Not sure what the full impact of this is yet, I'll let those that understand the inner workings of Android better explain it.
http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/
Someone can embed malicious code in any .apk file making a seemingly innocent apk not function... innocently.
Sent from my ADR6425LVW using Tapatalk 2
Changing apk content while maintaining the signature is nothing new. Lucky Patcher has been doing this to mod apps for users for a good while now. I'm should think other devs and security experts have known this too.
The problem doesn't seem as scary as they make it sound due to lack of an easy attack vector. A non-rooted user likely isn't going to encounter a modded apk on the official Play Store as Google reviews app content. Rooted users should be careful about third party sources, use antivirus if they do sideload apps, and examine logcats for fishy content if truly curious.
The system apk vulnerability only seems possible for the average non-rooted user if a dev at the manufacturer goes "rogue" and slips a trojan program by the big wigs on a launch ROM or OTA package. That or a service technician does some work to a phone, gains root access and injects their malicious app to the ROM before the device is returned.
Rooted users may also flash a ROM by a dev with bad intentions and a trojan app inside. Not accusatory, just possible.
The scary statistics language in the article aside, it is quite possible for a careless Android owner to get a trojan app on their phone from someone else. It just doesn't seem plausible for the average owner to get themselves in the situation to be vulnerable.
I've just upgraded to the s9+ from the s7edge. So far, everything about the experience has truly been an upgrade with the exception of ad blocking.
On my s7edge, I was happy with the ad blocking provided by DISCONNECT PRO and would like to use the same with my new phone. I recall that configuring the app required me to download the MY KNOX app and setup KNOX.
A search in GALAXY APPS on the S9+ does not yield the MY KNOX app. Instead, there is an app called KNOX DEPLOYMENT. Unfortunately, when I put in my credentials this app just seems to get stuck on authenticating.
I have DISCONNECT PRO on my s9+ and it claims to be working and giving me statistics but, in web browsing in Chrome, it doesn't appear to be doing anything. If memory serves, this was my experience on the s7edge until I configured with MY KNOX.
Can someone point me in the right direction?
Samsung discontinued My Knox earlier in the year. You have to use Secure Folder now
Hello there!
I use a Motorola Moto G6 that's running on Android 9 Pie (Build no. PPS29.118-11-1) and I was wondering if there was a way to block certain apps from being installed on my device by their package name. I want to be able to do this for the same reason I use very strict settings on Digital Wellbeing: self control.
I know that you can install and block apps and I know that you can use parental settings on your phone but that simply won't help in this situation. I'm also aware that an app with these capabilities might not be available. My question isn't if it's possible now or with the utilities currently provided through apps developed for my Android OS; I'm trying to figure out if it's possible to block apps by their Package Name in any way and if it's impossible to make (in theory) an app that can do it.
I'm not sure how it can be done. Can it be done by having an app that reads through an app that's attempting to be installed and generates bricked app directories where it should chuck out the app's resources so it can't be installed? Maybe. Can it be done by cancelling the installation request of an app that has a Package Name matching one inputted into a list on the hypothetical app in question? Not sure. If anyone knows the answer to those two proposals or has their own suggestions, please do your best to answer my post and keep in mind, this has to be done without the phone being rooted.
An additional but important factor: this is about self control. I can easily bring myself to not remove or otherwise disable restrictive measures on my phone, but I'd like to know if I can make it so that you cannot remove a Package Name that has been blocked in the phone no matter the method used in the first part (other than uninstalling the blocker app, of course).
Regards,
Yoki Aza
So I currently have a Tmobile Note 8 that I just found out that rooting it will prevent me from installing apps like bank apps and using samsung pay. I also have an At&t Note 10 plus for work but I dont want to root it as if something happens how will I explain it to my boss lol. So being that my Note 8 is 3 years old I decided that it's time to upgrade to a new phone. My question is what phone can I buy that I will still be able to install bank apps and keep using google or samsung pay. I'm open to any suggestions
Thank you
David
these guidelines will help
--- find out if rooting is easily available for the phone
--- take a look at extant ROMs and see what are the problems associated with those ... in the latest update and how easy it is to fix them or else live with them
--- broader the user base better it is find support available for various issues
--- coming to your question on banking apps it has nothing to do with what phone you want to buy
if you root that phone and the banking app has various checks and balances to detect root you may not be able to use it. with passage of time banking apps are clamping down on root detection and unfortunately Evasive measures are not sufficient so those fighting for root and wanting to use banking apps ... are on the losing side
Sent from my Redmi 8A using Tapatalk
I decided to root ky Pixel 6 and found out that i couldn't get around the security from germans banking apps.
simple soloution. have magisk/zygisk installed and set the root mode to "user" in the settings of magisk manager.
then go to your settings and setup a second user (wont have root) install your banking apps and enjoy the ability to use them with an rooted device
edit: this method was tested for Sparkasse app's
• S-Push Tan
• Mobiles Bezahlen
IndubidablyStoned said:
I decided to root ky Pixel 6 and found out that i couldn't get around the security from germans banking apps.
simple soloution. have magisk/zygisk installed and set the root mode to "user" in the settings of magisk manager.
then go to your settings and setup a second user (wont have root) install your banking apps and enjoy the ability to use them with an rooted device
Click to expand...
Click to collapse
I'm not being critical of your choices but why would anyone chance having a banking institution or any financial app including
GPay on a rooted device? Isn't there a much greater chance of being compromised by an app or inadvertent web link? And if the banking institution sees that a bogus user was created what are the chances of recovering funds obtained through fraudulent activity? I understand why people want to root don't get me wrong, but money transfers and transactions on that device seem a little reckless to me. But I could be wrong, just curious of the thinking here.
i Understand, but if you want to have an custom DAC like Viper4Android you kinda need root. my intention isnt to do fraudulent activity, as i mentioned in the Post you dont have Root access on that second user
IndubidablyStoned said:
i Understand, but if you want to have an custom DAC like Viper4Android you kinda need root. my intention isnt to do fraudulent activity, as i mentioned in the Post you dont have Root access on that second user
Click to expand...
Click to collapse
You misunderstood my concern wrt banking activity. I didn't suggest that you were doing anything fraudulent but if you were the victim of fraudulent activity would the bank still cover you with a bogus account you created? I don't know if what you did was entirely proper or not but that was not the issue I thought you might be concerned about.
As I said, I completely understand your desire to root be it V4A or DAC or even ad blocking. I just wonder the benefit vs the exposure if you are using banking apps. Without financial transactions occurring on the phone I doubt there is much to worry about other than what we are all concerned about root or not.
bobby janow said:
I'm not being critical of your choices but why would anyone chance having a banking institution or any financial app including
GPay on a rooted device? Isn't there a much greater chance of being compromised by an app or inadvertent web link? And if the banking institution sees that a bogus user was created what are the chances of recovering funds obtained through fraudulent activity? I understand why people want to root don't get me wrong, but money transfers and transactions on that device seem a little reckless to me. But I could be wrong, just curious of the thinking here.
Click to expand...
Click to collapse
Considering DirtyPipe exists and has not been patched yet (plus how long it already took to even acknowledge the problem in the first place), rooting is the least of our worries when it comes to monetary transactions/banking and android.
Bear in mind that DirtyPipe is only one elevation exploit that we've heard about. And for every disclosed vulnerability there are dozens of others that nobody's aware of. The market for rooted android users is very small compared to the overall android phone-user market. Creating exploits specifically targeting rooted phones would be a waste of time and effort compared to working on privilege escalation on non-rooted devices; from a hacker's perspective you want to hit the largest volume of targets in cases like these.
I've been rooting my phones for 10 years now, and my usage of banking/fintech apps on my devices has increased consistently. Applying common sense opsec/infosec practices can negate a large percentage of the perceived risk that root access exposes you to.
On the other hand, if someone wants to target you specifically, as an individual, you're screwed, root or no root, unless you're aware of the risks that come with technology and the pitfalls of android (iOS can be perceived as more secure but when it comes to individual targeting/attacks, there are expensive tools made by some of the world's top intelligence organizations that can wreck havoc on iOS as well)
TL;DR you're never truly safe, root or no root.
Unfortunately that doesn't worked for me
I tested the following apps:
SecureGo
VR SecureGo
Mobiles bezahlen
Every App doesn't launch. Sparkasse is quitting instantly and SecureGo Apps are stuck with their logo.
On the rootet user I get the Browser-warning (of SecureGo) that my device doesn't meet the security requierements. So far so good, but on the non-rooted uses i would have expect that they're working.
Any Idea? I'm on April Build.
i dont know currently, i dont have root anymore since i had to update to the April Update. i'll update if there is something that can be done
Maybe you could confirm that these Apps launch on April build without root? That could help to research the problem a bit. Thanks!
hanni2301 said:
...but on the non-rooted uses i would have expect that they're working.
Any Idea? I'm on April Build.
Click to expand...
Click to collapse
Maybe these apps are not supporting fully Android 12?
I have an app which, until recently, was freezing when the location was enabled. To be exact, when "Use precise location" was enabled. Only location access the app was not freezing, but couldn't get the coordinates.
Maye this is a similar situation here.
Cheers
Tom
hanni2301 said:
Unfortunately that doesn't worked for me
I tested the following apps:
SecureGo
VR SecureGo
Mobiles bezahlen
Every App doesn't launch. Sparkasse is quitting instantly and SecureGo Apps are stuck with their logo.
On the rootet user I get the Browser-warning (of SecureGo) that my device doesn't meet the security requierements. So far so good, but on the non-rooted uses i would have expect that they're working.
Any Idea? I'm on April Build.
Click to expand...
Click to collapse
I managed to get the VR Secure Go app working by doing the steps in the op plus using ice box and freezing magisk and the bank apps. I'm on April, too and I'm using radioactive kernel. Rooted stock kernel works as well on my device, but I had issues with the bank apps on some other kernels.
So to confirm, you need to freeze magisk on the rooted user and you're able to use the bank apps on the second (non rooted) user?
On which user you would freeze the bank apps? I doesn't have them installed on the rooted user.
Thanks in advance that you can definitely confirm its not the fault of April built.
hanni2301 said:
So to confirm, you need to freeze magisk on the rooted user and you're able to use the bank apps on the second (non rooted) user?
On which user you would freeze the bank apps? I doesn't have them installed on the rooted user.
Thanks in advance that you can definitely confirm its not the fault of April built.
Click to expand...
Click to collapse
I only have one user (the rooted user). I've done the following steps:
1. Configure magisk: activate Zygisk and setup deny list for the banking apps
2. Hide magisk app
3. Freeze magisk and banking apps with Ice Box
ok, that is the normal way which is different to the approach the thread starter has chosen.
I use deny list plus hide my applist and works fine with Sparkasse, s-push and mobil bezahlen no need to freeze or use a second user profile
How do you do that, hide applist?
You can bypass it by
Download App Named Shelter from Play store.
The App will create work profile and you can bypass any bank or app you facing issue with it.
When completed create work profile you can clone Bank App and use if.
As Information, It works out of the Box with Magisk denylist,
You only need to Install Ice Box and hide Magisk Manager, even if it is using a random name, "Mobiles Bezahlen" would detect it.
Magisk + Ice Box is sufficient on latest Miui 13 as well!
Regards!
Not sure but I think island could help not sure though as I'm not rooted the app is made by greenify
Only as info, these 2 Apps, Postbank Finanzassistent and Postbank BestSign working by default on a rooted device.
I like Postbank