hello,
Anyone else a bit paranoid using third party software to store passwords and bank information? What keeps the program from sending over the pw/login file to someplace and have it hacked?
Therefore, I'm looking for an encryption program and found secubox. However, I'd like something like truecrypt. Anyone know of better?
thanks
Encryption for Passwords
Try keepass, can be found at http://keepass.info open source. The download section also contains link to a PPC and smartphone version.
Not had any problems so far and been using it for about 7 months.
You can also go to your settings > systems > encryption to only allow your device to see what's in the storage card.
Solution
koloa said:
Therefore, I'm looking for an encryption program and found secubox. However, I'd like something like truecrypt. Anyone know of better? Thanks
It sounds like you're looking for FreeOTFE4PDA and FreeOTFE, which works on both PCs and Windows Mobile (see: www.FreeOTFE.org)
Has anyone in their rom building and reverse engineering ever found anything Big Brotherish in the code? Keyloggers and hidden processes that phone home your location come to mind.
When you set up the phone there is a question about sharing your location with google
jsapp said:
When you set up the phone there is a question about sharing your location with google
But that is upfront, I'm asking about hidden processes. One that would crop up after you say no.
I'm sure Google wouldn't stick a keylogger or hidden process for the fun of it in a fresh build of the OS. I doubt it, like if you choose "No" it will tell the OS not to send location data to google.
Coburn64 said:
I'm sure Google wouldn't stick a keylogger or hidden process for the fun of it in a fresh build of the OS. I doubt it, like if you choose "No" it will tell the OS not to send location data to google.
Yes, but what about HTC? T-Mobile? No offense but have you actually dug around the code? I don't know much about code besides web but I wouldn't put it past a company to do something like that.
ATT already got busted for helping DHS spy on citizens. I'm not paranoid, just curious.
Danny double post. Srry
thedroid said:
Yes, but what about HTC? T-Mobile? No offense but have you actually dug around the code? I don't know much about code besides web but I wouldn't put it past a company to do something like that.
ATT already got busted for helping DHS spy on citizens. I'm not paranoid, just curious.
I am wondering also now that u guys bring this up. Maybe someone could ask the devs. I faintly remember a dev saying "got rid of shady HTC log apk". I think it might have been cyanogen but I'm not 100% on that. So if I gave credit to the wrong dev feel free to correct me.
Well it wouldn't be incredibly smart to put in something like that, and then make it open source.
jsapp said:
Well it wouldn't be incredibly smart to put in something like that, and then make it open source.
HTC's code is technically closed source AFAIK.
jsapp said:
Well it wouldn't be incredibly smart to put in something like that, and then make it open source.
This is the biggest reason I love open source. The more people with the code the better.
thedroid said:
I'm not paranoid, just curious.
I'm curious too, and paranoid
I just assume the government's watching me all the time, and I make sure to give them something to talk about.
thedroid said:
ATT already got busted for helping DHS spy on citizens. I'm not paranoid, just curious.
Why would a telecom company put spying code on the mobile? It would be so much easier to just snoop on their server end, where there's little possibility you could discover such an intrusion.
Thoughts and responses appreciated
Privacy policy from Google suggests private user information IS sent to Google*. I am moving from HTC's WM devices to the G1 and I'm getting quite concerned about things of this nature. I can see that a user has the option to share or withhold some information but not sure if there are options to withhold ALL personal details (location, contacts etc). Are there any options or methods that COMPLETELY stop ANY information being sent to Google or any other party? (Device config options, ROMs etc???)
I am new to Android and still learning so any help would be appreciated. (also posting in a hurry!)
Thanks
*G1-specific information we collect
* In order to set up your device, we ask you to sign-in with your Google Account (if you already have one) or create a new, free Google Account. Your Google Account information is stored by Google. If you change your device, you will have to associate the new device with your Google Account before we can authenticate you.
* Each device is assigned one or more unique identification numbers. These identification numbers are associated with your Google Account and the IMEI number, mobile country code, and mobile network code of your device (which is also stored by your wireless operator), and allow your device to sync your Google email, contacts, and other Google services.
* In order to continually improve our services and provide a better user experience, we collect some basic usage statistics from your device. Information such as the hardware model of your device and the version of the Android software you are running is collected but not stored in association with your Google Account. In addition, we collect some information on device-level events such as crashes that is associated with your Google Account temporarily in order to provide customer service. Neither of these categories of usage statistics contains application-level information such as the content of emails or phone call records.
* Certain applications or features of your G1 device may cause other information to be sent to Google but in a fashion that cannot be identified with you personally.
* Your device may send us location information (for example, Cell ID or GPS information) that is not associated with your Account.
* Using some applications or features may send information to Google that is stored with your Google Account. If you use standard Google services on your G1 device, for example by creating new contacts or Calendar events, then this information will be associated with your Google Account and stored consistent with the privacy policies for those services. Likewise, if you use the Android Market, information about your downloads, comments, and ratings will be stored with and accessible through your Google Account. You have the option to disable or not use these features, in which case Google will not receive this data.
* Certain of our products and services allow you to personalize the content you receive from us. For these products and services, we will store your preferences and the information you provide for customization. These preferences may be associated with your Google Account or elsewhere with Google, as explained in the Privacy Policies for those products.
Yes, in settings and during setup it asks you if you want info to be sent... However you should know that Microsoft has the Win update which sends info about your PC. You shouldn't be concerned though... Contacts/emails/calendar is sent/stored on servers.
Ace42 said:
Yes, in settings and during setup it asks you if you want info to be sent... However you should know that Microsoft has the Win update which sends info about your PC. You shouldn't be concerned though... Contacts/emails/calendar is sent/stored on servers.
I was curious to know if all the data collection methods could be switched off reliably. Thanks for the quick response Ace
MOD EDIT: Thread closed by OP's request.
If you have used reker's proxy, you will notice the "by @reker" entry on top of the list with search results. If we could do the same with the SamWP8 tool (and link his app to a similar app page), maybe we could bypass the interop unlock requirement (the error you receive if you try to sideload an app with interop capabilities on a non-interop unlocked phone) because apps installed in the store don't get this check (as compu829 demonstrated by saying the original Microsoft youtube app contained the ID_CAP_MEDIALIB_PHOTO_FULL entry in the WMAppManifest.xml, and how could you install this app on phones without having an interop-unlock, exactly: the app was installed through the store).
Correct me if I'm wrong, I'm still learning how the WP OS is built and how it functions.
To admins, I can't post this in the Windows Phone 8 Development and Hacking thread because I don't have the required 10 posts yet.
Seems like a feasible idea, I'll take a look on how the store works but I think the XAPs still need to be signed by a trusted root for this to work.
I'll post any updates here as I can't post on dev section x.x
This idea is older than WP8, and it doesn't work. First of all, the apps themselves (as opposed to the data about them) are delivered over an encrypted channel that uses certificate pinning; we can't intercept or modify it. Second, the Store will only install Microsoft-signed (and probably only DRMed) apps. Unsigned apps failed to install through this channel back on WP7. Third, even if we could install the apps this way, they would still be unsigned. The OS would thus treat them as developer apps. Developer apps on phones where the MaxUnsignedApp registry value is less than 300 are limited to the standard third-party app capabilities, meaning no INTEROPSERVICES or similar.
By all means, go ahead and poke at it - WP8 has surprised me before with weaknesses it has relative to WP7 - but don't expect this to work even if you get past the first issue (which *does* exist on WP8).
Did someone contact reker? We need to figure out how he did this. I can't tell if he succeeded in linking an app to the custom app page because when I click install, I get an error message: "This app is not available for your region", maybe I need to change my region to China and try again.
@GoodDayToDie: Won't the phone be tricked by the store installation, thinking it's an encrypted app? Does it matter whether the app is encrypted or not if someone manages to link an app to a custom app page, because Windows Phone apps weren't always encrypted to my recollection (this may predate the WP8 era, if so we're screwed). And if it matters, can we encrypt the app ourselves by using an encryption method like AES, SHA, MD5, ... ? Unlikely hypothesis, but if someone would succeed in doing all this, could the SamWP8 tool be used to increase the HKEY_Local_Machine\Software\Microsoft\DeviceReg\Install MaxUnsignedApp value beyond 300 to unlock interop capabilities? Are the EnableAllSideloading.xap and Bootstapper.xap also usable on other WP than Samsung or do they need to be recoded to work on WP of other manufacturers?
EnableAllSideloading.xap and Bootstapper.xap depend on the Samsung diagnosis tool and its RPC server that runs on LocalSystem account that has "unlimited" registry access, it's not available on other manufacturers.
Tonight I will start my experiments on it.
greenboxal said:
EnableAllSideloading.xap and Bootstapper.xap depend on the Samsung diagnosis tool and its RPC server that runs on LocalSystem account that has "unlimited" registry access, it's not available on other manufacturers.
Tonight I will start my experiments on it.
I was wondering how you could flash the bootloader of Android on the Ativ S as the Secure Boot made by Qualcomm is locked by a blown fuse (it's a hardware issue, not only a software issue you must deal with).
bruce142 said:
I was wondering how you could flash the bootloader of Android on the Ativ S as the Secure Boot made by Qualcomm is locked by a blown fuse (it's a hardware issue, not only a software issue you must deal with).
SecureBoot checks signature of the bootloader by a known public key, the case is that Samsung uses the *same* key for android and wp8 bootloaders.
greenboxal said:
SecureBoot checks signature of the bootloader by a known public key, the case is that Samsung uses the *same* key for android and wp8 bootloaders.
If this checks out, what does it mean, could we flash android on the Ativ S? Or could you even make a dual-boot scenario possible? Great find by the way, :good:.
bruce142 said:
If this checks out, what does it mean, could we flash android on the Ativ S? Or could you even make a dual-boot scenario possible? Great find by the way, :good:.
Yes, it's the same hardware as SGS3 Snapdragon 4 version. But let's go back to the topic, if you have some question about it send me a PM or post on my R&D thread
greenboxal said:
Yes, it's the same hardware as SGS3 Snapdragon 4 version. But let's go back to the topic, if you have some question about it send me a PM or post on my R&D thread
I can't post yet in your R&D thread because I haven't met the 10 post requirement yet.
Edit : I can install reker's "by @ reker" app when changing the region to China, and this is interesting (pasted directly from his WMAppManifest.xml) :
<?xml version="1.0" encoding="UTF-8"?>
<Deployment AppPlatformVersion="8.0" xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment">
  <DefaultLanguage xmlns="" code="zh-CN"/>
  <Languages xmlns="">
    <Language code="zh-Hans"/>
  </Languages>
  <App xmlns="" PublisherId="{9b1d1b5b-f206-4b27-a139-89659591061b}" IsBeta="false" PublisherID="{b259af64-2f7d-4a89-983f-836325480629}" Publisher="智机网_WPXAP" Description="智机市场官方版" Author="智机网_WPXAP" Genre="apps.normal" Version="2.0.0.0" RuntimeType="Silverlight" Title="智机市场" ProductID="{59bd999b-496e-4e05-afce-94b67ba6e862}">
    <IconPath IsResource="false" IsRelative="true">Assets\ApplicationIcon.png</IconPath>
    <Capabilities>
      <Capability Name="ID_CAP_IDENTITY_DEVICE"/>
      <Capability Name="ID_CAP_IDENTITY_USER"/>
      <Capability Name="ID_CAP_NETWORKING"/>
      <Capability Name="ID_CAP_PUSH_NOTIFICATION"/>
      <Capability Name="ID_CAP_SENSORS"/>
      <Capability Name="ID_CAP_WEBBROWSERCOMPONENT"/>
      <Capability Name="ID_CAP_APPOINTMENTS"/>
    </Capabilities>
    <Tasks>
      <DefaultTask Name="_default" ActivationPolicy="Resume" NavigationPage="MainPage.xaml"/>
    </Tasks>
    <Tokens>
      <PrimaryToken TaskName="_default" TokenID="WpXapToken">
        <TemplateFlip>
          <SmallImageURI IsResource="false" IsRelative="true">Assets\Tiles\FlipCycleTileSmall.png</SmallImageURI>
          <Count>0</Count>
          <BackgroundImageURI IsResource="false" IsRelative="true">Assets\Tiles\FlipCycleTileMedium.png</BackgroundImageURI>
          <Title/>
          <BackContent/>
          <BackBackgroundImageURI/>
          <BackTitle/>
          <DeviceLockImageURI/>
          <HasLarge/>
        </TemplateFlip>
      </PrimaryToken>
    </Tokens>
    <Extensions>
      <Protocol Name="wpxap" TaskID="_default" NavUriFragment="encodedLaunchUri=%s"/>
    </Extensions>
    <ScreenResolutions>
      <ScreenResolution Name="ID_RESOLUTION_WVGA"/>
      <ScreenResolution Name="ID_RESOLUTION_WXGA"/>
      <ScreenResolution Name="ID_RESOLUTION_HD720P"/>
    </ScreenResolutions>
  </App>
</Deployment>
@bruce142: The store may or may not care about the DRM - that was in place by the time WP8 came out, but WP7 didn't have it for a long time - but it absolutely cares about the signatures. More accurately, actually, the XAP install code (which the store invokes) cares about the signatures. There's no "tricking" it; the signature is quite plainly there, or it's not. You don't exactly have to look hard to find it. The app launch code *also* cares about signatures. Non-sideloaded apps won't have ID_CAP_DEVELOPERUNLOCK, which is a special capability automatically added to sideloaded apps to allow them to launch even though they don't have signatures. Without that capability (or rather, without the SID which the token of an app with that capability gets at chamber creation), the kernel will refuse to load the unsigned executable binaries.
GoodDayToDie said:
@bruce142: The store may or may not care about the DRM - that was in place by the time WP8 came out, but WP7 didn't have it for a long time - but it absolutely cares about the signatures. More accurately, actually, the XAP install code (which the store invokes) cares about the signatures. There's no "tricking" it; the signature is quite plainly there, or it's not. You don't exactly have to look hard to find it. The app launch code *also* cares about signatures. Non-sideloaded apps won't have ID_CAP_DEVELOPERUNLOCK, which is a special capability automatically added to sideloaded apps to allow them to launch even though they don't have signatures. Without that capability (or rather, without the SID which the token of an app with that capability gets at chamber creation), the kernel will refuse to load the unsigned executable binaries.
I understand, the app has to be signed before it can be uploaded to the store, but does the developer of an app not sign its app when he assembles it or does the store sign the app itself? I see no threshold here, as signing an app is not a problem, or is it? I still admire that reker managed to make an app page by using a proxy which isn't normally there and successfully linked an app to it, which I was able to download and it contained elevated capabilities, I thought the ID_CAP capabilities were all interop capabilities (correct me if I'm wrong). Could someone make the old version of the Samsung Diagnostic tool available this way which users with other WP than the Ativ S/Ativ S Neo might be able to use to modify the MaxAppUnsigned value and unlock more capabilities, or is this impossible? If only we knew how reker did this, ...
bruce142 said:
I understand, the app has to be signed before it can be uploaded to the store, but does the developer of an app not sign its app when he assembles it or does the store sign the app itself? I see no threshold here, as signing an app is not a problem, or is it? I still admire that reker managed to make an app page by using a proxy which isn't normally there and successfully linked an app to it, which I was able to download and it contained elevated capabilities, I thought the ID_CAP capabilities were all interop capabilities (correct me if I'm wrong). Could someone make the old version of the Samsung Diagnostic tool available this way which users with other WP than the Ativ S/Ativ S Neo might be able to use to modify the MaxAppUnsigned value and unlock more capabilities, or is this impossible? If only we knew how reker did this, ...
ID_CAPs aren't all Interop capabilities, most of them are available for every app, and the ones you posted are, afaik, normal ones that don't need an Interop Unlock.
GoodDayToDie is right. His answer is very detailed.
You may replace a xap with a homebrew one in theory, but the phone will never launch a store app without MS signature. Every single dll is signed by MS, and the phone will check it.
Few questions and opinions:
The signature is used only for allowing the app to be installed on the device, right?
Is the signature, after being added to the app, constant for the whole time or is it changing from time to time?
If the signature is used only for allowing an app to be installed, can we somehow make a virtual MS Server (using Fiddler for example), which can clone the real one and give us offline signing of the apps when installing them?
Can a signature be pulled off from an original installed app and then be put into another one?
cevi said:
Few questions and opinions:
The signature is used only for allowing the app to be installed on the device, right?
Is the signature, after being added to the app, constant for the whole time or is it changing from time to time?
If the signature is used only for allowing an app to be installed, can we somehow make a virtual MS Server (using Fiddler for example), which can clone the real one and give us offline signing of the apps when installing them?
Can a signature be pulled off from an original installed app and then be put into another one?
The signature is checked when running the application, every PE image on the device should have a valid digital signature.
You don't seem to understand how it works, the signature is any kind of hash, let's say, SHA256, of the entire file. This signature is encrypted with the signee private key. If you change one single bit of the file, the hash will change, and so the signature will be invalid.
There are few ways to exploit this kind of security, like generating a hash collision or breaking the private key, both would take millions of years.
I really don't understand the whole process, I was just giving some noob suggestions.
It's strange for me that after the app is installed it doesn't require an active network to start. So I am wondering if it could be possible to trick the app to start somehow?
While suggestions are always welcome, you really should read up on digital signatures and how they work. @greenboxal's explanation seems like it might have gone over your head a bit... The fact that you didn't understand about ID_CAP_* also means you've probably never looked at WP development, or even looked at the manifest of a WP app, either; you may want to do some of that. Until you do so, it would be only by the sheerest crazy luck that you managed to hit on a solution, because you don't even know what you're actually trying to accomplish!
For example, it's pretty obvious why there's no need for a network connection to start an app, once it's installed. There's a license on WP apps, which is checked when the app is installed (requires Internet access) and is then valid for some time (never checked how long exactly, probably years though). The signatures are different. When the app is installed, the signing certificate (which contains the public key, but not the private key, of the keypair used to sign the app) is extracted from the app and checked to see whether it is trusted by Microsoft (the phone has Microsoft's certificates embedded in the OS; it doesn't need a network connection for this). When you try to launch the app, it checks to see whether the signatures on each binary (which are, as greenboxal mentioned, created by taking the cryptographically secure hash of the binary and then applying something like encryption to it using the private key) are valid (it applies the public key to the signature to get the signing hash back, and checks whether that hash still matches). We (developers) can't fake store signatures ourselves, because we don't have Microsoft's private keys. Therefore the phone wouldn't trust our signatures (make sure you read up on the concept of a "chain of trust" and the concepts of public key cryptography and public key infrastructure in general too) and would refuse to load the binaries. The process of verifying signatures is just a bunch of math once you've already got the public keys, and those are, as I said, extracted from the app at install (for individual apps) and stored in WP8 itself (for the Store-wide signing key); no need to access the network.
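The install-time and launch-time checks described in the posts above, as an added example that is not part of the original thread and not Microsoft's code: a simplified model using textbook RSA over SHA-256, toy keys built from Mersenne primes, and hypothetical names (`install_check`, `launch_check`, the sample binaries). It also runs the cases asked about earlier in the thread: a modified binary, a signature moved onto another binary, and an app signed with a key the device does not trust.

```python
import hashlib

E = 65537  # RSA public exponent

def make_keypair(p_bits, q_bits):
    """Toy RSA key from two Mersenne primes 2**k - 1 (illustration only, not secure)."""
    p, q = 2**p_bits - 1, 2**q_bits - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    # Hash the data, then apply the private key (textbook RSA, no padding).
    return pow(digest(data), priv["d"], priv["n"])

def verify(pub, data, sig):
    # Apply the public key to get the signed hash back and compare it.
    return pow(sig, pub["e"], pub["n"]) == digest(data)

def cert_bytes(name, pub):
    return f"{name}|{pub['n']:x}|{pub['e']}".encode()

def issue_cert(issuer_priv, name, pub):
    # A "certificate" here is just a name and public key signed by the issuer.
    return {"name": name, "pub": pub, "sig": sign(issuer_priv, cert_bytes(name, pub))}

def build_app(cert, signer_priv, binaries):
    signed = {name: (data, sign(signer_priv, data)) for name, data in binaries.items()}
    return {"cert": cert, "binaries": signed}

def install_check(trusted_root_pub, app):
    # Install time: is the app's signing certificate vouched for by the root
    # key embedded in the OS? No network access is needed for this.
    cert = app["cert"]
    return verify(trusted_root_pub, cert_bytes(cert["name"], cert["pub"]), cert["sig"])

def launch_check(app):
    # Launch time: every binary must still match its signature.
    pub = app["cert"]["pub"]
    return all(verify(pub, data, sig) for data, sig in app["binaries"].values())

# Constructed keys: the root stands in for the key baked into the device.
ROOT_PUB, ROOT_PRIV = make_keypair(1279, 2203)
SIGNER_PUB, SIGNER_PRIV = make_keypair(521, 607)
ROGUE_PUB, ROGUE_PRIV = make_keypair(127, 521)  # not known to the device

# Constructed sample "binaries".
BINARIES = {"App.dll": b"MZ genuine code", "Lib.dll": b"MZ helper code"}

def genuine_app():
    cert = issue_cert(ROOT_PRIV, "store-signer", SIGNER_PUB)
    return build_app(cert, SIGNER_PRIV, BINARIES)

def tampered_app():
    app = genuine_app()
    data, sig = app["binaries"]["App.dll"]
    app["binaries"]["App.dll"] = (bytes([data[0] ^ 0x01]) + data[1:], sig)  # flip one bit
    return app

def transplanted_app():
    app = genuine_app()
    _, sig = app["binaries"]["App.dll"]
    app["binaries"]["App.dll"] = (b"MZ homebrew code", sig)  # reuse a genuine signature
    return app

def self_signed_app():
    cert = issue_cert(ROGUE_PRIV, "store-signer", ROGUE_PUB)  # rogue key signs itself
    return build_app(cert, ROGUE_PRIV, {"App.dll": b"MZ homebrew code"})

def evaluate(app):
    installed = install_check(ROOT_PUB, app)
    return installed, installed and launch_check(app)

if __name__ == "__main__":
    for make in (genuine_app, tampered_app, transplanted_app, self_signed_app):
        print(f"{make.__name__:18} (installs, launches) = {evaluate(make())}")
```

The self-signed app is internally consistent (its binaries verify against its own certificate), so the rejection comes entirely from the certificate not chaining to the embedded root. Real code signing uses X.509 certificates and a padded signature scheme rather than the bare RSA shown here.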
Thanks guys for clearing this up for me. I know that it's not that simple as I say. Anyway, just keep up the good work. We the Noobs depend on you.
If you are not those who you really are I personally know that I will never buy a Windows Phone again. You are the reason for MS's profit.
Sorry again for jumping in into this "battle".
This thread is becoming way out of hand, question is asked and answered: adding an app via proxy which may interop-unlock other WP is not possible. Locking thread now.
PS : yay, ten posts.
Even after 5 days of trying I didn't manage to spoof an Android app. My configuration is: Lenovo Vibe P1 (P1a42_288_160721_ROW) + ROOT + TWRP + XPOSED. The thing is that the Android app somehow tracks me and I get banned immediately. The Terms & Conditions state that this app tracks: device and device identification number, device IMEI, country, IP address, browser type and version, operating system, Internet service providers, advertising identifier of your device, visitor identifier. I tried the following modules but with no success: Device ID Masker, Android Device Info Viever & Changer, Hijack Suite, Phone ID Changer, Serial Number Changer, ID Changer Exposed, Exchange User Agent Faker. Donkey Gunard didn't work on my Lenovo nor on Xiaomi because of Force Close.
As for me, the best is Device ID Masker because it changes almost everything (I have a PRO edition) and it was updated a few months ago. But even using this nice module wasn't enough to solve my problem. The app somehow tracks me and I get banned every time I try to sign up.
every time I use a new phone number which is 100% unused in that app
every time I change my IP
every time I change Google Advertisement ID manually and all available values in Device ID Masker
every time I clean Data and Cache and after that I restart my phone
every time I spoof all values for all available apps, even system
The only thing I'm not able to change is Android Version/Release, because I get a bootloop if I try to do that. I discovered that the app doesn't work properly without Google Services, so I guess that it tracks me somehow through Google Services.
Do you have any advice or hints on what I should do in order to make the app unable to track me?
Thank you in advance!
Phones and other electronics have many IDs, some websites and apps have more advanced user tracking. They can use a combination of information from hardware, behavior, networking information and the smallest of details to make each user a one in a billion or as unique enough to flag and track. This information can be used against the users, sold, and carry other privacy concerns. Your best bet is to make your information as generic as possible and to change as many IDs as possible. Trial and error, it's not easy beating big budget company stalkers.
More about ids
Is it possible to block a phone from my app? Do phones have some ID that can be accessed?
Hello I ask this question because I have an app where people will have to post very serious stuff and if a user posts something that is not right, then I want to ban that person forever but how can I
stackoverflow.com
@Tausif882 are you referring to zomato app?
Tausif882 said:
Even after 5 days of trying I didn't manage to spoof an Android app. My configuration is: Lenovo Vibe P1 (P1a42_288_160721_ROW) + ROOT + TWRP + XPOSED. The thing is that the Android app somehow tracks me and I get banned immediately. The Terms & Conditions state that this app tracks: device and device identification number, device IMEI, country, IP address, browser type and version, operating system, Internet service providers, advertising identifier of your device, visitor identifier. I tried the following modules but with no success: Device ID Masker, Android Device Info Viever & Changer, Hijack Suite, Phone ID Changer, Serial Number Changer, ID Changer Exposed, Exchange User Agent Faker. Donkey Gunard didn't work on my Lenovo nor on Xiaomi because of Force Close.
As for me, the best is Device ID Masker because it changes almost everything (I have a PRO edition) and it was updated a few months ago. But even using this nice module wasn't enough to solve my problem. The app somehow tracks me and I get banned every time I try to sign up.
every time I use a new phone number which is 100% unused in that app
every time I change my IP
every time I change Google Advertisement ID manually and all available values in Device ID Masker
every time I clean Data and Cache and after that I restart my phone
every time I spoof all values for all available apps, even system
The only thing I'm not able to change is Android Version/Release, because I get a bootloop if I try to do that. I discovered that the app doesn't work properly without Google Services, so I guess that it tracks me somehow through Google Services.
Do you have any advice or hints on what I should do in order to make the app unable to track me?
Thank you in advance!
Did you find the solution or not?