Hi Everyone,
So Sony PSN joins the ranks of Gizmodo, Play.com, Facebook, Sky, Apple, AOL [there are many more] as leakers of our information.
What are peoples thoughts on this?
It seems that more often than not our passwords and details are not safe with companies anymore, but how can we protect against this?
Although it is best practice to use different passwords for every site and to use secure passwords (i.e. a mix of numbers and letters), surely this is not practical since our heads are only capable of remembering so much. I also try to avoid trying out multiple passwords when logins fail; after all, what happens if that is logged!
What solutions exist to combat this issue? Are there any alternatives?
I think it is safe to say that if at least one of your passwords has not been leaked by now, then it is simply a matter of time. I just don't think passwords are good enough now, we need something better.
Do you mean the latest PSN Network problem? If you're talking about that:
Sony will have to repay people for stolen account info such as credit card info! It's because Sony's security was so weak that this happened!!
Now I agree that passwords are not always the best protection for us. And never use public computers to check email and stuff, since most have keyloggers!
For passwords I use a really strong password using all sorts of symbols, and its meaning is not related to me or my family... Makes it hard for people to guess.
xploz1on said:
Do you mean the latest PSN Network problem? If you're talking about that:
Sony will have to repay people for stolen account info such as credit card info! It's because Sony's security was so weak that this happened!!
Now I agree that passwords are not always the best protection for us. And never use public computers to check email and stuff, since most have keyloggers!
For passwords I use a really strong password using all sorts of symbols, and its meaning is not related to me or my family... Makes it hard for people to guess.
The problem is that no matter how strong the password is, once it is stolen it doesn't matter anymore, unless you have strong passwords for each and every site and a Rain Man brain to recall them all.
I agree about public computers, you can add to that Open Wifi connections and those people who think it is a great idea to keep their wifi unsecured!
I think as people have become aware of password security, they do use better passwords, but they still use them everywhere.
I know some people use apps to store their passwords, but not only is that inconvenient, what happens if your battery is flat?
For such a big problem, there must be some kind of answer.
Sony are a bit of a joke these days. To be fair, it's not definite that CC info was taken as they don't actually know, and to the best of my knowledge nobody has reported actually having been defrauded yet. Credit cards are covered by fraud protection anyway, so it would only be the inconvenience that it causes people rather than a loss of money.
PSN passwords and account info is another matter though. That should all be encrypted and if it's not they have a lot to answer for! Also, why did it take them a week to report this problem to the account holders?
Just read this: http://www.fudzilla.com/games/item/22562-sony-now-saying-there-was-no-leak
Hi! When I read about this Sony issue I was shocked! I mean, if that happens to Sony... I think I'm not buying anything else without a virtual credit card.
Regarding the passwords... I found this article in a blog the other day that recommended using long passwords, with different elements, one common and one specific for every site. For example:
p4ssw0rd_fBk for Facebook, or p4ss_gM41L for Gmail... I think that's an interesting idea!
neival said:
Hi! When I read about this Sony issue I was shocked! I mean, if that happens to Sony... I think I'm not buying anything else without a virtual credit card.
Regarding the passwords... I found this article in a blog the other day that recommended using long passwords, with different elements, one common and one specific for every site. For example:
p4ssw0rd_fBk for Facebook, or p4ss_gM41L for Gmail... I think that's an interesting idea!
yeah I was thinking of something along similar lines.
I guess you have to make it slightly more than a simple combo though or there is still a chance it could be used. It would stop most automated attacks though, which would be far better than using the same password.
A different take on using a combo of random letters/numbers is suggested here: http://www.baekdal.com/tips/password-security-usability. Interesting that "It is 10 times more secure to use 'this is fun' as your password, than 'J4fS<2'" even though you are using common words and you are much more likely to remember it... makes sense I suppose: there are only 128 ASCII chars but far more possible common words, so even three is enough. It goes against most password advice about using mixed case etc., but in fact it is right - although note that WPA2 talks about a pass-phrase rather than a password; you can see why now. Obviously unrelated words would be better, i.e. not using famous quotes etc., and you still have the problem of putting a unique bit in for the site itself which can't be used to access your other accounts if they get your password from somewhere else.
I think if I did use such a system it would be worth keeping note of the codes you've used (somewhere nice and safe of course) or you could end up locking yourself out of a lot of places (or at least keep track of which places you've adopted the system on).
Could also have a system so you can change your passwords periodically but still remember them, i.e. a year code or something, 1st letter of your car reg perhaps.
Another thing you could do to protect your email address (since that is a prime target once your details have been lost, i.e. they now have a password (or variations to try) and a related email account to try it on) is to use email aliases (like Hotmail allows), so that the signed-up email address does not even relate to an actual real account (Hotmail just says the password is incorrect, even if you are using the correct one for the linked account!).
The only other issue is down to security questions and password reminders on sites; a password is useless if they just reset it due to a simple security question. (Does Sony have that info as part of sign up or is it just your email address they use for reminders - I can't remember now.)
After all, if they just need you to supply your D-O-B or mother's maiden name and it was stored on a site which has lost its data, it is not something you can change (unless you lie of course from now on). What info would they use to verify you if you told them you've lost access to your email address? Would that info also have been included in the "lost" data from these companies???
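The keyspace arithmetic behind the "10 times more secure" comparison above, written as an added example (my code, not the poster's or the linked article's). It works the same two passwords through two attacker models: character-level brute force, and a word-level attack that knows the phrase is built from common words. Alphabet and dictionary sizes (2000 common words, the 7776-word Diceware list) are assumptions.

```python
import math
import string

# Added example: two attacker models for the passwords discussed in the thread.
# Alphabet and dictionary sizes are assumptions, not measurements.

def char_level_bits(password: str) -> float:
    """Attacker model 1: character-by-character brute force.
    The alphabet is the union of the character classes actually present."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 ASCII symbols
    if " " in password:
        alphabet += 1
    return len(password) * math.log2(alphabet)


def word_level_bits(passphrase: str, dictionary_size: int) -> float:
    """Attacker model 2: the attacker knows the passphrase is N whole words
    drawn from a list of `dictionary_size` words and guesses word by word."""
    n_words = len(passphrase.split())
    return n_words * math.log2(dictionary_size)


def times_stronger(bits_a: float, bits_b: float) -> float:
    """How many times larger A's search space is than B's."""
    return 2 ** (bits_a - bits_b)


def compare(passphrase: str = "this is fun", random_pw: str = "J4fS<2",
            common_words: int = 2000, diceware_words: int = 7776) -> dict:
    """Bits of search space for both passwords under both models, plus how
    many times stronger the passphrase is under each model."""
    random_bits = char_level_bits(random_pw)
    phrase_char_bits = char_level_bits(passphrase)
    phrase_common_bits = word_level_bits(passphrase, common_words)
    phrase_diceware_bits = word_level_bits(passphrase, diceware_words)
    # Four unrelated Diceware words: what "more unrelated words" buys you.
    four_word_bits = word_level_bits("a b c d", diceware_words)
    return {
        "random_bits": random_bits,                    # ~39.3
        "phrase_char_bits": phrase_char_bits,          # ~52.3
        "phrase_common_bits": phrase_common_bits,      # ~32.9
        "phrase_diceware_bits": phrase_diceware_bits,  # ~38.8
        "four_word_diceware_bits": four_word_bits,     # ~51.7
        # Against a char-level attacker the phrase wins by thousands of times;
        # against a word-level attacker with a small list it loses (ratio < 1).
        "char_model_ratio": times_stronger(phrase_char_bits, random_bits),
        "common_model_ratio": times_stronger(phrase_common_bits, random_bits),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:25s} {value:10.2f}")
```

The lesson matches the "unrelated words" caveat: the passphrase only keeps its margin when the attacker cannot shrink it to a short list of common words, which is what unrelated words from a large list, or a fourth word, restore.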
New to the Android platform. It's surprising how 'connected' they are. Apologies if this is the wrong forum. I'll be happy to post elsewhere or see this post moved.
I have an Epic 4G Touch.
I've been pondering the security and privacy aspect of these Android phones, and it seems to me that precautions are prudent, but I’m not exactly sure what precautions are necessary and how to put them into practice. I’m really not even sure what questions to ask. I’m very computer literate, so I guess that gives me a head start of sorts.
I guess complete privacy, information safety and anonymity is impossible, but I hope there is some sort of method that will allow as much as is available.
The questions below are examples of some of the questions I have.
Is there some sort of primer that covers these and other details that should be known?
Questions that occur:
1. What is the most secure way to purchase apps? How do the ‘savvy’ users handle this? And should they be purchased online or via the phone? What method of payment are most comfortable with?
2. Is it a bad idea to access other online accounts from the phone, or is it better to establish some sort of new account with a ‘credit limit’ or a low limit credit card?
3. I’m using a few of my ‘anonymous’ Gmail accounts on the phone. I’m not sure how much privacy this provides, given that the phone is in my name?
4. Are there practices that should be avoided (i.e., emailing my 'non-mobile’ accounts)?
5. After getting up to speed, I’ll likely be rooting. Any extra security precautions required? I guess an app like LBE Privacy Guard is warranted?
I suppose a good primer will cover much more. Thanks for any help.
Sam
I can't really help with the purchasing of apps questions, as I don't invest much money into apps, but I would definitely recommend LBE. It helps get your app permissions under control.
Sam Sung said:
New to the Android platform. It's surprising how 'connected' they are. Apologies if this is the wrong forum. I'll be happy to post elsewhere or see this post moved.
I have an Epic 4G Touch.
I've been pondering the security and privacy aspect of these Android phones, and it seems to me that precautions are prudent, but I’m not exactly sure what precautions are necessary and how to put them into practice. I’m really not even sure what questions to ask. I’m very computer literate, so I guess that gives me a head start of sorts.
I guess complete privacy, information safety and anonymity is impossible, but I hope there is some sort of method that will allow as much as is available.
The questions below are examples of some of the questions I have.
Is there some sort of primer that covers these and other details that should be known?
Questions that occur:
1. What is the most secure way to purchase apps? How do the ‘savvy’ users handle this? And should they be purchased online or via the phone? What method of payment are most comfortable with?
I do it via phone and bill to my phone bill.
2. Is it a bad idea to access other online accounts from the phone, or is it better to establish some sort of new account with a ‘credit limit’ or a low limit credit card?
I check my info with the banks application.
3. I’m using a few of my ‘anonymous’ Gmail accounts on the phone. I’m not sure how much privacy this provides, given that the phone is in my name?
Probably not much.
4. Are there practices that should be avoided (i.e., emailing my 'non-mobile’ accounts)?
I can't think of any; it shouldn't make a difference.
5. After getting up to speed, I’ll likely be rooting. Any extra security precautions required? I guess an app like LBE Privacy Guard is warranted?
Only security precaution I suggest is read perms. Lol
I suppose a good primer will cover much more. Thanks for any help.
Sent from my PC36100 using xda premium
First you need to decide how private you want to be.
Hiding your activity from Sprint for example would be fairly difficult. The ET4G is set up to route all internet traffic through Sprint's proxies; you can change this (search the ET4G forums to find out how) but I'm certain that Sprint could still monitor your activity if they wanted to, unless you set up some kind of VPN, which I don't even know if we can do on our phones.
Next up would be Google; they make money by gathering information about you... so yeah, if you want to hide from them you're a tad limited since this is Android. I guess you could just not associate a Gmail account with the phone, but then what's the point of running Android?
Personally I'm not insanely worried about the above two entities. What concerns me is the tons of random apps people load onto phones that have every permission granted you could think of. This is where LBE Privacy Guard comes into play and should be used regardless of rooting. The safest place to get apps is the official Market; downloading cracked apps opens you up to who knows what.
Anyway, that's my spiel.
Sam Sung said:
New to the Android platform. It's surprising how 'connected' they are. Apologies if this is the wrong forum. I'll be happy to post elsewhere or see this post moved.
I have an Epic 4G Touch.
I've been pondering the security and privacy aspect of these Android phones, and it seems to me that precautions are prudent, but I’m not exactly sure what precautions are necessary and how to put them into practice. I’m really not even sure what questions to ask. I’m very computer literate, so I guess that gives me a head start of sorts.
I guess complete privacy, information safety and anonymity is impossible, but I hope there is some sort of method that will allow as much as is available.
The questions below are examples of some of the questions I have.
Is there some sort of primer that covers these and other details that should be known?
Questions that occur:
1. What is the most secure way to purchase apps? How do the ‘savvy’ users handle this? And should they be purchased online or via the phone? What method of payment are most comfortable with?
2. Is it a bad idea to access other online accounts from the phone, or is it better to establish some sort of new account with a ‘credit limit’ or a low limit credit card?
3. I’m using a few of my ‘anonymous’ Gmail accounts on the phone. I’m not sure how much privacy this provides, given that the phone is in my name?
4. Are there practices that should be avoided (i.e., emailing my 'non-mobile’ accounts)?
5. After getting up to speed, I’ll likely be rooting. Any extra security precautions required? I guess an app like LBE Privacy Guard is warranted?
I suppose a good primer will cover much more. Thanks for any help.
Sam
Thread moved to Q&A due to it being a question. Would advise you to read forum rules and post in correct section.
Failure to comply with forum rules will result in an infraction and/or ban depending on severity of rule break.
Thanks to all for your comments.
R1ptide said:
First you need to decide how private you want to be.
Hiding your activity from Sprint for example would be fairly difficult. The ET4G is set up to route all internet traffic through Sprint's proxies; you can change this (search the ET4G forums to find out how) but I'm certain that Sprint could still monitor your activity if they wanted to, unless you set up some kind of VPN, which I don't even know if we can do on our phones.
Next up would be Google; they make money by gathering information about you... so yeah, if you want to hide from them you're a tad limited since this is Android. I guess you could just not associate a Gmail account with the phone, but then what's the point of running Android?
I agree. Although I've always been very 'privacy centered', I've come to accept the reality that there is a compromise required here. It never occurred to me that I should worry about Sprint. The 'Big Picture' where Google is concerned is somewhat disturbing, but I suppose the (unacceptable) alternative is to throw away my android and limit all of my online activity.
At this point, I can safely say that I won't be tossing my Android unless I become a fugitive from justice.
However, I'm only willing to give up what I have to. The problem is, at my current level of experience, I'm not quite sure what that is. And that is the question I should have included in my OP:
If I want to protect my privacy, data, accounts, and all else to the greatest degree possible without giving up my Android (and still retaining the lion's share of functionality and features), how would I best accomplish that?
I do understand that common sense plays a large role here, and I'm not looking to override that, but whatever practices, software, some kind of anonymous payment methods or whatever else that can provide the greatest degree of protection, privacy and anonymity without shelving all functionality is what I'm after.
Personally I'm not insanely worried about the above two entities. What concerns me is the tons of random apps people load onto phones that have every permission granted you could think of. This is where LBE Privacy Guard comes into play and should be used regardless of rooting. The safest place to get apps is the official Market; downloading cracked apps opens you up to who knows what.
Anyway, that's my spiel.
I appreciate your well thought out response. As far as cracked apps, I apply the same caution here as I do to my computers. No questionable software or sites. No 'off the beaten path' practices unless thoroughly researched.
Where LBE is concerned...the Market description (and a thread I read in these forums) states that Root is required. Is that not correct?
Again, thanks for your (and any other) responses.
Sam Sung said:
Where LBE is concerned...the Market description (and a thread I read in these forums) states that Root is required. Is that not correct?
That is correct, and if you're getting at what I think you are, then yes, some people have a problem with this. It's hard accepting that LBE protects you from bad apps, while LBE itself has full access to every inch of your phone. That being said, I don't believe anyone has come up with any solid evidence that the app itself is harmful; people, however, can still be skeptics.
Without it, when you come across an app with a questionable permission, your only option is to not use the app. Every other permission blocker I've come across does so forcefully, which leaves the apps useless (force closes, etc.). LBE, on the other hand, maintains the usability of the apps while still denying them those permissions. In my opinion, it's a wonderfully helpful app. Your decision to use it may be different though, depending on your paranoia.
upichie said:
That is correct, and if you're getting at what I think you are...
In my opinion, it's a wonderfully helpful app. Your decision to use it may be different though, depending on your paranoia.
Well, actually, my question was based on the reality that I would be running it now if my phone was rooted (and the supposition that it will be pointless to install to an unrooted phone). I will be rooting this phone (Epic 4G Touch) eventually. The only reasons I haven't are:
1) This is my first Android phone and therefore I have no experience with rooting (still reading different rooting threads). I tend to research before I leap into something new.
2) I just don't have the time right now to troubleshoot if something goes wrong. And this phone is so incredible, I'd rather not be without it for any extended length of time (I use it as an 'appliance' rather than a phone...I have other phones for such menial tasks)
But I'm definitely convinced of the virtues of rooting, largely due to the app functionality. I also want to be prepared for the caveats. I'm not sure what they may be right now, but there must be some security risks.
Thanks!
Apps can be purchased via PC web browser at AppStoreHQ.
Gapps are optional. After rooting you could remove them or just those you don't need. Market is a tough one to live without, IMO.
If you don't plan to use your device for email then create a new email account specifically for the phone. Don't give it out. This will allow you to use the Market, etc.
Install Shark for Root + SharkReader to look at network traffic, or do it via router. Use hosts file to block google analytics etc. Routinely wipe the cache.
If you root install busybox and a terminal emulator and you can control the apps and system yourself. Everything LBE does you can do manually. Compile/install a kernel with tun.ko module and connect to a VPN. Or change DNS if you want. It's Linux, always keep that in mind.
My BIGGEST problem with Android is the lack of timely updates which include security patches. For this reason these devices are a security nightmare. Turn off WiFi, data, GPS, Bluetooth when not using them. Disable install from unknown sources and debugging when not in use. Follow blogs that report on security issues and understand where you're vulnerable.
I'm security conscious as well and don't purchase or do banking with my phone. Sure it's convenient, but it can wait until I get home. If someone is sniffing my traffic or should my phone be stolen, I'm not scurrying to cancel credit cards and change passwords. This gives me the peace of mind I need to enjoy my smartphone. It also limits it, but I'm ok with that.
Turducken said:
Apps can be purchased via PC web browser at AppStoreHQ.
Is there a more anonymous payment method than standard CC?
Gapps are optional. After rooting you could remove them or just those you don't need. Market is a tough one to live without, IMO.
If you don't plan to use your device for email then create a new email account specifically for the phone. Don't give it out. This will allow you to use the Market, etc.
Actually, I have 3 gmail accts on the phone. One for market, one for clients, one for logins.
Install Shark for Root + SharkReader to look at network traffic, or do it via router. Use hosts file to block google analytics etc. Routinely wipe the cache.
If you root install busybox and a terminal emulator and you can control the apps and system yourself. Everything LBE does you can do manually. Compile/install a kernel with tun.ko module and connect to a VPN. Or change DNS if you want. It's Linux, always keep that in mind.
My BIGGEST problem with Android is the lack of timely updates which include security patches. For this reason these devices are a security nightmare. Turn off WiFi, data, GPS, Bluetooth when not using them. Disable install from unknown sources and debugging when not in use. Follow blogs that report on security issues and understand where you're vulnerable.
I'm security conscious as well and don't purchase or do banking with my phone. Sure it's convenient, but it can wait until I get home. If someone is sniffing my traffic or should my phone be stolen, I'm not scurrying to cancel credit cards and change passwords. This gives me the peace of mind I need to enjoy my smartphone. It also limits it, but I'm ok with that.
Thanks, Turducken. This is really good information. All the more reason I need to get up to speed w/rooting so that I can batten down the hatches. I'm not quite sure how to use some of this info yet, but time and educating myself will remedy that.
One app I just ran across that looks interesting (which I can't use until I root) is Logging Test.
It was originally written for HTC phones, but the paid version will support more devices.
Please consider this thread ongoing. Any information and/or links pertinent to security, data and privacy protection is enthusiastically welcomed!
I've been through the entire security forum. Must say it's still a little raw, but it will mature hopefully. Still a lot of noobs talking and no serious dev talk. I'm not a developer, but I have done some research, especially on encryption systems, and keep myself updated with the loopholes in various apps. Until such time as they do join in, I think it would be a good idea if people (especially the higher-level know-its) would share the list of apps they use for their everyday functioning, and especially how you currently protect yourself best against unwarranted attacks of the types other forums are talking about.
My list is:
K-9 Mail: for email. I use APG with that, though I'm still not convinced it's worth it, because the keys would be easy to 'reverse engineer', as you can easily detect the device you use to send the mail and thus an estimate of the computing power, essentially showing them the narrow range of prime numbers in which the key could have been generated. But you would need to be a dedicated target for that. Plus it's open-source and very popular.
Xprivacy: it's good for apps with too many unnecessary permissions, but it won't protect you against intruder attacks.
Network Connections: just switched over to this from Wireshark. Still undergoing testing, but it tells you the current internet connections and seems promising. You can block the suspicious IPs using an Xposed framework module called peerblock (look into the Xposed mod index). Needless to say, I think blacklisting Google would perhaps make your life considerably old-fashioned, especially if you're plugging the Google 'backdoor' access they provide to 'he-who-shall-not-be-named' organizations.
Browser: I'm using the native AOSP browser. Firefox would be a better alternative in my opinion to Chrome or others. I wish we had Chromium for Android.
Quickpic: using it instead of the native gallery after I found that it was connecting to the internet.
Calendar: using the native AOSP calendar but deleted the calendar sync because I try to avoid relying on Google too much. Selectively denied internet permission.
ES File Manager: a very complete tool. Root explorer with checksum built-in. Denied internet permissions.
TextSecure: using this for standard texting because it seems to offer more encryption than any other texting app at the moment. Plus it's going to be the default messaging app in Cyanogen ROMs in the future. Offers One-Time-Pad system encryption, which is theoretically secure encryption (what that means for the common man is that this encryption is the only one that has stood the test of time to be unbreakable if used properly. All other encryption systems rely on the fact that the decrypting systems used to 'crack' the encryption lag behind the algorithms. Let's hope the devs did implement it properly).
Remove Google from CM10+ ROMs : http://www.xda-developers.com/android/remove-the-google-from-cyanogenmod-with-freecygn/
"Not every user particularly cares for Google’s proprietary bits and its tendency to put them everywhere. As such, XDA Senior Member MaR-V-iN has created a script to clear out Google proprietary binaries from all CM10+ ROMs. Freecyngn disassembles the CyanogenMod settings app and replaces Google Analytics library with the free NoAnalytics. The whole process doesn’t break the Settings app, and turns your device into one that is Google-free"
Thanks to @SecUpwN for the site: www.prism-break.org As you will see by visiting this site, it's not secure, but just a list of more open-source projects.
I don't use a lot of Google products like Gmail or Chrome or Maps, but I would like to minus the uneasiness that I have using them. And I don't use public wifi at all. The great things in life are hardly ever free!
Needless to say, I use CM 10.1 since it's well developed and open-source. Looking forward to OmniROM by Chainfire and other great devs. I do believe we need some serious steganographic programs for Android because encryption alone is not the way to go. Maybe they will take this more seriously. This remains a work in progress. As always, hit thanks if it helps.
CM is now for profit. It's CyanogenMOD Inc. Anyway, this is a pretty naive approach, IMHO. You want to keep something secret you can't tell technology about it. Check out "Schneier on Security."
where did you download "network connections" from?
@aejazhaq: See www.prism-break.org!
runwithme said:
where did you download "network connections" from?
I downloaded it when the dev was giving the pro version free for a limited time to XDA members. However, it's available on the Play Store: https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en
SecUpwN said:
@aejazhaq: See www.prism-break.org!
Yes, I came across that just a week ago. It seems to me, as my knowledge progresses, that the apps available are just to keep selective data, e.g. your mails, private if you use APG with that. @pan.droid I think anything on your device is still as vulnerable as can be, honestly, and I don't think, at least as of now, that you can protect your data on your device with any satisfactory means, at least not yet. I'm interested in steganographic means more now than ever because I think encryption alone won't cut it, especially with keys generated on the phone; the prime numbers needed for foreseeable-future (3+ yrs) protection are elusive on the phone. Perhaps the PC can do a better job, but again with its fallacies, especially with emails being stored in the cloud permanently, which means that there's an expiration date on such material you choose to share. And given it lacks forward secrecy, anyone using PGP in emails is definitely shouting that encrypted msgs are being transmitted, perhaps arousing more suspicion and the subsequent package.
Thus I do agree the list is currently very naive, but perhaps the best we can do at the moment. That's why I'll leave people to share their opinions on this, because this is perhaps an ongoing discussion.
I'm really interested in a contacts replacement. I hate the new style google version but I don't trust ANYTHING free from the app store. They all download your contacts!
You didn't mention AFWall+, the iptables firewall I consider instrumental in blocking most phone home attempts.
SecUpwN said:
@aejazhaq: See www.prism-break.org!
Actually, pretty great site!
pan.droid said:
Actually, pretty great site!
You're welcome. If you're interested in security projects, have a look!
I'd totally jump on board with that, but all I have is a WI-FI tablet, ATM. Great activist project for anyone serious about security.
pan.droid said:
I'd totally jump on board with that, but all I have is a WI-FI tablet, ATM. Great activist project for anyone serious about security.
Sadly, our project is missing real security enthusiasts and DEVELOPERS. Do you know anyone I should get in touch with?
I use "Keepass2Android Offline" to manage my passwords. This "offline" version removes Internet access permissions which I consider essential for security of my database.
I'm thinking of buying Password Safe from the Play Store. But I want to make sure it's secure since I'll be entering my financial info in it. Is it worth getting?
By the looks of the permissions the app needs, it does not pose a big threat.
WRITE_EXTERNAL_STORAGE: For database storage.
BILLING: For In-App-Purchase of PasswordSafe Pro.
KILL_BACKGROUND_PROCESSES: It's needed to kill the app after restoring the database in order to apply the security patch from Google correctly.
SYSTEM_ALERT_WINDOW: This is needed to show floating window.
Thanks for the heads up.
I don't trust password apps...
Keepass Droid is great, and multi platforms
... and it's opensource...
Sent from my ME173X using xda app-developers app
Agree with Keepass being the top choice. It's one of those must have apps for me, and it's free and open source. Store more than 50+ accounts on it, and haven't had a single problem so far.
Usually the app itself seems to be safe enough. But I'm much more worried about whether the database of such an app may be stolen or accidentally leaked.
I got used to password keepers on PC because I understand (more or less) what is possible and what is not in a PC OS. But I can't imagine the Android OS internal mechanisms of encrypting, sharing etc., so I can't even think where the threat may come from... But, for example, I'm always scared when Google suggests I synchronize passwords with my account, because I'm not sure that one day my account won't be hacked (perhaps just for someone's fun).
The experience of Android experts is highly appreciated here to understand how to protect your passwords being kept in one basket: what to worry about and what is not a reason for panic.
Well, KeePass offers a way to include a 'passfile', meaning the actual place where your passwords are stored won't open without the corresponding passfile.
Single point of failure
Perhaps the biggest problem with password keeper apps is that, if someone discovers your master password, it compromises all your accounts, even accounts that might have been unknown previously to an attacker.
Many websites now have two-factor authentication, which provides an additional layer of security, but some additional inconvenience.
KeeDroid does have the advantage that it is open source, so that it can be independently audited.
---------- Post added at 09:22 PM ---------- Previous post was at 09:12 PM ----------
BTW, Lifehacker has a number of articles on password security, reviews of password keepers and useful links, like how to enable two-factor authentication.
I always try to opt for open source software where I can, especially when it comes to security. You get more of a trust factor that there won't be anything malicious in their software. Even with all the NSA hype, they still contributed to SELinux back in the day, which is open source and trusted. I think most anti-virus products are just closed source because they rely on that income to support the manpower and resources to keep track of all the latest threats. I know there's ClamAV, but it just sadly can't compete with Kaspersky or the like.
KeePass is my favorite password software anyway.
Tenterhook said:
Perhaps the biggest problem with password keeper apps is that, if someone discovers your master password, it compromises all your accounts, even accounts that might have been unknown previously to an attacker.
Yep, I'm at home here! I've been making that argument for years. For example, the desktop version of KeePass stores all the passwords in a nice little .kdbx file. If someone were to get infected with a thing that looks for that file extension, and then uploads it back to them... All they'd have to do is run a brute force on it, dictionary attack or the like, and all you could do is pray the password you set as your KeePass master password would hold up. It's an odd thing too. You have KeePass to make managing very complex and long passwords (stuff like zlw'W6b`qhyu"l3,U\b?UvsB!vqS3Qhh ) easier and sane. Yet, I bet most people wouldn't want to type something like that for their KeePass master password each and every time they want to access their other passwords. BUT if your system is compromised to that extent, you have bigger problems anyway!
Online sites like LastPass have been compromised too at certain points in the past, so I'd rather just take the chance of having all my passwords on me.
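The two points above (the 'passfile' that KeePass can require alongside the master password, and the worry that a stolen .kdbx file can be attacked offline with a dictionary) can be illustrated together. The following is an added example, written for this thread and not code from KeePass or any of its ports; it follows the KeePass idea of hashing the password and key file separately, hashing the concatenation, and running the result through a slow key-derivation function, but the salt, iteration count, header bytes and the HMAC-based open check are constructed stand-ins rather than the real .kdbx format.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample parameters; a real vault stores its own random salt and
# its own work factor in the file header.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 100_000  # each offline guess on a stolen file must pay this cost


def composite_key(master_password: str, key_file: Optional[bytes]) -> bytes:
    """Combine the master password with an optional key file.

    Each component is hashed on its own and the concatenation is hashed again,
    so a key file contributes its full entropy and cannot be guessed from a
    wordlist the way a human-chosen password can.
    """
    parts = [hashlib.sha256(master_password.encode("utf-8")).digest()]
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def derive_vault_key(master_password: str, key_file: Optional[bytes],
                     salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Stretch the composite key with PBKDF2-HMAC-SHA256 (assumed stand-in
    for the vault's KDF). Raising `iterations` slows every guess an attacker
    makes against a copied database by the same factor."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(master_password, key_file),
                               salt, iterations, dklen=32)


def new_key_file(nbytes: int = 32) -> bytes:
    """Generate a random key file (256 bits by default)."""
    return secrets.token_bytes(nbytes)


def seal_vault(vault_key: bytes, header: bytes) -> dict:
    """Record a check value over the header so a wrong key is detected on open
    (assumed simplification of how a real format authenticates its contents)."""
    return {"header": header,
            "check": hmac.new(vault_key, header, "sha256").digest()}


def open_vault(vault: dict, master_password: str, key_file: Optional[bytes]) -> bool:
    """Return True only if password AND key file together reproduce the key."""
    key = derive_vault_key(master_password, key_file)
    expected = hmac.new(key, vault["header"], "sha256").digest()
    return hmac.compare_digest(expected, vault["check"])


def demo() -> dict:
    """Show which combinations unlock a vault sealed with password + key file."""
    key_file = new_key_file()
    vault = seal_vault(derive_vault_key("correct horse battery", key_file),
                       b"constructed-vault-header")
    return {
        "password_and_keyfile": open_vault(vault, "correct horse battery", key_file),
        "password_only": open_vault(vault, "correct horse battery", None),
        "keyfile_wrong_password": open_vault(vault, "hunter2", key_file),
    }


if __name__ == "__main__":
    print(demo())
```

The practical reading for the thread: a key file kept off the device (or at least outside the folder that holds the database) means a copied .kdbx plus the master password is still not enough to open it, and a high iteration count makes each offline guess against a copied file expensive even when only a password is used.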
Veeshush said:
I always try to opt for open source software where I can, especially when it comes to security. You get more of a trust factor that there won't be anything malicious in their software. Even with all the NSA hype, they still contributed to SELinux back in the day, which is open source and trusted. I think most anti-virus products are just closed source because they rely on that income to support the manpower and resources to keep track of all the latest threats. I know there's ClamAV, but it just sadly can't compete with Kaspersky or the like.
KeePass is my favorite password software anyway.
Yep, I'm at home here! I've been making that argument for years. For example, the desktop version of KeePass stores all the passwords in a nice little .kdbx file. If someone were to get infected with a thing that looks for that file extension, and then uploads it back to them... All they'd have to do is run a brute force on it, dictionary attack or the like, and all you could do is pray the password you set as your KeePass master password would hold up. It's an odd thing too. You have KeePass to make managing very complex and long passwords (stuff like zlw'W6b`qhyu"l3,U\b?UvsB!vqS3Qhh ) easier and sane. Yet, I bet most people wouldn't want to type something like that for their KeePass master password each and every time they want to access their other passwords. BUT if your system is compromised to that extent, you have bigger problems anyway!
Online sites like LastPass have been compromised too at certain points in the past, so I'd rather just take the chance of having all my passwords on me.
I agree with you.
tyler0707 said:
I agree with you.
Thanks. It's kind of a relief to come across other security interested people, though I'm only just a security hobbyist at best. Some sites I've been on the user base barely keep up with the security related updates.
One cannot maintain software security as long as their hardware security can be violated. There are ways to encode your data, but in the right hands there's always a way to decode it.
Before I begin, I'm not here to flame the devs, as I would love this app if these issues weren't present, and I do hope this problem is resolved as a result of bringing it to the attention of the community and hopefully this app's devs.
This application has serious vulnerabilities, some of which should be quite easily patched yet have not been for months to a year or so of them having been made public by a reputable security researcher working for Zimperium.
Login information via the browser is not utilizing a secure form of encryption for either web.airdroid.com or when accessing via local IP, despite their SSL cert being valid for *.airdroid.com. The key for the DES encryption being used to hash the password and e-mail being hardcoded into the application, despite there being a POC for an attack on their users, is inexcusable and shows a blatant disregard for their application's level of access as well as their users' safety and security.
My finding (as a security noob) has also deeply disturbed me, following no response to bug reports or email contact. While attempting to check out their Windows desktop client, my antivirus discovered the installer attempting to download a variant of adware which monitors the user's activities and provides monetary incentives to developers who include it within their programs and applications. I do understand that if something is free, the product is you. However, I am a paying customer of this service, as I'm sure many who use xda would be, in an effort to support development of software and applications we enjoy. This adware was run through and confirmed with VirusTotal and certainly is not a false positive. This desktop client also does not use SSL for communication.
Due to discovering these problems, I immediately discontinued use (the same day I renewed my yearly subscription). However, I was unable to remove the application from my phone without a full factory reset, even after both application updates and upgrading Android versions. With it set as a device administrator, its access must first be revoked before uninstalling. However, across multiple devices and versions of Android, attempting to remove it from device administrators causes a crash of the Android Settings app.
I had planned to do a POC for what I feel is an extremely likely scenario based off both public vulnerabilities as well as what I had discovered myself, but I have been far too busy with a few other projects as well as work to complete it yet. I had just stumbled across this section of the xda forums while looking for something else and hoped to get a response from the devs of this app.
I would love to be able to utilize an app with this functionality. However, there needs to be far more focus on security in its design before I would ever feel comfortable utilizing it again.
In theory, it would be entirely possible for an unstable, technically inclined person at a local coffee shop (or other public location with an unsecured wireless network) to hijack a user's login information with minimal skill level required, then giving them full, unadulterated access to the application's functions such as forcing GPS or camera on to track or watch someone without their consent, as the connections don't even require the user to accept the incoming connection on their phone to perform these actions. That is not a farfetched scenario and presents a possible threat to someone's physical safety.
Link to said researcher's findings can be found on his blog by searching Zimperium airdroid multiple vulnerabilities as I just created this account for this post and can not yet post outside links.
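The design flaw the post describes, credentials "hashed" by encrypting them with a key that ships inside the application, can be contrasted with the defensive alternative: a one-way, salted, slow verifier that the server stores, with the credentials themselves sent only over TLS. The following is an added example written for this thread, not code from AirDroid or from the researcher's report; the reversible "fixed-key" routine is a stand-in built from a SHA-256 keystream (the post names DES, which the standard library does not provide), and the embedded key, e-mail address and password are constructed placeholders.

```python
import hashlib
import hmac
import os

# --- Weak pattern: reversible transform under a key embedded in the app -----
# Placeholder standing in for a key hardcoded into a binary. Anyone who unpacks
# the app gets the same key, so "encrypted" credentials are recoverable by
# everyone, which is why this is not a hash and offers no protection.
EMBEDDED_KEY = b"placeholder-key-compiled-into-app"


def fixed_key_transform(data: bytes, key: bytes = EMBEDDED_KEY) -> bytes:
    """XOR `data` with a SHA-256 counter-mode keystream derived from `key`.

    Deterministic and self-inverse: applying it twice returns the plaintext.
    Stand-in for the fixed-key block cipher described in the post.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# --- Defensive pattern: one-way, salted, slow verifier -----------------------
def make_verifier(password: str, iterations: int = 200_000) -> dict:
    """Return what a server should store instead of a reversible ciphertext:
    a random per-user salt, the work factor, and a PBKDF2-HMAC-SHA256 output.
    Nothing here lets the stored record be turned back into the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def check_verifier(password: str, verifier: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(candidate, verifier["hash"])


def compare_designs() -> dict:
    """Summarize the difference on a constructed credential."""
    credential = b"user@example.invalid:hunter2"  # constructed sample
    blob = fixed_key_transform(credential)
    verifier = make_verifier("hunter2")
    return {
        # The weak design round-trips: possession of the app's key is enough.
        "fixed_key_reversible": fixed_key_transform(blob) == credential,
        # The verifier accepts the right password and rejects a wrong one...
        "verifier_accepts_correct": check_verifier("hunter2", verifier),
        "verifier_rejects_wrong": not check_verifier("hunter3", verifier),
        # ...and two users with the same password get different records.
        "salt_differs_per_record": make_verifier("hunter2")["hash"] != verifier["hash"],
    }


if __name__ == "__main__":
    print(compare_designs())
```

The verifier only helps the stored-credential side; it does not remove the need the post also raises for TLS on the web and local-IP login paths, since a verifier transmitted in the clear can be replayed just like a password.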
Thanks a lot for all this information. I really appreciate it.
Why hasn't this been addressed yet?
I remember reading this a while ago, realizing that it is a serious issue, and just how little the devs care about security on their app.
This is mainly because most end-users don't dive this deep into an app, and don't fully comprehend the severity of such vulnerabilities until it is too late.
We should make a bigger fuss about these things!
I've always been very careful with RAT-type apps, and so I was when checking out AirDroid. I uninstalled it after 30 minutes of use, just because I didn't like the fact that there's a chance some undesirable person could start spying on me. As I read this thread, I'm realising how right I was that time.