Xiaomi Security issues. Xiaomi firmware has multiple backdoors So I've basically got myself in this sh*t because lack of care.. Until it pop'd and hit the highlights.
And now straight to the point. It doesn't f*ckin matters if you had a fw or not. As the backdoors are embedded in ROOT system processes.
And those where obviously white-listed as i didn't think of a nasty Chinese guy sitting in it calling back home. My friend who got the same phone found the article as i was having my vacation for a bit, so when i found out i did a bit a research of course on my device. After finding all this i e-mail'd him it and he posted it on the Xiaomi European forums. Guess what happened, it got deleted. So they know damn good what they're doing.
Quote:
When you purchase Xiaomi products or services, we’ll collect relevant personal information, including but not limited: delivery information, bank account, credit card information, bill address, credit check and other financial information, contact or communication records.
Quote:
Originally Posted by OP
Music app(?) connects to:
202.173.255.152
2012-12-01 lrc.aspxp.net
2012-12-01 lrc.feiyes.net
2012-12-01 w.w.w.616hk.com
2012-12-01 w.w.w.hk238.com
2012-12-01 w.w.w.lrc123.com
123.125.114.145
2013-11-27 tinglog.baidu.com
1/53 2014-07-02 12:51:01 hxxp://tinglog.baidu.com
Latest detected files that communicate with this IP address
Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.
3/43 2014-07-08 07:39:24 facb146de47229b56bdc4481ce22fb5ec9e702dfbd7e70e82e 4e4316ac1e7cbd
47/51 2014-04-28 09:25:27 091457f59fc87f5ca230c6d955407303fb5f5ba364508401a7 564fb32d9a24fa
24/47 2014-01-08 08:19:43 3cf0a98570e522af692cb5f19b43085c706aa7d2f63d05469b 6ac8db5c20cdcd
21/48 2013-12-02 15:15:45 7e34cb88fc82b69322f7935157922cdb17cb6c69d868a88946 8e297257ee9072
19/48 2013-12-01 20:02:32 bce4bd44d3373b2670a7d68e058c7ce0fa510912275d452d36 3777f640aa4c70
Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
1/53 2014-07-02 12:47:57 hxxp://dev.baidu.com/
Android-system ANT HAL Service(Framework_ext.apk/jar) connect to:
42.62.48.207
VirusTotal's passive DNS only stores address records. The following domains resolved to the given IP address.
2014-04-28 app.migc.wali.com
2014-07-12 app.migc.xiaomi.com
2014-05-30 gamevip.wali.com
2014-05-30 log.wlimg.cn
2014-04-21 mitunes.game.xiaomi.com
2014-04-30 oss.wali.com
2014-05-17 p.tongji.wali.com
2014-07-13 policy.app.xiaomi.com
Latest detected URLs
Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
1/58 2014-08-13 07:10:49 hxxp://policy.app.xiaomi.com/cms/interface/v1/checkpackages.php
1/58 2014-08-10 00:46:35 hxxp://policy.app.xiaomi.com/
1/53 2014-07-02 12:49:59 hxxtp://oss.wali.com
Messages(Mms.apk) connect to (it literary calls back home)
54.179.146.166
2014-08-12 api.account.xiaomi.com
2014-07-26 w.w.w.asani.com.pk
What it does? It sends phone numbers you call to, send messages to, add etc to a Resin/4.0.13 java application running on a nginx webserver to collect data. Checkpackages, embedded system process/app posts all installed apps to a Tengine a/k/a nginx webserver cms.
URL: hxxtp://api.account.xiaomi.com:81/pass/v3
Server: sgpaws-ac-web01.mias
Software: Tengine/2.0.1 | Resin/4.0.13
URL: hxxp://policy.app.xiaomi.com:8080/cms/interface/v1/
Server: lg-g-com-ngx02.bj
Software: Tengine | Resin
Bottom line
They don't give a single damn about your data.. All sent in plain text.
For messages APK (Mms.apk)
I don't believe it needs those permissions for normal functionalities, this is only for the extra feature let's call it bug.
android.permission.SEND_SMS_NO_CONFIRMATION
android.permission.GET_ACCOUNTS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_NETWORK_STATE
android.permission.CHANGE_NETWORK_STATE
android.permission.INTERNET
miui.permission.SHELL
android.permission.GET_TASKS
android.permission.CAMERA
Some code ... i also attached java classes and smali dalvik jvm bytecode..
Code:
RELATED
http://apkscan.nviso.be/report/show/...0b623da712918f
http://lists.clean-mx.com/pipermail/...14/072661.html
OTHER SOURCES
http://www.newmobilelife.com/2014/08...-china-server/
http://www.htcmania.com/showthread.php?p=14730859
Main post and more info. All credits go to the OP
http://forum.xda-developers.com/gene...oords-t2847069
zelendel said:
Xiaomi Security issues. [/URL]
Click to expand...
Click to collapse
dude that is sooo old cheese already. you really seem to have a personal problem with xiaomi?
go read a bit:
http://www.cnet.com/news/xiaomi-makes-cloud-messaging-opt-in-amid-privacy-concerns/
http://www.androidcentral.com/hugo-barra-responds-xiaomi-privacy-concerns
Xiaomi has added encryption to the communication in an updated firmware, and the cloud service is now opt-in.
while i will say that unencrypted transfer is uncool, most of the stuff transferred (or actually all) has to do with their cloud service.
Apple & Google are doing the same stuff, i bet you Samsung does also.
so what is the big deal here? that it was not encrypted? or that it sends something in the first place?
linr76 said:
dude that is sooo old cheese already. you really seem to have a personal problem with xiaomi?
go read a bit:
http://www.cnet.com/news/xiaomi-makes-cloud-messaging-opt-in-amid-privacy-concerns/
http://www.androidcentral.com/hugo-barra-responds-xiaomi-privacy-concerns
Xiaomi has added encryption to the communication in an updated firmware, and the cloud service is now opt-in.
while i will say that unencrypted transfer is uncool, most of the stuff transferred (or actually all) has to do with their cloud service.
Apple & Google are doing the same stuff, i bet you Samsung does also.
so what is the big deal here? that it was not encrypted? or that it sends something in the first place?
Click to expand...
Click to collapse
First off do I have issues with them? Sure most here do but that is a whole other matter.
This was brought to attention by another user. Had you read the post you would have known that.
The fact that they record your bank account info is cause for further investigation.
I just posted it here for users to know and look into. In the end it doesn't matter to me as Ill never use their device or OS.
Ok I get it. No discussion will come of this. Apple is doing the same and that's all right since they are 'mericans. Totally cool.
Sent from my MI 3W using Tapatalk
linr76 said:
Ok I get it. No discussion will come of this. Apple is doing the same and that's all right since they are 'mericans. Totally cool.
Sent from my MI 3W using Tapatalk
Click to expand...
Click to collapse
No it's not. If we were and iOS forum. Then we would be calling them out as well.
Same issue, blocked me in MiUi forum!
zelendel said:
No it's not. If we were and iOS forum. Then we would be calling them out as well.
Click to expand...
Click to collapse
I had noticed the same security issues and data leaks by Xiaomi device (note is not just MiUi but whole system) and showed them proofs, even wrote to Hugo but just after seeing my proofs they blocked me in their forum. I do use MI3 but miss the resources they have in forum. Anyway, I am just using the device without DATA or firewall app if need DATA. Hope they had played fairly with users.
Problem is deeper than this. The users instantly start screaming any one who says this mobile has security leaks (e.g me) ad asks for proofs, once I post the proofs they dont accept it and raise as whole but they get their own way to download resources from MiUi forum. I am alone but I wont surrender.
For sure they'll upload ur info. For purpose.
pkb_always4u said:
I had noticed the same security issues and data leaks by Xiaomi device (note is not just MiUi but whole system) and showed them proofs, even wrote to Hugo but just after seeing my proofs they blocked me in their forum. I do use MI3 but miss the resources they have in forum. Anyway, I am just using the device without DATA or firewall app if need DATA. Hope they had played fairly with users.
Problem is deeper than this. The users instantly start screaming any one who says this mobile has security leaks (e.g me) ad asks for proofs, once I post the proofs they dont accept it and raise as whole but they get their own way to download resources from MiUi forum. I am alone but I wont surrender.
Click to expand...
Click to collapse
I don't think the phone is released in Europe yet? So if you have problem with the software,flash with your own OS build or use another phone. The government tried to push everyone using true identity in case there is any cyber crime happens. Plus, did CIA,NSA or any government agency tell you when they search through your personal data? I doubt.
Sent from my HTC One using XDA Free mobile app
xiaohan said:
The government tried to push everyone using true identity in case there is any cyber crime happens.
Sent from my HTC One using XDA Free mobile app
Click to expand...
Click to collapse
And you believe that?
zelendel said:
And you believe that?
Click to expand...
Click to collapse
Hey,who case,I don't have porn on my phone ,nor any illegal stuff stored. If u don't have something don't want to be touched,keep it in physical format and never get connected.
Sent from my HTC One using XDA Free mobile app
xiaohan said:
I don't think the phone is released in Europe yet? So if you have problem with the software,flash with your own OS build or use another phone. The government tried to push everyone using true identity in case there is any cyber crime happens. Plus, did CIA,NSA or any government agency tell you when they search through your personal data? I doubt.
Sent from my HTC One using XDA Free mobile app
Click to expand...
Click to collapse
What? Brother I am from India. To clear my situation more My banker sends me a highly secured one time password through message each time I try to access their online services. Now this MI3 is leaking (have proofs) and redirecting SMS (with one access notification which is not clear enough) its a security breach and case of international cyber crime. But in India, politicians has nothing to do with such issues, officers have "more important" things to do and Banker said me to change my mobile. So such is the case when you are in not developed country. Here even if some gets killed then police comes after all has been settled down let alone a security breach. It just and just a very "minor" or not an issue at all.
pkb_always4u said:
What? Brother I am from India. To clear my situation more My banker sends me a highly secured one time password through message each time I try to access their online services. Now this MI3 is leaking (have proofs) and redirecting SMS (with one access notification which is not clear enough) its a security breach and case of international cyber crime. But in India, politicians has nothing to do with such issues, officers have "more important" things to do and Banker said me to change my mobile. So such is the case when you are in not developed country. Here even if some gets killed then police comes after all has been settled down let alone a security breach. It just and just a very "minor" or not an issue at all.
Click to expand...
Click to collapse
You know once you use a public service ,there is no privacy right? People can spy on you using your cellphone,not even a smart one and listend to whatever youare talking about next to your phone even it's off as long as the battery is not taken off. What does this mean to your bank's highly secured one off password for your online banking?
Just use another one if you are not happen with it. E.g. iPhone which slightly record your real time geo information since iOS7 update without telling the users and even theIR staff don't know anything about it.
Sent from my MI 3C using XDA Free mobile app
xiaohan said:
You know once you use a public service ,there is no privacy right? People can spy on you using your cellphone,not even a smart one and listend to whatever youare talking about next to your phone even it's off as long as the battery is not taken off. What does this mean to your bank's highly secured one off password for your online banking?
Just use another one if you are not happen with it. E.g. iPhone which slightly record your real time geo information since iOS7 update without telling the users and even theIR staff don't know anything about it.
Sent from my MI 3C using XDA Free mobile app
Click to expand...
Click to collapse
Have your heard of "boiling water and frog's" story? I already said we dont raise our voice against such crimes adjust ourselves saying "ohh very minor", "doesnt affect me much" or "others do it too". Just show me that Apple's product steals your SMS and I will agree with you, if you cant then either raise your voice with me or just get boiled like a frog in adjusting.
This is a technology forum, politics problem is not interested here I guess. Surely, sending sensitive data back to the server initially was suspicious,but the security issue has been patched,if you have a lot of security concern, don't use a smart phone.
Sent from my HTC One using XDA Free mobile app
I use a Mi3 in India
Well if you're online chunks of your data is always going places you don't know. AFAIK, India too has a PRISM like setup and your calls, call logs & SMS are stored. No idea how much data is shared by companies. Seems like people believe that only in US & Europe you're data is used without your knowledge.
The US based companies came public on data collection thanks to Mr.Snowden only.
Last week a US court ordered Microsoft to disclose data in their servers in Europe.
If you're concerned about privacy don't use smartphones. Or don't use a phone at all. Safest way keep your privates stuff private. Don't save those nude pics on phone or cloud or anything connected. Use long complex passwords, encrypt.
Sent from my MI 3W using XDA Free mobile app
ramanvemman said:
I use a Mi3 in India
Well if you're online chunks of your data is always going places you don't know. AFAIK, India too has a PRISM like setup and your calls, call logs & SMS are stored. No idea how much data is shared by companies. Seems like people believe that only in US & Europe you're data is used without your knowledge.
The US based companies came public on data collection thanks to Mr.Snowden only.
Last week a US court ordered Microsoft to disclose data in their servers in Europe.
If you're concerned about privacy don't use smartphones. Or don't use a phone at all. Safest way keep your privates stuff private. Don't save those nude pics on phone or cloud or anything connected. Use long complex passwords, encrypt.
Sent from my MI 3W using XDA Free mobile app
Click to expand...
Click to collapse
It is known all countries do this. This issue is what these country the info goes to.
Hey,if you have problem, don't use it. Not posting any xiaomi product forums, I guess you don't own all the models you posted in the forum to.
I believe people come to here are not idiot. You mentioned the OS has issue you have concerns is enough, people make their own judgement and decisions.
Sent from my HTC One using XDA Free mobile app
Been a national news for us android lovers here in Indonesia. Luckily enough, i never bought their products (quite popular here). OP, you sounds like you're really against Xiaomi, though. You ever been in something with them?
Xiaomi is an arrogant company. Until now they have not released the kernel for mi3 despite of Barra's commitment. All their forum threads so stupid like "give ideas and win bunny" "give suggestions and win a fcking phone". MIUI will never ever ever get stable. It follows iOS design principles. When I gave a negative feedback, I was banned from miui forum. Freakingly selfish mindset stupid copycat company.
Sent from my MI 3W using XDA Free mobile app
jothiprasad1984 said:
Xiaomi is an arrogant company. Until now they have not released the kernel for mi3 despite of Barra's commitment. All their forum threads so stupid like "give ideas and win bunny" "give suggestions and win a fcking phone". MIUI will never ever ever get stable. It follows iOS design principles. When I gave a negative feedback, I was banned from miui forum. Freakingly selfish mindset stupid copycat company.
Sent from my MI 3W using XDA Free mobile app
Click to expand...
Click to collapse
Kernel Source has been realeased today
https://github.com/mi3-dev/android_device_xiaomi_cancro
https://github.com/mi3-dev/android_device_xiaomi_msm8974-common
https://github.com/mi3-dev/proprietary_vendor_xiaomi
Related
Last week on a business trip to Rome, my XDA got stolen..
Offcourse I had it blocked as soon as possible and have password protection on it, but resetting it would make it usable for anyone.
If anyone sees a secondhand XDA for sale from Italy (where they are not sold) please remember me....
IMEI: 350312010049224
S/N : HT220CC15367
P/N : 99HJ00007-00
So... when is this new model XDA comming on the market?!
We thought of a program to stick into ROM which would, after cold-boot, send one SMS to a pre-determined number. Could be a friend's number, or possibly even a web-service, where you can look up all the phone numbers of all SIMs ever in that phone at cold-boot. You could even wait a few days to see if the owner field was ever filled out...
Please go into that, as I will buy an XDA again but feel quite bad about this one stolen and would very much want something to have a little more protection/means of getting it back.
I saw an advertisement on www.thinkgeek.com about a software that would automatically send emails with IP adresses when a stolen laptop is connected to internet.
Something like that could possibly be an option in a theft-recovery program?
Thanks,
Lx
Great idea XDA developer Peter Poelman...you guys should definitly do that!!
XDA developer Peter Poelman, that is one of the best ideas I have heard of!! If there were a server you could register your XDA on, then install the 'tracking' software it would be very cool.
Would it even be possible to get a fix on the location by picking up the nodes that the XDA is near? Effectively your XDA would text you its location, name of the new owner and new number to server where you could pickup the info. Hay-presto, you can inform the provider and authorities and maybe even get it back. I bet you could even sell the software to the providers!!
Gil.
Hold on guys, if you developed such a ROM, it should be clearly stated that it is doing that. I can imagine, if people started offering ROMS, that made unsolicited calls to premium rate numbers, that would be a great, and illegal, business venture.
Anything, that works behind the scenes must be clearly highlighted if trust is to be maintained in a public community
Sounds good though. If i could find all the people that have stolen bits and pieces from me, revenge would be sweet!
I guess that watching out for ROMs that have spy-wearz or nasty apps in the background ARE possible, there could be something about now. Let’s face it the ROM tool is not that hard to understand. And if someone was really that nasty they could make a lot of money in a very short period. After all a premium rate text number has no price cap. But lets not get in to that right now.
The answer to this, like a lot of things in IT is A trust in the developer, B trust that is has not been hackled – as above and C you have noting to hide.
The provider can already see al the calls and text that the sent from your phone. So the only thing for them to see would be your ROM version.
If this was made a voluntary process and secure I can see it doing a lot more good than harm.
Also another though on the spy wear bit, it would be good to have an app that watches the activity on you device and allow you to see it.
Sorry for the rant, Gil.
Oh yeah, we've thought of nasty things one could do. Possibly more scary still: if you have this Action Engine framework, someone holding a private key somewhere can remotely update your ROM, without telling you.
perhaps thats how o2 intended to upgrade in the future?
is it easy to place the AE exe file back onto the xda? its just the one file right?
No, it's a whole bunch of files. They were installed from the operator section of the ROM, though AutoConfig.exe, into device RAM.
I'm not really into the programming stuff, but I was just thinking...
If such a thing was to be implemented, you would not want it to be active until your device actually got lost. So how do you tell your device (that probably has a different SIM card in it) that it should start to broadcast it's location and new SIM information? And where to?
I was thinking of a site where you should register, very securely and only upon activating the 'tracking' program from this secure site that a constantly updated log file of all nodes where the device is connected to a GSM/GPRS network would state the deveice's location.
With this list (and possibly the information of the new SIM card) it should definatly be possible to retrieve the device, with collaboration from the provider/authorities ofcourse.
Also I heard a provider can locate any GSM down to 5meters accuratly when the phone is being used, about 100 meters when the device is on stand-by. Don't know for shure if this is true though.
If things like these could be incorporated, this would be the best software/ROM update ever to be made in my opinion. If there is any way in wich I could be of any help I would gladly be of service!
Two complimentary options would be:
the XDA sends a message to a server whenever the SIM card is changed, unless you enter a particular password first.
Send a specifically crafted sms to the XDA that causes it to realize that it is stolen. This starts it sending location info to the server.
I think you could switch XDA in to stolen mode using a broadcast directly to the PIN on the phone. This is how P2P works in the US instead of SMS. This could be done from a web site and the user of the stolen phone would not know until it was too late.
But then again I may be wrong?
Gil.
this is all good and well, but there will be always someone out there that says this is a privacy thing and they do not want people knowing where they are using their XDA
What should be developed is a Rom that once the owner name has changed, the XDA will then send a message to a server(if the XDA is registered) informing of the new number of the inserted SIM, the IMEI number and all other numbers/contacts straight to your provider. they then contact the new provider for information on the new owner. send the bissies round and reclaim your XDA.
this would be big money to phone service providers as it would reduce the amount of insuance claims and hastle.
if it can be done, then I will be buying it (once i own the XDA !!)
cheets
Hello has anyone used the money toolkit app to access your account?. On my iphone I have an official natwest app, which am sure is safe however a bit worried about this one cause it clearly states not affiliated with any bank.
Hi marvi0
I am Dan - founder of Money Toolkit, so obviously my opinion is not impartial
You are absolutely right to question apps like ours, and I wish more people were more diligent in this resect.
The biggest barrier to using any third party financial app is trust. For a small start up like ours, theres a bit of a catch 22 thing. The best way for people to trust our app is to see others using it, which means having enough early trail blazers use it.
I hope you do read some of the pages on our site regarding security - we have gone to very great lengths to keep you in charge of your credentials.
But this is still only our word. Probably the best thing to help increase your confidence is to look on our get satisfaction pages - (we cant delete messages, so it is an open conversation). Also check the comments on the Android market, again we can't even respond as the developer (which can be frustrating).
I hope others do respond on here, though we only have 500+ active users, so I would be a bit surprised.
There will always be some nervousness committing to our app, ultimately you have to go with your instincts - most people who see our app don't go on to enter their details, which is a shame in my opinion (obviously), because those who do find our app really useful.
Any questions, just ask.
Cheers.
Dan.
I have installed it and it looks pretty good
I have my fingers crossed regarding the security
Thanks for your reply so does this app actually allow me to view my natwest account information?
marvi0 said:
Thanks for your reply so does this app actually allow me to view my natwest account information?
Click to expand...
Click to collapse
it does yeah
you get an overview and then when you click on the account it drills down into the transactions
you cant see direct debits etc
also i wish you could change the theme, the wooden effect is a bit yukky, lol
but it does the job fine
also you have to manually log out or the app will run in the background, and if someone picks up your phone they can see the bank funds etc
winwiz - thanks for that.
You are not alone a few people don't like the wooden theme, so we are thinking of changing that.
The idea was that it continues the web site theme of being a work bench - continuing to follow the tool kit idea! We also didn't want to look like another boring bank, but probably it doesn't work that well on the phones.
Regarding logging out - we keep you logged in on purpose, (it will time out after 5 minutes) it is really annoying when you accidentally go back too far or want to swap to another app and have to log back in. Perhaps we should make that another setting?
some people even choose to keep their password remembered, and rely on the phones own security.
Remember this is a READ ONLY app, there is absolutely no way anyone could transfer funds, or make any changes to your bank.
We've got some nice things planned, like categorising your sending and graphs etc.
So any feedback or ideas really welcome - especially on the get satisfaction pages
Cheers.
MTK-Dan said:
winwiz - thanks for that.
You are not alone a few people don't like the wooden theme, so we are thinking of changing that.
The idea was that it continues the web site theme of being a work bench - continuing to follow the tool kit idea! We also didn't want to look like another boring bank, but probably it doesn't work that well on the phones.
Regarding logging out - we keep you logged in on purpose, (it will time out after 5 minutes) it is really annoying when you accidentally go back too far or want to swap to another app and have to log back in. Perhaps we should make that another setting?
some people even choose to keep their password remembered, and rely on the phones own security.
Remember this is a READ ONLY app, there is absolutely no way anyone could transfer funds, or make any changes to your bank.
We've got some nice things planned, like categorising your sending and graphs etc.
So any feedback or ideas really welcome - especially on the get satisfaction pages
Cheers.
Click to expand...
Click to collapse
Hi Dan,
Thanks for the great feedback. I'd like the option to customise the background, or if this is not possible, a solid black background. The timeout option should be configurable so the user can set the timeout period!
I look forward to the updates
MTK-Dan said:
I am Dan - founder of Money Toolkit, so obviously my opinion is not impartial
...
Any questions, just ask.
Click to expand...
Click to collapse
Hi Dan,
Was just deliberating about using Money Toolkit and I had a couple questions. I've no knowledge in this area so please bare with me.
On the blog post here: hxxp://moneytoolkit.com/2010/09/secure-mobile-banking/
You said that:
"Yodlee then sells your bank data to the web site that you signed up".
Which I agree doesn't sound ideal - but they have to make money to be a sustainable business. How does money toolkit intend to make money? Which part of users financial details will be utilised to do this?
Secondly - regarding the security - the same blog post says:
"Not only would someone have to get access to your phone they would have to go to the same lengths as they would if they wanted to ‘hack’ into a bank, but they would have to do it three times!"
I presume that each location storing data can't login to the bank account in part. Instead a single server instance would have to login - requiring all 3 parts of the information to do so as banks usually randomise the questions asked. That presumption may be wrong however - but if it's correct does that mean a hacker could just hack that single server instance and intercept the traffic being sent to the bank?
You said that:
"Yodlee then sells your bank data to the web site that you signed up".
"but they have to make money to be a sustainable business. How does money toolkit intend to make money? Which part of users financial details will be utilised to do this?""
Click to expand...
Click to collapse
We point out the normal relationship with Yodlee because Yodlee is an independant third party, they are the entity that you end up having the biggest contractual relationship with, in fact you sign over power of attourney to them when you use a web site that uses their aggregation (read the small print).
Regarding Money Toolkit making money, so far we don't! Of course, as you point out, we need to, so we have two options - we will ask for 50p per month (for example), or we will offer good deals with companies we trust (generally not main stream banking companies), where we will make a commission, if we do that we will make the commission obvious and share it with the person taking the offer.
"Secondly - regarding the security...
...does that mean a hacker could just hack that single server instance and intercept the traffic being sent to the bank?"
Click to expand...
Click to collapse
Well your main assumptions is correct, but the reasoning not quite right. Firstly it is not just because of the random nature of the security questions that the three way split is valuable, but literally each part is utterly useless without the other parts, they are three parts of an encrypted file, which MUST come together before it is possible to decrypt.
The decrypted file (now only in volatile memory) then returns values to your phone and it is your phone which sends (over SSL) the right request to the bank, so they would have to breach our own SSL traffic (and custom encryption). Our IP's and the bank's are hard coded so a traditional man in the midle attack is ruled out. They would in effect, have to dupe you into downloading a dodgy Money Toolkit apk for this to be possible.
As you may know, the huge majority of security problems come from static data being discoverable (cd's and memory sticks left on trains for example). In our case the three seperate locations, including your phone make this kind of static data recovery, all but impossible.
However... you are right tht if someone managed to compromise the individual server that, at that moment (we have many), did that specific decryption: then if they were very smart, they might have the ability to detect your secure bank details. Though it would be almost imposible for that to happen and us not know about it. To alter our code and not have our systems detect the intrusion would be phenomenal.
MTK-Dan said:
so we have two options - we will ask for 50p per month (for example), or we will offer good deals with companies we trust (generally not main stream banking companies), where we will make a commission, if we do that we will make the commission obvious and share it with the person taking the offer.
Click to expand...
Click to collapse
Great, both options sound reasonable
MTK-Dan said:
they are three parts of an encrypted file, which MUST come together before it is possible to decrypt.
Click to expand...
Click to collapse
Neat, didn't realise.
MTK-Dan said:
The decrypted file (now only in volatile memory) then returns values to your phone and it is your phone which sends (over SSL) the right request to the bank, so they would have to breach our own SSL traffic (and custom encryption).
They would in effect, have to dupe you into downloading a dodgy Money Toolkit apk for this to be possible.
Click to expand...
Click to collapse
That at least does sound secure (without understanding it more) I suppose there may also be security issues beyond a dodgy .apk file if the Android device has been rooted - because I think that allows apps to work outside of their sandbox. Again, I don't know enough about that.
Thanks for the detailed answers, it gives me more confidence in the service.
aph5 said:
Great, both options sound reasonable
Neat, didn't realise.
That at least does sound secure (without understanding it more) I suppose there may also be security issues beyond a dodgy .apk file if the Android device has been rooted - because I think that allows apps to work outside of their sandbox. Again, I don't know enough about that.
Thanks for the detailed answers, it gives me more confidence in the service.
Click to expand...
Click to collapse
Is it possible to transfer money to whomever you want with this app?
So recently, I had been fooling around with some options in the Cerberus Web Client using a VPN (though I don't think the VPN is really the issue). Just messing around seeing how things worked, and testing out the new features, because I haven't really logged in to the web page in two years or so, and was looking at using it for a project to see if I could automate something.
Well, I attempted to log in this morning, only to find whenever I tried to use one of the features of Cerberus, I would get "Feature blocked" message, leading to a message telling me my account was blocked due to ToS violations. I have/had an account for three years, and never once had an issue before, but I guess if you hit the Send Command button on more than one phone, it automatically flags you and places all your IMEI's on a blacklist so they can't be registered with another account or whatever. I have e-mailed the developer and am waiting to hear back from them about what they are willing to do (which at this point, I don't think they are, because I have read numerous stories about this).
So now.. I am trying to find a similar app, that provides similar features, and a similar payment plan, but isn't completely asinine when it comes to automatically banning someone without warning.
Would anyone have any suggestions on apps that are available? Apologies if this is in the wrong place, figured General Discussion was the best place for this.
Prey has been working fine for me
Sent from my HTC One_M8 using Tapatalk
maopesu said:
Prey has been working fine for me
Sent from my HTC One_M8 using Tapatalk
Click to expand...
Click to collapse
Unfortunately Prey does not have nearly enough of the same features under their free model, and their pricing plan for other models, is too high (compared to Cerberus).
When I connected to the colleges wifi this morning I noticed a little message when I used wifi assist, I'm starting not to trust Google anymore or seems like they are shooting on us more and more each day
It's like 15 years ago and we're all suspicious of what they do.
I won't even mention Project Fi, but have you read any of Google's data disclaimers?
Can you not turn it off? It's likely just a Google VPN. They probably decided this is preferable to the alternative of letting average users connect to an open WiFi with SSID "Starbucks" that's actually someone running a WiFi hotspot in their car in the parking lot
LOL,
---------- Post added at 06:40 PM ---------- Previous post was at 06:38 PM ----------
LOL, I am neither scared or ashamed of anything Google knows about me. In the end whats it worth?
popper668 said:
LOL,
---------- Post added at 06:40 PM ---------- Previous post was at 06:38 PM ----------
LOL, I am neither scared or ashamed of anything Google knows about me. In the end whats it worth?
Click to expand...
Click to collapse
I dont mean to turn this into a big discussion but to answer your question, the data has value. In the book 1984 there were "telescreens" everywhere (devices that work as TV & camera. Sound familiar?) The point is there isnt always someone spying on you. BUT there COULD be at any given time. And when people think theyre being watched they generally behave different.
Just another way of looking at it. Because I think most people believe the way you do--theyre not breaking laws so they have nothing to hide. Its a low bar in terms of privacy which should be everyone's right.
KLit75 said:
I dont mean to turn this into a big discussion but to answer your question, the data has value. In the book 1984 there were "telescreens" everywhere (devices that work as TV & camera. Sound familiar?) The point is there isnt always someone spying on you. BUT there COULD be at any given time. And when people think theyre being watched they generally behave different.
Just another way of looking at it. Because I think most people believe the way you do--theyre not breaking laws so they have nothing to hide. Its a low bar in terms of privacy which should be everyone's right.
Click to expand...
Click to collapse
I understand, consider Google as data trade off, give and take.
You supply data to improve their services, pedestrian data, locations, etc,
They provide you the same data although compiled and applied, when you open google maps for example, and ask for directions.
The data you provide to them is not "personal" per se, but used to improve general services which every user uses and accesses.
You can always stop it.
I don't feel like this should be a surprise to anyone. Google is Google. Their data collection isn't exactly a secret. It would be naive to think the services they provide don't collect at least some data on you in some form. At the end of the day, I do value and enjoy what they provide me. I personally don't mind trading some of my privacy for it. But I do acknowledge what they are doing and I don't pretend like they're providing all these services for free because they're nice.
"Oooooh, google is monitoring my network activity. Here, let me put my all life in Facebook."
This is old news! A concern might be the intrusive big bro gov cia, nsa, fbi, hs, etc...
MidnightDevil said:
I understand, consider Google as data trade off, give and take.
You supply data to improve their services, pedestrian data, locations, etc,
They provide you the same data although compiled and applied, when you open google maps for example, and ask for directions.
The data you provide to them is not "personal" per se, but used to improve general services which every user uses and accesses.
You can always stop it.
Click to expand...
Click to collapse
I wasnt implying this specific case was grounds for outrage. My concern is people dont fully grasp that information is power and despite that theres a growing attitude of nonchalance . Sure you can turn it off here but you have to care, and to care you need to be informed. I dont mean purposely trading data for access to apps, features or helping to improve services. Thats different.
Id also point to the story (which should've been huge) from just a couple weeks back. Yahoo willingly allowed state sponsored hackers to access millions of user accounts. None of the customers were aware, neither the well informed nor the ones who care. And my biggest grievance with this is its not quite the breaking news it should be. The fact that many would consider me paranoid or a conspiracy theorists because this disturbs me is the most concerning part.
***I dont really mean xda members since they seem to be more knowledgeable about privacy. But the general population isnt really catching up.
Here's a link to what they mean by this message.
https://support.google.com/nexus/answer/6327199?hl=en
The only thing Google collects through Wi-Fi assist is location and ssid/bssid. If you actually researched this stuff you are so worried about you would be a lot more concerned with what your phone carrier does with your data than Google any day of the week...
Sent from my Nexus 6P using XDA-Developers mobile app
Bounty44 said:
The only thing Google collects through Wi-Fi assist is location and ssid/bssid. If you actually researched this stuff you are so worried about you would be a lot more concerned with what your phone carrier does with your data than Google any day of the week...
Sent from my Nexus 6P using XDA-Developers mobile app
Click to expand...
Click to collapse
Well i guess that is true but i've seen a lot of research about google and they collect everything... like the average google phone user, they let google acces to all their information/location... specailly with all those people that keep everything on like GPS. But its the same with Windows or Facebook, all those privacy settings that are by default on. Its all about the money and control over the masses... also for NSA/FBI/CIA very handy.... its not that weird to know that they have access to all those systems if they need to, thats no secret. It's all about if you got nothing to hide... everybody has something to hide. I keep tabs on all my privacy settings of all my apps as far as i can go. I accept certain privacy breaches but thats ok, thats the world we live in and i accept that. The same with people that dont mind all those freaking ads on their phone and websites..... for me mind boggeling. Especially here on xda forum, people that keep everything stock with no adjustments... first thing for me is that adaway has to work....
Here in The Netherlands, we have laws for ISP's and phone carriers, they collect but cant use it for other purposes then for criminal justice orders. Google has no laws to ibide here in Holland, they can collect en use your data unrestricted.
rayraycarter4 said:
When I connected to the colleges wifi this morning I noticed a little message when I used wifi assist, I'm starting not to trust Google anymore or seems like they are shooting on us more and more each day
Click to expand...
Click to collapse
Its a VPN that Google provides on open WIFI Hot spots in order to ensure that your data is not being being intercepted while you're connected to that network. I have project fi and thats one of the benefits of the service, and also because a good portion of the service relies on silently connecting to google approved wifi host spots all over the country. In order to ensure your data is not at risk, because all someone would need to do is create their own wifi hotspot with the unique name that google uses and they could steal info from anyone who happened to connect to their base. As long as they forward you to the internet while the connection is active then you wouldn't even notice there was anything wrong. Google is the most benevolent corporation on the planet. I highly doubt that anyone need worry about any data they collect as I'm sure its all being used for the purposes of trying to provide new technology based on what the consumer wants and at a price that makes you wonder how they are still the top technology company in the world because they surely have to be losing money with the prices they charge for their goods and services.
So you're connecting to an open wifi AP and you're scared about your privacy?
You do know that your connection to the AP is unencrypted and by that fact, people have been spying on you for ages?
That's what I do regularly when I go in hotels and I'm bored because there's nothing on TV.
We have been through five phones -Samsung Galaxy, then Motorola, two internet providers two cell phone providers, made so many calls I have lost count. He uses Chromebook and a Motorola Droid phone. He has even hacked my old home phone, tv, you name it, he has tried to own it . Oh, I forgot-my home security and ring doorbells also. I can change an app permission and I can see him go right in and change it back. I am sure he lives close in the neighborhood How do I get rid of this horrible person?
He grays out permissions, default apps, etc., Which keeps me from being able to delete an app, or change someone being able to access in the background. He has confiscated our emails (Gmail), prevents us from sending or receiving ones he doesn't like. He uses email for email on the web, advertising, chat, and many other things. He listens to phone calls steals all photos, maps addresses to companies or people in contacts, uses maps for ?? Xxx an anyone help me, or at least tell me how to reverse graying out on apps? This has become unbearable! Thank you!
How do you know it's a he?
It's always the girl next door.
Lol! I cannot prove it, but the big gamers nextdoor moved in when this started happening. Their best friend is an experienced IT guy who only appears when I have gone in and changed things. In those days, new changes happen, such as Ring doorbells hacker, etc. Not blaming, but coincidence?
blackhawk said:
How do you know it's a he?
It's always the girl next door.
Click to expand...
Click to collapse
Sorry. See reply in post.
Bro, I'm so sorry. My husband has been going through this VERY thing for the past year. They don't mess with mine. I just wanted to let you know even though I don't have any resolve for you, I hear you and know that it's not phony and we totally feel for you. Seriously, maybe you and my hubby can talk. I'm so sorry that you're going through it. Feel free to message me.
This sounds like a great fan fiction and will bookmark this to see how the story develops. Thank you for putting this in Moto G Power section right where it belongs!
Sounds like you might need to invest in a router with better security features.
Moosetears said:
This sounds like a great fan fiction and will bookmark this to see how the story develops. Thank you for putting this in Moto G Power section right where it belongs!
Sounds like you might need to invest in a router with better security features.
Click to expand...
Click to collapse
Definitely not fiction. It is a nightmare and could REALLY use some advice!
gunnshot81488 said:
Bro, I'm so sorry. My husband has been going through this VERY thing for the past year. They don't mess with mine. I just wanted to let you know even though I don't have any resolve for you, I hear you and know that it's not phony and we totally feel for you. Seriously, maybe you and my hubby can talk. I'm so sorry that you're going through it. Feel free to message me.
Click to expand...
Click to collapse
It has been a nightmare! They started with mine, and have now invaded my husband's phone also.
Scammed said:
It has been a nightmare! They started with mine, and have now invaded my husband's phone also.
Click to expand...
Click to collapse
Why are you posting on XDA? If you are this convinced that someone has unauthorized access to your devices, you need to be talking to law enforcement. The best advice we can offer you is to change all your passwords immediately, enable 2 factor authentication, and if possible seek a restraining order. XDA is a smart device hacking and development community, not a private investigation service.
V0latyle said:
Why are you posting on XDA? If you are this convinced that someone has unauthorized access to your devices, you need to be talking to law enforcement. The best advice we can offer you is to change all your passwords immediately, enable 2 factor authentication, and if possible seek a restraining order. XDA is a smart device hacking and development community, not a private investigation service.
Click to expand...
Click to collapse
I didn't think you were a p.i. firm. Obviously, I am not tech savvy. A little kindness please? I simply want to know how to ungray grayed out app permissions. I have searched on my own and cannot find the answer. I have reported it to local police, state police, Motorola, Samsung, Verizon, Xfinity, metronet, on and on and on. No help from anyone. I don't have $2,500.00 to just put down a retainer for a p.i. I knew someone on this forum would know the answer I am searching for and might kindly tell me. Thank you.
Scammed said:
I didn't think you were a p.i. firm. Obviously, I am not tech savvy. A little kindness please? I simply want to know how to ungray grayed out app permissions. I have searched on my own and cannot find the answer. I have reported it to local police, state police, Motorola, Samsung, Verizon, Xfinity, metronet, on and on and on. No help from anyone. I don't have $2,500.00 to just put down a retainer for a p.i. I knew someone on this forum would know the answer I am searching for and might kindly tell me. Thank you.
Click to expand...
Click to collapse
Well, it can be hard to distinguish the difference between reasonable concern over privacy violations vs unwarranted paranoia, and you aren't the only one who's come to XDA with this type of story. Most of your assumptions are likely mistaken and can be simply explained by the nature of Android itself.
Remote intrusion of mobile devices is actually pretty rare. The most common ways bad actors get ahold of sensitive user information are: phishing, user-approved permissions on questionable apps such as TikTok, and "connected" social media accounts, where users allow websites and apps access to their social media profiles, or use their social media as a login.
Regardless, to the technical point of the matter, grayed out app permissions are not the result of hacking or surreptitious malfeasance, but rather the nature of the "rules" inherent to Android - you can't remove system apps or disable system-controlled permissions without root.
If you still think you have reasons for concern, this is my only suggestion:
Change your phone number
Immediately change all relevant passwords - minimum 10 characters, a mix of upper case, lower case, numbers, and special characters, do not reuse them
Enable 2 factor authentication on all accounts, ensuring your 2nd factor is something that you and only you have access to
Once done, sign out all devices signed into those accounts
Perform a factory reset on your device; even better, reflash factory firmware. Keep bootloader locked.
Do not use questionable apps