Better Mobile App

Money toolkit app?

Hello has anyone used the money toolkit app to access your account?. On my iphone I have an official natwest app, which am sure is safe however a bit worried about this one cause it clearly states not affiliated with any bank.

Hi marvi0
I am Dan - founder of Money Toolkit, so obviously my opinion is not impartial
You are absolutely right to question apps like ours, and I wish more people were more diligent in this resect.
The biggest barrier to using any third party financial app is trust. For a small start up like ours, theres a bit of a catch 22 thing. The best way for people to trust our app is to see others using it, which means having enough early trail blazers use it.
I hope you do read some of the pages on our site regarding security - we have gone to very great lengths to keep you in charge of your credentials.
But this is still only our word. Probably the best thing to help increase your confidence is to look on our get satisfaction pages - (we cant delete messages, so it is an open conversation). Also check the comments on the Android market, again we can't even respond as the developer (which can be frustrating).
I hope others do respond on here, though we only have 500+ active users, so I would be a bit surprised.
There will always be some nervousness committing to our app, ultimately you have to go with your instincts - most people who see our app don't go on to enter their details, which is a shame in my opinion (obviously), because those who do find our app really useful.
Any questions, just ask.
Cheers.
Dan.

I have installed it and it looks pretty good
I have my fingers crossed regarding the security

Thanks for your reply so does this app actually allow me to view my natwest account information?

marvi0 said:
Thanks for your reply so does this app actually allow me to view my natwest account information?
Click to expand...
Click to collapse
it does yeah
you get an overview and then when you click on the account it drills down into the transactions
you cant see direct debits etc
also i wish you could change the theme, the wooden effect is a bit yukky, lol
but it does the job fine
also you have to manually log out or the app will run in the background, and if someone picks up your phone they can see the bank funds etc

winwiz - thanks for that.
You are not alone a few people don't like the wooden theme, so we are thinking of changing that.
The idea was that it continues the web site theme of being a work bench - continuing to follow the tool kit idea! We also didn't want to look like another boring bank, but probably it doesn't work that well on the phones.
Regarding logging out - we keep you logged in on purpose, (it will time out after 5 minutes) it is really annoying when you accidentally go back too far or want to swap to another app and have to log back in. Perhaps we should make that another setting?
some people even choose to keep their password remembered, and rely on the phones own security.
Remember this is a READ ONLY app, there is absolutely no way anyone could transfer funds, or make any changes to your bank.
We've got some nice things planned, like categorising your sending and graphs etc.
So any feedback or ideas really welcome - especially on the get satisfaction pages
Cheers.

MTK-Dan said:
winwiz - thanks for that.
You are not alone a few people don't like the wooden theme, so we are thinking of changing that.
The idea was that it continues the web site theme of being a work bench - continuing to follow the tool kit idea! We also didn't want to look like another boring bank, but probably it doesn't work that well on the phones.
Regarding logging out - we keep you logged in on purpose, (it will time out after 5 minutes) it is really annoying when you accidentally go back too far or want to swap to another app and have to log back in. Perhaps we should make that another setting?
some people even choose to keep their password remembered, and rely on the phones own security.
Remember this is a READ ONLY app, there is absolutely no way anyone could transfer funds, or make any changes to your bank.
We've got some nice things planned, like categorising your sending and graphs etc.
So any feedback or ideas really welcome - especially on the get satisfaction pages
Cheers.
Click to expand...
Click to collapse
Hi Dan,
Thanks for the great feedback. I'd like the option to customise the background, or if this is not possible, a solid black background. The timeout option should be configurable so the user can set the timeout period!
I look forward to the updates

MTK-Dan said:
I am Dan - founder of Money Toolkit, so obviously my opinion is not impartial
...
Any questions, just ask.
Click to expand...
Click to collapse
Hi Dan,
Was just deliberating about using Money Toolkit and I had a couple questions. I've no knowledge in this area so please bare with me.
On the blog post here: hxxp://moneytoolkit.com/2010/09/secure-mobile-banking/
You said that:
"Yodlee then sells your bank data to the web site that you signed up".
Which I agree doesn't sound ideal - but they have to make money to be a sustainable business. How does money toolkit intend to make money? Which part of users financial details will be utilised to do this?
Secondly - regarding the security - the same blog post says:
"Not only would someone have to get access to your phone they would have to go to the same lengths as they would if they wanted to ‘hack’ into a bank, but they would have to do it three times!"
I presume that each location storing data can't login to the bank account in part. Instead a single server instance would have to login - requiring all 3 parts of the information to do so as banks usually randomise the questions asked. That presumption may be wrong however - but if it's correct does that mean a hacker could just hack that single server instance and intercept the traffic being sent to the bank?

You said that:
"Yodlee then sells your bank data to the web site that you signed up".
"but they have to make money to be a sustainable business. How does money toolkit intend to make money? Which part of users financial details will be utilised to do this?""
Click to expand...
Click to collapse
We point out the normal relationship with Yodlee because Yodlee is an independant third party, they are the entity that you end up having the biggest contractual relationship with, in fact you sign over power of attourney to them when you use a web site that uses their aggregation (read the small print).
Regarding Money Toolkit making money, so far we don't! Of course, as you point out, we need to, so we have two options - we will ask for 50p per month (for example), or we will offer good deals with companies we trust (generally not main stream banking companies), where we will make a commission, if we do that we will make the commission obvious and share it with the person taking the offer.
"Secondly - regarding the security...
...does that mean a hacker could just hack that single server instance and intercept the traffic being sent to the bank?"
Click to expand...
Click to collapse
Well your main assumptions is correct, but the reasoning not quite right. Firstly it is not just because of the random nature of the security questions that the three way split is valuable, but literally each part is utterly useless without the other parts, they are three parts of an encrypted file, which MUST come together before it is possible to decrypt.
The decrypted file (now only in volatile memory) then returns values to your phone and it is your phone which sends (over SSL) the right request to the bank, so they would have to breach our own SSL traffic (and custom encryption). Our IP's and the bank's are hard coded so a traditional man in the midle attack is ruled out. They would in effect, have to dupe you into downloading a dodgy Money Toolkit apk for this to be possible.
As you may know, the huge majority of security problems come from static data being discoverable (cd's and memory sticks left on trains for example). In our case the three seperate locations, including your phone make this kind of static data recovery, all but impossible.
However... you are right tht if someone managed to compromise the individual server that, at that moment (we have many), did that specific decryption: then if they were very smart, they might have the ability to detect your secure bank details. Though it would be almost imposible for that to happen and us not know about it. To alter our code and not have our systems detect the intrusion would be phenomenal.

MTK-Dan said:
so we have two options - we will ask for 50p per month (for example), or we will offer good deals with companies we trust (generally not main stream banking companies), where we will make a commission, if we do that we will make the commission obvious and share it with the person taking the offer.
Click to expand...
Click to collapse
Great, both options sound reasonable
MTK-Dan said:
they are three parts of an encrypted file, which MUST come together before it is possible to decrypt.
Click to expand...
Click to collapse
Neat, didn't realise.
MTK-Dan said:
The decrypted file (now only in volatile memory) then returns values to your phone and it is your phone which sends (over SSL) the right request to the bank, so they would have to breach our own SSL traffic (and custom encryption).
They would in effect, have to dupe you into downloading a dodgy Money Toolkit apk for this to be possible.
Click to expand...
Click to collapse
That at least does sound secure (without understanding it more) I suppose there may also be security issues beyond a dodgy .apk file if the Android device has been rooted - because I think that allows apps to work outside of their sandbox. Again, I don't know enough about that.
Thanks for the detailed answers, it gives me more confidence in the service.

aph5 said:
Great, both options sound reasonable
Neat, didn't realise.
That at least does sound secure (without understanding it more) I suppose there may also be security issues beyond a dodgy .apk file if the Android device has been rooted - because I think that allows apps to work outside of their sandbox. Again, I don't know enough about that.
Thanks for the detailed answers, it gives me more confidence in the service.
Click to expand...
Click to collapse
Is it possible to transfer money to whomever you want with this app?

[Q] Privacy on Android using standard VPN Settings?

Since we know the main reason Google did Android was the same as all their other free products - collect more info from users, can the built in VPN settings be trusted? It just seems to me that the only reason Google would be "kind" enough to build in a system to defeat the reason they built Android in the first place would be if they wanted a way to offer "security" with a back door for themselves??? i.e. Maybe all traffic goes through Google before being sent to VPN??
Or maybe a simple question is can Google still see your traffic or get the info they want if you use the built in VPN settings (with a VPN service of course)?
Would using an OpenVPN app be more secure than the standard settings?
Thanks and I'll apologize in advance if this is a stupid question!

Remove the tinfoil hat for a second and listen:
Even if the traffic from the VPN were to be sent to Google, they would only receive the encrypted traffic!

Erm, yeah, that is, if no other part of the VPN framework is sending the encryption key to Google servers -in an encrypted form so as to not be so easily detectable by sniffing the traffic...
Heck, the FBI and the NSA do it with e-mail (google-search "carnivore program" and "Echelon communications interception", you'll find plenty of info on these -surprisingly not well known- topics) and truckloads of other communication forms, why would Google mind ?
You're absolutely right to be wary -especially if you live in the USA, where the "Patriot Acts" 1 and 2 give practically free-hands to the government to wiretap everything they want, in the interest of "national security" (or so they say. Most times though, it's used for more 'impure' intentions), and sometimes forward the collected info to big corporations who can make big money out of it. That's how Boeing practically stole a multibillion $ contract right under the nose of Airbus : the NSA tipped them off after they intercepted emails and faxes emitted by Airbus about the bid, and told Boeing to slightly -just enough- increase their own bid, and voilà... (but they never acknowledge anything by saying "we intercepted comms that said they'll bid so much or so much", nope, it's way more sneaky than this : it goes like "about this contract, we think that it would be a good idea to slightly increase your bid, by say a million or two", never mentioning any wiretapping -and of course the people who benefit from the info are way too glad to think about spoiling the ambiance by asking embarassing questions. "you don't look a gift horse in the mouth", after all...
If you really wanna have a (mostly) relaxed mindset about this, I see only one reliable solution : code your very own VPN app, and keep it to yourself, forever and ever, so it can't be reverse-engineered by no one (and even this is no 100% guarantee, you're never safe from anything in this sorry world)..
That being said, I'm not entirely convinced Google created Android just for gathering info from its sheepish users.. There probably is some of that, sure -althoug, to be a Android user requires way more technical knowledge and curiosity about the device you're using (that is, if you wanna use it at 100% of its capabilities) than the "average frustrated Windows chump".. And this kind of user is way more liable to uncover the "conspiracy", sooner and easier than just a WinMo or iOS user.. It's kind of like sawing the branch you're sitting on..
And if this happened -Google being discovered spying upon the communications of Android users- they'd probably be in biiiig trouble, probably more than what makes it worth trying it. Just look at Apple when it got known that every iPhone has a hidden memory area that stores the GPS coordinates of your every move and periodically uploads them to Apple servers. Jobs managed to dodge the bullet by publicly explaining that it was meant to enhance the algorithms that will be used by future GPS chips, but who the hell believes that ? For one thing, Apple never manufactured GPS chips, and probably never will, mostly because building a chip-foundry factory costs a huge wad of dough (just ask Intel how much they're spending to upgrade their infrastructures each time they reduce the die-sizes by a few nanometers, the amounts are hard to believe when you're making about 15$ an hour like me..), and also because there are already too many competitors out there -most of which are better than Apple at designing quality hardware.. It's probably no mystery if Apple prefers using 3rd-party hardware than making their own : it's cheaper, easier, and at least if you get some f-ed up hardware, you can just blame it on the corporation who sold it to you instead of having to make an embarassing and very public mea-culpa (at this point, the words "HTC", "eMMC" and "Samsung-made chips" are popping into my mind.. Is anyone else feeling those symptoms ? ^^). And it would be way harder -if not downright impossible- for Google to find a believable and reasonable explanation for such a mischief (I think it's even called a felony at this level.. But I'm no yankee, can't be 100% sure about this detail -and right now I'm too lazy to Google it up and find out.. xD).
But then again, who can be 100% sure ? It's always wise to be wary, and always be prepared for every contingency, as far as is humanly possible
I personally think that if Google created Android it's probably more because they wanted to thwart Microsoft from ever gaining complete monopoly of the mobile OS market, like they did with Windows and the PC OS market -which they mercilessly dominate by every means possible, even those that are borderline illegal sometimes, if the outcome makes it very worth the risk..
Google and Microsoft just can't stand each other (just like Microsoft and SCO-Unix couldn't stand each other back in the heroic days.. Actually, Microsoft has had many a foe along the way, IBM is counting among those too -but MS finally managed to kill off their offspring OS/2. It wouldn't die by itself so they had to kill it.. But they only managed to do so because they were more determined on taking it out of the OS scene than IBM was determined on defending it.. ), and they just will do anything that is in their respective grasp to piss off one another -with varying success..
And I gotta admit that they did a pretty good job out of it, all things considered : the Unix open-source community benefits from one more interesting project (even if the sources for every new Android release are often very long to come out. But then, the GNU public licence only states that you have to release the source code with your app if you're reusing some GNU-licensed code, it never mentions any deadlines, or that it has to be released together with the compiled binary), and Microsoft is held back from completely winning a juicy prize, which makes their new CEO Steve Ballmer mad with rage -which is hilariously funny to me (I can't get enough of seeing this fatass enraged. Too bad Bill Gates retired, it'd probably have been equally as funny -if not more- to see him enraged, with Ballmer towering over him by his side and trying to make himself as small as a mouse so he could escape by a crack in the nearest wall, the "angry dwarf and the 'not-too-bright-but-very-bulky' giant". In the movies that's always a winning combo)..

Snakeforhire said:
Erm, yeah, that is, if no other part of the VPN framework is sending the encryption key to Google servers -in an encrypted form so as to not be so easily detectable by sniffing the traffic...
Click to expand...
Click to collapse
Well, if you want to follow that road, what's telling you that the VPN clients around aren't sending that very same key to law enforcement agencies?
The answer is simple, it would be a huge, gigantic ****up, as you said!

read the rest of my post, I address this issue a few lines down.

@Alcap12 I don't generally consider myself to be part of the tin foil hat club. But I am older and have learned (the hard way) the difference between regrets and mistakes - mistakes you can fix. I think there is going to be a whole **** load of young folks who are going to regret not taking their privacy a little more seriously in a few years.
Thanks for the reply SnakeforHire.
I understand the man-in-the-middle type of attack and if you're using an ssl vpn the only thing the middleman sees is encrypted traffic. But Google isn't in the middle they own the starting point. So is it possible: A user sends some data, Android phones home with the metadata, and then Android encrypts the data and sends it to the vpn server? Tons of the apps on the market are tracking you - heck the Dolphin browser just got busted doing it right here on XDA so why not Android itself??
I'm thinking a packet sniffer would tell us the answer. I'm also thinking if I've thought of this one of the professionals here on XDA has too and has checked it out already. At least I'm hoping so. I just posted this thread in the hopes of finding out for sure.

you're assuming the filtered-out data would be sent over to the eavesdropper in an unencrypted form, otherwise the packet sniffer would just see meaningless garbage..
And I kinda doubt that anyone willing to go to such lengths to spy on others would be so foolish as to forget to add encryption to his upload framework.

Well, it seems to be a very good and informative question. I use VPN service and i don' think that google can trace out your traffic though the traffic from the local ISP transmit through a sound means which is absolutely encrypted and protected so there won't be any chance for anyone to look into you data and traffic...
i use the service of hidemyass and i can say that its is the best iphone vpn. I have been searching around the web for several aspects related to vpn and my research concluded that through vpn no data can be traced..All what google or anyone else will receive is the encrypted data like [email protected]#$^^&*. So impossible for anyone to see it

Since the arrival of latest Android Phones, we have been seeing people searching for the most reliable and trustworthy Android VPN Providers. It has not been easy for anyone of us, searching for VPN provider that can support our latest Android Phones settings. In fact this has not been easy for us to compile this entire list of Android VPN Providers.
Setting up commercial VPN on Android 3.0 or older versions is a piece of cake nothing to worry about. You just have to tap here and there on your New Android Phone and you are connected.
Before providing you with the step by step process, I would again mention the ‘disclaimer’ that this blog-post is not for the experts or techies, but this is for those who are new to VPN or android and want to setup their VPN accounts for the first time on their Android Phones.
Let’s cut the crap and start with the tutorial, I will first tell you how to setup a simple PPTP VPN connection on your Android Phone.
Go to your Phone settings.
Tap on Wireless Controls and then VPN Settings.
Click ‘Add VPN’ and you are Half way through J
Tap on “Add PPTP VPN”. Do not worry about others, we will let you know about the other protocols as well.
Add your “VPN Name”. It can be your name, you can even name it “I Do not need VPN”
Now the so-called difficult part arrives, entering the Server Name. Server Name can only be entered, if you have a VPN account, or you have setup your own VPN. If you do not have both, please do not try this, you will not get anything
Server name is being provided by the VPN Provider, it will be like “usa.bestvpnservice.com”.
You can enable the encryption here. (If VPN still does not work, try again after disabling it)
Do not worry about DNS Search Domains until or unless you are planning to use Internal DNS Server, if yes enter them here.
Save the Settings and You are all set with your New VPN Connection on your Android Honeycomb.
Now, comes the connecting part. Go to your VPN Settings and there you will get your added VPN connection. Tap to connect it and enter your Username and Password, which you will get after paying your VPN Provider. You will see a small Key like icon on the Top, which means you are now safe, secure and anonymous in the digital world. You can disconnect your VPN by going to the same area with VPN settings and tapping on your connected VPN Connection.
I hope it will helpful for you to configure settings on your Android. Currently i am Using my Ipad its more easy as compare to Android.
To see Ipad VPN and its seetings:
bestvpnservice.com/blog/how-to-connect-to-a-vpn-on-ipad-2

[Q] Still No Encryption for Android?

Greetings All
Having played with android now for some time Im am suprised that nobody that I am aware of is offering any true full disc encryption for Android.
There are "Security Suites" that offer remote wipe etc but I myself dont consider this to be true security.
RIM has offered full disc encryption and wipe to disc capability for years. Yet Android still doesnt truly have this capability (I am aware the latest versions do have weak so called encryption capability). Android devices certainly have the power to run encryption.
And with Whyspersys having been acquired by Twitter that doesnt seem to be a viable option any longer. Besides, they only really offered encryption for two models of phones.
There has been a DARPA request for this, so somebody must be working on it....
So, my questions are:
Why isnt there any stand alone encryption software available? It cant be that hard to create given that its already been available on other types of handsets that could be considered inferior and less powerful. Blackberry handsets have had full disc encryption with wipe to disc capability for years.
Why havent the larger companies (ie symantec etc) offered it? I believe it would be economically viable as there are many that would buy it particularly if it sold as outside of the Google Market and could be managed from the desktop.
For that matter, why hasnt some whippersnapper wrote a program say even at 168 encryption? Again, it cant be that difficult?
Perfect package in my mind would be 256 AES two fish (or 168), sold on a disc rather than the online market, and come with a desktop manager.
Thanks, for any comments-

I know there's encryption inside ICS natively, but I don't know how strong it is.

endeavour123 said:
I know there's encryption inside ICS natively, but I don't know how strong it is.
Click to expand...
Click to collapse
Not very strong or effective.
Easily defeated with cellex, celbrite, JTAG etc as is iOS etc.
Unfortunately BBerry is the only handset to offer amazing encryption and wipe to disc encryption. Which why Im amazed nobody else does, or that DARPA has to appeal to the community at large in order to solve this....
Most products address end to end encryption of calls, txt, email etc and location options.
Remote wipe is NOT a true solution if you are carrying important data for business if industrial espionage is a consideration let alone 4th Amendment rights.
I love Android devices, but still....

wallflood said:
Not very strong or effective.
Easily defeated with cellex, celbrite, JTAG etc as is iOS etc.
Unfortunately BBerry is the only handset to offer amazing encryption and wipe to disc encryption. Which why Im amazed nobody else does, or that DARPA has to appeal to the community at large in order to solve this....
Most products address end to end encryption of calls, txt, email etc and location options.
Remote wipe is NOT a true solution if you are carrying important data for business if industrial espionage is a consideration let alone 4th Amendment rights.
I love Android devices, but still....
Click to expand...
Click to collapse
To be honest no matter what you do as long as android is built using an open source platform you will never be able to compare it to a device that was made for business.
Sent from my Inspire 4G using Tapatalk 2

zelendel said:
To be honest no matter what you do as long as android is built using an open source platform you will never be able to compare it to a device that was made for business.
Sent from my Inspire 4G using Tapatalk 2
Click to expand...
Click to collapse
Could you clarify this argument? In my oppinion Open source is the key to secure encryption. The more people are able so review the source code and the encryption algorithms, the less exploits will be able to stay unfound.

zelendel said:
To be honest no matter what you do as long as android is built using an open source platform you will never be able to compare it to a device that was made for business.
Sent from my Inspire 4G using Tapatalk 2
Click to expand...
Click to collapse
I think I understand where you are coming from, but I respectfully disagree with that position.
Having been a BB user for several years, I think Android OS is superior in all ways.
But I think the OS, not having come from one company with one goal in mind, is what put Android OS in this position.
As well as the overall obsssion with the collection of tech date by companies and governments, I cant help but feel developers are actually discouraged from creating encryption programs that secure handsets and tablets-

...Interestingly, DARPA is releasing a secure version of Android OS and is open source so the public can view it.
And the NSA is revealing its SE Android, also open source.
But these versions of the OS focus on being able to store and transmit.recieve classified information.
They also focus on limiting permissions of apps.
For general public use (and Enterprise use) it would be nice to just have a system that was encrypted to disc, and could wipe to disc-

I Know

Please use the Q&A Forum for questions &
Read the Forum Rules Ref Posting
Thanks ✟
Moving to Q&A

Please elaborate
Not very strong or effective.
Easily defeated with cellex, celbrite, JTAG etc as is iOS etc.
Unfortunately BBerry is the only handset to offer amazing encryption and wipe to disc encryption. Which why Im amazed nobody else does, or that DARPA has to appeal to the community at large in order to solve this....
Most products address end to end encryption of calls, txt, email etc and location options.
Remote wipe is NOT a true solution if you are carrying important data for business if industrial espionage is a consideration let alone 4th Amendment rights.
Click to expand...
Click to collapse
Not sure where your info is coming from.
As of Android 2.3.4 device encryption has been available. Granted most manufactures didn't implement the ability very quickly. I have two GB devices niether give me an option to encrypt my device on the stock ROMs, but some did. I am running 4.1.2, and encryption is as full as it gets. If I boot into CWM recovery I can adb into a minimal root shell, but the revocery partition doesn't "see" any of the actual data. I think this suffices. As far as circumventing this encryption, I don't think a JTAG or cellebrite will help you with this. As of Android 3.0 (tablet only I know...) the encryption standard is 128 bit AES, I wish they would have used 256 bit...but whatever. No doubt Android is late in the game, I just don't think they thought it necissary until the smartphone evolved to something more powerful.
Android Encryption: http://source.android.com/tech/encryption/android_crypto_implementation.html
Cellebrite: Their schtick, as far as Android and BB devices are concerned, is recovering data from a locked device, ie you forgot the password and the backup etc etc. They go out of their way to not mention the word DECRYPTION when talking about Android or BB. I say this because in thier iOS section, they repeatedly mention their ability to DECRYPT the device data on the fly. So again it would appear to me that, for Android, they use some custom revocery ROMs and adb to revocer UNENCRYPTED data (with their special hardware).
in fact this is from Cellebrite themselves:
for ALL Android OS versions including Android 4.X (Ice Cream Sandwich). Physical extraction for any locked device is only available if the USB debugging has been switched on
Click to expand...
Click to collapse
Cellebrite on Android: http://www.cellebrite.com/forensic-solutions/android-forensics.html
Encryption is encryption, if it uses AES, as far as I know you have to be able to crack AES to get at the data once it's encrypted.
You need the password, or brute force, OR find a weakness in the algorithm.
If you're that worried, find another way to transport/store your private data. Companies with this much at stake are stupid to entrust sensitive data to any of these devices in any of their current states. For you and me, I don't think yo uneed to worry about your stuff that much. This is like the old adage that locks keep honest people honest. Most people find a phone, maybe try a few cheap easy tricks and wipe if they fail. Although AES is considered safe against brute force, if you need more, use truecrypt with hidden partitions or something like this and a real computer. Even then....

[Q] Backdoors in alternative Firmwares?

Hello there.
I'm working in the field of privacy protection. Recently Mister Snowden found out, that a big state agency in the US with three letters has backdoors in Android, Windows Phone and Black Berry.
So i have to ask you guys if you know something about this.
As we already know, these back doors do exist in the stock firmware, but what about let's say CM or all the others. Do they have these back doors as well?
And optionally for those of you, who know the european privacy protection laws, is there a way to demand of samsung to remove these backdoors to comply with these privacy protection laws?

Just imagine such kind of rootkit could be implemented already in dalvik-vm (low-level). Who's able to dump and verify it? Short answer: no one without JTAG hardware and advanced assembler skills
But that's nothing I would worry about.
Sent from my GT-I9300 using xda app-developers app

I always believed, i could find the guys you were writing of there as well.

The vulnerability is there for everyone. It's stitched into the android firmware and I very much doubt the CyanogenMOD team could do anything about it.
As Edward Snowden said, though, you can avoid this by using strong encryption and isn't commercial (openSource is better) on your entire ingoing and outgoing data connection. You can also encrypt your storage.
SELinux is useless, since, the NSA wrote it.

Kryten2k35 said:
The vulnerability is there for everyone. It's stitched into the android firmware and I very much doubt the CyanogenMOD team could do anything about it.
As Edward Snowden said, though, you can avoid this by using strong encryption and isn't commercial (openSource is better) on your entire ingoing and outgoing data connection. You can also encrypt your storage.
SELinux is useless, since, the NSA wrote it.
Click to expand...
Click to collapse
It's a good start (OpenVPN, PGP, drive encryption + custom bootloader and ROM, F-Droid). But if we dig further, what good is encryption if firmware can log key 'presses' on your virtual keyboard and microphone can be remotely controlled for sending data in the pre-encryption state? It seems much easier to implement on Android devices with so much non-free firmware (look closely at http://redmine.replicant.us/projects/replicant/wiki/ReplicantStatus and http://redmine.replicant.us/projects/replicant/wiki/TargetsEvaluation) than on PC, where you can go without non-free firmware in many cases and only need to suspect Intel/AMD backdoors (mainly in RNGs) and those in the BIOS/UEFI. On the other hand, with SSDs and their non-free firmware becoming more common...

Sorry but what will they get from my phone?

Anything from gapps data to the conversation you're having while not thinking the microphone in your phone laying at the table is set on, for the starters.

What are the chances of getting a device compromised?

I had an argument with a friend the other day... I was arguing that a mobile device is a very sensitive thing because it allows to glean far more intimate information that may harm you very much and that people should be wary at what features are added to the phone. To which he replied "So what? What are the chances that an intruder would get remote access to my phone?".
Hrmp...
What are actually the chances of a non tech savvy but a conservative user (meaning that he largely doesn't experiment with completely unknown apps and he uses only the official markets to download) of getting someday his phone remotely accessed (at least once in his lifetime)?
If for instance we add a feature to the phone where it can destroy all of our home appliances- would it be wise? Is there a realistic risk involved? Why would someone want to destroy our possessions even if he gained entry?
Thanks

oy-ster said:
I had an argument with a friend the other day... I was arguing that a mobile device is a very sensitive thing because it allows to glean far more intimate information that may harm you very much and that people should be wary at what features are added to the phone. To which he replied "So what? What are the chances that an intruder would get remote access to my phone?".
Hrmp...
What are actually the chances of a non tech savvy but a conservative user (meaning that he largely doesn't experiment with completely unknown apps and he uses only the official markets to download) of getting someday his phone remotely accessed (at least once in his lifetime)?
If for instance we add a feature to the phone where it can destroy all of our home appliances- would it be wise? Is there a realistic risk involved? Why would someone want to destroy our possessions even if he gained entry?
Thanks
Click to expand...
Click to collapse
Malware is widespread on Android phones. Just search the web for "android malware" and you can find plenty of information about these threats. You can get malware-infected apps from Google Play, and sometimes legitimate-looking apps have been repackaged with malware.by someone else.
An attacker probably is more likely to take personal information: Your contacts, passwords, email/SMS, banking and financial info, health info, etc. They can use it to steal money (e.g., from your bank account or by using your credit card), impersonate you for purposes of identity theft, or for other reasons.

Well that is the thing- my wariness comes exactly from searches like that, from subscribing to various security blogs, from reading coverings of Blackhat, Defcon and the myriad ways a phone can be intruded. Not just by downloading and running software but by browsing the web, plugging things into USB cables/outlets, weaknesses in assorted programs and tons of other possibilities.
The abilities are copious. In theory.
The device seems so inherently dangerous that I basically treat it as if it was hacked (well, try to. It's hard to minimize information pass through), but then there are links like that: http://bgr.com/2015/02/17/android-vs-windows-malware-infection/ where even people with some vested interest talk about practical numbers of less than 1%.
I suppose that as a random for-profit-hacker I too would be firstly interested in stealing data and money directly, but there are other kinds of intruders (like police/for-the-lulz/ combination of the 3 and etc) and I'm not sure if in practicality concerns over other types of damage (other than steal info) are substantial.
I did recognized one type of financial profit from attacks of physical damage though- ransomware, but I can't think of any other monetary gain.