Is it safe to give an app my Gmail password? - G1 General

NM. I answered my own question. The login screen was misleading. Have to stop multitasking when I do these things. @ me.

KOF33 said:
NM. I answered my own question. The login screen was misleading. Have to stop multitasking when I do these things. @ me.
Just for fun, the answer is most definitely *NO*. Not if you have any personal information on your google account since this would allow that app to not only steal all your personal information, it would allow the app author to hijack your account, send your login credentials to china, etc.

lbcoder said:
Just for fun, the answer is most definitely *NO*. Not if you have any personal information on your google account since this would allow that app to not only steal all your personal information, it would allow the app author to hijack your account, send your login credentials to china, etc.
So can't use GDoc or Greed?

cigar3tte said:
So can't use GDoc or Greed?
I wouldn't...
Unless you know the code and compiled it yourself.
Or if you definitely don't have any sensitive info on your account.
There's no telling what they'll do with it.
Do you know the author? Have you met them? Do you even know what country they're in?

If you have a rooted device then I'd watch out for any apps you install. I've read about malware that uploads your browser.db and other data, and we all know that Google didn't implement encryption into password storage.
I'm developing a shell app to do this over adb or on the phone console. I have implemented:
Browser database
Contact database
Ebuddy password

you could always use a password you just made up out of the blue. the app won't be able to recognize whether it's your actual gmail password or not.

tazz9690 said:
you could always use a password you just made up out of the blue. the app won't be able to recognize whether it's your actual gmail password or not.
Well the app that made me ask didn't "require" it. But just recently after that a Gmail/Fbook sync app asks for both passwords.
Without it it won't work. I don't feel comfortable giving my PW to some random app.
Sudox-
Do you mean installing from non-marketplace?
Even rooted marketplace should be ok, no?
I've never looked extensively at the safety precautions Google implemented.

KOF33 said:
Well the app that made me ask didn't "require" it. But just recently after that a Gmail/Fbook sync app asks for both passwords.
Without it it won't work. I don't feel comfortable giving my PW to some random app.
Sudox-
Do you mean installing from non-marketplace?
Even rooted marketplace should be ok, no?
I've never looked extensively at the safety precautions Google implemented.
The only thing that the market gives you is a partial assurance that the publisher's market account can be traced back to them based on the credit card number that was used to sign up. Google does NOT security verify the applications that are posted there. The security is built in to the OS -- and note that the app shows you what kind of data it can access at install time. It is therefore UP TO YOU to ensure that the application doesn't get any information that you would consider "sensitive".
And as for root access... this is a potential danger if you aren't careful about limiting root access from certain applications. The community-root scheme is fairly OK, but any program to which you grant ROOT PERMISSION will have access to *everything*. Be careful about what applications you give root to.

lbcoder said:
The only thing that the market gives you is a partial assurance that the publisher's market account can be traced back to them based on the credit card number that was used to sign up. Google does NOT security verify the applications that are posted there. The security is built in to the OS -- and note that the app shows you what kind of data it can access at install time. It is therefore UP TO YOU to ensure that the application doesn't get any information that you would consider "sensitive".
And as for root access... this is a potential danger if you aren't careful about limiting root access from certain applications. The community-root scheme is fairly OK, but any program to which you grant ROOT PERMISSION will have access to *everything*. Be careful about what applications you give root to.
This is something I have been wondering for a while now. Say you grant an app SU rights, however upon installation that app did not specify "Internet Access", meaning that the permissions for that program do not allow access to the internet (for sending of any information it could possibly gather). Can that app somehow access the internet, or modify its own permissions in packages.xml?

daveid said:
This is something I have been wondering for a while now. Say you grant an app SU rights, however upon installation that app did not specify "Internet Access", meaning that the permissions for that program do not allow access to the internet (for sending of any information it could possibly gather). Can that app somehow access the internet, or modify its own permissions in packages.xml?
Yes, any app with root access *can* change its own permissions; yes, any app with root access can access the internet, even withOUT internet permissions; and yes, an update to the app can come with more permissions than an earlier version.
Note possible attack:
publish an app withOUT internet and/or read contacts permission,
app tries to send sensitive information to china -- permission denied, catch exception, no visible effect to the user. App is granted ROOT access, alters /data/system/packages.xml to add internet and read contacts permissions, and immediately the phone "randomly" reboots; upon reboot, that app has the permissions required to send sensitive information to china.
And yes, the root app is NOT completely secure/trustworthy. There are several vulnerabilities that need to be considered...
1) A *pair* of apps can conspire to break out... i.e., one "trusted" app with root can add a DIFFERENT app to the whitelist. This can include granting blanket root access.
2) The userid of an uninstalled application may remain in the whitelist, allowing it to be replaced by a *different* app that could later use that root access to do all kinds of nasty things.
In general, a better form for the community root database app would be along the following lines:
1) There should be NO WHITELIST.
2) The root permission state should remain in *memory* for a limited period of time (i.e. 1 minute).
3) The root app should request a PASSWORD (to prevent other people from tampering with it) -- store a password hash in the app's home directory,
4) The root app should be *forced* to be a *system* app in order to eliminate possibility of other user uninstalling and reinstalling it to bypass the password.
1 and 2 should be considered essential. 3 and 4 make it bulletproof, but still can't possibly do anything to stop an app given root from running amok.
In fact, note this:
Even WITH a secured root app, all any app needs is a MOMENT with root to do severe nastiness -- like give itself its very own su command that can't be stopped by the root-app...
Note: in order to *really* give decent security, the su command/app should work more like 'sudo' than like 'su'.
I.e., some app runs "sudo somecommand". This invokes the "sudo" app, which says... "XYZ is attempting to run this command as root: ---. Do you want to allow it?" You know, it is a much stronger position to be in if you can see *exactly* what some root-wanting app is trying to run. Also, nice to prevent some app from just going off as root any time it wants to.
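The packages.xml tampering lbcoder describes leaves a trace: the permissions the package manager has recorded for an app differ between one snapshot of /data/system/packages.xml and the next. The script below is an added example (not code from this thread or from any root app) that parses two snapshots and reports which packages gained which permissions, flagging the ones that deserve a second look. Both snapshots, the package names and the app ids in them are constructed for the demo; on a real device pull the file with `adb pull /data/system/packages.xml` (root required) before and after a suspected install.

```python
"""Diff the permissions Android's package manager has recorded for each app
between two snapshots of /data/system/packages.xml.

Added example, not from the original thread. It reads the <perms>/<item
name="..."/> layout used by 2.x/4.x-era packages.xml; the two snapshots
below are constructed for the demo and the package names in them are
made up.
"""
import xml.etree.ElementTree as ET

# Permissions whose sudden appearance is worth a closer look.
SENSITIVE = {
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}

# Constructed snapshot: a wallpaper app that only asked for storage access.
BEFORE = """<packages>
  <package name="com.example.wallpaper" userId="10045">
    <perms>
      <item name="android.permission.WRITE_EXTERNAL_STORAGE" />
    </perms>
  </package>
  <package name="com.example.mail" userId="10046">
    <perms>
      <item name="android.permission.INTERNET" />
      <item name="android.permission.READ_CONTACTS" />
    </perms>
  </package>
</packages>"""

# Constructed snapshot after the "random" reboot: same app, two new perms.
AFTER = """<packages>
  <package name="com.example.wallpaper" userId="10045">
    <perms>
      <item name="android.permission.WRITE_EXTERNAL_STORAGE" />
      <item name="android.permission.INTERNET" />
      <item name="android.permission.READ_CONTACTS" />
    </perms>
  </package>
  <package name="com.example.mail" userId="10046">
    <perms>
      <item name="android.permission.INTERNET" />
      <item name="android.permission.READ_CONTACTS" />
    </perms>
  </package>
</packages>"""


def granted_permissions(xml_text):
    """Map package name -> set of permission names recorded under <perms>."""
    root = ET.fromstring(xml_text)
    result = {}
    for pkg in root.iter("package"):
        name = pkg.get("name")
        if name is None:
            continue
        perms = set()
        for item in pkg.iterfind("./perms/item"):
            perm = item.get("name")
            if perm:
                perms.add(perm)
        result[name] = perms
    return result


def diff_permissions(before_xml, after_xml):
    """Return {package: {"added": set, "removed": set}} for every package
    whose recorded permissions differ between the two snapshots."""
    before = granted_permissions(before_xml)
    after = granted_permissions(after_xml)
    changes = {}
    for name in sorted(set(before) | set(after)):
        old = before.get(name, set())
        new = after.get(name, set())
        if old != new:
            changes[name] = {"added": new - old, "removed": old - new}
    return changes


def sensitive_additions(changes):
    """Narrow a diff down to packages that gained a SENSITIVE permission."""
    return {
        name: change["added"] & SENSITIVE
        for name, change in changes.items()
        if change["added"] & SENSITIVE
    }


if __name__ == "__main__":
    changes = diff_permissions(BEFORE, AFTER)
    for name, change in changes.items():
        print(name, "added:", sorted(change["added"]),
              "removed:", sorted(change["removed"]))
    for name, perms in sensitive_additions(changes).items():
        print("WARNING:", name, "gained", sorted(perms))
```

The comparison is only as good as the baseline, so take the "before" snapshot right after a clean install, while you still trust the device. On Android 6.0 and later the dangerous permissions are granted at runtime and recorded in /data/system/users/<user>/runtime-permissions.xml rather than in the install-time <perms> block, so the same diff has to be run over that file as well.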

Related

4million people downloaded data-stealing Android app

http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Mike Luttrell | Thu 29th Jul 2010, 08:30 am
A seemingly innocuous Android app that let users change their phone's wallpaper has actually been stealing private user information and may have been downloaded millions of times.
Users should be concerned if they downloaded an app from "Jackeey Wallpaper." While it does perform the functions described in the app download page, it also ends up taking the phone's Internet browser history, mobile phone number, every single text message, and voicemail password. That information is then sent to a website based in Shenzhen, China.
http://phandroid.com/2010/07/29/another-app-stealing-data/
[Update]: MyLookout chimed in with us to clarify some details that other outlets have been reporting. Specifically, the app does collect data from your phone, but only the device’s phone number, subscriber identifier, and voicemail number fields are retrieved. SMS and browsing history are not touched by any of the apps they analyzed throughout their Blackhat conference. Your voicemail’s password is also not transmitted unless you included the password in your phone’s voicemail number field.
We’re not yet certain on what the developer’s intentions are for using the pieces of data it does send to China – so we can’t outright call it malicious – but it is collecting and sending data nevertheless. Hopefully that clears up some of the confusion everyone’s been faced with regarding the read-only property READ_PHONE_STATE that the application uses to access certain pieces of data.
So no SMS, browsing history or voice mail password taken.
FOR REAL?!?!
All your data belongs to somebody else
jp_macaroni said:
http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Free isn't free: http://www.androidpolice.com/2010/0...t-all-your-data-are-belong-to…-somebody-else/
Same happened to me with an app posted here for movies,
Flixster for Android
http://www.flixster.com/
I did find out ON TIME that someone was messing with my gmail account, had to change my password immediately.
I received an alert from an IP (from their site) trying to change my password!
You've been warned, happened to me!
It's not like it doesn't show you the stuff when you install apps.. And this "Genome Project" thing is out of context nonsense.... 14% of free apps have access to your contacts. You realize that includes IM programs, SMS programs, Email programs, etc....
If you install a wallpaper app that requests access to your Accounts and Contacts, well....
http://www.cyrket.com/search?q=Jackeey+Wallpaper
I don't see such permissions on the 2-3 I looked through, but maybe specific ones did.
Another thing about this "lookout" app and Genome Project.. Look at the permissions on their app on the market:
Permissions: ACCESS_COARSE_LOCATION , ACCESS_FINE_LOCATION , ACCESS_NETWORK_STATE , CLEAR_APP_CACHE , DISABLE_KEYGUARD , GET_ACCOUNTS , INTERNET , MANAGE_ACCOUNTS , MODIFY_AUDIO_SETTINGS , PERSISTENT_ACTIVITY , READ_CONTACTS , READ_LOGS , READ_OWNER_DATA , READ_PHONE_STATE , READ_SMS , READ_SYNC_SETTINGS , READ_USER_DICTIONARY , RECEIVE_BOOT_COMPLETED , RECEIVE_SMS , VIBRATE , WAKE_LOCK , WRITE_CALENDAR , WRITE_CONTACTS , WRITE_SETTINGS , WRITE_SMS , WRITE_SYNC_SETTINGS , WRITE_USER_DICTIONARY , com.android.browser.permission.READ_HISTORY_BOOKMARKS , com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
What if the 'AV' software itself turns out to be the one stealing data? If anything could, it could.
we get that all apps ask for permission to allow access to our location, contacts, emails etc....but to gather our private info and sell them to China.....that's messed up.
time to sue.
That information is then sent to a website based in Shenzhen, China.
question:
if this app was downloaded and used by US government....would it be considered as a SPY? lol
It's a big deal, but it illustrates very well that android users are in a free-for-all environment without someone looking over their shoulder to protect them.
It's good and bad. Some people will call bad on google for not protecting them, but others will see it for the truth of it and know they have to cover their own ass.
Wouldn't a functional firewall app work for this?
Cutting off apps' access to non-essential portions of data...but also from transmitting data?
Flixster is malicious??
pvillasuso said:
Same happened to me with an app posted here for movies,
Flixster for Android
http://www.flixster.com/
I did find out ON TIME that someone was messing with my gmail account, had to change my password immediately.
I received an alert from an IP (from their site) trying to change my password!
You've been warned, happened to me!
Woaaah now... I have used this app on almost every ROM I flash - downloaded straight from the market each time. I've never had an indication that my information was compromised in any way... Are you 100% sure that Flixster was the culprit? That's a pretty heavy claim for what I think is a very widely used (and recommended) app.
and what about all the gmail notifiers?
More fears:
I will preface this by saying I don't know much about Android security, but to me, it's as secure as any PC.
So: what about gmail notifier apps and apps that ask for access to your gmail account?
Do they have access to your gmail password? Seems like it. So what's to stop malicious gmail notifier developers from stealing your gmail passwords and having their way with your google account, for example, grepping your mailbox for banking information.
Also think about keyboard apps, what's to stop malicious keyboard developers from writing a keyboard which logs all your keystrokes to a zipfile then uploads it to a russian server for analysis of B-A-N-K and P-A-S-S-W-O-R-D and then the next keystrokes which follow that?
It doesn't end there. Picture apps which can steal your pictures. Apps which can record your phone conversations and upload the audio to servers a few hours later so you don't notice that data going on.
bwolmarans said:
More fears:
I will preface this by saying I don't know much about Android security, but to me, it's as secure as any PC.
So: what about gmail notifier apps and apps that ask for access to your gmail account?
Do they have access to your gmail password? Seems like it. So what's to stop malicious gmail notifier developers from stealing your gmail passwords and having their way with your google account, for example, grepping your mailbox for banking information.
Also think about keyboard apps, what's to stop malicious keyboard developers from writing a keyboard which logs all your keystrokes to a zipfile then uploads it to a russian server for analysis of B-A-N-K and P-A-S-S-W-O-R-D and then the next keystrokes which follow that?
It doesn't end there. Picture apps which can steal your pictures. Apps which can record your phone conversations and upload the audio to servers a few hours later so you don't notice that data going on.
The same things are possible for a regular computer as well. You can connect to a site and it could execute a download that then snoops your keystrokes and uploads them somewhere.
The difference (so far) is that on android you have to install an app to do that.
The take-home message is to exercise caution and install apps you can verify where they come from and what they do.
This will happen more and more. Mobile is where people are doing most of their communication and beginning a lot of banking.
Not just Android, all mobile OS.
Like I said, a ZoneAlarm/Little Snitch-like app would be of great use. Even if logging or reading, they still need to communicate out. An easy low mem/bat/CPU usage app that monitors this behaviour would go a long way.
This is becoming a bigger issue and we do need some type of security alert monitor!
http://www.newsfactor.com/story.xhtml?story_id=13100EVAC2WI
"Mobile apps on Android-powered smartphones and Apple's iPhone can disclose more personal data than most users realize, security vendor Lookout revealed Wednesday at the Black Hat USA 2010 conference in Las Vegas. Rather than being malicious, users often give the apps permission to access data when they are installed...."
jp_macaroni said:
http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app
Oops, missed this post prior to posting my thread...
http://forum.xda-developers.com/showthread.php?t=739446
Arcarsenal said:
Woaaah now... I have used this app on almost every ROM I flash - downloaded straight from the market each time. I've never had an indication that my information was compromised in any way... Are you 100% sure that Flixster was the culprit? That's a pretty heavy claim for what I think is a very widely used (and recommended) app.
100% sure , I checked out the IP involved , and it pointed directly to their website !!!
pvillasuso said:
Same happened to me with an app posted here for movies,
Flixster for Android
http://www.flixster.com/
I did find out ON TIME that someone was messing with my gmail account, had to change my password immediately.
I received an alert from an IP (from their site) trying to change my password!
You've been warned, happened to me!
Don't be stupid. Flixster is a 100% legitimate app. Don't bad mouth it because you fell for a phishing scam some place else.
GldRush98 said:
Don't be stupid. Flixster is a 100% legitimate app. Don't bad mouth it because you fell for a phishing scam some place else.
Use it then, who cares anyway ..!
Hope u get your gmail account hacked ...
samagon said:
The take-home message is to exercise caution and install apps you can verify where they come from and what they do.
Easy to say, but how do you 'verify where they come from and what they do'?

Nasty Permissions

How does the Android community ban apps that ask for crazy permissions? For people who root and have some level of sophistication - we're not going to fall for bad behaving apps.
But for all those who don't even know what permissions are, they need to be warned.
Take a look at this one:
https://market.android.com/details?id=com.antonio.fashion&feature=search_result
Comes from a banned company called Plankton that rebranded itself as StartApp.
I feel sorry for people that install this and can't get rid of all the nasty stuff they injected into their device.
Android Market said:
Permissions
This application has access to the following:
Network communication
full Internet access
Allows an application to create network sockets.
Your personal information
write Browser's history and bookmarks
Allows an application to modify the Browser's history or bookmarks stored on your device. Malicious applications can use this to erase or modify your Browser's data.
read Browser's history and bookmarks
Allows the application to read all the URLs that the Browser has visited, and all of the Browser's bookmarks.
Phone calls
read phone state and identity
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.
Storage
modify/delete USB storage contents
Allows an application to write to the USB storage.
modify/delete SD card contents
Allows an application to write to the SD card.
Show all
Network communication
view network state
Allows an application to view the state of all networks.
view Wi-Fi state
Allows an application to view the information about the state of Wi-Fi.
System tools
automatically start at boot
Allows an application to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the application to slow down the overall device by always running.
I have a problem with an app that supposedly just displays pictures but needs access to my phone, my browser AND starts on boot. The network communication and SD modify I understand since it needs to retrieve the pictures from somewhere and save them in the memory other than the internal one but the rest of the permissions are just completely unnecessary.
Wow that's crazy, I fully agree!
Wow! Those permissions are crazy. That company should be banned. People are having a similar issue with the Amazon "Free app of the day" today. It's a game that is asking for a ton of permissions. There were a lot of complaints and the developer remarked on their Twitter account that they accidentally uploaded a version with "remnant permissions." Ya..right. Too many companies are getting away with this "we accidentally uploaded a test/alpha/beta/developer...etc version of our app." *rolls eyes
Sent from my PC36100 using xda premium

[Q] N10 and multiple account

With 4.2 it will be possible to add accounts on tablets, ok, but does someone know if it will be possible to set an account as "administrator" and other ones as "users" to avoid unwanted installation or modification? I'm not speaking about a real admin (like the one that you can have with root), only an admin as in capable of installing or uninstalling apps from the market.
Thank you
rodem77 said:
With 4.2 it will be possible to add accounts on tablets, ok, but does someone know if it will be possible to set an account as "administrator" and other ones as "users" to avoid unwanted installation or modification? I'm not speaking about a real admin (like the one that you can have with root), only an admin as in capable of installing or uninstalling apps from the market.
Thank you
I have used jellybean roms with multiuser support, so I'm assuming this will be close to the same. The way it works is, the person initially signed into the tablet is the 'admin', who can create accounts - no one else. The user also gets to choose which apps are available to any user that the 'admin' creates. Then, you can add a password to the main account, so any other user would have to know it in order to get into your 'account'. If settings is an app that you allow others to use, it will lack functionality for them so they cannot alter the tablet in a way that would affect other users. Hope that helps.

Multiuser: anyone knows how to change game data from one user to another one?

Hi all
After updating to 4.2 I created a new user for my wife.
"Installed" same games but they are 'new' for new user.
I want to copy data games files from my user to her user.
Anyone knows how to do it?
Need to be root?
Thanks
Sent from my Nexus 7 using xda app-developers app
Assuming they are free games, as paid ones will need to be purchased twice. You can use titanium backup to back them up on your account and then restore them into her account. You do need to be root for titanium though.
Sent from my Nexus 7 using Tapatalk 2
dr.m0x said:
Assuming they are free games, as paid ones will need to be purchased twice. You can use titanium backup to back them up on your account and then restore them into her account. You do need to be root for titanium though.
Sent from my Nexus 7 using Tapatalk 2
Sorry - misinformation.
Paid apps do not need to be purchased twice, or restored into her user ID. That would be a really bad idea anyway - you would have two copies of the app.
With root, use a file explorer to find your save file under /sdcard/0/...something. Copy that file to an identical file structure under /sdcard/1, or whatever number your second user uses.
Apps done the correct way for multi-user never download a second copy. The Play store just sets a link to them in the main user.
Assuming app is available to both:
adb backup/restore might work for unrooted. Me, I'd Titanium Backup it if it was important.
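The save-data copy rmm200 sketches only works if the copied files end up owned by the right uid: inside a secondary user an app runs under a different uid than it does for the owner, so files copied with root stay unreadable to it until they are chowned. Below is an added example (not the thread's procedure and not part of any tool mentioned here) that works out the per-user uid and paths and produces the copy/chown commands to run as root. It assumes the stock 4.2+ layout: the owner is user 0 and the first secondary user is user 10, private app data sits under /data/user/<N>/<package> (user 0's is the familiar /data/data, which is the same directory), external storage under /storage/emulated/<N>, and busybox supplies cp -a and chown -R. The package name and app id are made up.

```python
"""Helpers for moving one app's private data from one Android user to
another on a 4.2+ multi-user device.

Added example, not from the thread. Assumptions (stock Android; check them
on a custom ROM):
  * the owner is user 0 and the first secondary user is user 10;
  * user N's private app data lives under /data/user/N/<package>;
  * user N's emulated sdcard is /storage/emulated/N;
  * an app with appId A runs inside user N as uid N * 100000 + A, so copied
    files must be chowned to that uid or the app cannot read them;
  * busybox is installed, for cp -a and chown -R.
The package name and app id used in __main__ are made up.
"""
import subprocess

PER_USER_RANGE = 100000  # Android's UserHandle.PER_USER_RANGE


def per_user_uid(user_id, app_id):
    """uid of an app (appId, e.g. 10045) when it runs inside user user_id."""
    if not 0 <= app_id < PER_USER_RANGE:
        raise ValueError("app_id must be in 0..%d" % (PER_USER_RANGE - 1))
    return user_id * PER_USER_RANGE + app_id


def app_id_from_uid(uid):
    """Inverse: strip the user part off a uid such as 1010045."""
    return uid % PER_USER_RANGE


def user_id_from_uid(uid):
    return uid // PER_USER_RANGE


def app_data_dir(user_id, package):
    """Private data directory of `package` for the given user."""
    return "/data/user/%d/%s" % (user_id, package)


def external_dir(user_id, subpath=""):
    """Emulated sdcard of the given user, optionally with a sub-folder."""
    base = "/storage/emulated/%d" % user_id
    return base + ("/" + subpath.strip("/") if subpath else "")


def copy_plan(package, app_id, src_user, dst_user, external_subpath=None):
    """Shell commands (to be run as root on the device) that copy the app's
    private data, plus an optional external-storage folder, from one user
    to another and fix ownership for the destination user."""
    src = app_data_dir(src_user, package)
    dst = app_data_dir(dst_user, package)
    uid = per_user_uid(dst_user, app_id)
    cmds = [
        "cp -a %s/. %s/" % (src, dst),
        "chown -R %d:%d %s" % (uid, uid, dst),
    ]
    if external_subpath:
        cmds.append("cp -a %s/. %s/" % (external_dir(src_user, external_subpath),
                                        external_dir(dst_user, external_subpath)))
    return cmds


def run_on_device(cmds, execute=False):
    """Dry-run by default; with execute=True each command is sent through
    `adb shell su -c`, which needs a rooted device attached over adb."""
    for cmd in cmds:
        if execute:
            subprocess.run(["adb", "shell", "su", "-c", cmd], check=True)
        else:
            print("[dry-run]", cmd)
    return cmds


if __name__ == "__main__":
    # Made-up package and app id; read the real app id with
    # `ls -ln /data/data/<package>` on the device (owner uid of the dir).
    run_on_device(copy_plan("com.example.game", 10045, 0, 10,
                            "Android/data/com.example.game"))
```

Install the app for the second user first (so the destination directory exists with the right owner, which also tells you the app id), force-stop the app in both users before copying, and run the plan with execute=True only after reading the dry-run output. Paid or free makes no difference to this step; what matters is that the secondary user's copy of the app runs as uid 10xxxxx, not as the owner's uid.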
On a slight tangent, is there a shared data area that I could put shared files and videos that each user account would be able to view? If so do I need root access? Thanks.
bertracoon said:
On a slight tangent, is there a shared data area that I could put shared files and videos that each user account would be able to view? If so do I need root access? Thanks.
Don't forget a shared data area would mean the contents, like high scores, are shared between the users.
Most of the time, different users will want their own customizable data.
Technically, you need to purchase the app twice for two different accounts under playstore, that's the whole purpose of multiuser right?
Sent from my Nexus 7 using xda premium
Leechoonhwee said:
Technically, you need to purchase the app twice for two different accounts under playstore, that's the whole purpose of multiuser right?
Sent from my Nexus 7 using xda premium
Multi-user is not a developer enrichment scheme.
Your tablet has one owner, and apps are sold to that owner on an account basis - not by user or device ID.
The owner is able to make them available to any other users of that tablet without repurchase.
I suppose you would want an eye sensor, to make sure the person using the app is the one that paid for it?
No need to pay twice. Just install twice.
Seems I need root.
I used some file explorer, found this:
/storage/emulated
/storage/sdcard0
/sdcard
All seem to point to the same folders.
No sdcard1.
More than this, I can't find the game data. I have to explain that I have free games (from Play Store) and paid games (humble pack). If I search for the Imaginarium game with Astro, no results found -.-'
Pd: No root at this moment, original 4.2 ROM
Sent from my Nexus 7 using xda app-developers app
Sorry - misinformation.
Paid apps do not need to be purchased twice, or restored into her user ID. That would be a really bad idea anyway - you would have two copies of the app.
Can you clarify this, apps are linked to the gmail account they were purchased with no? I haven't tried multiuser yet but I thought I read from others you have to add the primary gmail account to any secondary account to access the bought apps. Is this not correct? And if it is correct, can one add it only to google play and not have a secondary account access the associated email?
sark666 said:
Can you clarify this, apps are linked to the gmail account they were purchased with no? I haven't tried multiuser yet but I thought I read from others you have to add the primary gmail account to any secondary account to access the bought apps. Is this not correct? And if it is correct, can one add it only to google play and not have a secondary account access the associated email?
Set up a secondary user. Secondary user needs a Google account. Create a new one if appropriate.
Open Google Play on the secondary user. Click Options, then Add Account. Add your primary account (the one that owns your apps).
You will be given a choice of items to synch - uncheck them all. All you want is app access.
Display your apps (they are now visible to you). Install the ones you want the secondary user to have. They will NOT download - this user just gets a link.
When done, you can delete the main account from this user - or just leave it
I am going to start cutting and pasting this description - I keep having to retype it...
rmm200 said:
Don't forget a shared data area would mean the contents, like high scores, are shared between the users.
Most of the time, different users will want their own customizable data.
I appreciate that, I was just wondering whether there was a shared folder everyone could access as well as completely private areas for each user. Sounds as though there is absolutely no difference between multi user and having two completely separate tablets.
Well... Biggest difference is that only one copy of the app is shared by all the users.
Sent from my Nexus 7 using xda app-developers app
When done, you can delete the main account from this user - or just leave it
Thanks, but one more thing. If I leave it in google play do they have access to the associated gmail? I would prefer to just leave it for future apps and add a password for google wallet so they can't purchase things. Hmm, I guess though they can uninstall things that I wouldn't want uninstalled. I'm thinking of a kid mucking about where he shouldn't.
sark666 said:
Thanks, but one more thing. If I leave it in google play do they have access to the associated gmail? I would prefer to just leave it for future apps and add a password for google wallet so they can't purchase things. Hmm, I guess though they can uninstall things that I wouldn't want uninstalled. I'm thinking of a kid mucking about where he shouldn't.
You could try an 'app lock' app. i've tried 'app lock' on the play store which allows you to pin protect stuff like settings and install/uninstall and other apps - although couldn't lock gmail or certain system apps. But it should work for the play store. Maybe there are similar apps that allow you protect gmail.
rmm200 said:
They will NOT download - this user just gets a link.
Is it possible to move apps and their data from one user to another? To do so can I just uninstall the app from the first user? After that will this app and its data still be available for the new user?
rmm200 said:
Set up a secondary user. Secondary user needs a Google account. Create a new one if appropriate.
Open Google Play on the secondary user. Click Options, then Add Account. Add your primary account (the one that owns your apps).
You will be given a choice of items to synch - uncheck them all. All you want is app access.
Display your apps (they are now visible to you). Install the ones you want the secondary user to have. They will NOT download - this user just gets a link.
When done, you can delete the main account from this user - or just leave it
I am going to start cutting and pasting this description - I keep having to retype it...
I tried to follow these instructions but a) I didn't get the sync message b) Play store doesn't display my bought apps in one place so it's not easy to find them and c) I have the feeling that it really double installs (I was hoping for a link).

Email users - Are you bothered that your passwords are being stored in plain text

I looked into the databases for Boxer & Gmail and found that they both are storing passwords in plain text. Boxer I found only stored my exchange password (which is my most important) and Gmail was storing all. I would have been fine with any type of password hashing but having them in plain text is completely unacceptable to me, anyone think the same?
Here are some example queries to show your passwords (must be rooted)
Boxer
Code:
su
/system/xbin/sqlite3 /data/data/com.boxer.email/databases/EmailProvider.db "SELECT password FROM HostAuth WHERE protocol IN ('eas')"
Gmail
Code:
su
/system/xbin/sqlite3 /data/data/com.google.android.gm/databases/EmailProvider.db "SELECT password FROM HostAuth WHERE protocol IN ('gEas')"
Stock Email(Play Store app)
Code:
su
/system/xbin/sqlite3 /data/data/com.google.android.email/databases/EmailProvider.db "SELECT password FROM HostAuth WHERE protocol IN ('gEas')"
This is bad...
Terrible, this must be fixed; passwords should be encrypted.
Doesn't return me any rows when looking up that database by such command. I am currently looking into the database though.
EDIT: Not sure if I am blind or the info isn't displayed when looking inside database with a database browser.
Someguyfromhell said:
Doesn't return me any rows when looking up that database by such command. I am currently looking into the database though.
EDIT: Not sure if I am blind or the info isn't displayed when looking inside database with a database browser.
Depends on the browser you're using but through terminal you will see it. If you can't see anything with either command, then your emails are not set up as EAS. IMAP or POP may do the same thing, I just don't have any accounts that use it to test it
Calkulin said:
Depends on the browser you're using but through terminal you will see it. If you can't see anything with either command, then your emails are not set up as EAS. IMAP or POP may do the same thing, I just don't have any accounts that use it to test it
I doubt the browser would make any difference, the database should still include/display same data.
I believe the issue for not seeing any is this EAS, which I am not familiar with.
this should be front page
Is this for any device they are installed on? Not just specific to our OPO?
So if you're rooted and someone managed to get access to your phone they could get these passwords easily enough. [emoji53]
gsmyth said:
Is this for any device they are installed on? Not just specific to our OPO?
So if you're rooted and someone managed to get access to your phone they could get these passwords easily enough. [emoji53]
any phone, same root location, or altered, just a question of knowing where to look
as long as you don't give shady apps root permission, you're fine.
sprremix said:
as long as you don't give shady apps root permission, you're fine.
it's still very very wrong...
plus it doesn't prevent anyone else from getting it from your phone
Someguyfromhell said:
I doubt the browser would make any difference, the database should still include/display same data.
I believe the issue for not seeing any is this EAS, which I am not familiar with.
Do you see anything in the HostAuth table?
bachera said:
this should be front page
Definitely should be
gsmyth said:
Is this for any device they are installed on? Not just specific to our OPO?
So if you're rooted and someone managed to get access to your phone they could get these passwords easily enough. [emoji53]
It's app specific and through recovery it can be had also
bachera said:
it's still very very wrong...
plus it doesn't prevent anyone else from getting it from your phone
Correct, very very bad
Calkulin said:
Do you see anything in the HostAuth table?
Definitely should be
It's app specific and through recovery it can be had also
Correct, very very bad
You should raise with Google and maybe even get rewarded? :fingers-crossed:
http://www.google.co.uk/about/appsecurity/reward-program/
gsmyth said:
You should raise with Google and maybe even get rewarded? :fingers-crossed:
http://www.google.co.uk/about/appsecurity/reward-program/
Thanks, I sent a report to see if I get a response
Only my eas password shows up in boxes - the imap and smtp passwords for my gmail accounts in boxer don't show up.
I don't have email sync for the stock gmail app enabled, perhaps that's why there are no rows in the HostAuth table for the gmail db?
I can confirm this worked with Boxer. It showed my exchange passwords but not my IMAP password. This is BAD BAD BAD. Thanks for finding this...how did you stumble upon this anyways?
Submitted a tip on the front page regarding this and also sent boxer an email.
Guys seriously. The only reason you can see your password is because you rooted your device. The /data partition, which is where the app databases are stored, does not grant read permissions to a non-root user. The fact that you chose to root your device is well within your rights but you have to understand that by doing so you are opening up the door for a virus or rogue app to get access to your previously secure data. I'm happy to help answer any questions you might have but this drum has been beaten millions of times so you have not stumbled across something new. All Android apps do this, ALL. That's because on a non-rooted device this data is secure in a sandbox environment.
---------- Post added at 02:02 PM ---------- Previous post was at 01:56 PM ----------
Here's an article from 2010 discussing this http://www.androidcentral.com/android-passwords-rooted-clear-text
shafty023 said:
Guys seriously. The only reason you can see your password is because you rooted your device. The /data partition, which is where the app databases are stored, does not grant read permissions to a non-root user. The fact that you chose to root your device is well within your rights but you have to understand that by doing so you are opening up the door for a virus or rogue app to get access to your previously secure data. I'm happy to help answer any questions you might have but this drum has been beaten millions of times so you have not stumbled across something new. All Android apps do this, ALL. That's because on a non-rooted device this data is secure in a sandbox environment.
Here's an article from 2010 discussing this http://www.androidcentral.com/android-passwords-rooted-clear-text
yeah well, it's too easy to say only rooted users are affected, it's still a flaw and sloppy security, I believe google should have covered this to at least provide additional security.
what if due to some flaw other than root it becomes accessible. then it's up for grabs. Just a small fix for a potential big hole.
not sure but security companies audit on this stuff
anyway, it makes it very interesting for business users and other shady usecases.
bachera said:
yeah well, it's too easy to say only rooted users are affected, it's still a flaw and sloppy security, I believe google should have covered this to at least provide additional security.
what if due to some flaw other than root it becomes accessible. then it's up for grabs. Just a small fix for a potential big hole.
not sure but security companies audit on this stuff
anyway, it makes it very interesting for business users and other shady usecases.
The same concept is used in Chrome for each tab. The same thing is used for Virtual Machines which operate in their own sandboxed environment. The same thing is used in virtual servers that people rent out from Amazon. The whole purpose is if you don't have root then you don't have access to the sandboxed data. If you didn't have root you would have no way of obtaining this information. Google is well aware of how sandboxed environments work and they provide the necessary security to protect against this as long as you don't root your device.
Think about this further, in order to encrypt that password the hash/key would need to be stored somewhere.....get access to that key and once again you have the passwords accessible. The only real solution would be requiring you to enter a pin/password every time the app needed to decrypt the password. Otherwise if you need to enter it every time then you lose the ability to background sync because the password is needed for every connection. This can go round-robin. This is likely why Google did not encrypt the password. To allow for background syncing. If you have a solution to the problem feel free to mention it because obviously Google couldn't think of one. They felt the sandboxed environment was secure enough.
shafty023 said:
Guys seriously. The only reason you can see your password is because you rooted your device. The /data partition, which is where the app databases are stored, does not grant read permissions to a non-root user. The fact that you chose to root your device is well within your rights but you have to understand that by doing so you are opening up the door for a virus or rogue app to get access to your previously secure data. I'm happy to help answer any questions you might have but this drum has been beaten millions of times so you have not stumbled across something new. All Android apps do this, ALL. That's because on a non-rooted device this data is secure in a sandbox environment.
Here's an article from 2010 discussing this http://www.androidcentral.com/android-passwords-rooted-clear-text
You're missing the point, my issue is that it's being stored in plain text, not about who can access that info
Calkulin said:
You're missing the point, my issue is that it's being stored in plain text, not about who can access that info
Did you read my previous message regarding the downside of encrypting that password? How you would no longer have background syncing? Is that a trade off you're willing to accept? It's one thing to complain about something, it's another to actually have a solution.
