Related
Is anti virus a waste or is it worth having it run on your phone?
waste......
MrGibbage said:
waste......
Click to expand...
Click to collapse
Why is that?
its a waste, when was the lest time u heard of someone getting a phone virus? lol, plus what are you downloading and running on your phone that might even pose a threat
I vote waste too, for current AV solutions. Like another poster said -- There really aren't any threats at the moment. It's real likely there will be at some point, but I see no reason to believe the current AV providers have any clue what these future hypothetical virii will look like. I'll trust an AV once it is written by a security researcher who has studied live Android virii. Until then they're just wasting resources.
I don't run AV software on my home computers or my phones. I am careful with the email that I open, and when I DL software, I try to be aware of where it is coming from. I am never the guy that that downloads something the day it comes out. If it is nefarious, I'll hear about it. Maybe I'm lucky, but I just don't see the need.
SMS Trojan for Android - http://www.theinquirer.net/inquirer/news/1727325/android-virus-spotted
They do exist just not on a Windows level lol. I'm sure they will jump in numbers as the popularity of the platform continues to explode. Currently, Lookout is one of the top rated AV apps, and its free.
BTW when you install the "SMS Trojan" it asks for permission to send text messages that may cost money.
TOTAL Waste.
Just read the permissions requests when installing apps.
Or go read up on how Android's app sandboxing works. Either way, nothing can harm your phone unless you explicitly allow it to. And if you allow a photo app to read all of your data, and send text messages and connect to the internet, you deserve what you get.
reuthermonkey said:
TOTAL Waste.
Just read the permissions requests when installing apps.
Or go read up on how Android's app sandboxing works. Either way, nothing can harm your phone unless you explicitly allow it to. And if you allow a photo app to read all of your data, and send text messages and connect to the internet, you deserve what you get.
Click to expand...
Click to collapse
Aint that the truth. Idiots need to pay attention to the Android Permissions screen and ask themselves "Why does this flashlight app need to read my contacts, google account and access my dialer, data connection and send SMS??"
Like others have mentioned, threat levels right now are so low that it doesn't warrant the use of money or system resources.
Some apps in the market that are labeled as such are just spam btw.
And also, we are far from a mass infection ala PCs. Just be very careful with what you download. Pay close attention to the permissions and use your very good judgement. If a music player asks permission to read/send/receive text messages and make phone calls, it's probably some type of malware.
jblade1000 said:
SMS Trojan for Android - http://www.theinquirer.net/inquirer/news/1727325/android-virus-spotted
They do exist just not on a Windows level lol. I'm sure they will jump in numbers as the popularity of the platform continues to explode. Currently, Lookout is one of the top rated AV apps, and its free.
Click to expand...
Click to collapse
WASTE ,..,.., hands down......
A virus that has to be manually installed by the user or creator on the host device ????? , and this is after all the warnings to the user before you press ok .,.,.,.,., never mind all the warnings telling you NOT TO DOWNLOAD outside of the market,unless you know what you are doing , download AT YOUR OWN RISK..... Not to mention the anti virus companies CREATING the need for you to install their app ... ever read some of the comments in the market about these "AV" apps ? > 'this app works great, protects my phone'<<<<<? protects it ? from what ???? WTF..
So yes I think it's a waste.....
People make viruses for a living so pretty soon someone will come out with a major one cause it being a phone means nothing its based off of linux and I know linux doesn't have any killer viruses but they do have some just not on a windows level. So ask it takes is one overseas a hole to create one just so he can get famous and then we will need an
Worth installing virus app.
O yea most people only read the permission when installing apps when they are new to android most people don't look at them.especially for apps they regularly use like handcent. Who know what they do with our info?
Sent from my Samsung Vibrant
hmmm lets see, would an app be able to slide in a permission without a warning? as in read contacts after installed but it never showed on the permission screen.
creglenn said:
People make viruses for a living so pretty soon someone will come out with a major one cause it being a phone means nothing its based off of linux and I know linux doesn't have any killer viruses but they do have some just not on a windows level. So ask it takes is one overseas a hole to create one just so he can get famous and then we will need an
Worth installing virus app.
O yea most people only read the permission when installing apps when they are new to android most people don't look at them.especially for apps they regularly use like handcent. Who know what they do with our info?
Sent from my Samsung Vibrant
Click to expand...
Click to collapse
None of that supports a need for an Anti-Virus. Android sandboxes each and every application on the system. It's not like any other Linux distro in how it handles security. It's MORE secure than linux. You can hack individual apps (and thus use their permissions - ie the browser), but that's quickly patched.
The biggest security threat to Android is the same as the biggest security threat for EVERY OS: Lazy users.
reuthermonkey said:
None of that supports a need for an Anti-Virus. Android sandboxes each and every application on the system. It's not like any other Linux distro in how it handles security. It's MORE secure than linux. You can hack individual apps (and thus use their permissions - ie the browser), but that's quickly patched.
The biggest security threat to Android is the same as the biggest security threat for EVERY OS: Lazy users.
Click to expand...
Click to collapse
Thats so true but im speaking on the basic users who dont need a dumbphone instead of a smartphone cause when/if a virus does come out those are the people who ill be flooding the forums. While we sit back and laugh.
everyone is talking **** about anti-virus for taking up resources, but i've found Lookout to be very unobtrusive. Also, besides virus scan, it will locate your phone, send a siren to your device, backup your info, all at schedules you determine.
jamesey10 said:
everyone is talking **** about anti-virus for taking up resources, but i've found Lookout to be very unobtrusive. Also, besides virus scan, it will locate your phone, send a siren to your device, backup your info, all at schedules you determine.
Click to expand...
Click to collapse
Sure, those are a few reasons to keep Lookout installed. But I don't need it scanning all my files for threats that don't exist yet and it probably wouldn't recognize anyway. Fortunately, the AV component is optional.
Most of the app now require acces to the phone calls..even a news app requires it, sms app such as go sms also requires it. So I want to know after knowing that an app will be able to acces your phone call you still download it? And does anyone in what way the developers use such info?
Sent from my E10i using XDA App
Excellent topic, I'm really troubled by this. The business world makes a whole lot of money based on the average persons inertia - their lack of information or willingness when it comes to the products and services they use and the money they use to pay for them. Particular mobile phone network providers come to mind, who are happy to charge the most expensive prices because people don't know or don't care.
This lazy attitude is seeping into the Android app world. It will be a small per centage of us who will realize this threat and do something about it - exactly like cookies and public wifi privacy etc.
For those of us already interested, are there websites or apps which can guide us on this?
I had thought about it before but it seemed to be all apps out there at least need to access your internet, calls, phonebook and etc.. Not sure really if some of these nasty apps has the evil purpose to steal our vital informations in the phone... say if we're checking our bank account or something similar..
What I practice:
1) Installed AVG pro and do scan regularly, and set to scan every newly installed apps.
2) Use both cache cleaner and history eraser to clean up all traces once a day.
3) Hope they don't see me as a target.
Don't worry.
I think access to the phone calls is just to minimize the running app in case you receive a call. In other case you would not even realize an incoming call?!
Deehee3 said:
Don't worry.
I think access to the phone calls is just to minimize the running app in case you receive a call. In other case you would not even realize an incoming call?!
Click to expand...
Click to collapse
What about data? When you install an app in most cases you allow data access to it.
Searching for updates or viewing developers homepage maybe?
Sent from my U20i using XDA App
Deehee3 said:
Searching for updates or viewing developers homepage maybe?
Sent from my U20i using XDA App
Click to expand...
Click to collapse
What if not? What if app you´ve installed is spying on you and sending info to hackers. How would you know?
On android we have the luck that there are a lot of applications that are open source. When I have to choose an application, I always choose and support the open projects!
You will notice that most of those applications don't need all that personal information! Makes you wonder...
On other systems, apps usually have an user/administrator scheme, where the 'user' has access to some things and 'administrator' has access to everything.
There is no such thing on Android (except if you have a rooted phone and some app asks for superuser access, but you get a requester asking for permissions as well).
Each app has to specifically ask for permissions or the system will deny it. A spyware has to ask for those permissions or it won't work.
Some permission requests to look out for:
- "Call phone"
can be used by the application to silently dial some "premium" numbers
- "Send SMS"
can be used to send SMS to special "premium" numbers
- "Record phone calls"
can be harmful if associated with "internet access" permission
- "Access fine location"/"access coarse location" and "internet access"
can be used for tracking purposes
Many apps ask for:
- "Phone identity" / "internet access"
they use it for "statistics purposes" (flurry.com mostly) but it is bad. The developer should always inform the user about those.
BTW, that an app is open source makes no difference. Someone can always (willingly or not) tamper with the final build. And not everyone reviews open source apps.
zapek666 said:
A spyware has to ask for those permissions or it won't work.
Click to expand...
Click to collapse
Sure. But if an app legitimately ask for data transmission and file system access, AND you grant it, how would you know it is not using the granted rights for something else?
ppirate said:
On android we have the luck that there are a lot of applications that are open source. When I have to choose an application, I always choose and support the open projects!
You will notice that most of those applications don't need all that personal information! Makes you wonder...
Click to expand...
Click to collapse
Don´t tell me that you evaluate the source code of each application you load from the market. And even so, how would you know the difference between what is shown to you and the final build, available on the market?
vlissine said:
Sure. But if an app legitimately ask for data transmission and file system access, AND you grant it, how would you know it is not using the granted rights for something else?
Click to expand...
Click to collapse
Filesystem access are limited to the external memory card. An app with such permission cannot access other apps' private data (which are stored on the phone).
Android apps are all sandboxed into their own homes.
A good example of a suspicious application is HTML5 Reference.
"This HTML5 reference lists all tags supported in the HTML5 specification.", fine. Let's look at the permissions:
Network communication: full Internet access
Phone calls: read phone state and identity
While the first 2 could be produced as a side effect of the developer implementing some "statistics library" (flurry.com or so), the next 2:
Your location: fine (GPS) location
Your personal information: read sensitive log data
Are a giveaway that this app does a bit more than just listing HTML reference tags
zapek666 said:
Filesystem access are limited to the external memory card. An app with such permission cannot access other apps' private data (which are stored on the phone).
Click to expand...
Click to collapse
Ok, how about a picture viewer, which usually picks pictures from each and every
directory, no matter if you want it (and not only from memory card).
Hey vlissine and zapek666. You both have a point.
One individual cannot review every code he or she uses. And also one does not only uses his or her own builds of the projects. But every now and then, I have to go into a project, mostly to add functionality. During that time, I usually have to go over a lot of code to understand the program. It is no guarantee, but you can imagine that some strange code will stand out.
I'm surely not the only person. So while one individual is not capable of such an endeavor. A lot are.
Your other point is as valid as can be. But here again, builds are comparable.
Surely, one does not have to find himself or herself obliged to use certain kind of projects. But to me, when I have the change, I use and support the open source project. One important reason is because of the concern raised by the original poster!
http://googlemobile.blogspot.com/2011/03/update-on-android-market-security.html
Apparently we were not that paranoid, thinking of spying apps
Two options:
1) To avoid being spy and get super paranoid about it... ditch your smartphone and get those early 2000 phones with only calls and sms capable.
2) Use the smart phone eg: X10 mini/pro or any android phones and ignore these spying scene and live with it like nothing ever going to happen since this new technologies really live up our life nowadays..
farsight73 said:
Two options:
1) To avoid being spy and get super paranoid about it... ditch your smartphone and get those early 2000 phones with only calls and sms capable.
2) Use the smart phone eg: X10 mini/pro or any android phones and ignore these spying scene and live with it like nothing ever going to happen since this new technologies really live up our life nowadays..
Click to expand...
Click to collapse
One more option - stop giving stupid advises when you have nothing to say.
maybe apps need to call functions or need it to run?
write them your self if your that bothered?
...
Sent from my E10i using the XDA mobile application powered by Tapatalk
Hi,
I made a new app: NFC Safe!
With NFC Safe you will be able to encrypt your private data with a NFC Tag (e.g. NFC Key Fob). You can add unlimited custom folder and entries. You will have only access to those entries with the specific NFC Tag! This is much more secure than protecting your data only with a password!
You can use any NFC Tag for this app! Your NFC Tag will be written with some data so it can only be used for this app.
NFC Safe | Windows Phone Apps+Games Store (United States)
Would be nice, if you test my app! My app is available for free!
With one of the next releases it will be also possible to encrypt/decrypt media files (images, audio, etc.)
Best Regards,
Sascha
I don't have any NFC tags on me right now nor would i really use this, but i have to say, this is a really cool idea!
While I understand if you're hesitant to post it, I'd want to review the app's source code before using it myself. Getting cryptography right, even when just using existing and well, implemented pieces, is vastly harder than getting it wrong. What algorithm do you use to encrypt the data? How about generating the key data? Are you using secure buffers? Initialization vectors? How are you detecting which key is correct for the data you're trying to access; is there a hash? What hash function? There are a lot of other important questions here, too.
With that said, the idea is fantastic. It would be especially great if you could support two-factor authentication (password + NFC tag, in this case) for extra-sensitive data, although password management in crypto has its own set of problems (what key derivation function, with what parameters? How are the password verifiers stored? Etc.)
Sorry for late reply!
xandros9 said:
I don't have any NFC tags on me right now nor would i really use this, but i have to say, this is a really cool idea!
Click to expand...
Click to collapse
Then you should buy an NFC Tag! They are really cheap. For example you could buy a NFC keyfob, so you will have your NFC tag always in your pocket and as said, such a NFC Tag costs ca. 1 USD at ebay
GoodDayToDie said:
While I understand if you're hesitant to post it, I'd want to review the app's source code before using it myself. Getting cryptography right, even when just using existing and well, implemented pieces, is vastly harder than getting it wrong. What algorithm do you use to encrypt the data? How about generating the key data? Are you using secure buffers? Initialization vectors? How are you detecting which key is correct for the data you're trying to access; is there a hash? What hash function? There are a lot of other important questions here, too.
With that said, the idea is fantastic. It would be especially great if you could support two-factor authentication (password + NFC tag, in this case) for extra-sensitive data, although password management in crypto has its own set of problems (what key derivation function, with what parameters? How are the password verifiers stored? Etc.)
Click to expand...
Click to collapse
Hi thanks for your feedback and your questions! I think you misunderstood my app. It's not a military app, where the highest security is important! My app doesn't need to encrypt the data, because the data is stored on your Windows Phone in the application data storage. Noone has access to this. If ever any person has access to those data, you and all other Windows Phone users have a very big problem!
So, my app is an app, not a Windows Application, where virus, NSA, etc. have access to your data There are a lot of apps which protect your personal data with a password. So if someone else has your phone (stolen, or a friend while you are not watching at it), he will be able to see your data, if the know your password (this is not impossible!) or guess your password! So my app protects your data with an NFC Tag. It's very comfortable to use and faster than typing a password and also more secure, because the third-person needs your phone AND your NFC Tag.
However, my app also encrypts the whole data, so even if someone have access to the application data storage, he will be unable to read your data. Windows Phone has a built in encryption mechanism, which can be used from an API. I'm using this encryption mechanism. This mechanism uses Triple-DES. It uses the user credentials and a randomly generated password (GUID with 36 chars/numbers and "-"-sign) to encrypt the data.
Hi! Welcome to XDA-Developers, where all of your assumptions about what cannot be accessed on the phone are wrong, or will be shortly!
OK, that's half a joke. But only half... as it turns out, the claim that "... Windows Phone in the application data storage. Noone has access to this." has been untrue for months. Check the Dev&Hacking forum, especially the Interop-unlock and SamWP8 Tools threads. We have the ability to access the entire WP8 file system. Currently that access is only via MTP (USB connection), but I and other people are working on extending it to homebrew apps as well.
Moving on... 3DES (even if used with a good mode of operation and a unique initialization vector, which I am guessing you probably didn't do) is obsolete and should not be used anymore. While it is considered adequate for existing code, it should not be used in new software, and cryptographers have been recommending a move to newer ciphers (such as AES) for years. As for using a GUID as a password, GUIDs are 128 bits (the dashes don't count, because they are always the same value in the same place, and each of the other 32 digits is hexadecimal only, meaning merely 4 bits of data), which is plenty if they are generated securely; however, most GUID generators do not use cryptographically secure random number generators. GUIDs are supposed to be unique (that's what the U stands for), but are not guaranteed to be unpredictable (which is one of the key requirements for an encryption key), and the way they are generated reflects this.
Oh, and good security is important in an awful lot more places than "a military app"! In fact, there's no such thing as "military-grade" encryption, really; there's only good encryption, and encryption which shouldn't be used for any purpose. For example, modern TLS (Transport Layer Security, the replacement for SSL or Secure Sockets Layer) cipher suites are intended to be secure even against governments and megacorporations (although there is of course suspicion as to whether the NSA have broken some of those cipher suites)... but TLS isn't just used on extremely sensitive stuff like top-secret documents and such, it's also used when browsing Facebook and Twitter, or accessing Gmail, or many other things of similarly minor sensitivity.
Thank you for explaining the intended use cases of the app, though. Do please be careful when making claims such as that something is "much more secure", though; you are liable to mislead people. TrueCrypt, a PC app that performs disk encryption and is intended to stand up to very powerful adversaries, uses only a password most of the time - but I would expect that, given a well-chosen password, it is more secure than this app. There are many critical components to security, and only the weakest link in the chain matters.
For what it's worth, if you are interested, I would be happy to help secure the app (on my own time, free of charge) as it sounds like something that I would quite like to use, if I could trust its security.
What exactly is your problem?!?!
I said, that noone has access to the Application Data Storage and this is true! There is no Virus available for Windows Phone and there is no App in the Store available which has access to another app's data storage! We are not talking about some special cases where the third-person already have STOLEN your device, because nothing in this world is safe! NOTHING! Everything can be hacked! Also I didnt know that all current Lumia devices were hacked. Other devices are not relevant (Nokia has a market share of more than 90%!).
The built-in encryption mechanism in Windows Phone is the same almost ANY Windows Phone app uses! Any banking app, Facebook, eBay, PayPal. The Wallet feature of Windows Phone uses it. If you have set up accounts (E-Mail, Microsoft Account, Office365, etc.) your passwords were encrypted with the SAME API my app uses. So if you think this API is totally unsafe, WHY THE HELL are you using Windows Phone? Also Windows Vista, 7, 8 and 8.1 uses THE SAME API for a lot of thinks. So please don't use Windows anymore!
I said, my app is more secure THAN AN APP which only uses a password and that is true. Also my app additionally encrypts the data and not only block the access to the data (which a lot of other apps only do!).
Please decrypt the attached file and tell me, how you did that and how long it took Thanks!
Whoa, whoa, calm down.
First of all, don't count on that "no app in the store..." business; There's *probably* no malicious app that can do so, but OEM apps can, if they have som reason to do so, access other app's install and data folders. I've written apps (using the Samsung OEM components, which are clumsy for the purpose but *do* work) to do it myself. It's not something you're likely to see in widespread use, but it's possible.
If you aren't bothering with the case of your phone being stolen, what's the point of the encryption anyhow? I mean, prevention of data loss in the event of device theft is one of *the* key use cases for data storage encryption! It's the rationale behind things like BitLocker (which is available on WP8, but only if the user has connected their phone to a company's Exchange server that pushes a policy requiring device encryption).
If you were honestly worried about market share, you probably wouldn't target WP at all; Nokia's fraction of the WP market share is lower than WP's fraction of the smartphone market share. Nonetheless, you are correct that, at this time, Nokia WP8 devices haven't been cracked. Nor have HTC's phones. I'm confident that this will change in time, though. You might have misunderstood my little joke at the start of my last post... but breaking into smartphone operating systems, getting past the lockdown policies that say "noone[sic] has access" (it's "nobody" or "no one", by the way) and taking those decisions into our own hands.
I guarantee you that the vast majority of WP apps don't use 3DES. I *know* full well that the Microsoft code doesn't; they had already deprecated that cipher years ago, when I interned there, long before even WP7 existed; its use was prohibited for new code. Just because you used the DPAPI (Data Protection API) doesn't mean you used it correctly (and by the way, that internship involved working on encryption in Windows, writing test tools for it). Please don't take this as some kind of personal insult; in my line of work (security engineer), I see a ton of misuse of cryptography. It is, as I said in my first post, hard to get right. That's why I offered to help.
I'm not going to bother taking the time to figure out what cipher you used on that file, and what its contents are supposed to look like enough to start doing any cryptanalysis, but I guarantee you it's not very good. There are repeated patterns, including long strings of null bytes, that are phenomenally unlikely to occur in a file that short after passing it through even a half-decent cipher (we're talking 1-in-several-billion chance here, no joke). Coming to this conclusion took all of a few seconds, by the way, using no tool more sophisticated than Notepad++. If I was pulling it off of a phone, I'd have a lot more idea of what type of plaintext to expect, and I could examine the decompilation of the app to see what ciphers were used, which would make things a lot easier. I'd say "for all I know, you just took the output of CryptGenRandom and put it in a file" but if you had, it wouldn't have had obvious patterns in it... in any case, it doesn't matter. I don't have to prove anything to you. I'm *trying* to help, and offer some good advice as well, but I can't force you to take it. There's no call for getting defensive, though. I wrote a file encryption utility myself one, in fact. It sucked, so then I wrote a program to break its encryption. Both experiences (but mostly the latter) taught me things.
A new version is available now, which includes image/photo encryption, OneDrive backup, bugfixes and other small improvments!
http://www.windowsphone.com/s?appid=0a8656d4-ed32-4bb5-baac-1317827e18d8
Hi,
I have a question:
My app is available in German and English since one year now! It was downloaded over 1000 times in Germany, but only 80 times in USA, UK, etc. I got 40 reviews (4-5 stars) in Germany and only one bad review in USA. So could someone explain what's wrong with my app? Is it not visible in the US Windows Phone store? Is my app very bad translated? Are there no Windows Phone users in the USA? Or maybe no one use NFC in the USA?
Best regards,
Sascha
Sorry, I don't tried your app yet but will try to answer your questions.
First, probably it's something wrong with your marketing, not the app Le me say: 1080 downloads per year - it's too small number (even 1000 in Germany). For example, my "marketplace entry ticket", "Lunar Lander Touch" app, very unpopular and underrated (but it's still one of my favorite games on WP, and good alcohol tester ), has 4078 for the year 2013.
As for NFC: I've tried to use it but stopped because of very uncomfortable WP implementation. That service should work flawlessly, without user interaction, stupid questions and dialogs, to be useful and popular. But unfortunately it's not (for the Windows Phones). Microsoft must add an option to disable NFC warnings.
P.S. I may recommend you to use "Snowden case" for advertizing
Thanks for your feedback!
Yes, I know that the download numbers are very bad, but I don't have an idea how to improve this. Because of my app is free and my private hobby I don't have money to buy ads, etc.
Improving my app had not effect. Thanks to DVLUP I "bought" ads for 50$ with AdDuplex, but this also had no effect.
It's really hard for individuals to get their apps famous and in a higher ranking in the Windows Phone Store without investing money
I understand... AdDuplex is really bad: I've tried once ($100 from DVLUP meeting plus I've bought another $100 coupon for $40) during a week - no results at all. Complained to AdDuplex support and manager gave me additional $300 for free, to spend within one day (sic! He-he, I wish to get $300 daily from my app!) - still no visible results, just a regular download fluctuations...
What you may try: advertise on more forums, prepare good pictures/screenshots; may be, video clip "howto" will be helpful. Embed RateMyApp Nokia's control (check NuGet) to your form. If you have XP on DVLUP, spend 'em for advertising campaign (these ones are extremely effective!).
P.S. I also thought about xda-based developers club, with "rate 5 stars my apps, and I'll rate yours" rule but I don't know how to implement it properly (but good customer rating is very important for the app distribution).
Thanks!
I already added RateMyApp. This was really helpfull to get more reviews. It's a pity that I had not implemented such a thing from the very first time my app was added to the Windows Phone Store :-/
I "bought" 1 week in App Social (DVLUP). Hope this helps. But it is also only in Germany.... I have enough users and reviews in Germany, I need them in USA, UK, etc. The problem with the DVLUP campaigns is, that you need at least 50 or 100 reviews (and 4,5 stars) as a requirement for the advertising. But you don't have so many reviews and that's the reason why you need the campaign to get more reviews, but you can't buy the campaign... A vicious circle!
I will do my best to get more downloads in other countries than Germany!
Hey, thanks for this app i find it realy useful.
Danke!
And here is the idea for the ad banner
Great idea
btw: Version 2.1 with new type "User Credentials" is available now!
Ok, I stopped developing, it's not worth. Sorry!
Hi all,
I'd like to share great news. Sicher, our free secure messenger finally comes to Windows Phone.
Sicher features true end-to-end encryption of both text messages and file attachments. With anonymous push notifications and the ability to set a timer for when messages will self-destruct, Sicher also includes password protection for the app itself.
Please try Sicher and share your feedback in this post.
FairyMary
Sicher Team
App is free, store link is here: EDIT: Removed because this thing looks like a scam and its description is a lie
I haven't been able to find a lot of info about how the app works (I'm talking about at a very technical level). My general advice regarding crypto code is to open it up for review, either publicly or by a professional security assessment firm (disclaimer: I work at one of those). If the code is already open for review somewhere, that would be awesome; if not, I recommend getting in touch with some external security experts (same disclaimer, but I can provide contact info if you want). The Internet is full of things that the developer claimed (and often even sincerely believed) were secure.
Aaaand just for fun, I decided to take a look at the app and see if there was anything obviously wrong. Let's start with the presence of no fewer than *three* advertisement networks, shall we? Begun Advertising is Russian and Google-owned, Google AdMob is self-explanatory, as is Microsoft Advertising Mobile. Your store description claims you
don’t use any advertising engines
Click to expand...
Click to collapse
. Did you really think nobody would check this?
WTF are you trying to pull here?!? I can't think of any way to faster burn trust in a "secure" app than to make a claim that is trivially disprovable in a way that benefits nobody except you.
I'll come right out and say it: Sicher looks like a scam!
Oh look, a Facebook library as well. Totally expected to see that, given that you
don’t integrate social network SDKs
Click to expand...
Click to collapse
Oh, and before anybody asks about responsible disclosure, that's for when there's an unintentional bug in somebody's code. This just looks like pure exploitation of your users! (I say "looks like" because I haven't actually decompiled the code to see if those libraries are being used, but it's hard to imagine why you'd have them otherwise...). The only responsible way to disclose malware is to do it publicly, and this looks malicious.
EDIT: I'll give you 24 hours to give me a good argument why I shouldn't report my findings to the stores themselves.
Time's up. You actually got over 48 hours because I was busy yesterday. Hope not too many people got scammed and tracked by your "secure" and "private" app...
Hey @GoodDayToDie, unfortunately I don't know where else to ask this, since you seem to be really interested (and skilled) in this topic, what messengers do you consider secure? WhatsApp is obvious, the only ones on Windows Phone I know of that come to my mind are Telegram and (soon) Threema.
What do you think about the two? I have basically no knowledge, but what seems odd to me about Threema is their faqs answer to "what about MITM?" they just say they use certs, hardcoded in the app. Aren't they with their servers in control then? How I understand this, the Threema servers could perfectly perform a MITM attack.
And Telegram has a completely confusing protocol.. So please share your thoughts!
I have no personal knowledge of one, sadly. Take anything I say here with a huge grain of salt (including the fact that Sicher looks like a scam; I haven't actually verified that it *uses* all those ad networks + Facebook that it integrates, just that it has them) as I'm not spending the time & effort for a full security review of these apps at this time.
Threema actually looks quite good.
Pros:
They don't try to implement the crypto themselves (they use NaCl, which is both written by people who know what they're doing, and well-reviewed).
The design of their end-to-end solution makes sense (it connects through the server since phone networks won't allow incoming/direct connections, but the messages are encrypted to only the recipient and doesn't require that the recipient be online to receive the message).
They are relatively open about how things work (although those *could* be lies; I haven't pulled the app apart).
It is possible for the user to verify the key of another user.
Cons:
They don't have Perfect Forward Secrecy on messages. PFS would require that the intended recipient be online at the start of any given conversation (to negotiate the ephemeral keys) so this isn't terribly surprising, but it is disappointing. An attacker (including a government agency) who gets access to your private key could decrypt historical traffic to you if they'd recorded it.
The app is proprietary; there's nothing stopping them from pushing a malicious update.
The server supplies the public keys of users; until such time as the user validates the other party's key (which is difficult to do except in person) the server could have sent a public key that the server has the private key for (instead of the user's own public key) and then MitM the user's traffic. This would break down when verified though, unless the app lied about the result of the verification process (you don't actually see the key itself).
To address your concern about MitM, the app says they use certificate pinning (a standard and very smart security measure, assuming they did it right) for app-to-server communication, so nobody (including third-party security engineers) can MitM the app traffic. They also claim to use PFS. However, if the server itself is untrusted (i.e. some government thugs show up to demand access, although bear in mind that apparently the servers are all in Switzerland) then the server could give you the wrong public key for a user you try and add, allowing the server to MitM you. Also, the company could push an update that is malicious.
The only protection against the server-sends-wrong-key threat is to either require that the user manually import all keys (think PGP minus keyservers and assuming trustworthy key exchanges) or exactly verify the key (i.e. personally ensure that it matches the other user's key by actually checking the bytes or at least the hash). The only protection against the malicious update is to make the source code available and have a method by which users can either compile it themselves (though see "Reflections on Trusting Trust") and/or have a way to verify the application binaries.
I'll look at Telegram later. For the moment, though, I would loosely recommend Threema once it's available. There's also Skype, of course, but while it was decompiled once long ago (and found to use secure encryption, although some non-crypto vulns were found) that was many versions ago (and, in particular, was before Microsoft bought them).
Hi,
Just joined a new company that requires Company Portal to access Outlook email and other apps on my phone.
Evidently even if you manage to hide root from Company Portal, a major requirement is having an encrypted device with Company Portal.
In order to get rooted 2 years ago, I ran Disable_Dm-Verity_ForceEncrypt during the TWRP setup process so my rooted V30 is not encrypted.
Is there any way to restore encryption now without losing my current stock rom settings and data and maintain root?
I see in LG Settings there is an option to Encrypt Phone and SD Card. Will this suffice so I can maintain root?
If not, is there a way to root and install a TWRP LG Pie Rom zip without disabling encryption via Disable_Dm-Verity_ForceEncrypt?
Or is it impossible to root and use Company Portal with the LG V30?
Thanks in advance!
Drew
drewcu said:
Hi,
Just joined a new company that requires Company Portal to access Outlook email and other apps on my phone.
Evidently even if you manage to hide root from Company Portal, a major requirement is having an encrypted device with Company Portal.
In order to get rooted 2 years ago, I ran Disable_Dm-Verity_ForceEncrypt during the TWRP setup process so my rooted V30 is not encrypted.
Is there any way to restore encryption now without losing my current stock rom settings and data and maintain root?
I see in LG Settings there is an option to Encrypt Phone and SD Card. Will this suffice so I can maintain root?
If not, is there a way to root and install a TWRP LG Pie Rom zip without disabling encryption via Disable_Dm-Verity_ForceEncrypt?
Or is it impossible to root and use Company Portal with the LG V30?
Thanks in advance!
Drew
Click to expand...
Click to collapse
My only solution to this problem was to always use webaccess for my Office365 account. They required the portal to use Outlook, and part of that requirement allowed them to wipe my phone whenever they wanted. It's my phone, so I guess I won't use their email on my phone.
Sounds like your company has yet another behind-the-times IT department (like mine). Although mine is also exceptionally incompetent. They left the IMAP server open and available to anyone, so I simply used that with my GMail account instead. It did require me to allow them admin access to the phone to wipe the device (though I think they can only wipe the email) but it worked. They finally got modern and are using 365 so now it doesn't need these extra things. You might want to see if you can wait until they wake up and/or see if there is a server you can connect to. I found mine because, due to their incompetence, they let iPhones use the native mail app via the IMAP server, but forced Android to use some garbage 3rd party software for it instead of GMail. In both cases, the IMAP server was easily seen and setup.
I also have a company phone, so I don't really care if they can wipe it. Again, if I was going to take data from them, I'd do it before I announced I was leaving like any reasonably-intelligent person... so wiping accomplishes nothing. But, again, these IT departments are really dumb and incompetent...
To answer your initial question, I don't know if there's a way to re-enable encryption... but I also don't think that this is something that they can detect anyway. I'm thinking it may be something else they're tripping over. You may consider installing Magisk, and then using it's HIDE feature to see if you can hide the typical "signs" of rooting/etc. It may be good enough to get you working. If it doesn't you simply remove Magisk again (or just stop using it)?
Thanks @ldeveraux and @schwinn8 for the replies!
I know we use Office 365 but I'll have to ask about web access to see if that is possible. It's my phone and supposedly it's "not required" that I install Company Portal/Outlook/Teams on my phone, but I would be the only one at the firm not doing that and I am a new hire so... kind of a bad look so soon. I am not really comfortable with them being able to wipe my phone either, but that wasn't mentioned to me... yet.
Also would have to ask about IMAP, but I doubt it. No company phones either which is fine.
Pretty sure it is the encryption (or lack thereof in my case) that is the issue. I already use Magisk v22 and Hide all signs of Company Portal and pass Safetynet. On another XDA thread where Company Portal is discussed, I followed the suggested steps to no avail:
1) Install Company Portal V5.0.5067.0
2) Magisk Hide ALL of Company Portal checkboxes
3) Reboot
4) Still pass SafetyNet
5) Launch Company Portal
While the app doesn't specify the encryption as to why it cannot get me to the login screen, that's the only conclusion I can reach at the moment.
Did either of you try or look into encryption built into the LG/Android Settings menu? I don't want to do that unless I know of someone with success with it, but am curious if that would allow root via Magisk Hide, encryption, and Company Portal.
Thanks!
Drew
No I stopped carrying when they wanted permission to wipe. If the company was paying for the phone, that's one thing. If I'm using my personal phone for company use, that doesn't fly.
I realize this doesn't answer your question at all, but it's food for thought!
ldeveraux said:
No I stopped carrying when they wanted permission to wipe. If the company was paying for the phone, that's one thing. If I'm using my personal phone for company use, that doesn't fly.
I realize this doesn't answer your question at all, but it's food for thought!
Click to expand...
Click to collapse
Carrying? Or did you mean caring?
drewcu said:
Carrying? Or did you mean caring?
Click to expand...
Click to collapse
Caring. I don't own a firearm.
ldeveraux said:
Caring. I don't own a firearm.
Click to expand...
Click to collapse
Lol got it. Just making sure I understood what you meant.
Assume you didn't look into the LG rom based encryption then?
drewcu said:
Lol got it. Just making sure I understood what you meant.
Assume you didn't look into the LG rom based encryption then?
Click to expand...
Click to collapse
No at that point I gave up
Hopefully you'll get some help here, because I'd still like to be able to actually use Outlook on my phone!
So, a quick search says that there are modules available and other things that need to be tried. One further thing is to hide root from various Google modules. I remember hearing that for some other apps... that you had to hide root from Google services. I also remember hearing that, in some cases, you have to clear data for apps after the hide, because they apparently save the rooted-status in their own data.
Basically, I doubt encryption is the issue... root is usually the problem and can be a bit tricky to hide properly. You just have to try things. I have never seen any app fail to work because encryption is not available... it's always a root-detection issue.
As for the IMAP thing, the point there is to use the settings you find elsewhere to access email. You're not asking IT for permission or info... you just need to find it. Most Microsoft-based IT places I have worked with have zero clue that this is open and offered, so once you find it it's just a matter of plugging in the right info.
As for the web-interface, again, my company (for example) doesn't tell us that we can use the Outlook app, but it works with no tricks whatsoever. Plug in your company account info and it figures out how to connect.
FYI, the module I mentioned above is referenced here: https://forum.xda-developers.com/t/...ne-company-portal-hider-intune-hider.3780451/ - no idea if this is necessary or even the latest version...
schwinn8 said:
So, a quick search says that there are modules available and other things that need to be tried. One further thing is to hide root from various Google modules. I remember hearing that for some other apps... that you had to hide root from Google services. I also remember hearing that, in some cases, you have to clear data for apps after the hide, because they apparently save the rooted-status in their own data.
Basically, I doubt encryption is the issue... root is usually the problem and can be a bit tricky to hide properly. You just have to try things. I have never seen any app fail to work because encryption is not available... it's always a root-detection issue.
As for the IMAP thing, the point there is to use the settings you find elsewhere to access email. You're not asking IT for permission or info... you just need to find it. Most Microsoft-based IT places I have worked with have zero clue that this is open and offered, so once you find it it's just a matter of plugging in the right info.
As for the web-interface, again, my company (for example) doesn't tell us that we can use the Outlook app, but it works with no tricks whatsoever. Plug in your company account info and it figures out how to connect.
FYI, the module I mentioned above is referenced here: https://forum.xda-developers.com/t/...ne-company-portal-hider-intune-hider.3780451/ - no idea if this is necessary or even the latest version...
Click to expand...
Click to collapse
Thanks for the suggestions! I actually have tried different modules without success both for EdXposed (Security Bypass for Company Portal with CP version 5.0.3013.0 and Bypass Exchange Policies). The closest I got was with CP 5.0.3013.0 where I could enter my credentials but then wasn't able to agree to the Terms and Conditions which is a prerequisite and got denied. The module you linked is no longer needed if using Magisk v22 with Magisk Hide according to people in the thread.
Have also tried the Outlook app, Outlook web access, Gmail, IMAP, POP3 -- all smartly locked down tight for compliance reasons by our IT. Just says to enroll with Company Portal after entering credentials.
Pretty sure the Magisk Hide route would work with V5.0.5067.0 if my device was encrypted. Company Portal checks whether your device is encrypted supposedly, so either you have to actually be encrypted or find a way around that. I am willing to be encrypted if I can still be rooted...
Not sure where to go from here to get it working without an encrypted device... but thanks for the post.
As I recall, Xposed is not really working or functional these days. The module I linked to is a Magisk module. Did you follow those directions, because it sounds like you didn't.
It sounds like you don't want to believe me... that's fine. I believe the answers are out there and it's just a root issue. You probably just need to do more reading and searching. I'm going to give up since you don't seem to want to hear it from me, so good luck...
If you find a solution, do let people know on this thread so the matter can be closed/completed.
I remember the other reason I stopped trying to use the Company Portal. They need permission to wipe my phone, which obviously I'm not cool with. Whenever I disable the Company Portal, mail stops working. That's reason enough!
schwinn8 said:
As I recall, Xposed is not really working or functional these days. The module I linked to is a Magisk module. Did you follow those directions, because it sounds like you didn't.
It sounds like you don't want to believe me... that's fine. I believe the answers are out there and it's just a root issue. You probably just need to do more reading and searching. I'm going to give up since you don't seem to want to hear it from me, so good luck...
If you find a solution, do let people know on this thread so the matter can be closed/completed.
Click to expand...
Click to collapse
Yes I am aware that the module you linked is for Magisk. If you go to the OP, all the text is struck through because the module is no longer necessary as I stated previously.
[MODULE] Microsoft Intune Company Portal Hider (Intune Hider)
Introduction: Simple Module To Hide The Root From Microsoft Intune Company Portal. - After The Installation & 1st Reboot, It Hides The Rooting & Disables Itself [P.S. Disabling Itself For Some Versions] - Enabling This Module From Magisk Manager...
forum.xda-developers.com
kb8no said:
It is easy to be confused. The "module" from the OP was needed before but is now obsolete since Magisk has gained the necessary functionality alone without the "module". There is no "module" in Magisk. Now go back and read the past posts over 2 months. First you hide Magisk so it passes safety net. Then you go into superuser MagiskHide, go into the app (eg Portal) and check everything. You need to understand that they updated Portal so you need to downgrade it so Portal will work again. You need to understand to use latest Magisk and Magisk changed. Not surprising you are confused. Now perhaps you have figured out the basics and the details will make sense.
Click to expand...
Click to collapse
So I followed the steps on page 23 of that thread using Intune Company Portal V5.0.5067.0:
[MODULE] Microsoft Intune Company Portal Hider (Intune Hider)
Introduction: Simple Module To Hide The Root From Microsoft Intune Company Portal. - After The Installation & 1st Reboot, It Hides The Rooting & Disables Itself [P.S. Disabling Itself For Some Versions] - Enabling This Module From Magisk Manager...
forum.xda-developers.com
IlyaKol said:
Good call on the GitHub ticket.
For anyone reading, this is the process I followed:
1) Uninstall the existing Intune Company Portal
2) Reboot
3) Install the APK listed above or from another source (I used APK Pure). DO NOT LAUNCH INTUNE!
4) Before launching, go into Magisk and make sure to hide ALL of it as well as all of Outlook, OneNote, OneDrive, Teams, etc. (whatever uses your company credentails)
5) Launch InTune and set it up.
6) Disable auto-updates of the app as he stated in Google Play Store.
7) Profit.
Click to expand...
Click to collapse
The result is I am still stuck on the "Open the Intune App" screen... No other error messages related to rooting, but cannot even get to log in or download Outlook or Teams. Have tried downloading the Intune App from the Play Store and that tells me to open Company Portal... so going in circles... I'm told I need to only use Company Portal from our IT firm.
I went through the same Magisk module thread and found others talking about not having encryption, and they are in the same position as I am -- following the steps or using the Magisk module (before Magisk v22) and still not getting CP to work.
Thus I am 99.9% sure I cannot use CP because I don't have encryption. You don't have to believe me, but I have tried everything I can think of save for using LG's Encrypt Phone feature... Would do it if I got confirmation I could stay rooted, not lose my data/settings, and then use Company Portal.
But yes, I absolutely would post the solution here if I find it!
Thanks anyway.
I'm rooted and have long had corporate email (two different companies) on a paid app called "Nine". First company was Fortune 100 global media company, and 2nd (past 3 years) is smaller but still has aggressive IT policies. Neither paid for my phone. I specifically remember with the first having to agree they could wipe the phone if it was lost -- but I think due to me being rooted they wouldn't be able to.
Nine - Email & Calendar - Apps on Google Play
Nine is a full-fledged and intuitive email app which supports Exchange and IMAP
play.google.com
ChazzMatt said:
I'm rooted and have long had corporate email (two different companies) on a paid app called "Nine". First company was Fortune 100 global media company, and 2nd (past 3 years) is smaller but still has aggressive IT policies. Neither paid for my phone. I specifically remember with the first having to agree they could wipe the phone if it was lost -- but I think due to me being rooted they wouldn't be able to.
Nine - Email & Calendar - Apps on Google Play
Nine is a full-fledged and intuitive email app which supports Exchange and IMAP
play.google.com
Click to expand...
Click to collapse
Just tried Nine and it also tells me after entering my credentials that I need to use Company Portal (just like Outlook and Web Access).
Do these two companies you worked for use Intune Company Portal to manage policies?
drewcu said:
Just tried Nine and it also tells me after entering my credentials that I need to use Company Portal (just like Outlook and Web Access).
Do these two companies you worked for use Intune Company Portal to manage policies?
Click to expand...
Click to collapse
I just installed portal and outlook, added both as admin or whatever it's called, and have a fully functioning inbox. I don't know if I'll leave it like this for the reasons I mentioned, but it works. I have the latest twrp, latest magisk, and adguard installed. I have no clue if I'm encrypted or not, how would I check? But I was trying to use the older version of Portal and it kept looping, so I installed the latest from the play store and we're up and running.
@ChazzMatt do you really think they can't wipe if they so desire? How could we confirm that? I surely don't want to give them that ability considering if you disable their permissions it stops working completely.
ldeveraux said:
I just installed portal and outlook, added both as admin or whatever it's called, and have a fully functioning inbox. I don't know if I'll leave it like this for the reasons I mentioned, but it works. I have the latest twrp, latest magisk, and adguard installed. I have no clue if I'm encrypted or not, how would I check? But I was trying to use the older version of Portal and it kept looping, so I installed the latest from the play store and we're up and running.
@ChazzMatt do you really think they can't wipe if they so desire? How could we confirm that? I surely don't want to give them that ability considering if you disable their permissions it stops working completely.
Click to expand...
Click to collapse
For Nine I only needed the email server name.
For the previous Fortune 100 company I worked for, it was almost 4 years ago so I don't remember all the details but I remember granting them the privilege but I don't remember adding them as an admin.
ldeveraux said:
I just installed portal and outlook, added both as admin or whatever it's called, and have a fully functioning inbox. I don't know if I'll leave it like this for the reasons I mentioned, but it works. I have the latest twrp, latest magisk, and adguard installed. I have no clue if I'm encrypted or not, how would I check? But I was trying to use the older version of Portal and it kept looping, so I installed the latest from the play store and we're up and running.
@ChazzMatt do you really think they can't wipe if they so desire? How could we confirm that? I surely don't want to give them that ability considering if you disable their permissions it stops working completely.
Click to expand...
Click to collapse
Company Portal didn't used to work for you, correct? What changed? Can you please list your steps this time?
I think to check encryption you use Termux and enter 'getprop ro.crypto.state' -- mine says unencrypted.
One other question is what version of Twrp are you using? I'm using one from 2 years ago -- 3.2.3 and never wanted to bother with the Pie one 3.3 or whatever is latest... Might have something to do with it...