...
Click to collapse
You're right, it just depends on the speed of how its deployed & spread.
I'm hoping it spreads like wildfire & setups (much like your cousin's) become a common deal.
Serious, yes. The thread is just to touch people's stance (not everyone may like it was we do) on current plans & feelings for NFC, I plan to make a move the month the SD card solution becomes available.

[Q] Can someone develop an app for me?

Hi.
I am looking at getting a couple of Flyers for my small business, but I need something quite specific, so I am guessing I would need an app developed for me.
What I am looking for, is an app that I can use as a job sheet when on site.
It would need to have a template for the job sheet, with areas that I can enter text using the on screen keyboard.
It would also need to have tick boxes for several areas of the service work that has been completed.
Another thing that would be required, is the ability to automatically save to a specific folder on the SD card, using the job reference as a file name.
The final thing, and probably the hardest to implement, is an area for the customer to sign upon completion of the work.
Is this possible, and would anyone be interested in helping out with this?
I think that if the template could be inseted into the app using either an image file, pdf, or some other file type, the app could be valuable to many people considering using a device like the Flyer for work.
If somebody could get an app developed in this way, we would be able to pay something towards it.
Thanks.
Steve.

stabloid said:
Hi.
I am looking at getting a couple of Flyers for my small business, but I need something quite specific, so I am guessing I would need an app developed for me.
-snipped-
Click to expand...
Click to collapse
Can I ask a few questions...
1. Why an app specifically for the Flyer? Would a web/cloud app do?
Given that you could save to a cloud database rather than an SD card, this would have certain advantages. If this doesn't work for you, I'd be interested to know why not.
Though question 2 might do it.
2.a I get why you may want a customer to sign a screen with a pen as per the Flyer platform. Could they use Evernote to do the signature?
2.b If Evernote would suffice for the signature, why not just use an Evernote form. for the whole app. (Google 'Evernote Form' for details)
3. Personally, I advise avoiding "signing" tablet devices (like delivery pads). The potential identity theft and data protection risks from recording and storing handwriting make me shudder.
A better form of authorisation (imo) would be to complete the form, email a PDF to your client, and have the client reply back to authorize. This is better because the client's email server and your email server will both have a legally enforceable record of the transaction.
I'm interested in your view of this.
Hope that helps

I will have a look at the suggestions you made.
The reason we're looking for this app, is to replace our job sheet books, which we take on site with us.
Being able to use the flyer instead, will save us a lot of money over a 2 year period, and would be more convenient than a paper book, which becomes dog-eared, and I am able to print off multiple copies if required, or email it direct to the customer.
We tend to deal with commercial establishments, such as care home groups, so we could streamline the whole process.
With regards to the whole identity theft thing, we don't take any details from people other than name & signature, and we never have any access to home addresses, credit cards, or bank details. Like I say, we bill head office, and they send a cheque, or use direct bank transfer.
I will try and post up a copy of one of our sheets, so you can see the layout we currently use.
Are you able to help develop an app, or are you just trying to help me find a different way to acheive my goals?
Cheers.
Steve.

There is a possibility that I could develop such an app. I would like to see a copy of the work sheet you currently use. I cannot commit myself to it right now though. If no one else picks it up in a few days, I'll try to carve out some time for it.

Thanks.
No major rush.
We don't have the Flyers yet.
I think I would prefer an app, as it is less messing around.
Cheers.
Steve.

stabloid said:
-snip-
Are you able to help develop an app, or are you just trying to help me find a different way to acheive my goals?
Click to expand...
Click to collapse
My interest is in web-based mobile apps rather than os-based mobile apps. The difference being that web-based is browser only, whereas os-based runs on your device. What you've asked for here is, ostensibly, an os-based app - what I think you want is a business solution.
Right now, there is a lot of pressure, from the marketing side of the software industry, to build os-based mobile apps. Personally, I challenge the long-term commercial viability of this - because it will not fulfill customers (i.e. your) goals.
My concern is with the total cost of ownership. The bug fixes, version upgrades, and general long term viability are a 10:1 factor in favour of web-based rather than os-based. In this I'm referring only to custom/bespoke business applications not mass market targets.
(However, in your case, as you want to take your job books on-site, you may have to work without an internet connection and this means you have to go os-based.)
Forgive me if this all seems a bit esoteric.
Short answer, if you want a web-based mobile app, yes I can help. PM for details.
But... I suspect the costs to build/host could come as a bit of a shock. Your posts imply that you'd have a handful of users. To get major cost benefits you'd have to have 100's of users - and I think this would apply wherever (web or os) the app was targeted.
From what you've said, and guessing at your budget, getting someone to simply put your form into Evernote would be your likely best course of action. Sorry, I can't help with this.
(Evernote is the free Notes app that comes pre-installed with the Flyer. I've no affiliation, though I am a user.)
Trust that is all of some use.
Regards

You make some good points mate, and I can see the benefits of all solutions.
However, as you say, with taking the Flyer on site, we do end up in "dead-spots", and this would just cause huge problems.
I was considering getting the wifi version for us, and using tethering from our phones for data when required.
If it can all be done in Evernote, then that may be an option.
The reason I would like sd card usage, is so that I can review job sheets at any time.
I would like to run a full system for job sheets, invoicing, etc. but that would just be too costly.
I think VNC to connect to the office PC would be best option for invoicing.
There are currently only 2 engineers, and we would just like a nice clean simple solution to the job sheet problem, and the Flyer seems like it could be perfect.
It would replace diaries, job books, notepads (pen & paper), sat-nav, and looks nice and professional when you are on site.
Cheers.
Steve.

Xiaomi Security issues.

Xiaomi Security issues. Xiaomi firmware has multiple backdoors So I've basically got myself in this sh*t because lack of care.. Until it pop'd and hit the highlights.
And now straight to the point. It doesn't f*ckin matters if you had a fw or not. As the backdoors are embedded in ROOT system processes.
And those where obviously white-listed as i didn't think of a nasty Chinese guy sitting in it calling back home. My friend who got the same phone found the article as i was having my vacation for a bit, so when i found out i did a bit a research of course on my device. After finding all this i e-mail'd him it and he posted it on the Xiaomi European forums. Guess what happened, it got deleted. So they know damn good what they're doing.
Quote:
When you purchase Xiaomi products or services, we’ll collect relevant personal information, including but not limited: delivery information, bank account, credit card information, bill address, credit check and other financial information, contact or communication records.
Quote:
Originally Posted by OP
Music app(?) connects to:
202.173.255.152
2012-12-01 lrc.aspxp.net
2012-12-01 lrc.feiyes.net
2012-12-01 w.w.w.616hk.com
2012-12-01 w.w.w.hk238.com
2012-12-01 w.w.w.lrc123.com
123.125.114.145
2013-11-27 tinglog.baidu.com
1/53 2014-07-02 12:51:01 hxxp://tinglog.baidu.com
Latest detected files that communicate with this IP address
Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.
3/43 2014-07-08 07:39:24 facb146de47229b56bdc4481ce22fb5ec9e702dfbd7e70e82e 4e4316ac1e7cbd
47/51 2014-04-28 09:25:27 091457f59fc87f5ca230c6d955407303fb5f5ba364508401a7 564fb32d9a24fa
24/47 2014-01-08 08:19:43 3cf0a98570e522af692cb5f19b43085c706aa7d2f63d05469b 6ac8db5c20cdcd
21/48 2013-12-02 15:15:45 7e34cb88fc82b69322f7935157922cdb17cb6c69d868a88946 8e297257ee9072
19/48 2013-12-01 20:02:32 bce4bd44d3373b2670a7d68e058c7ce0fa510912275d452d36 3777f640aa4c70
Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
1/53 2014-07-02 12:47:57 hxxp://dev.baidu.com/
Android-system ANT HAL Service(Framework_ext.apk/jar) connect to:
42.62.48.207
VirusTotal's passive DNS only stores address records. The following domains resolved to the given IP address.
2014-04-28 app.migc.wali.com
2014-07-12 app.migc.xiaomi.com
2014-05-30 gamevip.wali.com
2014-05-30 log.wlimg.cn
2014-04-21 mitunes.game.xiaomi.com
2014-04-30 oss.wali.com
2014-05-17 p.tongji.wali.com
2014-07-13 policy.app.xiaomi.com
Latest detected URLs
Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
1/58 2014-08-13 07:10:49 hxxp://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php
1/58 2014-08-10 00:46:35 hxxp://policy.app.xiaomi.com/
1/53 2014-07-02 12:49:59 hxxtp://oss.wali.com
Messages(Mms.apk) connect to (it literary calls back home)
54.179.146.166
2014-08-12 api.account.xiaomi.com
2014-07-26 w.w.w.asani.com.pk
What it does? It sends phone numbers you call to, send messages to, add etc to a Resin/4.0.13 java application running on a nginx webserver to collect data. Checkpackages, embedded system process/app posts all installed apps to a Tengine a/k/a nginx webserver cms.
URL: hxxtp://api.account.xiaomi.com:81/pass/v3
Server: sgpaws-ac-web01.mias
Software: Tengine/2.0.1 | Resin/4.0.13
URL: hxxp://policy.app.xiaomi.com:8080/cms/interface/v1/
Server: lg-g-com-ngx02.bj
Software: Tengine | Resin
Bottom line
They don't give a single damn about your data.. All sent in plain text.
For messages APK (Mms.apk)
I don't believe it needs those permissions for normal functionalities, this is only for the extra feature let's call it bug.
android.permission.SEND_SMS_NO_CONFIRMATION
android.permission.GET_ACCOUNTS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_NETWORK_STATE
android.permission.CHANGE_NETWORK_STATE
android.permission.INTERNET
miui.permission.SHELL
android.permission.GET_TASKS
android.permission.CAMERA
Some code ... i also attached java classes and smali dalvik jvm bytecode..
Code:
RELATED
http://apkscan.nviso.be/report/show/...0b623da712918f
http://lists.clean-mx.com/pipermail/...14/072661.html
OTHER SOURCES
http://www.newmobilelife.com/2014/08...-china-server/
http://www.htcmania.com/showthread.php?p=14730859
Main post and more info. All credits go to the OP
http://forum.xda-developers.com/gene...oords-t2847069

zelendel said:
Xiaomi Security issues. [/URL]
Click to expand...
Click to collapse
dude that is sooo old cheese already. you really seem to have a personal problem with xiaomi?
go read a bit:
http://www.cnet.com/news/xiaomi-makes-cloud-messaging-opt-in-amid-privacy-concerns/
http://www.androidcentral.com/hugo-barra-responds-xiaomi-privacy-concerns
Xiaomi has added encryption to the communication in an updated firmware, and the cloud service is now opt-in.
while i will say that unencrypted transfer is uncool, most of the stuff transferred (or actually all) has to do with their cloud service.
Apple & Google are doing the same stuff, i bet you Samsung does also.
so what is the big deal here? that it was not encrypted? or that it sends something in the first place?

linr76 said:
dude that is sooo old cheese already. you really seem to have a personal problem with xiaomi?
go read a bit:
http://www.cnet.com/news/xiaomi-makes-cloud-messaging-opt-in-amid-privacy-concerns/
http://www.androidcentral.com/hugo-barra-responds-xiaomi-privacy-concerns
Xiaomi has added encryption to the communication in an updated firmware, and the cloud service is now opt-in.
while i will say that unencrypted transfer is uncool, most of the stuff transferred (or actually all) has to do with their cloud service.
Apple & Google are doing the same stuff, i bet you Samsung does also.
so what is the big deal here? that it was not encrypted? or that it sends something in the first place?
Click to expand...
Click to collapse
First off do I have issues with them? Sure most here do but that is a whole other matter.
This was brought to attention by another user. Had you read the post you would have known that.
The fact that they record your bank account info is cause for further investigation.
I just posted it here for users to know and look into. In the end it doesn't matter to me as Ill never use their device or OS.

Ok I get it. No discussion will come of this. Apple is doing the same and that's all right since they are 'mericans. Totally cool.
Sent from my MI 3W using Tapatalk

linr76 said:
Ok I get it. No discussion will come of this. Apple is doing the same and that's all right since they are 'mericans. Totally cool.
Sent from my MI 3W using Tapatalk
Click to expand...
Click to collapse
No it's not. If we were and iOS forum. Then we would be calling them out as well.

Same issue, blocked me in MiUi forum!
zelendel said:
No it's not. If we were and iOS forum. Then we would be calling them out as well.
Click to expand...
Click to collapse
I had noticed the same security issues and data leaks by Xiaomi device (note is not just MiUi but whole system) and showed them proofs, even wrote to Hugo but just after seeing my proofs they blocked me in their forum. I do use MI3 but miss the resources they have in forum. Anyway, I am just using the device without DATA or firewall app if need DATA. Hope they had played fairly with users.
Problem is deeper than this. The users instantly start screaming any one who says this mobile has security leaks (e.g me) ad asks for proofs, once I post the proofs they dont accept it and raise as whole but they get their own way to download resources from MiUi forum. I am alone but I wont surrender.

For sure they'll upload ur info. For purpose.

pkb_always4u said:
I had noticed the same security issues and data leaks by Xiaomi device (note is not just MiUi but whole system) and showed them proofs, even wrote to Hugo but just after seeing my proofs they blocked me in their forum. I do use MI3 but miss the resources they have in forum. Anyway, I am just using the device without DATA or firewall app if need DATA. Hope they had played fairly with users.
Problem is deeper than this. The users instantly start screaming any one who says this mobile has security leaks (e.g me) ad asks for proofs, once I post the proofs they dont accept it and raise as whole but they get their own way to download resources from MiUi forum. I am alone but I wont surrender.
Click to expand...
Click to collapse
I don't think the phone is released in Europe yet? So if you have problem with the software,flash with your own OS build or use another phone. The government tried to push everyone using true identity in case there is any cyber crime happens. Plus, did CIA,NSA or any government agency tell you when they search through your personal data? I doubt.
Sent from my HTC One using XDA Free mobile app

xiaohan said:
The government tried to push everyone using true identity in case there is any cyber crime happens.
Sent from my HTC One using XDA Free mobile app
Click to expand...
Click to collapse
And you believe that?

zelendel said:
And you believe that?
Click to expand...
Click to collapse
Hey,who case,I don't have porn on my phone ,nor any illegal stuff stored. If u don't have something don't want to be touched,keep it in physical format and never get connected.
Sent from my HTC One using XDA Free mobile app

xiaohan said:
I don't think the phone is released in Europe yet? So if you have problem with the software,flash with your own OS build or use another phone. The government tried to push everyone using true identity in case there is any cyber crime happens. Plus, did CIA,NSA or any government agency tell you when they search through your personal data? I doubt.
Sent from my HTC One using XDA Free mobile app
Click to expand...
Click to collapse
What? Brother I am from India. To clear my situation more My banker sends me a highly secured one time password through message each time I try to access their online services. Now this MI3 is leaking (have proofs) and redirecting SMS (with one access notification which is not clear enough) its a security breach and case of international cyber crime. But in India, politicians has nothing to do with such issues, officers have "more important" things to do and Banker said me to change my mobile. So such is the case when you are in not developed country. Here even if some gets killed then police comes after all has been settled down let alone a security breach. It just and just a very "minor" or not an issue at all.

pkb_always4u said:
What? Brother I am from India. To clear my situation more My banker sends me a highly secured one time password through message each time I try to access their online services. Now this MI3 is leaking (have proofs) and redirecting SMS (with one access notification which is not clear enough) its a security breach and case of international cyber crime. But in India, politicians has nothing to do with such issues, officers have "more important" things to do and Banker said me to change my mobile. So such is the case when you are in not developed country. Here even if some gets killed then police comes after all has been settled down let alone a security breach. It just and just a very "minor" or not an issue at all.
Click to expand...
Click to collapse
You know once you use a public service ,there is no privacy right? People can spy on you using your cellphone,not even a smart one and listend to whatever youare talking about next to your phone even it's off as long as the battery is not taken off. What does this mean to your bank's highly secured one off password for your online banking?
Just use another one if you are not happen with it. E.g. iPhone which slightly record your real time geo information since iOS7 update without telling the users and even theIR staff don't know anything about it.
Sent from my MI 3C using XDA Free mobile app

xiaohan said:
You know once you use a public service ,there is no privacy right? People can spy on you using your cellphone,not even a smart one and listend to whatever youare talking about next to your phone even it's off as long as the battery is not taken off. What does this mean to your bank's highly secured one off password for your online banking?
Just use another one if you are not happen with it. E.g. iPhone which slightly record your real time geo information since iOS7 update without telling the users and even theIR staff don't know anything about it.
Sent from my MI 3C using XDA Free mobile app
Click to expand...
Click to collapse
Have your heard of "boiling water and frog's" story? I already said we dont raise our voice against such crimes adjust ourselves saying "ohh very minor", "doesnt affect me much" or "others do it too". Just show me that Apple's product steals your SMS and I will agree with you, if you cant then either raise your voice with me or just get boiled like a frog in adjusting.

This is a technology forum, politics problem is not interested here I guess. Surely, sending sensitive data back to the server initially was suspicious,but the security issue has been patched,if you have a lot of security concern, don't use a smart phone.
Sent from my HTC One using XDA Free mobile app

I use a Mi3 in India
Well if you're online chunks of your data is always going places you don't know. AFAIK, India too has a PRISM like setup and your calls, call logs & SMS are stored. No idea how much data is shared by companies. Seems like people believe that only in US & Europe you're data is used without your knowledge.
The US based companies came public on data collection thanks to Mr.Snowden only.
Last week a US court ordered Microsoft to disclose data in their servers in Europe.
If you're concerned about privacy don't use smartphones. Or don't use a phone at all. Safest way keep your privates stuff private. Don't save those nude pics on phone or cloud or anything connected. Use long complex passwords, encrypt.
Sent from my MI 3W using XDA Free mobile app

ramanvemman said:
I use a Mi3 in India
Well if you're online chunks of your data is always going places you don't know. AFAIK, India too has a PRISM like setup and your calls, call logs & SMS are stored. No idea how much data is shared by companies. Seems like people believe that only in US & Europe you're data is used without your knowledge.
The US based companies came public on data collection thanks to Mr.Snowden only.
Last week a US court ordered Microsoft to disclose data in their servers in Europe.
If you're concerned about privacy don't use smartphones. Or don't use a phone at all. Safest way keep your privates stuff private. Don't save those nude pics on phone or cloud or anything connected. Use long complex passwords, encrypt.
Sent from my MI 3W using XDA Free mobile app
Click to expand...
Click to collapse
It is known all countries do this. This issue is what these country the info goes to.

Hey,if you have problem, don't use it. Not posting any xiaomi product forums, I guess you don't own all the models you posted in the forum to.
I believe people come to here are not idiot. You mentioned the OS has issue you have concerns is enough, people make their own judgement and decisions.
Sent from my HTC One using XDA Free mobile app

Been a national news for us android lovers here in Indonesia. Luckily enough, i never bought their products (quite popular here). OP, you sounds like you're really against Xiaomi, though. You ever been in something with them?

Xiaomi is an arrogant company. Until now they have not released the kernel for mi3 despite of Barra's commitment. All their forum threads so stupid like "give ideas and win bunny" "give suggestions and win a fcking phone". MIUI will never ever ever get stable. It follows iOS design principles. When I gave a negative feedback, I was banned from miui forum. Freakingly selfish mindset stupid copycat company.
Sent from my MI 3W using XDA Free mobile app

jothiprasad1984 said:
Xiaomi is an arrogant company. Until now they have not released the kernel for mi3 despite of Barra's commitment. All their forum threads so stupid like "give ideas and win bunny" "give suggestions and win a fcking phone". MIUI will never ever ever get stable. It follows iOS design principles. When I gave a negative feedback, I was banned from miui forum. Freakingly selfish mindset stupid copycat company.
Sent from my MI 3W using XDA Free mobile app
Click to expand...
Click to collapse
Kernel Source has been realeased today
https://github.com/mi3-dev/android_device_xiaomi_cancro
https://github.com/mi3-dev/android_device_xiaomi_msm8974-common
https://github.com/mi3-dev/proprietary_vendor_xiaomi

Google monitoring our network activity

When I connected to the colleges wifi this morning I noticed a little message when I used wifi assist, I'm starting not to trust Google anymore or seems like they are shooting on us more and more each day

It's like 15 years ago and we're all suspicious of what they do.
I won't even mention Project Fi, but have you read any of Google's data disclaimers?

Can you not turn it off? It's likely just a Google VPN. They probably decided this is preferable to the alternative of letting average users connect to an open WiFi with SSID "Starbucks" that's actually someone running a WiFi hotspot in their car in the parking lot

LOL,
---------- Post added at 06:40 PM ---------- Previous post was at 06:38 PM ----------
LOL, I am neither scared or ashamed of anything Google knows about me. In the end whats it worth?

popper668 said:
LOL,
---------- Post added at 06:40 PM ---------- Previous post was at 06:38 PM ----------
LOL, I am neither scared or ashamed of anything Google knows about me. In the end whats it worth?
Click to expand...
Click to collapse
I dont mean to turn this into a big discussion but to answer your question, the data has value. In the book 1984 there were "telescreens" everywhere (devices that work as TV & camera. Sound familiar?) The point is there isnt always someone spying on you. BUT there COULD be at any given time. And when people think theyre being watched they generally behave different.
Just another way of looking at it. Because I think most people believe the way you do--theyre not breaking laws so they have nothing to hide. Its a low bar in terms of privacy which should be everyone's right.

KLit75 said:
I dont mean to turn this into a big discussion but to answer your question, the data has value. In the book 1984 there were "telescreens" everywhere (devices that work as TV & camera. Sound familiar?) The point is there isnt always someone spying on you. BUT there COULD be at any given time. And when people think theyre being watched they generally behave different.
Just another way of looking at it. Because I think most people believe the way you do--theyre not breaking laws so they have nothing to hide. Its a low bar in terms of privacy which should be everyone's right.
Click to expand...
Click to collapse
I understand, consider Google as data trade off, give and take.
You supply data to improve their services, pedestrian data, locations, etc,
They provide you the same data although compiled and applied, when you open google maps for example, and ask for directions.
The data you provide to them is not "personal" per se, but used to improve general services which every user uses and accesses.
You can always stop it.

I don't feel like this should be a surprise to anyone. Google is Google. Their data collection isn't exactly a secret. It would be naive to think the services they provide don't collect at least some data on you in some form. At the end of the day, I do value and enjoy what they provide me. I personally don't mind trading some of my privacy for it. But I do acknowledge what they are doing and I don't pretend like they're providing all these services for free because they're nice.

"Oooooh, google is monitoring my network activity. Here, let me put my all life in Facebook."

This is old news! A concern might be the intrusive big bro gov cia, nsa, fbi, hs, etc...

MidnightDevil said:
I understand, consider Google as data trade off, give and take.
You supply data to improve their services, pedestrian data, locations, etc,
They provide you the same data although compiled and applied, when you open google maps for example, and ask for directions.
The data you provide to them is not "personal" per se, but used to improve general services which every user uses and accesses.
You can always stop it.
Click to expand...
Click to collapse
I wasnt implying this specific case was grounds for outrage. My concern is people dont fully grasp that information is power and despite that theres a growing attitude of nonchalance . Sure you can turn it off here but you have to care, and to care you need to be informed. I dont mean purposely trading data for access to apps, features or helping to improve services. Thats different.
Id also point to the story (which should've been huge) from just a couple weeks back. Yahoo willingly allowed state sponsored hackers to access millions of user accounts. None of the customers were aware, neither the well informed nor the ones who care. And my biggest grievance with this is its not quite the breaking news it should be. The fact that many would consider me paranoid or a conspiracy theorists because this disturbs me is the most concerning part.
***I dont really mean xda members since they seem to be more knowledgeable about privacy. But the general population isnt really catching up.

Here's a link to what they mean by this message.
https://support.google.com/nexus/answer/6327199?hl=en

The only thing Google collects through Wi-Fi assist is location and ssid/bssid. If you actually researched this stuff you are so worried about you would be a lot more concerned with what your phone carrier does with your data than Google any day of the week...
Sent from my Nexus 6P using XDA-Developers mobile app

Bounty44 said:
The only thing Google collects through Wi-Fi assist is location and ssid/bssid. If you actually researched this stuff you are so worried about you would be a lot more concerned with what your phone carrier does with your data than Google any day of the week...
Sent from my Nexus 6P using XDA-Developers mobile app
Click to expand...
Click to collapse
Well i guess that is true but i've seen a lot of research about google and they collect everything... like the average google phone user, they let google acces to all their information/location... specailly with all those people that keep everything on like GPS. But its the same with Windows or Facebook, all those privacy settings that are by default on. Its all about the money and control over the masses... also for NSA/FBI/CIA very handy.... its not that weird to know that they have access to all those systems if they need to, thats no secret. It's all about if you got nothing to hide... everybody has something to hide. I keep tabs on all my privacy settings of all my apps as far as i can go. I accept certain privacy breaches but thats ok, thats the world we live in and i accept that. The same with people that dont mind all those freaking ads on their phone and websites..... for me mind boggeling. Especially here on xda forum, people that keep everything stock with no adjustments... first thing for me is that adaway has to work....
Here in The Netherlands, we have laws for ISP's and phone carriers, they collect but cant use it for other purposes then for criminal justice orders. Google has no laws to ibide here in Holland, they can collect en use your data unrestricted.

rayraycarter4 said:
When I connected to the colleges wifi this morning I noticed a little message when I used wifi assist, I'm starting not to trust Google anymore or seems like they are shooting on us more and more each day
Click to expand...
Click to collapse
Its a VPN that Google provides on open WIFI Hot spots in order to ensure that your data is not being being intercepted while you're connected to that network. I have project fi and thats one of the benefits of the service, and also because a good portion of the service relies on silently connecting to google approved wifi host spots all over the country. In order to ensure your data is not at risk, because all someone would need to do is create their own wifi hotspot with the unique name that google uses and they could steal info from anyone who happened to connect to their base. As long as they forward you to the internet while the connection is active then you wouldn't even notice there was anything wrong. Google is the most benevolent corporation on the planet. I highly doubt that anyone need worry about any data they collect as I'm sure its all being used for the purposes of trying to provide new technology based on what the consumer wants and at a price that makes you wonder how they are still the top technology company in the world because they surely have to be losing money with the prices they charge for their goods and services.

So you're connecting to an open wifi AP and you're scared about your privacy?
You do know that your connection to the AP is unencrypted and by that fact, people have been spying on you for ages?
That's what I do regularly when I go in hotels and I'm bored because there's nothing on TV.