Possible tracking/collection of private data? Screenshots were found on Undeleter - Xiaomi Poco F1 Questions & Answers

Hey guys, I tried to use undeleter app on my Pocophone F1 after flashing, maybe it might recover something. (trying won't hurt right? hehe)
In the end, it did not recover anything useful. What bothered me was, I found MANY deleted screenshots which I have not taken at all. It's like every minute a new screenshot is performed and then deleted since there were tons of it from just like a moment ago, and most of them are partly corrupted which shows overwriting.
Can someone else try this? It needs root permissions
What I did was
Open Undeleter > Restore Files > Internal Storage > Deep Scan > Tick "JPG" > Scan
Can you share with me if you also found screenshots which you DID NOT capture?
Here's the playstore link for undeleter:
Undeleter Recover Files & Data
https://play.google.com/store/apps/details?id=fahrbot.apps.undelete&hl=en
I'm not affiliated with nor advertising Undeleter.
Note: It has ads.
Also, does anyone know what process or app is doing this? And if there are some workarounds. I'm not sure if this is just a virus I obtained since I just rooted my phone several days ago using Magisk which I obtained from their GitHub page and official Stock ROM from bigota.miui

Here is a sample screenshot.
Look closely on the thumbnails, and you can see that those are screenshots. But I didn't take any of those. Whenever I use Undeleter at different times, it shows more screenshots which are just moments before using it again and those which were found before as well.

aztigin009 said:
Here is a sample screenshot.
Look closely on the thumbnails, and you can see that those are screenshots. But I didn't take any of those. Whenever I use Undeleter at different times, it shows more screenshots which are just moments before using it again and those which were found before as well.
Looks interesting. I have not used undelete app ever. But the screenshot might be some kind of thumbnail auto generated, just like from video (by vlc etc). But what purpose would it serve, sure to question.

I read the privacy policy of the undelete app. On the last item (number 6), which is all in capital letters by the way, it seems to me that they are saying something like (in my own words) they can disclose all your personal info if you tamper with their app. Maybe the deleted screenshots are an effect of that 'security measure'.
Corona is a *****... (my apologies if your name is Corona).
---------- Post added at 07:38 AM ---------- Previous post was at 07:37 AM ----------
This is the part I am talking about:
FAHRBOT PRI MAY DISCLOSE ANY CONFIDENTIAL INFORMATION IN CASE IT BECOMES NECESSARY TO DEFEND ITS JURIDICAL RIGHTS. IN CASE YOUR ACTIONS LEAD TO SUSPICION OF TANGIBLE OR ASSUMED SABOTEUR ACTIONS OR POSE A POTENTIAL THREAT TO ANY PERSON'S PHYSICAL SAFETY OR ANY OTHER GRAVE CRIME, ALL YOUR KNOWN INFORMATION (INCLUDING BUT NOT LIMITED TO PERSONAL DETAILS, IP ADDRESSES) MAY BE DISCLOSED TO LAW ENFORCEMENT ORGANIZATIONS AND/OR REPRESENTATIVES OF THE ISP WITHOUT PRIOR NOTICE. IN CASE OF ANY EVIDENCE OF THE DISTRIBUTION OF FILES CONTAINING MATERIALS WHICH APPEAR TO INVOLVE CHILD EXPLOITATION, ALL KNOWN INFORMATION (INCLUDING BUT NOT LIMITED TO PERSONAL DETAILS, IP ADDRESSES) WILL BE DIRECTED TO THE NATIONAL CENTER FOR MISSING & EXPLOITED CHILDREN AND/OR HOTLINE COMBATING CHILD PORNOGRAPHY ON THE INTERNET, AS WELL AS LAW ENFORCEMENT ORGANIZATIONS AND/OR REPRESENTATIVES OF THE ISP WITHOUT PRIOR NOTICE. DISCLOSURE OF YOUR INFORMATION CAN BE LAWFUL AS A RESULT OF A LEGAL PROCESS.
Corona is a *****... (my apologies if your name is Corona).


ko3st said:
I read the privacy policy of the undelete app. On the last item (number 6), which is all in capital letters by the way, it seems to me that they are saying something like (in my own words) they can disclose all your personal info if you tamper with their app. Maybe the deleted screenshots are an effect of that 'security measure'.
Corona is a *****... (my apologies if your name is Corona).
---------- Post added at 07:38 AM ---------- Previous post was at 07:37 AM ----------
This is the part I am talking about:
FAHRBOT PRI MAY DISCLOSE ANY CONFIDENTIAL INFORMATION IN CASE IT BECOMES NECESSARY TO DEFEND ITS JURIDICAL RIGHTS. IN CASE YOUR ACTIONS LEAD TO SUSPICION OF TANGIBLE OR ASSUMED SABOTEUR ACTIONS OR POSE A POTENTIAL THREAT TO ANY PERSON'S PHYSICAL SAFETY OR ANY OTHER GRAVE CRIME, ALL YOUR KNOWN INFORMATION (INCLUDING BUT NOT LIMITED TO PERSONAL DETAILS, IP ADDRESSES) MAY BE DISCLOSED TO LAW ENFORCEMENT ORGANIZATIONS AND/OR REPRESENTATIVES OF THE ISP WITHOUT PRIOR NOTICE. IN CASE OF ANY EVIDENCE OF THE DISTRIBUTION OF FILES CONTAINING MATERIALS WHICH APPEAR TO INVOLVE CHILD EXPLOITATION, ALL KNOWN INFORMATION (INCLUDING BUT NOT LIMITED TO PERSONAL DETAILS, IP ADDRESSES) WILL BE DIRECTED TO THE NATIONAL CENTER FOR MISSING & EXPLOITED CHILDREN AND/OR HOTLINE COMBATING CHILD PORNOGRAPHY ON THE INTERNET, AS WELL AS LAW ENFORCEMENT ORGANIZATIONS AND/OR REPRESENTATIVES OF THE ISP WITHOUT PRIOR NOTICE. DISCLOSURE OF YOUR INFORMATION CAN BE LAWFUL AS A RESULT OF A LEGAL PROCESS.
Corona is a *****... (my apologies if your name is Corona).
I think no, because the screenshots included pictures before my first install of undeleter.

digimith said:
Looks interesting. I have not used undelete app ever. But the screenshot might be some kind of thumbnail auto generated, just like from video (by vlc etc). But what purpose would it serve, sure to question.
Nope. Those are not thumbnails for videos. Some are screenshots of me using messenger, some are screenshots on my gallery, some are just me plain browsing the internet.

These are not screenshots, they're thumbnails of apps that you see in the recents screen.

franz said:
These are not screenshots, they're thumbnails of apps that you see in the recents screen.
^That is the correct answer. Every time you click on the home button or recents button, a screenshot will be taken to create what you see in the recents screen, unless you want your recents screen to be blank. Those screenshots aren't uploaded anywhere and are immediately deleted after you go back into the app or clear apps from recents.

Thank you Franz and MM.626
You really answered this (and gave me peace of mind too haha)
Cheers!
This thread can be closed now.

Related

Better cloud storage?

I need a better cloud storage app for windows phone..
Because I know Skydrive won't let you upload nude content to the cloud or else it'll get removed with a chance of you getting banned.
Yes, I have pictures that I want to upload to the cloud like that, so what? Skydrive is a great cloud service, but the privacy is what bugs me.
I wish Google Drive was on windows phone but the only two apps of Drive on the WP8 are terrible and hardly work.
Anyone have any advice?
Ehm..didn't know skydrive removed nude pics ( actually I doubt that ).
Btw just set up a dropbox account and use a third party app in the market...
Sent from my ST26i using Tapatalk 2
Taurenking said:
Ehm..didn't know skydrive removed nude pics ( actually I doubt that ).
Btw just set up a dropbox account and use a third party app in the market...
Sent from my ST26i using Tapatalk 2
Skydrive actually does. Had a whole topic going on tweakers.net (dutch/belgium site) about a guy that saved some pictures of his GF with the result of his outlook account being perma-banned.
Taurenking said:
Ehm..didn't know skydrive removed nude pics ( actually I doubt that ).
Btw just set up a dropbox account and use a third party app in the market...
Sent from my ST26i using Tapatalk 2
This is taken from the agreement from Microsoft services.
"You will not upload, post, transmit, transfer, distribute or facilitate distribution of any content (including text, images, sound, video, data, information or software) or otherwise use the service in a way that:
depicts nudity of any sort including full or partial human nudity or nudity in non-human forms such as cartoons, fantasy art or manga.
incites, advocates, or expresses pornography, obscenity, vulgarity, profanity, hatred, bigotry, racism, or gratuitous violence."
Yes, they do not allow it.
I wish I could find a dropbox app that had multi-select.. I have a lot of pictures and files I want to save. :/
nhvider said:
This is taken from the agreement from Microsoft services.
"You will not upload, post, transmit, transfer, distribute or facilitate distribution of any content (including text, images, sound, video, data, information or software) or otherwise use the service in a way that:
depicts nudity of any sort including full or partial human nudity or nudity in non-human forms such as cartoons, fantasy art or manga.
incites, advocates, or expresses pornography, obscenity, vulgarity, profanity, hatred, bigotry, racism, or gratuitous violence."
Yes, they do not allow it.
I wish I could find a dropbox app that had multi-select.. I have a lot of pictures and files I want to save. :/
What about Box.com? They got an app as well and it works very well. I do not really like Skydrive. There's no privacy so I switched to Box and it's perfect for me.
Manafest said:
What about Box.com? They got an app as well and it works very well. I do not really like Skydrive. There's no privacy so I switched to Box and it's perfect for me.
YESSS. Thank you! I never even knew about this. Thanks a lot.
nhvider said:
This is taken from the agreement from Microsoft services.
"You will not upload, post, transmit, transfer, distribute or facilitate distribution of any content (including text, images, sound, video, data, information or software) or otherwise use the service in a way that:
depicts nudity of any sort including full or partial human nudity or nudity in non-human forms such as cartoons, fantasy art or manga.
incites, advocates, or expresses pornography, obscenity, vulgarity, profanity, hatred, bigotry, racism, or gratuitous violence."
Yes, they do not allow it.
I wish I could find a dropbox app that had multi-select.. I have a lot of pictures and files I want to save. :/
Wow i should really start to read those terms of agreement...and seriously??? Microsoft?? Looking into my stuff??? That's not cool at all...
Sent from my ST26i using Tapatalk 2
Taurenking said:
Wow i should really start to read those terms of agreement...and seriously??? Microsoft?? Looking into my stuff??? That's not cool at all...
Sent from my ST26i using Tapatalk 2
All cloud-storage solutions look through your stuff.
*sigh*
taken from
https://www.box.com/static/html/terms.html
section 8, paragraph (h):
(h) use the Service to: (i) engage in any unlawful or fraudulent activity or perpetrate a hoax or engage in phishing schemes or forgery or other similar falsification or manipulation of data; (ii) send unsolicited or unauthorized junk mail, spam, chain letters, pyramid schemes or any other form of duplicative or unsolicited messages, whether commercial or otherwise; (iii) advertise or promote a commercial product or service that is not available through Box unless your account is subject to a small office, home office, business or enterprise subscription; (iv) store or transmit inappropriate Content, such as Content: (1) containing unlawful, defamatory, threatening, pornographic, abusive, libelous or otherwise objectionable material of any kind or nature, (2) containing any material that encourages conduct that could constitute a criminal offense, or (3) that violates the intellectual property rights or rights to the publicity or privacy of others; (iv) store or transmit any Content that contains or is used to initiate a denial of service attack, software viruses or other harmful or deleterious computer code, files or programs such as Trojan horses, worms, time bombs, cancelbots, or spyware; or (v) abuse, harass, stalk or otherwise violate the legal rights of a third party;
good luck trying to explain their legal team that your nudes aren't "objectionable material", as nebulous as that definition is
look, you're subscribing to a free service in order to store sensitive data, and you are expecting privacy? ahahahahahahaha :silly:
and most hilariously for the guy wishing for the comfort and security of his trusted big brother google (the biggest oxymoron ever), be aware that google not only will snitch you to the cops if they feel it's appropriate -see point 3- but also will keep the pictures for jerking off afterwards:
By using Google services, you acknowledge and agree that Google may access, preserve, and disclose your account information and any Content associated with that account if required to do so by law or in a good faith belief that such access preservation or disclosure is reasonably necessary to: (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce the Terms, including investigation of potential violations hereof, (c) detect, prevent, or otherwise address fraud, security or technical issues (including, without limitation, the filtering of spam), or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law.
"good faith belief" being legalese for "whenever we want"
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services
but seriously, where's your common sense guys?

[Q] How to Disable E911

I want to disable the E911 on my phone. People, if you don't agree, keep it to yourself. I want to disable it. It should not matter why I want to, especially not on a site designed for people customizing the hell out of their phone. If you think I am paranoid, I think you're a sheep.
Can anyone actually provide some beneficial help towards my goal.
Maybe being a little more nice will get you your answer. You get more flies with sugar than vinegar.
Sent from my SCH-I500 using xda premium
Do you want to just disable E911 or disable all phone functionality? I haven't seen any way to just disable E911 on any mobile device. By default, every manufacturer puts stuff in that lets 911 locate your phone, and there is no way to disable it in software or hardware without basically stripping the software of its phone functions.
If you are still interested, and want software that strips this phone of all phone services and apps (including E911) try the GeeWiz Media ROM
As a Communications supervisor in a 911 center, I can tell you firsthand that disabling e911 won't prevent us from locating you. I've disabled e911 on several android phones that I've owned over the years and it still reports your Phase II Lat/Long
Sippi4x4man said:
As a Communications supervisor in a 911 center, I can tell you firsthand that disabling e911 won't prevent us from locating you. I've disabled e911 on several android phones that I've owned over the years and it still reports your Phase II Lat/Long
lol sippi, idk about the OP's reason for this, but i've personally seen people i know last week disable e911 on their phones (through ways like the Geewiz media rom+software mods) to do a drug dealing of all things, little did they know what u said was true and they were tracked not only by 911, but also by the stupidity of leaving my app (SMS Tasks) on their phones, leaving the person who ratted them out (not me but they did know their pass phrase), gave their phone to the local authorities and gave them the command [email protected]****** and with the version my app had on it (unofficial build), it located them with google-maps link that was clicked and gave a perfect track (because the people had gps on of all things), thus leading to the arrest (i personally felt good about it cause if i didn't make that app (SMS Tasks) they would be on the loose for a little bit longer causing who knows what cause the police officer said that they were having trouble tracking them with the e911 system for a "unknown error reported" as they told him so idk if it was a glitch with the tracking in my area's e911 or they actually disabled whatever it is that makes them track you (please don't reply with what it was just to be safe), but my app actually led to an arrest =) so by what i saw i think there might be some workaround, or just a glitch, i'm not encouraging it one bit, but i know personally that there was at least one person capable of doing it (again unless it was a glitch in their system) =S
I'd also be curious to learn to disable this. I, unlike the previous poster, wouldn't pride myself on incarcerating someone for a business transaction and otherwise victimless crime.
If anything, the post above highlights exactly why you should not install apps which ask for unnecessary permissions, because some nanny state developer just might invade your privacy and track your movements instead of focus on the purpose of the app.
Domush said:
I'd also be curious to learn to disable this. I, unlike the previous poster, wouldn't pride myself on incarcerating someone for a business transaction and otherwise victimless crime.
If anything, the post above highlights exactly why you should not install apps which ask for unnecessary permissions, because some nanny state developer just might invade your privacy and track your movements instead of focus on the purpose of the app.
it's actually a function of the app, not invasion of privacy, my app is open-sourced on my github as-is for the app's released versions, that locate command is one of the listed features on the thread, i update the github more than the thread but all the commands are safe, it was just some clever ideas for them to use my app to solve a criminal case that's all, as for the "business transaction and otherwise victimless crime" heroin and drug dealing is highly illegal in this area where it took place at, and the now ex-girlfriend of the guy was a victim from it because before he got out to buy it he beat her black and blue... >=( there's nothing funny about drug dealing making it a "victimless crime" as it's a nuisance in our society no matter how many "benefits" people say it has, as for my app it clearly states in the thread for you to keep your pass phrase a secret, as he didn't, and all the commands+usage are all on there and clear warnings for the potentially dangerous commands, but the version he had on his phone was a newer beta test version that uses google-maps links instead of general GEOLocation area. all that was done was completely legal, and not abuse of my app or permissions as it still gives people to where it tells who sent the message in the tracking menu (by phone number) since it's a new feature in my beta tester version so it did give full telling who it came from. but i've already been given warnings by the police from an earlier situation with the same people on the same kind of activity about regulations on tracking without consent, so i had to add that prompt to show who initiated the tracking, and am working on a button that will stop it remotely.
so until i can comply with the regulations, while keeping it stable, i haven't been able to update the app with them until i get the new tracking system with prompts stable, but to do all that with the new systems i have in the app it needs to be installed in CWM recovery cause the system-app Reboot permissions, and better GPS/wifi Toggling
sorry if it seems like i'm ranting, i'm truly not, but that situation was really personal to me and i felt like what i did was the right thing, not an "abuse of permissions app", or to "incarcerating someone for a business transaction and otherwise victimless crime.", as it was more for the fact that he beat her and then he want to do an illegal activity
Wow, I'm sorry for the long delay. I had switched phones and forgot all about this thread. I appreciate ALL who provided input. I still don't like the idea of it, but it doesn't bother me as much.
Not sure how far back...
Preexisting rom file from pre-e911 might work

[App] NFC Safe (Freeware)

Hi,
I made a new app: NFC Safe!
With NFC Safe you will be able to encrypt your private data with a NFC Tag (e.g. NFC Key Fob). You can add unlimited custom folder and entries. You will have only access to those entries with the specific NFC Tag! This is much more secure than protecting your data only with a password!
You can use any NFC Tag for this app! Your NFC Tag will be written with some data so it can only be used for this app.
NFC Safe | Windows Phone Apps+Games Store (United States)
Would be nice, if you test my app! My app is available for free!
With one of the next releases it will be also possible to encrypt/decrypt media files (images, audio, etc.)
Best Regards,
Sascha
I don't have any NFC tags on me right now nor would i really use this, but i have to say, this is a really cool idea!
While I understand if you're hesitant to post it, I'd want to review the app's source code before using it myself. Getting cryptography right, even when just using existing and well-implemented pieces, is vastly harder than getting it wrong. What algorithm do you use to encrypt the data? How about generating the key data? Are you using secure buffers? Initialization vectors? How are you detecting which key is correct for the data you're trying to access; is there a hash? What hash function? There are a lot of other important questions here, too.
With that said, the idea is fantastic. It would be especially great if you could support two-factor authentication (password + NFC tag, in this case) for extra-sensitive data, although password management in crypto has its own set of problems (what key derivation function, with what parameters? How are the password verifiers stored? Etc.)
Sorry for late reply!
xandros9 said:
I don't have any NFC tags on me right now nor would i really use this, but i have to say, this is a really cool idea!
Then you should buy an NFC Tag! They are really cheap. For example you could buy a NFC keyfob, so you will have your NFC tag always in your pocket and as said, such a NFC Tag costs ca. 1 USD at ebay
GoodDayToDie said:
While I understand if you're hesitant to post it, I'd want to review the app's source code before using it myself. Getting cryptography right, even when just using existing and well-implemented pieces, is vastly harder than getting it wrong. What algorithm do you use to encrypt the data? How about generating the key data? Are you using secure buffers? Initialization vectors? How are you detecting which key is correct for the data you're trying to access; is there a hash? What hash function? There are a lot of other important questions here, too.
With that said, the idea is fantastic. It would be especially great if you could support two-factor authentication (password + NFC tag, in this case) for extra-sensitive data, although password management in crypto has its own set of problems (what key derivation function, with what parameters? How are the password verifiers stored? Etc.)
Hi thanks for your feedback and your questions! I think you misunderstood my app. It's not a military app, where the highest security is important! My app doesn't need to encrypt the data, because the data is stored on your Windows Phone in the application data storage. Noone has access to this. If ever any person has access to those data, you and all other Windows Phone users have a very big problem!
So, my app is an app, not a Windows Application, where virus, NSA, etc. have access to your data. There are a lot of apps which protect your personal data with a password. So if someone else has your phone (stolen, or a friend while you are not watching it), he will be able to see your data, if they know your password (this is not impossible!) or guess your password! So my app protects your data with an NFC Tag. It's very comfortable to use and faster than typing a password and also more secure, because the third person needs your phone AND your NFC Tag.
However, my app also encrypts the whole data, so even if someone has access to the application data storage, he will be unable to read your data. Windows Phone has a built-in encryption mechanism, which can be used from an API. I'm using this encryption mechanism. This mechanism uses Triple-DES. It uses the user credentials and a randomly generated password (GUID with 36 chars/numbers and "-"-sign) to encrypt the data.
Hi! Welcome to XDA-Developers, where all of your assumptions about what cannot be accessed on the phone are wrong, or will be shortly!
OK, that's half a joke. But only half... as it turns out, the claim that "... Windows Phone in the application data storage. Noone has access to this." has been untrue for months. Check the Dev&Hacking forum, especially the Interop-unlock and SamWP8 Tools threads. We have the ability to access the entire WP8 file system. Currently that access is only via MTP (USB connection), but I and other people are working on extending it to homebrew apps as well.
Moving on... 3DES (even if used with a good mode of operation and a unique initialization vector, which I am guessing you probably didn't do) is obsolete and should not be used anymore. While it is considered adequate for existing code, it should not be used in new software, and cryptographers have been recommending a move to newer ciphers (such as AES) for years. As for using a GUID as a password, GUIDs are 128 bits (the dashes don't count, because they are always the same value in the same place, and each of the other 32 digits is hexadecimal only, meaning merely 4 bits of data), which is plenty if they are generated securely; however, most GUID generators do not use cryptographically secure random number generators. GUIDs are supposed to be unique (that's what the U stands for), but are not guaranteed to be unpredictable (which is one of the key requirements for an encryption key), and the way they are generated reflects this.
Oh, and good security is important in an awful lot more places than "a military app"! In fact, there's no such thing as "military-grade" encryption, really; there's only good encryption, and encryption which shouldn't be used for any purpose. For example, modern TLS (Transport Layer Security, the replacement for SSL or Secure Sockets Layer) cipher suites are intended to be secure even against governments and megacorporations (although there is of course suspicion as to whether the NSA have broken some of those cipher suites)... but TLS isn't just used on extremely sensitive stuff like top-secret documents and such, it's also used when browsing Facebook and Twitter, or accessing Gmail, or many other things of similarly minor sensitivity.
Thank you for explaining the intended use cases of the app, though. Do please be careful when making claims such as that something is "much more secure", though; you are liable to mislead people. TrueCrypt, a PC app that performs disk encryption and is intended to stand up to very powerful adversaries, uses only a password most of the time - but I would expect that, given a well-chosen password, it is more secure than this app. There are many critical components to security, and only the weakest link in the chain matters.
For what it's worth, if you are interested, I would be happy to help secure the app (on my own time, free of charge) as it sounds like something that I would quite like to use, if I could trust its security.
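The distinction the post above draws between "unique" and "unpredictable", as an added example that is not part of the original thread and not NFC Safe's code: it measures what a 36-character GUID string actually encodes, shows how little differs between two time-based GUIDs, and contrasts that with key bytes requested from a CSPRNG. The node, clock sequence and sample GUID are constructed values; which GUID generator the app's platform uses is not stated in the thread.

```python
import secrets
import uuid

# Constructed values for the demonstration (not taken from any real device).
CONSTRUCTED_NODE = 0x0011_2233_4455   # 48-bit node ("MAC address") field
CONSTRUCTED_CLOCK_SEQ = 0x1234        # 14-bit clock sequence
CONSTRUCTED_V4 = "3f2b8c1e-9d4a-4e7b-a1c2-5f6d7e8a9b0c"


def guid_layout(text):
    """Report how many bits a GUID string encodes and how many the format fixes."""
    parsed = uuid.UUID(text)
    hex_digits = text.replace("-", "")          # dashes carry no information
    encoded_bits = len(hex_digits) * 4          # one hex digit = 4 bits
    # RFC 4122 layout: 4 version bits + 2 variant bits are constant.
    fixed_bits = 6 if parsed.variant == uuid.RFC_4122 else 0
    return {
        "chars": len(text),
        "encoded_bits": encoded_bits,
        "version": parsed.version,
        "free_bits": encoded_bits - fixed_bits,
    }


def time_based_guids(count):
    """Version-1 GUIDs: timestamp + clock sequence + node, unique by design."""
    return [
        uuid.uuid1(node=CONSTRUCTED_NODE, clock_seq=CONSTRUCTED_CLOCK_SEQ)
        for _ in range(count)
    ]


def differing_hex_positions(a, b):
    """Indexes (0..31) of the hex digits where two GUIDs differ."""
    return [i for i, (x, y) in enumerate(zip(a.hex, b.hex)) if x != y]


def new_key(length=32):
    """Key material from the OS CSPRNG, an API that promises unpredictability."""
    return secrets.token_bytes(length)


if __name__ == "__main__":
    print(guid_layout(CONSTRUCTED_V4))
    first, second = time_based_guids(2)
    print(first, second, sep="\n")
    # Only timestamp digits move; the last 16 hex digits repeat on every call.
    print("differing positions:", differing_hex_positions(first, second))
    print("CSPRNG key:", new_key().hex())
```

Whether a given platform's random (version 4) GUIDs come from a CSPRNG is an implementation detail, which is why the key in `new_key` is requested from an interface documented for that purpose instead.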
What exactly is your problem?!?!
I said, that noone has access to the Application Data Storage and this is true! There is no Virus available for Windows Phone and there is no App in the Store available which has access to another app's data storage! We are not talking about some special cases where the third-person already have STOLEN your device, because nothing in this world is safe! NOTHING! Everything can be hacked! Also I didnt know that all current Lumia devices were hacked. Other devices are not relevant (Nokia has a market share of more than 90%!).
The built-in encryption mechanism in Windows Phone is the same almost ANY Windows Phone app uses! Any banking app, Facebook, eBay, PayPal. The Wallet feature of Windows Phone uses it. If you have set up accounts (E-Mail, Microsoft Account, Office365, etc.) your passwords were encrypted with the SAME API my app uses. So if you think this API is totally unsafe, WHY THE HELL are you using Windows Phone? Also Windows Vista, 7, 8 and 8.1 uses THE SAME API for a lot of things. So please don't use Windows anymore!
I said, my app is more secure THAN AN APP which only uses a password and that is true. Also my app additionally encrypts the data and not only block the access to the data (which a lot of other apps only do!).
Please decrypt the attached file and tell me how you did that and how long it took. Thanks!
Whoa, whoa, calm down.
First of all, don't count on that "no app in the store..." business; There's *probably* no malicious app that can do so, but OEM apps can, if they have some reason to do so, access other apps' install and data folders. I've written apps (using the Samsung OEM components, which are clumsy for the purpose but *do* work) to do it myself. It's not something you're likely to see in widespread use, but it's possible.
If you aren't bothering with the case of your phone being stolen, what's the point of the encryption anyhow? I mean, prevention of data loss in the event of device theft is one of *the* key use cases for data storage encryption! It's the rationale behind things like BitLocker (which is available on WP8, but only if the user has connected their phone to a company's Exchange server that pushes a policy requiring device encryption).
If you were honestly worried about market share, you probably wouldn't target WP at all; Nokia's fraction of the WP market share is lower than WP's fraction of the smartphone market share. Nonetheless, you are correct that, at this time, Nokia WP8 devices haven't been cracked. Nor have HTC's phones. I'm confident that this will change in time, though. You might have misunderstood my little joke at the start of my last post... but breaking into smartphone operating systems, getting past the lockdown policies that say "noone[sic] has access" (it's "nobody" or "no one", by the way) and taking those decisions into our own hands.
I guarantee you that the vast majority of WP apps don't use 3DES. I *know* full well that the Microsoft code doesn't; they had already deprecated that cipher years ago, when I interned there, long before even WP7 existed; its use was prohibited for new code. Just because you used the DPAPI (Data Protection API) doesn't mean you used it correctly (and by the way, that internship involved working on encryption in Windows, writing test tools for it). Please don't take this as some kind of personal insult; in my line of work (security engineer), I see a ton of misuse of cryptography. It is, as I said in my first post, hard to get right. That's why I offered to help.
I'm not going to bother taking the time to figure out what cipher you used on that file, and what its contents are supposed to look like enough to start doing any cryptanalysis, but I guarantee you it's not very good. There are repeated patterns, including long strings of null bytes, that are phenomenally unlikely to occur in a file that short after passing it through even a half-decent cipher (we're talking 1-in-several-billion chance here, no joke). Coming to this conclusion took all of a few seconds, by the way, using no tool more sophisticated than Notepad++. If I was pulling it off of a phone, I'd have a lot more idea of what type of plaintext to expect, and I could examine the decompilation of the app to see what ciphers were used, which would make things a lot easier. I'd say "for all I know, you just took the output of CryptGenRandom and put it in a file" but if you had, it wouldn't have had obvious patterns in it... in any case, it doesn't matter. I don't have to prove anything to you. I'm *trying* to help, and offer some good advice as well, but I can't force you to take it. There's no call for getting defensive, though. I wrote a file encryption utility myself once, in fact. It sucked, so then I wrote a program to break its encryption. Both experiences (but mostly the latter) taught me things.
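The quick look described in the post above (null-byte runs and repeated patterns in a short "encrypted" file) can be scripted. This is an added example, not part of the original thread and not the app's code; both sample inputs, the 8-byte XOR key and the thresholds are constructed assumptions. Passing these checks does not show a cipher is strong; failing them is strong evidence that it is not.

```python
import hashlib
import math
from collections import Counter

def longest_run(data: bytes, value: int = 0) -> int:
    """Length of the longest run of `value` bytes (null bytes by default)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best

def repeated_blocks(data: bytes, size: int = 8) -> int:
    """Count aligned `size`-byte blocks that duplicate an earlier block."""
    blocks = [data[i:i + size] for i in range(0, len(data) - size + 1, size)]
    return len(blocks) - len(set(blocks))

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes) -> dict:
    """Cheap red-flag check for a file that claims to be ciphertext.

    Thresholds are assumptions suited to samples of about 1 KiB or more.
    """
    report = {
        "longest_null_run": longest_run(data),
        "repeated_blocks": repeated_blocks(data, 8),
        "entropy": entropy_bits_per_byte(data),
    }
    report["plausible_ciphertext"] = (
        report["longest_null_run"] < 4
        and report["repeated_blocks"] == 0
        and report["entropy"] > 7.0
    )
    return report

def sound_stream(n: int) -> bytes:
    """Constructed stand-in for sound cipher output: SHA-256 in counter mode."""
    chunks = (hashlib.sha256(b"constructed seed" + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(chunks)[:n]

def weak_xor_file(n: int) -> bytes:
    """Constructed weak scheme: zero-padded record XORed with a repeating key."""
    key = bytes.fromhex("5a17c3e99b0d42f6")  # constructed key
    plain = b"user=alice;pin=4711;".ljust(n, b"\x00")  # constructed plaintext
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plain))

if __name__ == "__main__":
    for name, sample in (("sound", sound_stream(1024)), ("weak", weak_xor_file(1024))):
        print(name, triage(sample))
```

In the weak sample the zero padding turns into the key repeated over and over, which is the kind of pattern a text editor already makes visible.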
A new version is available now, which includes image/photo encryption, OneDrive backup, bugfixes and other small improvements!
http://www.windowsphone.com/s?appid=0a8656d4-ed32-4bb5-baac-1317827e18d8
Hi,
I have a question:
My app has been available in German and English for one year now! It was downloaded over 1000 times in Germany, but only 80 times in USA, UK, etc. I got 40 reviews (4-5 stars) in Germany and only one bad review in USA. So could someone explain what's wrong with my app? Is it not visible in the US Windows Phone store? Is my app very badly translated? Are there no Windows Phone users in the USA? Or maybe no one uses NFC in the USA?
Best regards,
Sascha
Sorry, I haven't tried your app yet but will try to answer your questions.
First, probably it's something wrong with your marketing, not the app. Let me say: 1080 downloads per year - it's too small a number (even 1000 in Germany). For example, my "marketplace entry ticket", "Lunar Lander Touch" app, very unpopular and underrated (but it's still one of my favorite games on WP, and a good alcohol tester), has 4078 for the year 2013.
As for NFC: I've tried to use it but stopped because of very uncomfortable WP implementation. That service should work flawlessly, without user interaction, stupid questions and dialogs, to be useful and popular. But unfortunately it's not (for the Windows Phones). Microsoft must add an option to disable NFC warnings.
P.S. I may recommend you to use "Snowden case" for advertising
Thanks for your feedback!
Yes, I know that the download numbers are very bad, but I don't have an idea how to improve this. Because my app is free and is my private hobby, I don't have money to buy ads, etc.
Improving my app had no effect. Thanks to DVLUP I "bought" ads for 50$ with AdDuplex, but this also had no effect.
It's really hard for individuals to get their apps famous and in a higher ranking in the Windows Phone Store without investing money.
I understand... AdDuplex is really bad: I've tried once ($100 from DVLUP meeting plus I've bought another $100 coupon for $40) during a week - no results at all. Complained to AdDuplex support and the manager gave me an additional $300 for free, to spend within one day (sic! He-he, I wish to get $300 daily from my app!) - still no visible results, just regular download fluctuations...
What you may try: advertise on more forums, prepare good pictures/screenshots; maybe a "howto" video clip will be helpful. Embed Nokia's RateMyApp control (check NuGet) in your form. If you have XP on DVLUP, spend 'em on an advertising campaign (these ones are extremely effective!).
P.S. I also thought about xda-based developers club, with "rate 5 stars my apps, and I'll rate yours" rule but I don't know how to implement it properly (but good customer rating is very important for the app distribution).
Thanks!
I already added RateMyApp. This was really helpful to get more reviews. It's a pity that I had not implemented such a thing from the very first time my app was added to the Windows Phone Store :-/
I "bought" 1 week in App Social (DVLUP). Hope this helps. But it is also only in Germany.... I have enough users and reviews in Germany, I need them in USA, UK, etc. The problem with the DVLUP campaigns is, that you need at least 50 or 100 reviews (and 4,5 stars) as a requirement for the advertising. But you don't have so many reviews and that's the reason why you need the campaign to get more reviews, but you can't buy the campaign... A vicious circle!
I will do my best to get more downloads in other countries than Germany!
Hey, thanks for this app, I find it really useful.
Thanks!
And here is the idea for the ad banner
Great idea
btw: Version 2.1 with new type "User Credentials" is available now!
Ok, I stopped developing, it's not worth it. Sorry!

Sicher, new mobile encrypted chat app with safe file transfer

Hi all,
I'd like to share great news. Sicher, our free secure messenger finally comes to Windows Phone.
Sicher features true end-to-end encryption of both text messages and file attachments. With anonymous push notifications and the ability to set a timer for when messages will self-destruct, Sicher also includes password protection for the app itself.
Please try Sicher and share your feedback in this post.
FairyMary
Sicher Team
App is free, store link is here: EDIT: Removed because this thing looks like a scam and its description is a lie
I haven't been able to find a lot of info about how the app works (I'm talking about at a very technical level). My general advice regarding crypto code is to open it up for review, either publicly or by a professional security assessment firm (disclaimer: I work at one of those). If the code is already open for review somewhere, that would be awesome; if not, I recommend getting in touch with some external security experts (same disclaimer, but I can provide contact info if you want). The Internet is full of things that the developer claimed (and often even sincerely believed) were secure.
Aaaand just for fun, I decided to take a look at the app and see if there was anything obviously wrong. Let's start with the presence of no fewer than *three* advertisement networks, shall we? Begun Advertising is Russian and Google-owned, Google AdMob is self-explanatory, as is Microsoft Advertising Mobile. Your store description claims you "don’t use any advertising engines". Did you really think nobody would check this?
WTF are you trying to pull here?!? I can't think of any way to faster burn trust in a "secure" app than to make a claim that is trivially disprovable in a way that benefits nobody except you.
I'll come right out and say it: Sicher looks like a scam!
Oh look, a Facebook library as well. Totally expected to see that, given that you "don’t integrate social network SDKs".
Oh, and before anybody asks about responsible disclosure, that's for when there's an unintentional bug in somebody's code. This just looks like pure exploitation of your users! (I say "looks like" because I haven't actually decompiled the code to see if those libraries are being used, but it's hard to imagine why you'd have them otherwise...). The only responsible way to disclose malware is to do it publicly, and this looks malicious.
EDIT: I'll give you 24 hours to give me a good argument why I shouldn't report my findings to the stores themselves.
Time's up. You actually got over 48 hours because I was busy yesterday. Hope not too many people got scammed and tracked by your "secure" and "private" app...
Hey @GoodDayToDie, unfortunately I don't know where else to ask this, since you seem to be really interested (and skilled) in this topic, what messengers do you consider secure? WhatsApp is obvious, the only ones on Windows Phone I know of that come to my mind are Telegram and (soon) Threema.
What do you think about the two? I have basically no knowledge, but what seems odd to me about Threema is their FAQ's answer to "what about MITM?": they just say they use certs, hardcoded in the app. Aren't they with their servers in control then? How I understand this, the Threema servers could perfectly perform a MITM attack.
And Telegram has a completely confusing protocol... So please share your thoughts!
I have no personal knowledge of one, sadly. Take anything I say here with a huge grain of salt (including the fact that Sicher looks like a scam; I haven't actually verified that it *uses* all those ad networks + Facebook that it integrates, just that it has them) as I'm not spending the time & effort for a full security review of these apps at this time.
Threema actually looks quite good.
Pros:
They don't try to implement the crypto themselves (they use NaCl, which is both written by people who know what they're doing, and well-reviewed).
The design of their end-to-end solution makes sense (it connects through the server since phone networks won't allow incoming/direct connections, but the messages are encrypted to only the recipient and it doesn't require that the recipient be online to receive the message).
They are relatively open about how things work (although those *could* be lies; I haven't pulled the app apart).
It is possible for the user to verify the key of another user.
Cons:
They don't have Perfect Forward Secrecy on messages. PFS would require that the intended recipient be online at the start of any given conversation (to negotiate the ephemeral keys) so this isn't terribly surprising, but it is disappointing. An attacker (including a government agency) who gets access to your private key could decrypt historical traffic to you if they'd recorded it.
The app is proprietary; there's nothing stopping them from pushing a malicious update.
The server supplies the public keys of users; until such time as the user validates the other party's key (which is difficult to do except in person) the server could have sent a public key that the server has the private key for (instead of the user's own public key) and then MitM the user's traffic. This would break down when verified though, unless the app lied about the result of the verification process (you don't actually see the key itself).
To address your concern about MitM, the app says they use certificate pinning (a standard and very smart security measure, assuming they did it right) for app-to-server communication, so nobody (including third-party security engineers) can MitM the app traffic. They also claim to use PFS. However, if the server itself is untrusted (i.e. some government thugs show up to demand access, although bear in mind that apparently the servers are all in Switzerland) then the server could give you the wrong public key for a user you try and add, allowing the server to MitM you. Also, the company could push an update that is malicious.
The only protection against the server-sends-wrong-key threat is to either require that the user manually import all keys (think PGP minus keyservers and assuming trustworthy key exchanges) or exactly verify the key (i.e. personally ensure that it matches the other user's key by actually checking the bytes or at least the hash). The only protection against the malicious update is to make the source code available and have a method by which users can either compile it themselves (though see "Reflections on Trusting Trust") and/or have a way to verify the application binaries.
I'll look at Telegram later. For the moment, though, I would loosely recommend Threema once it's available. There's also Skype, of course, but while it was decompiled once long ago (and found to use secure encryption, although some non-crypto vulns were found) that was many versions ago (and, in particular, was before Microsoft bought them).
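The server-sends-wrong-key threat and the "verify the key or at least the hash" defence from the post above, as an added example that is not part of the original thread and is not Threema's code. `ContactStore`, its methods and the 32-byte keys are hypothetical and constructed for illustration.

```python
import hashlib

class KeyMismatch(Exception):
    """The directory served a different key than the one already stored."""

def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 of the raw key bytes: the value two users compare in person."""
    return hashlib.sha256(public_key).hexdigest()

class ContactStore:
    """Hypothetical client-side record of each contact's key and its trust state."""

    def __init__(self):
        self._contacts = {}  # user_id -> {"key": bytes, "verified": bool}

    def add_from_server(self, user_id: str, public_key: bytes) -> str:
        known = self._contacts.get(user_id)
        if known is None:
            # First sight: all the client knows is what the server claims.
            self._contacts[user_id] = {"key": public_key, "verified": False}
            return "unverified"
        if known["key"] != public_key:
            # Never replace a stored key silently, verified or not.
            raise KeyMismatch(user_id)
        return "verified" if known["verified"] else "unverified"

    def verify_in_person(self, user_id: str, peer_fingerprint: str) -> bool:
        """Compare the stored key with the fingerprint read off the peer's own device."""
        entry = self._contacts[user_id]
        shown = peer_fingerprint.replace(" ", "").lower()
        entry["verified"] = fingerprint(entry["key"]) == shown
        return entry["verified"]

def demo() -> dict:
    # Constructed 32-byte values standing in for public keys.
    bob_real = hashlib.sha256(b"constructed: bob's real public key").digest()
    server_key = hashlib.sha256(b"constructed: key the server controls").digest()
    shown_by_bob = fingerprint(bob_real)  # what Bob's own device displays

    honest, attacked = ContactStore(), ContactStore()
    honest.add_from_server("bob", bob_real)      # server behaves
    attacked.add_from_server("bob", server_key)  # server substitutes its own key

    result = {
        "honest_verified": honest.verify_in_person("bob", shown_by_bob),
        "attacked_verified": attacked.verify_in_person("bob", shown_by_bob),
    }
    try:
        honest.add_from_server("bob", server_key)  # later swap attempt
        result["swap_detected"] = False
    except KeyMismatch:
        result["swap_detected"] = True
    return result

if __name__ == "__main__":
    print(demo())
```

Until `verify_in_person` succeeds, the stored key is only the server's claim, which is the window the post describes.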

YouTube deleted Linux Deploy video ALMOST INSTANTLY!

This one's got me incensed! Answered a question on quora, can Linux be installed on a galaxy tab 2? Everyone said no. I said yes, as debian is installed via Linux deploy on my Wileyfox Swift 2, and supplied screenshots. 62 views, no upvotes, started to think I'm not believed...
So I record my screen, into about phone first, to show the android version, etc.. Then to Linux deploy, start services, then vnc viewer to start the desktop environment. Obviously opened a couple of apps, that was it.
Uploaded it to YouTube so as to post an edit on quora with a link. Processing for at least 30 minutes at 95% done then the following email
Hi paul pinckston,
As you may know, our Community Guidelines describe which content we allow – and don’t allow – on YouTube. Your video "Linux Deploy on Wileyfox Swift 2" was flagged for review. Upon review, we’ve determined that it violates our guidelines. We’ve removed it from YouTube and assigned a Community Guidelines strike, or temporary penalty, to your account.
Video content restrictions
It's not okay to post large amounts of untargeted, unwanted, or repetitive content to YouTube. If the main purpose of your content is to drive people off of YouTube and onto another site, it will likely violate our spam policies. In addition, misleading descriptions, tags, titles, or thumbnails designed to increase views are not allowed. Tags should only be placed in the appropriate tag section and not in the description. Learn more.
The impact of strikes
This is the first strike applied to your account. We understand that users seldom intend to violate our policies. That’s why strikes don’t last forever – this strike will expire in three months. However, it’s important to remember that additional strikes could prevent you from posting content to YouTube or even lead to your account being terminated.
How you can respond
If you believe this was a mistake, we’d like to hear from you. Please follow both of these steps as simply deleting the video won’t resolve the strike on your account.
The next time you sign in you will be asked to acknowledge this strike on your account.
If you would like to appeal this strike, please submit this form. Our team will thoroughly review your appeal and will contact you again very soon.
Sincerely,
- The YouTube Team
Help center • Email options • Report spam
©2018 YouTube, LLC 901 Cherry Ave, San Bruno, CA 94066, USA
It appears that they don't believe me either! "misleading descriptions, tags" etc. is the only thing I can see that could possibly apply.
Any advice, as to what this may be all about, would be gratefully received.
But Paul, if I can call you by your name, this forum is about technical problems and support. This problem isn't about a bug or technical problem, but about the famous YouTube hypocrisy (with thumbnail) and another forum: Quora.
One piece of advice:
If someone doesn't trust you or your advice, it's his problem. If I understand, you gave the advice; if they don't trust it, that's a loss for them, you don't lose anything. I know this can be frustrating but that's life, too bad for them.
Now you're on XDA, not on Quora or YouTube; next time post questions about technical problems.
No problem, my sincere apologies. Should have put it in off-topic, please move the thread if required.
