Root access and apps question - Android Q&A, Help & Troubleshooting

Hey Guys!
I've been a lurker for a while on this site. The tutorials here helped guide me through rooting my i9505.
Now that I've got root access though, I've become increasingly paranoid about what apps I grant root access to. To my understanding, granting root permissions gives the program unrestricted access to do whatever it likes to your device. It will have free rein over the phone and if it was programmed to, could install backdoors or send your contacts/messages to a remote server or other malicious things and I'd be none the wiser.
With that in mind, there is an app that I want to use called apps2sd. The developer is actually a senior member of these forums. While I would like to just blindly trust that the app is clean and won't do anything bad, how does anyone know the app is everything it says it is? I believe it's closed source, so how can a fellow developer give root to it and know it's not malware?
I don't mean to sound rude or unappreciative of the hard work that went into the app. I'm just wondering if someone out there can share their knowledge of development on this and if my reservations have merit or if other developers have analysed the app to determine that it is safe to use.
Is app checking a thing or are people just relying on safety in numbers?

Related

[Q] Super User Requests

I recently responded to a thread in Themes and Apps about the HBO Go app. I mentioned installing the app and readily accepting the su request, considering the legitimacy of the source. A more knowledgeable person than I am cautioned against allowing access without knowing the reason behind that request. This is very sound advice and something I really should've considered. Since the source was legit, I just accepted the request. My question is: is the user able to determine why a su request is needed and/or what the request will be doing to the phone? I have since blocked the app from su and it's working fine.
A superuser request is basically asking for higher privileges than are normally available to the average user. Apps don't usually specify what they need root for... you'd have to go into their source code to find out. Superuser only logs the requests, not what each app did.
If you have Android Terminal Emulator installed, let's pretend to be an app as an example. Go into terminal emulator, and then type "su". You'll see that the prompt becomes a # to signify superuser access. Now, you can do anything, such as mounting /system to make it writeable and then install files as system files.
I am reminded of one time when I wanted to see if NFC worked in our phones. I downloaded an app from the market with only 13 downloads. It asked for superuser access, and I approved it without thinking about it. If my NFC was working, who knows if it scanned my cards and sent them to the author, etc. I'm not even sure why it needed access if NFC is supposed to be a service that is available on an unrooted phone (eventually).
Your app might be running fine since it has probably already finished doing everything it needed superuser for. We have to be careful with superuser because we then basically give the app control over the system.
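Since Superuser logs only the request and the source is usually not available, a first-pass check is to look at which strings the app's compiled code carries. The sketch below is an added example, not part of the thread: it scans an APK's classes*.dex files and native libraries for root-related strings. The indicator list and the sample APK are constructed for illustration.

```python
import io
import re
import zipfile

# Illustrative indicator lists (assumed, not exhaustive).
EXACT = {b"su": "invokes or probes for the su binary"}
SUBSTR = {
    b"/system/xbin/su": "hard-coded su path",
    b"/system/bin/su": "hard-coded su path",
    b"remount": "remounts a partition (e.g. /system read-write)",
    b"eu.chainfire.supersu": "looks for the SuperSU manager package",
    b"com.noshufou.android.su": "looks for the Superuser manager package",
}
# Runs of printable ASCII, like the Unix `strings` tool but down to 2 chars.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{2,}")


def is_code_entry(name):
    """Only compiled code is scanned: DEX files and bundled native libraries."""
    return (re.fullmatch(r"classes\d*\.dex", name) is not None
            or (name.startswith("lib/") and name.endswith(".so")))


def scan_apk(apk):
    """Return a sorted list of (zip entry, matched string, reason)."""
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if not is_code_entry(info.filename):
                continue
            data = zf.read(info)
            for match in PRINTABLE_RUN.finditer(data):
                s = match.group()
                # "su" must be the whole string, otherwise "result" would hit.
                if s in EXACT:
                    findings.add((info.filename, s.decode(), EXACT[s]))
                for needle, reason in SUBSTR.items():
                    if needle in s:
                        findings.add((info.filename, s.decode(), reason))
    return sorted(findings)


def build_sample_apk():
    """Constructed sample: a zip laid out like an APK. The 'dex' and '.so'
    entries are fake bytes that only mimic length-prefixed, NUL-terminated
    strings; they are not valid DEX or ELF files."""
    def blob(*strings):
        return b"".join(bytes([len(s)]) + s + b"\x00" for s in strings)

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + blob(
            b"su", b"mount -o remount,rw /system", b"Lcom/example/Main;"))
        zf.writestr("classes2.dex", b"dex\n035\x00" + blob(
            b"result", b"Lcom/example/Util;"))
        zf.writestr("lib/armeabi/libhelper.so",
                    b"\x7fELF" + blob(b"/system/xbin/su"))
        # Not code, so it is skipped even though it mentions su.
        zf.writestr("assets/readme.txt", b"this text mentions su")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, string, reason in scan_apk(build_sample_apk()):
        print(f"{entry}: {string!r} ({reason})")
```

A hit only shows that the code refers to root, not what it does once access is granted. Obfuscated strings or code downloaded after install will not show up in a scan like this.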
If an app that asks for su permissions comes from a reputable developer, you should be able to contact that developer and that developer should be willing to give full disclosure on everything that app is doing. And that developer should have a good reputation with other good people.
Second, once given su permissions an app could do almost anything and could hide its tracks so well that the majority of us average users could never track down everything it did - if it was coded well enough by a talented hacker (only other talented people would be able to work out exactly what is going on).
So be very stingy with su, because every time you give those permissions you're giving out the keys to the castle - so to speak.
--- edit below added to post ---
I still don't know why that version of HBO Go was asking for su permissions, there has since been an update that is no longer asking for su permissions. This is just a guess but it was probably an attempt to check for whether or not the phone is rooted because the media type companies fear those of us who root our phones, they're afraid we can record their streams and cut down on their ability to make more money off of us.
Sent from my SAMSUNG-SGH-I777 using XDA App
Dayv, thanks for your advice. If a developer wants to check for root access, won't there be some type of traceable communication between the app and the developer? I did install the updates and no su requests on HBO, MAX, or SHO.
dayv said:
If an app that asks for su permissions comes from a reputable developer, you should be able to contact that developer and that developer should be willing to give full disclosure on everything that app is doing. And that developer should have a good reputation with other good people.
Second, once given su permissions an app could do almost anything and could hide its tracks so well that the majority of us average users could never track down everything it did - if it was coded well enough by a talented hacker (only other talented people would be able to work out exactly what is going on).
So be very stingy with su, because every time you give those permissions you're giving out the keys to the castle - so to speak.
--- edit below added to post ---
I still don't know why that version of HBO Go was asking for su permissions, there has since been an update that is no longer asking for su permissions. This is just a guess but it was probably an attempt to check for whether or not the phone is rooted because the media type companies fear those of us who root our phones, they're afraid we can record their streams and cut down on their ability to make more money off of us.
Sent from my SAMSUNG-SGH-I777 using XDA App
mcann said:
Dayv, thanks for your advice. If a developer wants to check for root access, won't there be some type of traceable communication between the app and the developer? I did install the updates and no su requests on HBO, MAX, or SHO.
Su permission does not necessarily mean the app would send data back to the developer, but if a dev was good enough they could write it into the app to steal data, send it to them, then have the app coded to go back and erase any and all evidence that data was sent, even reset data counters.
Making it so that you have to catch the app right in the act - which could be very hard cause these things could be done so fast you would not be capable.
Then the only way to catch it would require access to logs from some router the information was sent through which you are probably not going to have access to.
A malicious app would do damage until a talented enough white hat with the sophistication (both in intelligence and hardware) capable of catching the bad actor gets ahold of the app.
If you or I get a hold of a bad app and give it su permission days or weeks before a good white hat analyzes the app we could literally get robbed blind before the news hits as to what the app is up to.
Sent from my SAMSUNG-SGH-I777 using XDA App
I would like to think that a developer working at someplace like HBO isn't writing malicious code into their apps. I would also like to think that they are screened by someone either at the company or Google before being posted in the Market. Either way, I guess the safest way to go would be to know the source and even then deny su access and see if the app runs. If it does, great. If not, then decide if you really want or need that particular app. Obviously apps like TiBu need root access, but HBO? Hmmm...
dayv said:
Su permission does not necessarily mean the app would send data back to the developer, but if a dev was good enough they could write it into the app to steal data, send it to them, then have the app coded to go back and erase any and all evidence that data was sent, even reset data counters.
Making it so that you have to catch the app right in the act - which could be very hard cause these things could be done so fast you would not be capable.
Then the only way to catch it would require access to logs from some router the information was sent through which you are probably not going to have access to.
A malicious app would do damage until a talented enough white hat with the sophistication (both in intelligence and hardware) capable of catching the bad actor gets ahold of the app.
If you or I get a hold of a bad app and give it su permission days or weeks before a good white hat analyzes the app we could literally get robbed blind before the news hits as to what the app is up to.
mcann said:
I would like to think that a developer working at someplace like HBO isn't writing malicious code into their apps. I would also like to think that they are screened by someone either at the company or Google before being posted in the Market. Either way, I guess the safest way to go would be to know the source and even then deny su access and see if the app runs. If it does, great. If not, then decide if you really want or need that particular app. Obviously apps like TiBu need root access, but HBO? Hmmm...
What I think HBO may have been doing, and this is just a guess, is trying to see who is rooted and not. Then they could control or cut off what is sent to rooted phones.
I doubt they were trying to steal any other info, but they may have been for controlling advertising you receive.
Even though this is not as bad as what someone evil would be up to, it is still bad and they should not have done it without disclosing their intentions.
I think the fact that they are still refusing to explain what that su request in that version was is quite telling that it was not likely something that would go over as a positive if it gets out.
And they probably will never tell us unless enough people make enough of a complaint about it.
But that won't happen because there were not enough people affected for it to become big news.
Sent from my SAMSUNG-SGH-I777 using XDA App
While we are kind of picking on HBO here, I think the lesson to noobs and olds (is there even a title for those more experienced??) is to be cautious about allowing su access to app requests. I am going to stick with my idea of denying su requests if it doesn't make sense to allow it. I can always allow access, if necessary. But I'll see if it works without it first. Hopefully others will follow this advice. Similar to running Windows 7 as a standard user, never admin.
dayv said:
What I think HBO may have been doing, and this is just a guess, is trying to see who is rooted and not. Then they could control or cut off what is sent to rooted phones.
I think the fact that they are still refusing to explain what that su request in that version was is quite telling that it was not likely something that would go over as a positive if it gets out.
But that won't happen because there were not enough people affected for it to become big news.
Sent from my SAMSUNG-SGH-I777 using XDA App

[Q] Brief overview of everything?

Hi there. I just got my first smartphone a couple weeks ago and I'm loving it. Samsung Galaxy SII i777 with gingerbread. I was talking with my friend today and he told me about this site and how amazing it is so I decided to check it out! However I'm incredibly lost. I see all the posts about how to root your phone and everything that says HOW TO, but I couldn't find any "WHAT IS" threads (surprisingly not in the stickies).
So could someone do a noob a favor and explain what all these different things are? Like rooting, kernel, etc. I don't plan on using anything other than the default gingerbread/ICS any time soon, but my friend told me there are tons of good benefits behind the scenes from kernels, namely getting double the battery life I'm getting now, so I definitely want to start looking into all that -- I just need to get a foundation on what's what.
Thanks in advance for the help
Read the design section from this Wikipedia article about the Android operating system for an explanation of what the kernel is.
http://en.m.wikipedia.org/wiki/Android_(operating_system)#section_2
Here is an explanation of rooting an Android phone.
http://en.m.wikipedia.org/wiki/Rooting_(Android_OS)
For basic definitions of terms like this Google and Wikipedia are great resources, as well as the stickies posted in these forums.
Now once you learn some about these things after looking and reading you will then be able to ask more specific questions which people here are very helpful with.
However general basic questions about terms and definitions like this post will sometimes generate some not so friendly responses here.
Sent from my SGH-I777 using XDA Premium HD app
http://forum.xda-developers.com/showthread.php?t=1511999
I looked through the sticky before posting, and the Wikipedia links don't answer my question. I just want to know what exactly a kernel is, the different benefits of rooting your phone, etc. Any BASIC (not overly detailed) stuff people should know when first starting to do this stuff.
The FAQ had "what is rooting?" and that was it..
http://www.reddit.com/r/Android/comments/distm/allwhy_should_i_root_here_is_why/
http://www.reddit.com/r/Android/comments/dctbb/okay_so_you_rooted_this_is_what/
Will add more as I find them.
ScelestusAnimus said:
I looked through the sticky before posting, and the Wikipedia links don't answer my question. I just want to know what exactly a kernel is, the different benefits of rooting your phone, etc. Any BASIC (not overly detailed) stuff people should know when first starting to do this stuff.
The FAQ had "what is rooting?" and that was it..
The BASIC stuff you should know when starting "to do this stuff" is don't skip the details; they are important and they will help keep you from making big mistakes.
The main reason/benefit that drives most average people to root their phones is to get direct access control over the /system partition and the applications installed there - to have more control over the "system apps". This allows them to debloat their device and to directly back up system apps (i.e. Titanium Backup).
Though there is a lot more available to them and many different things that different people do with root. Once you have root access as the term root suggests, root gives you access to the very root partition "/" and everything below it (this means that root privileges give you access to everything on your phone). It allows you access to troubleshooting, tweaking and theming that you would not otherwise be able to do.
Just remember the saying "with great knowledge comes great responsibility". Because once you have root access, you can then give applications that same root access - and that will allow that app free run through everything on your phone, as well as any and all accounts you have sync'd to your phone. So be careful to be stingy with what apps you allow root privileges, because if you allow a rogue or pirate app such control it could do quite a lot of damage and steal quite a lot from you before you ever know what happened.
As to exactly what the kernel is (summarizing part of what the Wikipedia article says, because it does tell you exactly what the kernel is) - the Android kernel is the core of the Android operating system (just like the Linux kernel is the core of the Linux OS, as the Android kernel is built directly from the Linux kernel). The kernel is the part of the OS that allows the user input and application inputs to interface with the hardware - it is the drivers and communication translation between the user controls/applications and the hardware it operates on.

Communicating with Mobile Wallet Apps

Hi, all.
I apologise if this is a weird/stupid question or if it's in the wrong place but I'm relatively new to Android development in general and I'm just looking to get a feel for what is possible and what isn't.
I know that the stuff regarding the secure element inside certain phones is kept on a strictly need-to-know basis and Google only lets certain people have access, but how about the apps that are running on the phone, such as Google Wallet?
What I mean is, is it possible to write an App that communicates with something like Google Wallet (not necessarily this app specifically) instead of an NFC device? At its simplest, when you pass your phone over a credit card terminal, it communicates via the NFC chip to the wallet application. What I'm looking to do is bypass that terminal and just communicate directly with the app via another app, sending the necessary commands directly. Is this possible? (If so, I'm not looking for a how-to, just if it's doable or not).
I know it might be complicated and there's a lot to learn, APDU commands and all that - that's fine, but as I said above I'm a bit of an Android n00b and I don't want to put a lot of effort into building a test app and learning all the API commands if what I want to do isn't possible.
If someone could chime in with their knowledge, I'd be very appreciative.
FYI: I work in the credit card industry, but my company doesn't deal with mobile (yet) and I'm putting the feelers out for what is and isn't possible in that area.
Thanks in advance!
Please ask questions in the Q&A forum, not development.
Thread moved.
Also, OP - this may help
https://developers.google.com/in-app-payments/docs/
Sorry, my mistake.
Also that link is about in-app payments, I'm not looking into doing anything like that. Rather I need to communicate specifically with the applets that are stored on the SE within the phone. I presumed this would be through whatever app installed them (i.e. Google Wallet) but I feel I may be mistaken on that.

Noob needing a little direction

Just purchased SGS3 and SGN10.1, haven't downloaded any apps as of yet because I am not comfortable with the permissions issue.
I also have not rooted as I am waiting for my SanDisk Extreme Pro SD cards, but I have some clarity I need in moving forward.
How can I best protect my phone and the info in it - mostly for the protection of my clients' contact info and just the general fact that nobody needs to know my info without my knowing why.
I have been online for the last 5 days trying to understand what I need to worry about and what I don't.
I have a copy of WhisperCore 0.5.2 and would like to know if I can use it on my SGS3.
Do I need to root my device to give optimal protection? PROS/CONS
How is the Avast protection?
And most importantly - are these protections necessary or have I been sideswiped by Chicken Little?
How can I determine the best app for me - preferably with no permissions?
I really need a good mail app, document editing app, PDF app, and possibly a CAD app.
I have been overwhelmed with info over the last 5 days and need some help with clarification and facts.
Thank you in advance for your help,
Confus-ed
An app with no permissions has the ability to access nothing so in essence will be of little use. Contacts are synced with Google unless you opt out; that decreases security. Personally if your clients' details are that sensitive use a dumb phone for work and keep your S3 for less sensitive tasks.
Sent from my GT-I9300 using Tapatalk 2
Are you trolling me?
Just running through the threads trying to increase your reply and post count?
I would appreciate that if you don't have any real information to share, don't waste my time with your non-answer.
confus-ed said:
Are you trolling me?
Just running through the threads trying to increase your reply and post count?
I would appreciate that if you don't have any real information to share, don't waste my time with your non-answer.
What?
He answered your question, an app that asks for no permissions can't do much, apps need to have permissions to do various tasks.
If you're that paranoid about safety don't root and just use reputable apps from Google play store.
Edit: in fact the more I read your reply to him the more I see that you have a terrible attitude.
Good luck finding help when you act like that.
Sent from my GT-I9300 using xda premium
No attitude, I thought that I had explained in my original post that I have just spent 5 days scouring the web (which included xda).
I didn't ask about permissions nor did I ask about contacts being synced with Google, I understand what the permissions do, but I also have read where you have control over the permissions when you root the phone.
Not paranoid, I just know the data mining that goes on and I am sure that my clients wouldn't want some random solicitation due to an app that has no need to access my contact list, such as a document editor.
My reply may have been a little short but ghost did not address any of my questions or concerns.
confus-ed said:
No attitude, I thought that I had explained in my original post that I have just spent 5 days scouring the web (which included xda).
I didn't ask about permissions nor did I ask about contacts being synced with Google, I understand what the permissions do, but I also have read where you have control over the permissions when you root the phone.
Not paranoid, I just know the data mining that goes on and I am sure that my clients wouldn't want some random solicitation due to an app that has no need to access my contact list, such as a document editor.
My reply may have been a little short but ghost did not address any of my questions or concerns.
Yes you do have control permission when you root, but rooting is a double edged sword because root apps actually have more "power" when it comes to your system and if there is malicious code in them it will also have superuser permissions if you give the main app superuser permissions.
The safest option is not to root, if you root you are opening your system up to exploitation.
I have rooted every android phone I have ever had and never had any problems but that choice is yours.
Sent from my GT-I9300 using xda premium
nodstuff said:
Yes you do have control permission when you root, but rooting is a double edged sword because root apps actually have more "power" when it comes to your system and if there is malicious code in them it will also have superuser permissions if you give the main app superuser permissions.
The safest option is not to root, if you root you are opening your system up to exploitation.
I have rooted every android phone I have ever had and never had any problems but that choice is yours.
From the perspective of data mining, you're basically just as vulnerable with a non-root app, the only difference being that the non-root app will specifically ask for permissions to use your contacts.
At the end of the day, if you want decent integration between your personal data and your apps, you're going to need to accept some risk and allow someone else's code to run through your data. If you have sensitive client data, you'll most likely be safe if you stick to mainstream, popular apps, and keep a close eye on comments to make sure no one else has had issues with security. If you're really paranoid though, I would recommend you don't keep sensitive information on any device with internet access.
I would recommend LBE privacy guard it will prompt when an app is trying to access something and you decide to allow it or not, you can manage which permissions you allow for each app, even cut it from any Internet access.
The app does require root to work
Sent from my GT-I9300 using xda app-developers app
Thank you

Root access and Android

Hey Guys!
I've been a lurker for a while on this site. The tutorials here helped guide me through rooting my i9505.
Now that I've got root access though, I've become increasingly paranoid about what apps I grant root access to. To my understanding, granting root permissions gives the program unrestricted access to do whatever it likes to your device. It will have free rein over the phone and if it was programmed to, could install backdoors or send your contacts/messages to a remote server or other malicious things and I'd be none the wiser.
With that in mind, there is an app that I want to use called apps2sd. The developer is actually a senior member of these forums. While I would like to just blindly trust that the app is clean and won't do anything bad, how does anyone know the app is everything it says it is? I believe it's closed source, so how can a fellow developer give root to it and know it's not malware?
I don't mean to sound rude or unappreciative of the hard work that went into the app. I'm just wondering if someone out there can share their knowledge of development on this and if my reservations have merit or if other developers have analysed the app to determine that it is safe to use.
Is app checking a thing or are people just relying on safety in numbers?
staticfog said:
Hey Guys!
I've been a lurker for a while on this site. The tutorials here helped guide me through rooting my i9505.
Now that I've got root access though, I've become increasingly paranoid about what apps I grant root access to. To my understanding, granting root permissions gives the program unrestricted access to do whatever it likes to your device. It will have free rein over the phone and if it was programmed to, could install backdoors or send your contacts/messages to a remote server or other malicious things and I'd be none the wiser.
With that in mind, there is an app that I want to use called apps2sd. The developer is actually a senior member of these forums. While I would like to just blindly trust that the app is clean and won't do anything bad, how does anyone know the app is everything it says it is? I believe it's closed source, so how can a fellow developer give root to it and know it's not malware?
I don't mean to sound rude or unappreciative of the hard work that went into the app. I'm just wondering if someone out there can share their knowledge of development on this and if my reservations have merit or if other developers have analysed the app to determine that it is safe to use.
Is app checking a thing or are people just relying on safety in numbers?
why the hell u don't use AppOps and deny unwanted/unnecessary permissions?
BatDroid said:
why the hell u don't use AppOps and deny unwanted/unnecessary permissions?
Because that brings its own security issues. Xposed is one of the biggest security holes made. That's why you will not see any rom dev use it.
staticfog said:
Hey Guys!
I've been a lurker for a while on this site. The tutorials here helped guide me through rooting my i9505.
Now that I've got root access though, I've become increasingly paranoid about what apps I grant root access to. To my understanding, granting root permissions gives the program unrestricted access to do whatever it likes to your device. It will have free rein over the phone and if it was programmed to, could install backdoors or send your contacts/messages to a remote server or other malicious things and I'd be none the wiser.
With that in mind, there is an app that I want to use called apps2sd. The developer is actually a senior member of these forums. While I would like to just blindly trust that the app is clean and won't do anything bad, how does anyone know the app is everything it says it is? I believe it's closed source, so how can a fellow developer give root to it and know it's not malware?
I don't mean to sound rude or unappreciative of the hard work that went into the app. I'm just wondering if someone out there can share their knowledge of development on this and if my reservations have merit or if other developers have analysed the app to determine that it is safe to use.
Is app checking a thing or are people just relying on safety in numbers?
Hi,
A few rules that I try to respect:
1. Do not install closed source apps especially if you plan to use root features
2. Use FLOSS software to protect your privacy and your security (AFWall+, NetGuard, XPrivacy [the bright side of Xposed]....)
3. If you have no other choice than to use closed source apps, give priority to known independent devs and paid services.
