[Q] Is AOKP a good choice for privacy-consious users? - AOKP Q&A

Hi,
Stock ROMs aren't really trustworthy by default (e.g., phandroid.com/2014/11/06/carrier-iq-settlement).
Some manufacturers' devices aren't really trustworthy, even with stock ROMs removed (e.g., theepochtimes.com/n3/830922-chinas-xiaomi-smartphones-may-be-spying-on-you).
Cyanogenmod went donwhill:
We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where your product or device is used so that we can better understand customer behavior and improve our products, services, and advertising.
Click to expand...
Click to collapse
(from cyngn.com/legal/privacy-policy) They started on this path long ago, but I won’t go there now.
I would like to buy a new Android phone. I won’t have national secrets on it, but I still don't want any Google-style spying. Assuming I don't add GApps, is AOKP a good choice for me? Does it respect the privacy of its users? Does it contain any components that would ever connect anywhere to trunsmit any information like GApps do. Obivously, I'm not talking about user initiated events.
One more thing, does it have a permission manager? Ideally, something that allows the user to choose for each permission for each apps whether real, fake or blank data is shared, but a bit cleaner than XPrivacy.
Thanks!

Related

[Q][Paranoia] Can GO Launcher really be trusted?

GO Launcher seems to be the "go to" launcher of choice for many people, including well read, influential online publications, like lifehacker. I can't bring myself to trust GO Launcher EX though. Outside of the eye candy and polished interface, its aggressive pushing of its own storefronts, apps, libraries, and widgets, many of which request unusual permissions like log file access and root, leaves me feeling that it's very liberal with what it does with any information it collects or tries to collect.
To confirm my suspicions, I whitelisted the launcher in Droidwall and monitored the connections and packets it sent out using Android Network Log .
What I found wasn't all too surprising and honestly not that different from most of the fun "free" apps on the marketplace that phone home and monetize user data. It's just that GO Launcher is phoning home to servers in Bejing, as well as a Chinese operated personalized content delivery network (ChinaCache) with servers in the US (essentially the Chinese counterpart to our Akamai). Many of the packets were directed to 69.28.54.217, which is a ChinaCache Los Angeles CDN server. I'm sure those hundreds of packets was all very intredasting data that gets sent to Beijing, too. Which is why one of 3G.cn/GO Launcher's employees has a linkedin page, one where she obviously forgot to confer with her company's marketing/PR department prior to candidly listing some of her responsibilities which include, verbatim, "data mining". lol. I'm very sure it's to 'serve personalized ads, quality products, and actionable data to high value customers', but still, the writing is on the wall. With how active Chinese companies are in tailoring the online footprint/reputation of their products and software on various websites, I'm sure that linkedin page will be taken down or revised.
Western corporations that broker information vs state influenced Chinese corporations that broker information. While I view both as not the most trustworthy entities in regards to my privacy, I do feel that there are at least some restrictions that could be theoretically enforced to limit the scope of the data shared by corporations in the West.
While I can easily block outbound packets and revoke permissions from GO Launcher EX, I just don't feel like I want to bother using it anymore.
ADWLauncher EX, my main launcher on several of my Android devices, does not generating any outbound traffic and there are no indications that it is collecting or selling my data. A much friendlier option to privacy, in my opinion.
Should I be this paranoid? Should you? I was surprised that I didn't see too much information about GO Launcher's data collection on the web, so I thought I'd share. Thoughts?
Just stick with adw launcher. I use sock launcher to save battery but it is what you prefer to use so sick with it.
~-~-~-~-~-~-~-~-~-~-~-~-~
Phone: Samsung galaxy s2 t989
Rom: Jedi knight 6 4.0.4
Kernel: Jedi kernel 2
-~-~-~-~-~-~-~-~-~-~-~-~-
and you thought celebrities weren't smart. =P
Not paranoid at all. Good info, thanks for sharing.
Sent from my SAMSUNG-SGH-I997 using xda app-developers app
Very detailed and helpful post. I have always felt this about GO products, but thanks for doing your research and making it publicly known.
Sent from my Desire HD using xda premium
To be honest I don't trust Go products at all after they refused to say how their SMS app was able to remember someone used their app even after changing phones and phone numbers. We have to remember that there are things that are legal in China but not in the States which include monitoring of personal data.
Batcom2
zelendel said:
To be honest I don't trust Go products at all after they refused to say how their SMS app was able to remember someone used their app even after changing phones and phone numbers. We have to remember that there are things that are legal in China but not in the States which include monitoring of personal data.
Batcom2
Click to expand...
Click to collapse
That's definitely a very scary factoid. Can you link me to the thread or webpage where they did that? I have seen the developer be very active in shutting down any negative comments towards the software, with some explanations that no identifiable information is stored or accessed, which runs counter to what is actually happening.
One of the reasons I started more heavily scrutinizing app developers is that I've seen the American press increasingly lauding, praising, and recommending Chinese developed software products, without fully vetting just what these products do, or what kind of security concerns they possibly present. Of them, was a remote desktop access software called Splashtop, which inexplicably had numerous foreign field offices, several being in mainland China. Among those offices, one was literally next door to a "Party Member Service Office". Splashtop, for many years, used zero end to end encryption, without any valid reason. Remote desktop applications and launchers provide so much unfettered user whitelisted access to elevated privileges, file system, network communications, root access, and keystroke/input monitoring, that it seems unconscionable to voluntarily install such a huge backdoor.
With many millions of downloads to date, they have quite a lot of data immediately available, to entities whose endgame is unknown, in a country that lacks the kind of regulatory checks, balances, and accountability that, for the most part, have earned user's trust of Western corporations and developers.
A worst case scenario I can imagine is that with all of the unique device ID's stored in their database (GO Launcher also creates a copy of your device ID and places is it in the file system, in plain text, which remains after uninstall) and likely profiling of each user, a malevolent company could essentially push a custom software update on someone's phone that deploys a more aggressive/invasive payload. With today's level of technology and the state of rampant state sponsored corporate espionage, I see it definitely within the realm of possibility.
MifuneT said:
That's definitely a very scary factoid. Can you link me to the thread or webpage where they did that? I have seen the developer be very active in shutting down any negative comments towards the software, with some explanations that no identifiable information is stored or accessed, which runs counter to what is actually happening.
One of the reasons I started more heavily scrutinizing app developers is that I've seen the American press increasingly lauding, praising, and recommending Chinese developed software products, without fully vetting just what these products do, or what kind of security concerns they possibly present. Of them, was a remote desktop access software called Splashtop, which inexplicably had numerous foreign field offices, several being in mainland China. Among those offices, one was literally next door to a "Party Member Service Office". Splashtop, for many years, used zero end to end encryption, without any valid reason. Remote desktop applications and launchers provide so much unfettered user whitelisted access to elevated privileges, file system, network communications, root access, and keystroke/input monitoring, that it seems unconscionable to voluntarily install such a huge backdoor.
With many millions of downloads to date, they have quite a lot of data immediately available, to entities whose endgame is unknown, in a country that lacks the kind of regulatory checks, balances, and accountability that, for the most part, have earned user's trust of Western corporations and developers.
A worst case scenario I can imagine is that with all of the unique device ID's stored in their database (GO Launcher also creates a copy of your device ID and places is it in the file system, in plain text, which remains after uninstall) and likely profiling of each user, a malevolent company could essentially push a custom software update on someone's phone that deploys a more aggressive/invasive payload. With today's level of technology and the state of rampant state sponsored corporate espionage, I see it definitely within the realm of possibility.
Click to expand...
Click to collapse
Search for the Go sms thread. I and another Mod brought it up in the thread and they tried to BS us. Then toss in a keylogger that was found (and removed?) in the Go keyboard and it has given me enough not to trust them.
of course you can, but I prefer Apex
zelendel said:
Search for the Go sms thread. I and another Mod brought it up in the thread and they tried to BS us. Then toss in a keylogger that was found (and removed?) in the Go keyboard and it has given me enough not to trust them.
Click to expand...
Click to collapse
Didn't know that. Never used their products but shouldn't that be enough to merit a ban from XDA? Bugless Pete was booted for less (source code issues but nothing as malicious as a keylogger).
We need solid proof and they will be.
Batcom2
zelendel said:
We need solid proof and they will be.
Batcom2
Click to expand...
Click to collapse
With the aggressive number of "updates" they immediately push once you install one of their products or add ons, I don't imagine it shouldn't be too difficult to find something of interest to confirm or deny suspicions. I did find it odd in that GO SMS thread that there were some mentions of whitelisting GO SMS to prevent AV from interfering with it.
I'll see about installing GO on one of my spare devices and routers after work, along with something like wireshark, so I can analyze packet data. This isn't something that I'm too familiar with so it may be a little bit while I re-acclimate myself to the program. If anyone is more familiar with packet analysis and wants to run tests alongside, it can build a stronger case for or against the dev.
Bump. I use go sms, so I would really like to know if this app is doing any other malicious things.
Sent from my XT720 using xda premium
good thread, :good:
anyway i hate this launcher since the day i have an android device.
its tooooooooooo overloaded with useless things.
its my opinion,i prefer apex,adw or holo.less wheight in data,ram,battery usage and looks more cool as the parishilton go launcher a.....s........ssss.lol.
Well, I'm running cm9, and for whatever reason, it won't let me download picture messages with the stock messenger. I actually use google voice for my texts, but that doesn't get mms. Go sms is the only thing that actually let's me download the pictures that get sent to me, so I just use it for that specifically.
Sent from my XT720 using xda premium
i stop using Go Products since they force people to use their CLOUD storage to backup people sms on Go SMS.
i dont know about now, local backup is back or not.
it was really fishy back there.
and many other thing, like many permission things needed for something like launcher and sms app.
their looks are cartoonish iphoney and cute (like many asian app) which is not my taste at all.
also overloaded with a bunch of crap.
that's my opinion.
---
Sent from Android Device
marhensa said:
i stop using Go Products since they force people to use their CLOUD storage to backup people sms on Go SMS.
i dont know about now, local backup is back or not.
it was really fishy back there.
and many other thing, like many permission things needed for something like launcher and sms app.
their looks are cartoonish iphoney and cute (like many asian app) which is not my taste at all.
also overloaded with a bunch of crap.
that's my opinion.
---
Sent from Android Device
Click to expand...
Click to collapse
Too true. The last product I used years back was GO SMS, and I stopped after they started insisting on registering for their Go Chat service and backing up SMS. I couldn't even unregister from Go Chat once I logged in by mistake, and they never responded to my emails about deleting my account. Very shady behaviour.
Sent from my Desire HD using Tapatalk 4
sashank said:
Too true. The last product I used years back was GO SMS, and I stopped after they started insisting on registering for their Go Chat service and backing up SMS. I couldn't even unregister from Go Chat once I logged in by mistake, and they never responded to my emails about deleting my account. Very shady behaviour.
Sent from my Desire HD using Tapatalk 4
Click to expand...
Click to collapse
Go Launcher + EX were my first "custom" ones but after reading about their data-collection-stories I've decided to go and stick with Apex Launcher never regretted doing so. I always thought Go was and is too agressive in pushing their widgets, services I don't like that
frankgreimes said:
Go Launcher + EX were my first "custom" ones but after reading about their data-collection-stories I've decided to go and stick with Apex Launcher never regretted doing so. I always thought Go was and is too agressive in pushing their widgets, services I don't like that
Click to expand...
Click to collapse
Exactly. I used Go Launcher EX & Go SMS Pro a lot on CM7. They were good till they became creepy. And most of the services were opt-out not opt-in. That's sucks.
Sent from my Nexus 7 using Tapatalk 4
A key question now is can the "Next" launcher be trusted? Can anybody run the same packet tests on this one? I'm officially ready to remove Go (launcher Ex from my old Tbolt and HD/Pad from my TF300) but I wonder if I'm also going to remove Next from a device.
NapalmDawn said:
A key question now is can the "Next" launcher be trusted? Can anybody run the same packet tests on this one? I'm officially ready to remove Go (launcher Ex from my old Tbolt and HD/Pad from my TF300) but I wonder if I'm also going to remove Next from a device.
Click to expand...
Click to collapse
Not sure, but just to be safe I'd stay awake from anything by the Go Dev Team. Too shady for my taste.

[App] NFC Safe (Freeware)

Hi,
I made a new app: NFC Safe!
With NFC Safe you will be able to encrypt your private data with a NFC Tag (e.g. NFC Key Fob). You can add unlimited custom folder and entries. You will have only access to those entries with the specific NFC Tag! This is much more secure than protecting your data only with a password!
You can use any NFC Tag for this app! Your NFC Tag will be written with some data so it can only be used for this app.
NFC Safe | Windows Phone Apps+Games Store (United States)
Would be nice, if you test my app! My app is available for free!
With one of the next releases it will be also possible to encrypt/decrypt media files (images, audio, etc.)
Best Regards,
Sascha
I don't have any NFC tags on me right now nor would i really use this, but i have to say, this is a really cool idea!
While I understand if you're hesitant to post it, I'd want to review the app's source code before using it myself. Getting cryptography right, even when just using existing and well, implemented pieces, is vastly harder than getting it wrong. What algorithm do you use to encrypt the data? How about generating the key data? Are you using secure buffers? Initialization vectors? How are you detecting which key is correct for the data you're trying to access; is there a hash? What hash function? There are a lot of other important questions here, too.
With that said, the idea is fantastic. It would be especially great if you could support two-factor authentication (password + NFC tag, in this case) for extra-sensitive data, although password management in crypto has its own set of problems (what key derivation function, with what parameters? How are the password verifiers stored? Etc.)
Sorry for late reply!
xandros9 said:
I don't have any NFC tags on me right now nor would i really use this, but i have to say, this is a really cool idea!
Click to expand...
Click to collapse
Then you should buy an NFC Tag! They are really cheap. For example you could buy a NFC keyfob, so you will have your NFC tag always in your pocket and as said, such a NFC Tag costs ca. 1 USD at ebay
GoodDayToDie said:
While I understand if you're hesitant to post it, I'd want to review the app's source code before using it myself. Getting cryptography right, even when just using existing and well, implemented pieces, is vastly harder than getting it wrong. What algorithm do you use to encrypt the data? How about generating the key data? Are you using secure buffers? Initialization vectors? How are you detecting which key is correct for the data you're trying to access; is there a hash? What hash function? There are a lot of other important questions here, too.
With that said, the idea is fantastic. It would be especially great if you could support two-factor authentication (password + NFC tag, in this case) for extra-sensitive data, although password management in crypto has its own set of problems (what key derivation function, with what parameters? How are the password verifiers stored? Etc.)
Click to expand...
Click to collapse
Hi thanks for your feedback and your questions! I think you misunderstood my app. It's not a military app, where the highest security is important! My app doesn't need to encrypt the data, because the data is stored on your Windows Phone in the application data storage. Noone has access to this. If ever any person has access to those data, you and all other Windows Phone users have a very big problem!
So, my app is an app, not a Windows Application, where virus, NSA, etc. have access to your data There are a lot of apps which protect your personal data with a password. So if someone else has your phone (stolen, or a friend while you are not watching at it), he will be able to see your data, if the know your password (this is not impossible!) or guess your password! So my app protects your data with an NFC Tag. It's very comfortable to use and faster than typing a password and also more secure, because the third-person needs your phone AND your NFC Tag.
However, my app also encrypts the whole data, so even if someone have access to the application data storage, he will be unable to read your data. Windows Phone has a built in encryption mechanism, which can be used from an API. I'm using this encryption mechanism. This mechanism uses Triple-DES. It uses the user credentials and a randomly generated password (GUID with 36 chars/numbers and "-"-sign) to encrypt the data.
Hi! Welcome to XDA-Developers, where all of your assumptions about what cannot be accessed on the phone are wrong, or will be shortly!
OK, that's half a joke. But only half... as it turns out, the claim that "... Windows Phone in the application data storage. Noone has access to this." has been untrue for months. Check the Dev&Hacking forum, especially the Interop-unlock and SamWP8 Tools threads. We have the ability to access the entire WP8 file system. Currently that access is only via MTP (USB connection), but I and other people are working on extending it to homebrew apps as well.
Moving on... 3DES (even if used with a good mode of operation and a unique initialization vector, which I am guessing you probably didn't do) is obsolete and should not be used anymore. While it is considered adequate for existing code, it should not be used in new software, and cryptographers have been recommending a move to newer ciphers (such as AES) for years. As for using a GUID as a password, GUIDs are 128 bits (the dashes don't count, because they are always the same value in the same place, and each of the other 32 digits is hexadecimal only, meaning merely 4 bits of data), which is plenty if they are generated securely; however, most GUID generators do not use cryptographically secure random number generators. GUIDs are supposed to be unique (that's what the U stands for), but are not guaranteed to be unpredictable (which is one of the key requirements for an encryption key), and the way they are generated reflects this.
Oh, and good security is important in an awful lot more places than "a military app"! In fact, there's no such thing as "military-grade" encryption, really; there's only good encryption, and encryption which shouldn't be used for any purpose. For example, modern TLS (Transport Layer Security, the replacement for SSL or Secure Sockets Layer) cipher suites are intended to be secure even against governments and megacorporations (although there is of course suspicion as to whether the NSA have broken some of those cipher suites)... but TLS isn't just used on extremely sensitive stuff like top-secret documents and such, it's also used when browsing Facebook and Twitter, or accessing Gmail, or many other things of similarly minor sensitivity.
Thank you for explaining the intended use cases of the app, though. Do please be careful when making claims such as that something is "much more secure", though; you are liable to mislead people. TrueCrypt, a PC app that performs disk encryption and is intended to stand up to very powerful adversaries, uses only a password most of the time - but I would expect that, given a well-chosen password, it is more secure than this app. There are many critical components to security, and only the weakest link in the chain matters.
For what it's worth, if you are interested, I would be happy to help secure the app (on my own time, free of charge) as it sounds like something that I would quite like to use, if I could trust its security.
What exactly is your problem?!?!
I said, that noone has access to the Application Data Storage and this is true! There is no Virus available for Windows Phone and there is no App in the Store available which has access to another app's data storage! We are not talking about some special cases where the third-person already have STOLEN your device, because nothing in this world is safe! NOTHING! Everything can be hacked! Also I didnt know that all current Lumia devices were hacked. Other devices are not relevant (Nokia has a market share of more than 90%!).
The built-in encryption mechanism in Windows Phone is the same almost ANY Windows Phone app uses! Any banking app, Facebook, eBay, PayPal. The Wallet feature of Windows Phone uses it. If you have set up accounts (E-Mail, Microsoft Account, Office365, etc.) your passwords were encrypted with the SAME API my app uses. So if you think this API is totally unsafe, WHY THE HELL are you using Windows Phone? Also Windows Vista, 7, 8 and 8.1 uses THE SAME API for a lot of thinks. So please don't use Windows anymore!
I said, my app is more secure THAN AN APP which only uses a password and that is true. Also my app additionally encrypts the data and not only block the access to the data (which a lot of other apps only do!).
Please decrypt the attached file and tell me, how you did that and how long it took Thanks!
Whoa, whoa, calm down.
First of all, don't count on that "no app in the store..." business; There's *probably* no malicious app that can do so, but OEM apps can, if they have som reason to do so, access other app's install and data folders. I've written apps (using the Samsung OEM components, which are clumsy for the purpose but *do* work) to do it myself. It's not something you're likely to see in widespread use, but it's possible.
If you aren't bothering with the case of your phone being stolen, what's the point of the encryption anyhow? I mean, prevention of data loss in the event of device theft is one of *the* key use cases for data storage encryption! It's the rationale behind things like BitLocker (which is available on WP8, but only if the user has connected their phone to a company's Exchange server that pushes a policy requiring device encryption).
If you were honestly worried about market share, you probably wouldn't target WP at all; Nokia's fraction of the WP market share is lower than WP's fraction of the smartphone market share. Nonetheless, you are correct that, at this time, Nokia WP8 devices haven't been cracked. Nor have HTC's phones. I'm confident that this will change in time, though. You might have misunderstood my little joke at the start of my last post... but breaking into smartphone operating systems, getting past the lockdown policies that say "noone[sic] has access" (it's "nobody" or "no one", by the way) and taking those decisions into our own hands.
I guarantee you that the vast majority of WP apps don't use 3DES. I *know* full well that the Microsoft code doesn't; they had already deprecated that cipher years ago, when I interned there, long before even WP7 existed; its use was prohibited for new code. Just because you used the DPAPI (Data Protection API) doesn't mean you used it correctly (and by the way, that internship involved working on encryption in Windows, writing test tools for it). Please don't take this as some kind of personal insult; in my line of work (security engineer), I see a ton of misuse of cryptography. It is, as I said in my first post, hard to get right. That's why I offered to help.
I'm not going to bother taking the time to figure out what cipher you used on that file, and what its contents are supposed to look like enough to start doing any cryptanalysis, but I guarantee you it's not very good. There are repeated patterns, including long strings of null bytes, that are phenomenally unlikely to occur in a file that short after passing it through even a half-decent cipher (we're talking 1-in-several-billion chance here, no joke). Coming to this conclusion took all of a few seconds, by the way, using no tool more sophisticated than Notepad++. If I was pulling it off of a phone, I'd have a lot more idea of what type of plaintext to expect, and I could examine the decompilation of the app to see what ciphers were used, which would make things a lot easier. I'd say "for all I know, you just took the output of CryptGenRandom and put it in a file" but if you had, it wouldn't have had obvious patterns in it... in any case, it doesn't matter. I don't have to prove anything to you. I'm *trying* to help, and offer some good advice as well, but I can't force you to take it. There's no call for getting defensive, though. I wrote a file encryption utility myself one, in fact. It sucked, so then I wrote a program to break its encryption. Both experiences (but mostly the latter) taught me things.
A new version is available now, which includes image/photo encryption, OneDrive backup, bugfixes and other small improvments!
http://www.windowsphone.com/s?appid=0a8656d4-ed32-4bb5-baac-1317827e18d8
Hi,
I have a question:
My app is available in German and English since one year now! It was downloaded over 1000 times in Germany, but only 80 times in USA, UK, etc. I got 40 reviews (4-5 stars) in Germany and only one bad review in USA. So could someone explain what's wrong with my app? Is it not visible in the US Windows Phone store? Is my app very bad translated? Are there no Windows Phone users in the USA? Or maybe no one use NFC in the USA?
Best regards,
Sascha
Sorry, I don't tried your app yet but will try to answer your questions.
First, probably it's something wrong with your marketing, not the app Le me say: 1080 downloads per year - it's too small number (even 1000 in Germany). For example, my "marketplace entry ticket", "Lunar Lander Touch" app, very unpopular and underrated (but it's still one of my favorite games on WP, and good alcohol tester ), has 4078 for the year 2013.
As for NFC: I've tried to use it but stopped because of very uncomfortable WP implementation. That service should work flawlessly, without user interaction, stupid questions and dialogs, to be useful and popular. But unfortunately it's not (for the Windows Phones). Microsoft must add an option to disable NFC warnings.
P.S. I may recommend you to use "Snowden case" for advertizing
Thanks for your feedback!
Yes, I know that the download numbers are very bad, but I don't have an idea how to improve this. Because of my app is free and my private hobby I don't have money to buy ads, etc.
Improving my app had not effect. Thanks to DVLUP I "bought" ads for 50$ with AdDuplex, but this also had no effect.
It's really hard for individuals to get their apps famous and in a higher ranking in the Windows Phone Store without investing money
I understand... AdDuplex is really bad: I've tried once ($100 from DVLUP meeting plus I've bought another $100 coupon for $40) during a week - no results at all. Complained to AdDuplex support and manager gave me additional $300 for free, to spend within one day (sic! He-he, I wish to get $300 daily from my app!) - still no visible results, just a regular download fluctuations...
What you may try: advertise on more forums, prepare good pictures/screenshots; may be, video clip "howto" will be helpful. Embed RateMyApp Nokia's control (check NuGet) to your form. If you have XP on DVLUP, spend 'em for advertising campaign (these ones are extremely effective!).
P.S. I also thought about xda-based developers club, with "rate 5 stars my apps, and I'll rate yours" rule but I don't know how to implement it properly (but good customer rating is very important for the app distribution).
Thanks!
I already added RateMyApp. This was really helpfull to get more reviews. It's a pity that I had not implemented such a thing from the very first time my app was added to the Windows Phone Store :-/
I "bought" 1 week in App Social (DVLUP). Hope this helps. But it is also only in Germany.... I have enough users and reviews in Germany, I need them in USA, UK, etc. The problem with the DVLUP campaigns is, that you need at least 50 or 100 reviews (and 4,5 stars) as a requirement for the advertising. But you don't have so many reviews and that's the reason why you need the campaign to get more reviews, but you can't buy the campaign... A vicious circle!
I will do my best to get more downloads in other countries than Germany!
Hey, thanks for this app i find it realy useful.
Danke!
And here is the idea for the ad banner
Great idea
btw: Version 2.1 with new type "User Credentials" is available now!
Ok, I stopped developing, it's not worth. Sorry!

[Q] Security framework aproach (ROM for Kids)? APP or ROM?

Hello.
I am here seeking for help and advice on how to approach the development of a security framework (via APP or via hacked Android ROM to be used by kids, that could be monitored by adults (parents or legal tutors).
The idea would be to develop a (white hat) hacked ROM, that would allow the kids to communicate with their friends, but also would allow their parents to supervise/monitor in real time what their children are doing, who are they communicating with and that way protect their children. The thing is not to spy on our kids, but to be able to check regularly if there is anything wrong going on with our kids (mobbing, insults or harassment). Kids aged (10-14) could be influenced by other kids, adults, or adults simulating being kids, and on some occasions they can be tricked to do things without their parents consent/knowledge that can lead to a tricky situation.
When I was a kid, we had the telephone (wired telephone, of course) on the middle of the hallway, so all our conversations were basically family-public. The truth is that there are not many secret things a 10yo kid could/should talk about, but nowadays, it could be a little bit worrying to lend a smartphone to a kid. I think it's just as letting a kid drive a car; he can do it right, or not be able to evaluate the whole consequences of driving a car.
Talking to other parents around me, they all found very interesting the idea of having a telephone that one could lend to their son, having the kid available all the time, and with the peace of mind that you could know what's going on. Of course the kid should be aware of this, and that the telephone comms are being supervised. I think it's no big deal. "Kid, it's very simple. The telephone is mine, and if you want to use it you have to use it under my terms".
Probably, all of us working for a company, have also our communications supervised, cannot make personal phonecalls with the company's telephones, probably cannot navigate to webs looking for personal content, and we asume those rules (because neither the company's phones nor the computers are ours but our company's). It's basically the same, switching the company-employee role to a father-son one.
So, let's get to the point (technically). I am a tech-geek, linux pro-user, have compiled a few ROMs just for personal use, but don't feel capable enough of starting a project of these magnitude alone. If there is anyone willing to help, opine, or whatever, will be very welcome.
First of all, APP or ROM? I basically think that the ROM is the way to go, but I'm asking just in case someone can convince me on the contrary. I will make a poll on this question.
APP An APP could be easily downloaded and installed but would require a rooted phone, and I don't see it clearly if an APP could resolve all the needed issues (access to communications for example) and could be fairly easily uninstalled too.
ROM On the other hand, a ROM would be trickier to uninstall (basically flashing another ROM) but wouldn't be as easy to install as an APP (though the installer model of cyanogenmod could be kind of a solution). There could be an universal (if possible) independent flashable module, over whatever android ROM, or an entire ROM solution.
Features that I want to develop in this ROM (by the way, I call it 'Vigilante ROM'):
Suitable for as many devices as possible
Web interface for parents available to see device-related information
Some hack-proof measures to avoid kids bypassing the ROM's security
Alerts triggered on some events (offensive words, whatever)
Position of the mobile -just in case-
Suitable for as many devices as possible
The first thing I though was what platform should be used for this ROM. To select Android over others (iOS, Blackberry, W7) was a no-brainer. Now, the question is should we use pure Android or make a CyanogenMod fork?
In my opinion, even though every phone maker has to supply their ROM sources publicly, they usually introduce so many modifications (HTC Sense, Samsung Touchwizz and so on) that it looks more difficult to develop a common security framework over each manufacturer's version of Android, rather than using a more standardized one like CyanogenMod.
CyanogenMod already works with a wide number of devices (and a wider one if you count the unofficial supported devices), I think CyanogenMod should be the base of this ROM. If all the 'things' needed could be flash on top of any Android device, would be even better, but technically I need help with this one.
I understand that basically there should be an internal proxy setup, so that all the communications go through this internal proxy, and based on the kind of communication, we could log whatever we need. For example:
Visited URLs
Whatsapp or other messaging apps should be decrypted
Incoming/Outgoing calls/SMS
Social network activity
I know the Whatsapp protocol because I'm familiar with a project called WhatAPI. The key point to be able to intercept whatsapp messaging is a key generated and exchanged during the app install (although there are ways to later ask the Whatsapp server to renegotiate this keyword) and that's used later to encrypt all the messages between the phone and the whatsapp server.
Web interface for parents available to see device-related information
Behind every kid with a smartphone there should be a responsible adult supervising the kid -even if it's remotely-. In my idea, logs of messaging activity, incoming/outgoing calls/SMS and even the position should be available to the supervisor through a web interface.
Some hack-proof measures to avoid kids bypassing the ROM's security
That's an easy one. CRC checks on some keyfiles would guarantee that the device is not being 'counter-hacked'. Some kids are also very techie, and we should make some defences against kids trying to hack (counter-hack?) the phone.
Alerts triggered on some events (offensive words, whatever)
It could be interesting if somehow the supervisor could receive a notification whenever the kid sends/receives and offensive word, or tries to enter some special tagged website.

New to android, custom security rom

Hello,
First of all I would like to say that I'm completely new to android (except for the occasional dabblin on a friends phone) so please go easy on me. I am tech savy, but just never had anything to do with this platform, due to my not so nice opinion of google...
I am on blackberry passport and am/was a loyal bb customer with all that follows. But please I do not wish to start android vs bb vs ios etc thread. It is a matter of taste in the end.
So long story short, never had anything to do with IOS or android as I prefered BB for security, productivity and slimeline OS. However due to recent BB swithc to android and priv (which id god awful imho) and apparent abandonment of OS10 i am faced with increasing frustraton over current passport usage as it is more and more laggy problematic every day. So seeming that bb has abandoned os10 I have finnaly decided that perhaps it is a time for a different platform.
I am considering getting the oneplus 3.
So my questions are:
- What kernel and ROM to flash? I explicitly do not want anything to do with google or google services, i do not have gmail and have no intentions to open one. I do not use any service connected to google, no cloud sync, no FB, no instagram etc.... I want my phone google free, bloatware, spyware, ads free, cloud sync free etc. so basically I want as much control over what is installed as possible, with preferably NO personal info shared to any service.
- What is the most open source build? (coming from a viewpoint that google is evil, apple too.. I am putting my trust in the open source community) - replicant project peaked my interest, but the supported phones are too old and too few. I would be extremely pleased tho, if sth like this existed for newer phones.
- Encryption is a must, both of memory and communication (pgp)
- advanced app permission control is a must
- if there exist sth like BB hub or other similar true multitasking option even better
to put it simply, what custom rom and kernel to flash to get the most secure, opensource, google and similar companies free phone with maximum control over os and no to minimum personal info shared.
I would very much appreciate if you could point me in the right direction. As i said no experiance with android, but am quick learner and tech savy. so no need to dumb it down for me.
Thank you !!

How much would it cost to create a professional custom OS / firmware ROM of Android (on average)?

Whilst I understand that there are no hard and fast rules when it comes to software development, and that the cost ultimately comes down to the scope of the project. It would however be nice to figure out as to how much it normally costs for a fully customised version of Android OS that can be used professionally. This customised ROM of Android would then need to be flashed to a device.
I understand that I have a choice of either reusing an existing ROM, or starting with AOSP. In both cases, I would need to customise that, and then package it along with the OEM vendor's kernel and drivers.
I know that there will be a lot of work involved, and also understand that I need to get a professional onboard. I don't however know / understand as to how much something like this will cost.
The plan would be to create a ROM that would be fairly similar to how the firmware on the Switch operates. In this way, the ROM must have the following features:
be devoid of all bloatware so as to increase performance of the hardware and to also allow apps to load and run faster.
tangentially... the ROM must "feel" native to the device, and allow developers to maximise performance of the device by creating and running apps that run as if they've been "written to the metal".
has a variation of the Google Play Store from which apps can be bought and downloaded from.
ROM is linked to host website.
has DRM and copy-protection features implemented where the OS checks for the authenticity of the device it's running on, and the authenticity of the app where only apps sold via the store will be able to run on the customised ROM of the Android OS. This would also probably mean that the apps would need to be authenticated by the server on a regular basis, otherwise there would be an online ban.
allows for Android apps and exports from gaming engines such as Unity, GameMaker, Unreal to be made available and to run on the device - with DRM / Copy Protection features.
development of all necessary API.
not allow the device to be easily hackable / rooted, or even be customisable by casual users.
acts as a launcher for (gaming) apps, and minimises / stops all other processes from running in the background.
I just don't know how much something like the above would cost...
How many hours would it take to create a ROM based on the above specification, and assuming that the developer charged $30 per hour, what sort of budget should I be looking at?
A stock ROM is the adaptation of the telephone's working framework that accompanies your telephone when you get it.
A custom ROM is a completely independent adaptation of the OS, including the piece (which makes everything run), applications, administrations, and so on - all you require to work the gadget, with the exception of it's redone by somebody here and there.
So what does the "altered" part mean? Since Android is open source, engineers are allowed to take stock ROMs, adjust them, strip them of trash, streamline them, add things, and essentially do whatever their creative mind and abilities permit.

Categories

Resources