Hi Guys,
What is your opinion: do you think that today's Android smartphones are as vulnerable to the virus threat as, for example, our PCs, so that we should all run a dedicated program in order to cope with that?
I don't use any. If you don't download any pirated apps from untrusted sources, you should be safe; however, no guarantee. Install it if you need it for peace of mind.
I use LBE Privacy Guard, so every time I install an app, I can see what it accesses and block it accordingly. For example, many games want direct access to calls and sending SMS, which I block with LBE. As far as protection goes, I think this is probably the safest bet for Android.
Maybe scanning apps you install could be a good start, but I don't think having an antivirus running all the time is really beneficial; attacks on such devices are possible but rare compared to those on computers (related to the fact of using the 3G network).
Like most users here, I again say it is really unnecessary to run an antivirus unless you install new apps or anything.
LBE, on the other hand, is a good start for checking what apps can do.
I would say not yet, but keep an eye on the future.
jje
Hi all
I am currently in the planning stages of developing a root security system for Android.
As everyone knows, there are security implications to rooting your phone etc. Until now, I have used the normal means of controlling this (lock security, disabling ADB, Superuser.apk whitelist), but this is of limited help if someone physically gets hold of your phone (while unlocked or ADB enabled).
There are a few things I would like to implement, and would like to gather some feedback on whether:
a) It will be of use to anyone but me, and
b) If anyone has any input as to the feasibility (or has done any such work in the past)?
There are 3 areas I would like to lock down, somehow. It will not perfect the security, but will go a long way toward improving the overall security on rooted devices. I have not done much research as yet, so some of this may be impossible. These are:
1) CWM recovery: Currently, CWM (and other recovery/pre-android resources) can be used to bypass almost anything you put in place to secure your phone. I would like to implement a password/passcode on CWM to lock out unauthorised changes. My personal preference would be to store this in /data somewhere it would be removed on wipe, and leave the option to wipe without passcode (so you don't end up with a brick if you forget the password), but lock out all security-sensitive operations like flashing. That way, someone could get to recovery, but would have to wipe data to be able to do anything useful without authorisation.
2) ADB: Currently, even if your phone is locked you can get access to everything through ADB. The only way I currently see to do anything about this is to disable ADB when you are not using it, but this is irritating when you use it as much as I do. What I would like to do instead is either force a popup from Superuser.apk to grant root every time you connect, or implement a password which must be entered on connection. Both could be problematic, but I think forcing a confirmation (or even a check if the dev is unlocked) would be most useable, but my knowledge is limited here. It may be that neither method is practical and disabling ADB is the only practical solution.
3) Superuser.apk: Everyone knows they should have security set up on their phones and not leave it lying around unlocked, but some don't like the hassle and most will occasionally forget to lock it. I would therefore like to implement security on Superuser.apk to stop (at least) new apps from acquiring root. This is the least important IMHO, but would be a further step towards improving security.
So, what does everyone think?
Questions or Problems Should Not Be Posted in the Development Forum
Please Post in the Correct Forums & Read the Forum Rules
Moving to Q&A
lufc said:
Questions or Problems Should Not Be Posted in the Development Forum
Sorry. I posted in Dev because this is the beginning stages of some development I plan to do, but fair enough.
I can only really answer the first question... I would be interested in something like this. I've actually taken an interest in mobile security recently, but I've constrained myself to existing products like avast and PDroid to give me some extra protection. When it comes to hardening these other components... I don't know enough about stuff at that level. But I would dig it.
Things like avast handle some things, like disabling debug if you remotely lock it. But it wouldn't solve things like securing CWM if the person simply reboots into recovery.
How do you disable ADB now?
please, do it!
drmouse81
As a poor ex-owner of a lost Samsung Galaxy Ace, I would love to have a password-protected CWM recovery ... this would probably have saved my device (and have back my loved photos!)
My device was operator-locked, SIM was PIN-protected, screen was locked by pattern ... I rang my lost mobile, a taxi driver answered ... spoke with him ... asked him to return my phone; I was offering a reward. He laughed a lot!
Yes, there are apps to locate your terminal, ring loud, etc. But none solves the basic problem of someone that wipes the phone, puts a new bootloader, etc.
Most people do not know that IMEI blocking only works in the home country of the SIM operator.
On the other hand, there were a lot of past discussions on this topic, but many people seem not to see this as feasible.
If you find a way to solve this, I am sure you will make a lot of money with companies who are looking for a real solution to information loss on mobile devices.
Requirements: phone should be not functional. thieves would be able to use them only for spares ...
a) require password to make changes to bootloader / wipe (that is, recovery is also blocked)
b) encryption of user data (even in SD)
c) allow to swipe a new SIM, provide pin of the SIM, then block the phone but send SMS with new number and location. Show on screen customizable message (such as -- this phone is property of xxx and has been lost/stolen -- please contact owner at xxx or hand it to police --- )
Is this possible? Why did previous discussions shut off this topic?
Best luck - would love to be guinea pig for this ...
CTone.
www dot cyanogenmod dot com slash blog slash security-and-you
Hi
I stopped posting here for a couple of reasons, the main one being I have been too busy. I'm still planning to take this on, but it may be a while.
The other problem is that, although it will help, it will not secure the device completely. There will always be ways around it. Manufacturer supplied tools will still bypass it.
As for your phone, did you contact the police? Knowing the taxi driver answered, they should have been able to get it back, or at least prosecute the b#####d!
Sent from my MB860 using xda premium
You actually have a really valid and practical idea...
Have nothing to contribute here, just want to encourage you...
:thumbup:
If personal life does permit you, please do consider working on this
Typed using a small touchscreen
You have got the Android phone and have all your personal data stored in that which includes your passwords and all personal information which is too sensitive. Just like you think your Android phone is a precious belonging to you, same is the case with the data it holds. So what if your phone is stolen or hacked by someone or it is lost?
Each day, you like some app and try to get it for your Android phone. Well that is nice but even that lets your security to lose a bit of ground. To secure your Android phone’s data, you need to have a good knowledge about enhancing the security options. Also, you got to implement some things that shield you in the times when you can get your data to fall in some stranger’s basket. Learn how you secure it.
1. Use SE Android OS
When you get some app downloaded to your phone then you give it some or more access as well. This lessens your security. To help you, the National Security Agency (NSA) has created a new SE Android OS. This is a version of Android OS which is much more secure and locks your phone and data exploitation by the unknown.
2. Lock your Android phone
You can lock your Android phone by setting a passcode. To do so, go to the ‘settings menu’ and tap on ‘location and security’. You will see there an option to ‘set unlock pattern’. By locking your phone properly none can use it without your prior permission and your data stays secured and intact.
3. Advanced security options
MobileDefense, TenCube and WaveSecure are few good advanced security options that you can choose from. If you lose your phone or it is stolen away then in that case you get an option to wipe off all the personal data by using these kinds of app only.
4. Apps that secure your Android phone
Get your Android phone protected from web intruders by selecting powerful anti-malware apps like Lookout. With such an app you can be rest assured that your security will remain intact when you are browsing, using your Android phone.
5. SIM card lock
In an addition to the prior phone lock mentioned in this article, you must choose for a SIM card lock by setting up a PIN code. This will secure all your contact information and the data usually stored in a SIM.
6. Third party protection
Programs and software like AVG, Norton, Trend Micro help you in securing your data in various many ways. It is better to get the premium protection cover rather than going for the free ones because a premium one provides you with a complete protection cover.
7. Full device backup
There are apps like Titanium Backup which can help you in getting a clone or backup of your phone onto the hard disk of your computer. In the case of theft or severe physical damage to your phone, backup helps you to get everything as it was.
8. Dropbox
Dropbox is cloud storage software which works with Android OS and then gives you complete access over your data on the go. One has to sign up for a Dropbox account and then save all essential and needy files in it. Without a Dropbox, you cannot think of the backup of your data.
9. How Google helps in securing
When you have an Android phone that means, everything you use from an email to apps and contact information; all this stays with your [email protected] account and address. Simply add that to your new phone and import everything from there to the new device.
10. Secure data with AndroidLost
Go to the Android Market and search there for AndroidLost. When you find this application, install it to your Android phone (this is free for all Android gadgets and devices). By logging in with your Google account to the AndroidLost website you have full command over your data, even when the phone is not with you.
11. MY XPERIA
If you happen to misplace your Xperia™ device, the my Xperia service helps you to find it and protect private information by locking your device or even deleting all information on your device. The my Xperia service is offered by Sony Mobile Communications free of charge.
The my Xperia service uses the Google account on your device. If you are using several Google accounts on your device, you can sign in with any of them. You can connect several devices to my Xperia, using the same Google account.
For the my Xperia service to work, your smartphone or tablet must be turned on and has to have a working data connection.:angel:
Nice tips to get a bond phone
Can u elaborate first point??
drsanket_xperia_u said:
Nice tips to get a bond phone
Can u elaborate first point??
defn by wiki-
What is SE for Android?
Security Enhancements for Android™ (SE for Android) is a project to identify and address critical gaps in the security of Android. Initially, the project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps and in order to enforce separation guarantees between apps. However, the scope of the project is not limited to SELinux.
SE for Android also refers to the reference implementation produced by the project. The current reference implementation provides a worked example of how to enable and apply SELinux at the lower layers of the Android software stack and provides a working demonstration of the value provided by SELinux in confining various root exploits and application vulnerabilities.
hope it helped....
Is there an easy way to see if your phone is getting hacked/virus? Like a tool. Because sometimes after 2-3 months my phone becomes slower and slower (need to reflash it again) and I use the phone just on a daily basis for things like calls, internet, messaging.
noel_din said:
Is there an easy way to see if your phone is getting hacked/virus? Like a tool. Because sometimes after 2-3 months my phone becomes slower and slower (need to reflash it again) and I use the phone just on a daily basis for things like calls, internet, messaging.
it shouldn't happen if rooted use avast security..:angel:
C00ldUdE8655 said:
it shouldn't happen if rooted use avast security..:angel:
rooted use avast security? protect with avast you mean? i do that, but my sola will slow down to the point i want to hit a wall with it :laugh:
Great tips man...like it
Sent From C6603 Using xda premium
Encang_Rojali said:
Great tips man...like it
Sent From C6603 Using xda premium
liked it..prezz **THANKS**
OK, a good comprehensive list...can you give a pointer to start working with SELinux...something that will help me start developing policies or something?
Please add the source. I've read the same post somewhere.
Nice tips bro, like it!
Ok so this is a question for let's say hardcore developers. Lately I've taken an interest in Android security after the Snowden revelations (not that any of us have anything to hide), but mainly due to the simple principle of privacy in the digital age... Anyhow, in my research I've found various ways and sites that can help harden one's security on Android, and there are also tools that have been developed to purposely get around these same security precautions on Android. My question is to various developers that design security related apps, those who design custom recoveries (TWRP, CM, etc), and even those that work on fastboot (Google).
1) I know there are plenty of apps that are made for security, but are developers sure they are cleaning up (read "wiping ram, on say an app FC, a reboot, or upon receiving a fastboot request from a host")? In the age of NSA and everyone else wanting all in your business, are developers making sure that keys and other secure info are destroyed, and not still in memory or God forbid in some file on the SD card?
2) Is there any way to make/modify the bootloader so that before you could even get to the bootloader menu (ie. fastboot/recovery/boot/etc..) the bootloader either nukes the entire RAM or fills it with random data? Granted there are always ways to get to one's data, but I was just wondering if there was consideration for the lifespan of said 'security' once one is done with some secure app: are the keys tossed(?) ram cleared before deallocation, etc?
3) And... in the interim is there a way users can auto clear/wipe deallocated RAM and SD/internal storage space (as well as within the system area on rooted devices) every so often using something like the Tasker app, remote wipe or something similar?
@steve_77 RAM (at least the RAM we have in phones at the moment) is volatile, meaning it only retains data when powered, therefore there's no need to go to any lengths to wipe it. A reboot will do that. Besides, if any data is being loaded into memory at all in the first place, the NSA probably already have it. Just kidding of course. If you have measures in place already like encryption, I don't think it's possible to retrieve data from memory like that anyway, but I'm no expert.
I understand that the measures mentioned are extreme, but there is already a way to break encryption via reading the keys out of the RAM as outlined in the link provided in the previous post from a German university that was able to do it.
I'm sure this is also not the only type of tools designed to hack into people's phones and bypass encryption, but if exiting an app does not erase/wipe the RAM allocated to that app, all that data is up for grabs. Sure, in this particular case someone would have to physically have your phone, but what if there were some new way, say in the future, that could use some sort of exploit to access your data, and what can be done now to mitigate this potential pitfall and make our phones more secure?
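An added example, not part of the thread or any poster's code, for the question raised in the posts above about key material surviving in memory after an app is done with it. It compares releasing a key buffer with and without wiping it first; the static arena is a constructed stand-in for process memory, and all names and the key bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256

/* Constructed stand-in for process memory: a static arena lets us inspect
 * what a released allocation leaves behind without reading freed heap. */
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

typedef struct {
    unsigned char *buf;
    size_t len;
} key_slot; /* hypothetical holder for key material */

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_used = 0;
}

/* Copy key material into the arena. Returns 0 on success, -1 if it does not fit. */
static int key_slot_load(key_slot *s, const unsigned char *key, size_t len) {
    if (len == 0 || len > ARENA_SIZE - arena_used) return -1;
    s->buf = arena + arena_used;
    s->len = len;
    memcpy(s->buf, key, len);
    arena_used += len;
    return 0;
}

/* Zero through a volatile pointer so an optimiser cannot discard the stores
 * as dead writes just before the buffer is released. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Release without wiping: like free(), only the bookkeeping changes
 * (assumes slots are released in reverse order of loading). */
static void key_slot_release_naive(key_slot *s) {
    arena_used -= s->len;
    s->buf = NULL;
    s->len = 0;
}

/* Release after overwriting the key bytes. */
static void key_slot_release_wiped(key_slot *s) {
    if (s->buf) secure_wipe(s->buf, s->len);
    key_slot_release_naive(s);
}

/* Count copies of the key anywhere in the arena, released space included. */
static size_t key_residue(const unsigned char *key, size_t len) {
    size_t hits = 0;
    if (len == 0 || len > ARENA_SIZE) return 0;
    for (size_t i = 0; i + len <= ARENA_SIZE; i++)
        if (memcmp(arena + i, key, len) == 0) hits++;
    return hits;
}

/* One load/release cycle; returns how many copies of the key remain readable. */
static size_t residue_after_release(int wipe) {
    /* Constructed sample key, not a real secret. */
    static const unsigned char demo_key[16] = {
        0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
        0x98, 0xa9, 0xba, 0xcb, 0xdc, 0xed, 0xfe, 0x0f };
    key_slot s;
    arena_reset();
    if (key_slot_load(&s, demo_key, sizeof demo_key) != 0) return (size_t)-1;
    if (wipe) key_slot_release_wiped(&s);
    else key_slot_release_naive(&s);
    return key_residue(demo_key, sizeof demo_key);
}

int main(void) {
    printf("copies left after naive release: %zu\n", residue_after_release(0));
    printf("copies left after wiped release: %zu\n", residue_after_release(1));
    return 0;
}
```

Wiping only covers the copy the program knows about; copies made by the runtime, swap or crash dumps need separate handling.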
Hi all.
I have a rooted phone that is used strictly in wifi mode and only needs to be able to run 4 or 5 standard apps, a couple of optional apps, plus the apps that support rooted phones and enhanced power management. I don't want google-anything on it, and I am not kidding. My prime concern is battery life, I hope to be able to run my phone for 3 to 4 days (or more) between charges, so deleting all fluff apps and crapware is important, as is underclocking it and getting rid of google. I also want to stop updating of the operating system and installed software by google.
I hope to do a hardware mod to remove power from the cell band rf transceiver. Despite it being turned off in the phone using software, I am detecting occasional transmissions from the cell band transmitter. Hardware mods are not a problem for me, I'm a retired EE, who specialized in RF design.
I need to know if it's possible for the phone to function if gmail, google+, google search, chrome, google calendar and google-whatever are exorcised (uninstalled)? Yes, I also want to give the playstore the boot, to prevent excessive battery drain (and, yes, I do realize downloading apps will be slightly more difficult without the playstore).
For those who might be interested, the phone is used as a wifi phone for the home based Ooma telephone service. I also might like to run a mini bittorrent server. It seems to me that the android community could use bittorrent in place of the playstore, thus making it easier for others to give google and google playstore the boot.
I love this forum, and want to thank all those that support and administer it.
Aloha,
A
There are threads all over the place trying to do this. Google is deeply ingrained into all the apks used by the OS. You will be very hard pressed to find a way to remove them completely and still have things work right.
I agree that security is an illusion. I dumped Microshaft in 2013 in order to improve my security and privacy.
However, the android operating system is supposed to be open source, so it should be possible to de-google-ize it IF someone knows how to edit and recompile the android OS.
I was merely asking if anyone knew of a way to give google the boot, even if it came down to paying someone to compile a custom rom.
The loss of google playstore is not a consideration, neither is a monetary forfeiture (any programmers out there?).
I'm curious, is it possible to gag google so it can't connect to the outside world (with a firewall)? We used to do this in XP to prevent Bill's Internet Explorer from downloading updates.
Are any of the custom roms currently available able to run without google-anything??
Is there any hope, or is it truly hopeless? If a custom rom that gave google the boot was available, how many would pay a small fee to have it? Just curious??!!
TY
A.
There is one project that is working on removing Google completely in the forums. A search will find it for you. There are some issues that I don't recall if they could find a way around or fix. You could give that a shot.