Just a general warning to those who seek out APK's on the internet.
I've noticed an increasing number of people posting APK links on XDA-developers using 3rd party hosting such as multi-upload instead of the official developers websites. This is a potential security risk to your own phone, because Android code CAN be decompiled, and dodgy code can be added before re-uploading. You at a greater risk of downloading compromised APK's if you download them from an untrusted party.
Many of these APK's seem to be hosted officially by the developers already, so please link directly to the developers OWN servers when possible, and those who use their phone for business or store sensitive data on it, should avoid using APK's from sources which weren't set up by the original developers.
andrewluecke said:
Just a general warning to those who seek out APK's on the internet.
I've noticed an increasing number of people posting APK links on XDA-developers using 3rd party hosting such as multi-upload instead of the official developers websites. This is a potential security risk to your own phone, because Android code CAN be decompiled, and dodgy code can be added before re-uploading. You at a greater risk of downloading compromised APK's if you download them from an untrusted party.
Many of these APK's seem to be hosted officially by the developers already, so please link directly to the developers OWN servers when possible, and those who use their phone for business or store sensitive data on it, should avoid using APK's from sources which weren't set up by the original developers.
Click to expand...
Click to collapse
First off: Who's to say the original developer can't put this so-called "dodgy code" in their own apks?
Secondly: The Android marketplace doesn't have any strict rules as to what someone can post, and the code isn't even checked. You have just as high a chance of getting this "dodgy code" from any app you download straight from the market.
Nobody. But it is a hell of a lot safer from a trusted first party, than being passed down a chain of untrusted people before it makes it's way to you. Especially since apk's don't seem to be digitally signed (I may be wrong).
I'm just concerned that you can post any APK you want here which have an official website, insert a trojan, and nobody would be none the wiser. I'd simply like to see a change in attitude.. If someone posts an unofficial link to an APK which is already available by developers, I'd like to see people stand up and point to the OFFICIAL website.
At the moment, people are actually ENCOURAGING bad security practices, and doing so makes XDA a target ripe for future attack. And I don't want to wake up to a forum of people *****ing about Samsung, for a problem caused because of a trojaned copy of Angry birds beta on XDA.
We should build awareness now for people to get files from the last link in the chain, rather than wait for someone to try it (which they probably will, and may have already done)
andrewluecke said:
Nobody. But it is a hell of a lot safer from a trusted first party, than being passed down a chain of untrusted people before it makes it's way to you. Especially since apk's don't seem to be digitally signed (I may be wrong).
I'm just concerned that you can post any APK you want here which have an official website, insert a trojan, and nobody would be none the wiser. I'd simply like to see a change in attitude.. If someone posts an unofficial link to an APK which is already available by developers, I'd like to see people stand up and point to the OFFICIAL website.
At the moment, people are actually ENCOURAGING bad security practices, and doing so makes XDA a target ripe for future attack. And I don't want to wake up to a forum of people *****ing about Samsung, for a problem caused because of a trojaned copy of Angry birds beta on XDA.
We should build awareness now for people to get files from the last link in the chain, rather than wait for someone to try it (which they probably will, and may have already done)
Click to expand...
Click to collapse
Are you familiar with modifying an APK? It is not nearly as easy as you make it seem. If the developer doesn't release the source code, it can't easily be functionally modified minus a few graphics and the like. Not to mention, this is how the iPhone jailbreak system works in regards to getting content. And has been going on with PC for years.
I really do not think it's something we have to worry about. Just install an anti-virus on your phone if you're worried.
1) Grab 7zip to decompress your apk package.
2) And yep, there are tools to decompile dex files too. Technically it seems to be more like disassembly, but can probably easily be modified to cause the app to ring russian phone sex numbers every 10 minutes without your consent, or do other nasty things. There are some security mechanisms in place, but that doesn't make them invincible.
You tell me, what is the advantage of encouraging reposting of APK's with already existing websites? Because it doesn't seem to have any advantages, but can have BAD security implications.
Good thing to raise awareness among users, but alas - most of them don't even bother to read the permissions requested by apps downloaded from the market.
There are actually quite few people that have an idea of what could happen if they had a rouge app on their phones. I recently tried to give a similar general warning in another forum that people should take care when flashing "beta" firmwares downloaded from some hosting site and not from the developer... You think most of them cared? Sadly they didn't...
There's nothing wrong with being a bit cautious and smart about the way we do things. I'll trust the app if I see the dev is in "the" community.
Sent from my GT-I9000M using XDA App
andrewluecke said:
1) Grab 7zip to decompress your apk package.
2) And yep, there are tools to decompile dex files too. Technically it seems to be more like disassembly, but can probably easily be modified to cause the app to ring russian phone sex numbers every 10 minutes without your consent, or do other nasty things. There are some security mechanisms in place, but that doesn't make them invincible.
You tell me, what is the advantage of encouraging reposting of APK's with already existing websites? Because it doesn't seem to have any advantages, but can have BAD security implications.
Click to expand...
Click to collapse
So, obviously you've never tried to actually edit one of those XML files within it. try that and get back to me.
APK's are not open source and cannot be decompiled and edited. The only way for what you are suggesting can happen, to happen, is if the APK in question had its sources released so someone else could release an edited version of the program, made from scratch, in java.
"can probably" is not very sure. The chances of someone posting a completely separate app with the name of a well known app is much more likely than someone editing an existing app (assuming the sources were available).
If you have no clue about android apk development why even bother arguing?
opensourcefan said:
There's nothing wrong with being a bit cautious and smart about the way we do things. I'll trust the app if I see the dev is in "the" community.
Sent from my GT-I9000M using XDA App
Click to expand...
Click to collapse
Agree 100%. Much better said! You don't know who's releasing what, so watch what you're installing and just make sure it looks like the program you were looking for in the first place..
Electroz said:
So, obviously you've never tried to actually edit one of those XML files within it. try that and get back to me.
Click to expand...
Click to collapse
Refer to apktool Link
Or Apk Manager (My Signature)
Xml's can be 100% decompiled/recompiled from binary to human readable and back thanks to apktool.
2 options to make sure ur safe :
1. Dont install root applications (they require 0 upfront standard android api permissions hence u won't know what its doing behind the scenes)
2. Install apps by transferring them to ur phone and using the package manager, that way you can see standard permissions (if any) and judge accordingly.
You know what would be cool, if superuser could log the "su" commands a root requiring app executes
Daneshm90 said:
Refer to apktool Link
Or Apk Manager (My Signature)
Xml's can be 100% decompiled/recompiled from binary to human readable and back thanks to apktool.
Click to expand...
Click to collapse
Wow, my bad.... But no wonder major game companies aren't developing for the platform yet.
But even if the apk that u downloaded from the net have a virus (eg. sends SMS to get money), you will still see the permission when installing so an antivirus isnt needed, or am i wrong?
leoon said:
But even if the apk that u downloaded from the net have a virus (eg. sends SMS to get money), you will still see the permission when installing so an antivirus isnt needed, or am i wrong?
Click to expand...
Click to collapse
If its a non-root requiring app then yes, it must disclose its permissions prior to installing it through package manager not if u use adb to install.
You just have to judge, if a wifi toggle app is asking for email/sms permissions, you might want to be careful
As for root-requiring apps, theres not much you can do other than read reviews for that app or decompile and try to understand what its doing behind the scenes.
Electroz said:
Wow, my bad.... But no wonder major game companies aren't developing for the platform yet.
Click to expand...
Click to collapse
It's quite easy to modify disassembled app code as well - trust me ;-) Also I think we will have possibility to decompile to Java code in the future.
Just don't think of your phone as a smaller PC (especially Windows), because this isn't true. There will never be antiviruses for Android and your only protection are permissions. Anyone could create market account and upload malicious app.
About game companies: they usually write in native code and it's really hard to decompile (or maybe even impossible for now). Besides... did you heard about gameloft's recent games? They're really awesome. Note that first 3d-gaming capable Android phones were released just ~10 months ago, so it's still quite early.
leoon said:
But even if the apk that u downloaded from the net have a virus (eg. sends SMS to get money), you will still see the permission when installing so an antivirus isnt needed, or am i wrong?
Click to expand...
Click to collapse
It should, however, what if it is an alternate launcher, in which case, you'd expect it to be able to send SMS's and make phone calls. That's all fine, until you realise the copy of launcherPro you downloaded using a multi-upload in XDA is having phone sex with a russian operator costing you hundreds of dollars.
It's actually good Brut spoke here. Brut[Maps] is relevant, because it introduces new features which distinguishes it from Google's version. However, can we trust Brut as much as we can trust Google? He seems trustworthy yes, but as trustworthy as Google? Questionable. (Btw Brut, good work on your mod). Of course, his mod does have considerable benefits showing he is interested in helping the community and he hasn't caused any problems thus far. That only means his official multi-upload posts are safe though, if I repost them elsewhere, you shouldn't trust my copies.
It's common sense that programs should pass by as few hands as possible to remain secure. We need to build awareness about security practices (particularly for business users who may compromise their companies security or information). I'm not saying all rom's are safe.. Think about it though, if an APK is already readily accessible, why would someone go through the effort of re-uploading it?
Furthermore, we should encourage people using their phone's for important purposes to use the official Kies releases, not random firmware's available from Samfirmware's (which may not even be final versions).
Remember, trojans are common in the warez world, and it's better to change the attitude of the community before they become a problem here too (otherwise, people will be stuck in a poor mindset that compromises herd immunity). XDA is a website targeted at the technical crowd, and we should set a good example.
@Electroz. Haven't disassembled them myself, but checked a tutorial. But someone has responded already anyway.. Just because I don't have experience doing it myself anyway, doesn't mean it isn't widely known to be possible.
Several big guys already launched Antivirus For Android
Norton, Trend, and a few more
i think we are pretty safe with those
however... it's suck if they run in the background all the time eating the juice+cpu power away
Anti-virus only helps for known trojans anyway, and since so few people have it installed, it doesn't help much. When Android has it built in though, it may be more useful.
Anti-virus should be considered a last line of defense anyway. And either way, I'm not concerned, because I try to minimise the risks of my own sgs. However, it's a concern that people here don't believe such a risk exists, and are actually encouraging a global attitude which might make the Android population ripe for social engineering attacks in the future.
@andrewluecke
I understand you, I don't say there is no problem with security. I say it doesn't matter you will get malicious software from mirror or Market itself. We could assume apps downloaded from WWW are more dangerous, but this problem is general one: people should be cautious whenever they install something with critical permissions. If they won't they will have problems anyway - it's just a matter of time.
I agree with you: it's important to aware people of that problem. This is actually only one thing we can do: be aware and cautious.
Ahh and in many situations it's possible to protect yourself against problem with redistribution. First, you could check md5 - many developers give it to people, I do. Second: signatures. Each app is signed by its author, so you could check its authenticity. You could check signatures of downloaded apk using public key uploaded by dev to his WWW or using "safe" apk you downloaded earlier. Unfortunately there are no tools to do that easily :-/ Also Android does this check automatically when you install new software. So if you have installed e.g. GM modded by me, then you have downloaded new version from some mirror and succeed at installing it, you can be sure it was also from me and nobody modified it.
AllGamer said:
Several big guys already launched Antivirus For Android
Norton, Trend, and a few more
Click to expand...
Click to collapse
Hmm? I think it's impossible, cause apps can't get to data and resources of others apps. And creating an app for root users only wouldn't have much sense.
I have found Norton Smartphone Security for Android and it's anti-theft protection, not anti-virus.
I'm not a coder and came from IT field so I have lots of general questions about apk security and found this thread...great discussion. TY
Just a general question about apk security...how easy is it to alter apk for malicious intent? And is it possible for spyware writers to turn some freebie apk or rom into a bunch of botnet drone? ...just kinda scary to imagine
the news about android virus gets me nervous about installing any apk released from any individual
http://www.talkandroid.com/24949-new-android-trojan-virus-discovered-dubbed-gemini/
kobesabi said:
how easy is it to alter apk for malicious intent?
Click to expand...
Click to collapse
Quite easy for a good developer.
kobesabi said:
And is it possible for spyware writers to turn some freebie apk or rom into a bunch of botnet drone?
Click to expand...
Click to collapse
Yes, but I think that would be quickly noticed by people and then these apks, roms and developers would be banned from every forum in the internet.
Brut.all said:
Quite easy for a good developer.
Yes, but I think that would be quickly noticed by people and then these apks, roms and developers would be banned from every forum in the internet.
Click to expand...
Click to collapse
Wow, scary. Unless there is something else, that they can't get away, I don't think banning would deter much, they just laugh at the weak security as a fun challenge. If they already got tons of ip under their control...banning by account, ip, or email will not help much...they can always get new ones.
Is there a way user can authenticate/verify apk signing from authentic author/writer? Many just post apk but did not post md5 or sha sum so how can a user find out if it is original or not?
Anyway to test these apk without loading up to real phone?
Related
(Note posting in this topic as to dev category for obvious reasons)
This whole incident has taken me by surprise with the actions of Google against Cyanogen. Now the actions from my understanding so far are likely the result of the early release of the Market app with his new Donut based releases. There is a valid argument for Google in which it is their own proprietary code in which they want to release on their terms I would assume, however I prefer to take the side of the community. The community around XDA has supported and nurtured the development of the Android OS and the devices based upon it, with the developers pushing the limits on what they can do and implementing smarter and better solutions. We the community in a sense become beta testers for the latest and greatest Android has to offer, how many applications do you think have already added support for 1.6 due to Cyanogen's mods and our feedback?
In summary, I believe while Google does have a valid argument against, but it would better serve them to not continue with this course of action. I invite you all to write and use all social networks available to you to spread the world, submit to every news site, raise awareness of the problem. Don't waste your time with petitions, just spread the word, go viral with it.
Digg search for cyanogen:
http://digg.com/search?s=cyanogen
Original article:
http://androidandme.com/2009/09/hacks/cyanogenmod-in-trouble/
Facebook group:
http://www.facebook.com/group.php?gid=144634407186&ref=nf
Send tweets to @google also, flood the information stream.
Email the people at Engadget, Slashdot, Gizmodo, all the major blogs just to keep focus upon it.
Someone should put it up on reddit too, get some visibility on wired.com!
Listen, this situation is really cut and dry. Cyanogen had NO LICENSE to distribute the CLOSED SOURCE APPS. The rest of it is perfectly fine.
The solution:
Develop the roms, DELETE the closed source apps, sign, publish. When someone installs the roms, let them install the closed source apps themselves -- i.e., *somebody* (who won't be linked back to cyanogen) will likely post a simple "closed-source-google-apps-for-cyanogenmod-4.xx.xx.xx.zip" which can be installed from recovery mode.
Problem solved.
wont that person then be "under-fire"?
gospeed.racer said:
wont that person then be "under-fire"?
Click to expand...
Click to collapse
Only if the person gets caught.
tool to extract non free files and create a update image
If the binary files in a existing ROM can be used by cyanogenMod, what we need is a tool to reuse them in cyanogenMod. Am I wrong?
Or is it rebuild from source code ?
lbcoder said:
Listen, this situation is really cut and dry. Cyanogen had NO LICENSE to distribute the CLOSED SOURCE APPS. The rest of it is perfectly fine.
The solution:
Develop the roms, DELETE the closed source apps, sign, publish. When someone installs the roms, let them install the closed source apps themselves -- i.e., *somebody* (who won't be linked back to cyanogen) will likely post a simple "closed-source-google-apps-for-cyanogenmod-4.xx.xx.xx.zip" which can be installed from recovery mode.
Problem solved.
Click to expand...
Click to collapse
Are you a lawyer? no. So don't give your interpretation of what Cyanogen's license was and wasn't. You already started a thread about it and you're spamming the hell out of another. Don't mess with legal guesses, it's a bad bad idea. As I am someone who is studying law (and also a programmer/generally tech-smart), I am doing and suggesting to stay the hell away from that part when possible. Law -> politics -> flamewars -> ad hominem/bad posts. This is not tvtropes.
Meanwhile, can you even get past the start/initialization page without having the closed source apps, as they are market/gmail? This question is to actual modders.
Google has made a mess of thus, if they stop him from distributing with the apps it's only going to get *waaaay* messier.
You, are an IDIOT.
What happens when you *assume*? I'm sure that if you are, in fact, a law student (as you imply yourself to be, though you really only call yourself a "student" of the law, which could mean that you simply watch CNN from time to time), that this would have been answered on the first day of your first class.
Cyanogen's license *IS EXACTLY* the same as the license granted to *ALL OTHER USERS*. You want to read it? Its in your phone under About Phone --> Legal Information --> Google legal. Until you have read and understand *it all*, you should immediately cease offering your suggestions.
Edit: I just noticed your post count... 3.
Amazing, the audacity of some people. Whenever things start to get beyond the understanding of the average, all the chicken-littles come out from the woodwork and start crying about how evil the big company is. It is a direct function of a lack of understanding of the issues.
My advise: FORGET ABOUT IT. This has nothing to do with you and most likely won't have any (significant) impact on your life. At worst, you will have to add ONE SMALL STEP to the process of flashing the latest modrom.
Let me repeat: THIS IS NOT A BIG DEAL! IT DOESN'T REALLY MATTER! Your phone is NOT about to catch on fire or start spying on you.
Oh, and for you information: regarding how I know what Cyanogen's license was....
1) the fact that it is included with the phone.
2) the fact that he received a c&d order (which they wouldn't send if he was licensed, or if they had, it would be the simplest matter to resolve).
3) the fact that he said so himself.
designerfx said:
Are you a lawyer? no. So don't give your interpretation of what Cyanogen's license was and wasn't. You already started a thread about it and you're spamming the hell out of another. Don't mess with legal guesses, it's a bad bad idea. As I am someone who is studying law (and also a programmer/generally tech-smart), I am doing and suggesting to stay the hell away from that part when possible. Law -> politics -> flamewars -> ad hominem/bad posts. This is not tvtropes.
Meanwhile, can you even get past the start/initialization page without having the closed source apps, as they are market/gmail? This question is to actual modders.
Google has made a mess of thus, if they stop him from distributing with the apps it's only going to get *waaaay* messier.
Click to expand...
Click to collapse
gospeed.racer said:
wont that person then be "under-fire"?
Click to expand...
Click to collapse
At this point we're talking warez, and though I won't advocate warez, when was the last time you saw Ahmed Ahmed Ahmed from Iran get persecuted for distributing warez?
Remember that the US government can't even find Bin Laden....
Or the apps can be pulled by the users from *legitimate* images, like ADP1. This, at least, is legal for owners of ADP1's for use on ADP1's.
Frankly, adding a step to complicate the process would probably go at least a little way in getting the super-noobs out of the game. They get *really* annoying.
Oh FYI: I got that board you sent me more-or-less cleaned up now, going to start mapping it out soon.
setupr said:
If the binary files in a existing ROM can be used by cyanogenMod, what we need is a tool to reuse them in cyanogenMod. Am I wrong?
Or is it rebuild from source code ?
Click to expand...
Click to collapse
Exactly. It is incredibly simple.
unzip (official-update.zip) /path/to/file1toextract /path/to/file2toextract ... /path/to/filentoextract
zip -g (mod-rom-update.zip) /path/to/file1extract /path/to/file2extract ... /path/to/filenextract
java -jar testsign.jar (mod-rom-update.zip)
Then just copy file to /sdcard/, recovery, flash, done.
Yeah, I know that us modders will continue to be doing the same thing and continue on, I know they aren't going after the entire community. It was for distributing the new Market app before its release as I understand currently. Hell, all I would do I an adb pull from a rom and push it into a new release. Just like I will be doing with the Market app if he can't put it in another release haha.
However the point of this thread was not to see if Google had the right to do that, they did. It is that simple. It is their proprietary code that was released early, by cyanogen, but I think it is unnecessary. The point of it was to support cyanogen for more ideological reasons, this community pushes the development at a rapid pace. My Dream would have been a nightmare without the likes of JF, haykuro, cyanogen, Dude, etc. With cyanogen releasing Donut in his builds, our community has been pushing developers to up their support to it and fix bugs relating to 1.6 before it is pushed as an update. The same thing with the Market app applies, how many of those apps have screenshots already? Why alienate the true heart of the device, we are basically beta testers for those of us running experimental roms. I understand the Google position, I just wish they would see that no harm, no foul.
And don't equate the amount someone posts to the boards to their understanding of a situation. There are quite a few people that just get the ROMs, run them and can use a search button if they have problems.
holy cow batman, flame much? Some people lurk for a long time before registering such as I.
I agree it's a small issue, and cyanogen is probably already working on it at least based off of his twitter. However, it doesn't matter what you or I feels about the licensing, nor even what the courts would interpret were it to get to that point.
It however, is very inappropriate to be ad hominem and/or bar threatening to people over this issue, basically getting worked up yourself. Honestly, playing seniority and insulting my schooling? I was not trying to be threatning to you, simply pointing out that you are not a spokesperson for interpreting a software license. Really, it's like you went into an emotional rage the minute cyanogen got the C&D.
Cyanogen in trouble
I can't believe Google is pulling this crap. I can only hope that Google is smart enough to work something out with Cyanogen so he may continue to share his awesome developments. I would expect some restrictions, but they need to work with him and let him do his thing. Otherwise, where's the incentive for anyone else following in his footsteps to make programs better for Google?
setupr said:
If the binary files in a existing ROM can be used by cyanogenMod, what we need is a tool to reuse them in cyanogenMod. Am I wrong?
Or is it rebuild from source code ?
Click to expand...
Click to collapse
Maybe this is the answer?
cyanogen : And regarding the keep-proprietary-apps-on-device-for-custom-rom install, with all the odexing and resource id mismatches... Ugh.http://twitter.com/cyanogen/status/4384352484
How can I know that a custom rom has not been tainted with malicious code or rootkits somewhere along the line? Is it usual to get google security updates from the developers for a particular rom? Is there a team that audits code? It would nice if xda rom developers had homepages that discussed these issues - I haven't found any yet. If there are some that exist, please let me know.
I mean no disrespect to devs, and I do appreciate all your hard work.
However,
+1
Basically you have to have some blind faith and the hope that some ROM users check codes.
Also +1
Sent from my ADR6300 using XDA App
Usually we are pretty good at finding these kinds of ROM's / Malicious code thanks to the diligent community of developers. Although we haven't seen any it is quite possible for it to happen with some "rogue" app included. The main reason this doesn't happen is the fact that editing system APK's is tough as editing them can break down other app's dependencies which would raise a flag quickly for users. In my opinion we are pretty safe, if you do encounter such an instance please report the offending thread and it will be handled.
Captainkrtek said:
Usually we are pretty good at finding these kinds of ROM's / Malicious code thanks to the diligent community of developers. Although we haven't seen any it is quite possible for it to happen with some "rogue" app included. The main reason this doesn't happen is the fact that editing system APK's is tough as editing them can break down other app's dependencies which would raise a flag quickly for users. In my opinion we are pretty safe, if you do encounter such an instance please report the offending thread and it will be handled.
Click to expand...
Click to collapse
I wonder how many lines of Kernel code it would take to do a malicious kernel exploit. What of there was a malicious version of ls or mv? Would anyone notice in time to prevent a drastic failure?
/!\ BE AWARE OF YOUR APP, DavinciDevelopers try to steal them and sell them on the market !!
Hello guys,
Be careful, if you post an apk of your free app here, somebody will try to take the apk, remove the signature, and upload it as a paid version on the market !
The proofs : (edited to add new stolen softwares)
Llamadroid
- http://forum.xda-developers.com/showthread.php?p=10113570#post10113570
- http://www.androlib.com/android.application.com-kebab-llamadroid-zzjjD.aspx
(removed today, on 5th january)
Typo clock
- http://forum.xda-developers.com/showthread.php?t=814054
- http://www.appbrain.com/app/beautiful-clock-widget-3d/com.semicuda.typoclock
Iron soldiers
- http://forum.xda-developers.com/showthread.php?t=862875
- http://www.appbrain.com/app/iron-soldiers/vuxia.ironSoldiers
(removed from market today, on 5th january, but still referenced)
Championship racing 2010
- http://www.vividgames.com/sub_game.php?id=42
- http://www.androlib.com/android.application.com-vividgames-championship_racing_2010-zzxwq.aspx
(removed today, on 5th january)
Liquid wallpaper
http://forum.xda-developers.com/showthread.php?t=878252
http://www.appbrain.com/app/liquid-physics/livewallpaper.liquid
Bluetooth Scanner
http://forum.xda-developers.com/showthread.php?t=900923
http://www.androidzoom.com/android_games/casual/bluetooth-scanner_pvqg.html
(New !! Now, we have proof that ALL his apps are stolen)
And even Gameloft best sellers (paid games) :
http://www.androlib.com/android.app...ndroid-gand-gloftspaw-heroofsparta-zjCDi.aspx
(removed from market today, on 5th january, but still referenced)
http://www.androlib.com/android.application.com-gameloft-android-gand-gloftavar-avatar-zjCEx.aspx
(removed from market today, on 5th january, but still referenced)
Minigore
http://minigore.blogspot.com/2009/07/what-minigore-is.html
http://www.appbrain.com/app/minigore-hd/com.ambushgames.minigore
http://www.androlib.com/android.application.com-ambushgames-minigore-zzjqD.aspx
Zuma's revenge
Original
http://www.zumasrevengegame.com/
http://store.steampowered.com/app/3620/
Scammers
http://www.appbrain.com/app/zumas-revenge-hd/com.popcap.zumas_revenge
http://www.appbrain.com/app/zumas-revenge/com.fox.game.zumasrevenge
How is it possible ?
Google does not check your apk signature when you upload a software.
Even if you signed yous apk with you key, somebody else can put this on his google account.
The signature can be deleted easily if needed.
He can change the title of your app, so nobody see it, but he can't change the apk name nor the icon.
Why do we post our apk here ?
To have testers, to correct bugs, to have a perfect look and feel before put it on the market.
Because on the market people are rude, we have only one chance, so we need to avoid bugs.
And when we put our app online, we want to choose if it's paid or free (with ads or not).
What is the problem ?
If DavinciDevelopers steal and upload your app, he will lock your pak name.
2 apps can't have the same name on the market.
You may have a name like com.myname.myapp.apk
Where "myname" is the same in every app you do.
If he take that, this is a major issue for you because you will be associated to him on every search (google.com, market...).
So, you will have to change your app name and maybe your company name....
Within 1 or 2 days, the market is parsed from androlib, androidzoom, appbrain... and it's done. Google.com will see those websites, and you are trapped.
You will have your buggy app on the market, some people will pay for that, the thief will have some money, and every users will have a bad opinion of your app.
Why DavinciDevelopers does this ?
To make benefit from your work.
Because he doesn't care you are working from a long time on your app.
Because he doesn't care if your work is ruined, he will find somebody else.
How can we be protected ?
Because 2 apps can't have the same name, you should put your app on the market first.
If your app is in development stage, you can upload it as "draft", so it will not be visible on the market, but the name will be locked.
Who is DavinciDevelopers ?
Somebody that have 83 apps on the market !
Almost all of them are themes.
If you look the package name you can see for example :
com.nd.android.pandatheme.p__3d_android_theme
at :
http://www.androlib.com/android.application.com-nd-android-pandatheme-p__3d_android_theme-qAmiz.aspx
google search : "pandatheme", first link :
http://home.pandaapp.com:888/
So he is not a developer. He makes themes with a free online tool and sell them... nice.
And for the real apps he uploaded (about 5), they all are stolen, coming from poland, germany, and other places.
Almost every of them comes from XDA dev forums.
ps : this message should be marked as sticky in every development section.
Is it worth marking all these apps as objectionable to draw Google's attention to this issue?
Sent from my Desire HD using XDA App
Today, 2 of those links has been removed already !
Maybe somebody sent emails to every publishers...
I hope google will understand this and ban this thief.
I have posted about it on reddit
http://www.reddit.com/r/Android/comments/ew4e8/android_market_is_still_the_wild_west/?sort=hot
Someone who works for google replied and said they're looking into it.
@jgittins
Could you please link this post to you post ? Or give to the "google man" the list of the apps we found here ?
This kind of guy should be banned from google forever (if it's possible )
One thing I don't understand :
Google should give to every developer a private key that we could use to compile the apk.
Something we should not be able to remove.
So the developer who generates the apk could be sure it would be uploadable only into his account.
It sounds simple but...
thanaos2042 said:
@jgittins
Could you please link this post to you post ? Or give to the "google man" the list of the apps we found here ?
Click to expand...
Click to collapse
I've linked to this thread from the reddit story.
Also, you have written that Zuma's Revenge is by Blue_sprit. But the real zuma's revenge is a famous game from popcap, I think blue_spirit is actually another scammer.
http://www.zumasrevengegame.com/
http://store.steampowered.com/app/3620/
Well done post edited !
thanaos2042 said:
Google should give to every developer a private key that we could use to compile the apk.
Something we should not be able to remove.
Click to expand...
Click to collapse
It's not possible to add something, that is impossible to remove. Cryptography makes possible to check that something was created by someone, but not that it wasn't.
Dang that sucks that people are ripping dev's off. I have high respect for Dev's. Not being one, I don't know all the ins and outs of developing apps but I'm sure it's a very deeply involved process that nobody should rip off. Jeez. I hope these idiots are banned from the market. Is there a formal process that someone can start to get these apps credited to their rightful owners?
Thank you for informing the community of this!
Thanks a lot! As a developer, this information I will be very useful.
This is absolute putrid behavior. This is one of the downsides to having an open-source OS and Google being so hands-off. There better be some justice in this matter......
PS - moderators/admins should require this to be a stickie in EVERY forum
I post it to tweeter.
This is disgusting.. I will make comments on all his posted apps in the market and warn people how this guy rips them off..
jhepoy said:
This is disgusting.. I will make comments on all his posted apps in the market and warn people how this guy rips them off..
Click to expand...
Click to collapse
thats not going to stop many people if they want the app.....thats what sucks
TopShelf10 said:
thats not going to stop many people if they want the app.....thats what sucks
Click to expand...
Click to collapse
if more of us from xda will post comments how douche this guy is, then maybe we could prevent others from patronizing his posted apps.. being a frustrated programmer also, I know how hard it is to code.. and I am very grateful to devs who gives us free apps over here at xda..
These davincidevelopers retards are also releasing retail gameloft games on the market, we need to stop these fuken retards, get them banned from the market.
What a penga ! We want to protect our community from the pirates, Thank you for the heads up,
Lets spam this Guy!! Anybody got his email??
Sent from the almighty Vibrant!!!
So, guys..
I was going through some blogs, which stated that there are so many malicious apps in android market. Recently, Avast, which has launched an app in market, reported to google about some malicious apps.
Here is the article:-
https://blog.avast.com/2011/12/13/android-malware-in-the-open-marketplace/
So, what i was thinking is that do we really need an Antivirus app, to protect our android phone??
Using an antivirus app will mean that, it will consume RAM continuously, and so will consume battery too.
I am starting this thread, so that we can discuss, here ,if we really need it.
So, share your views, experiences with any malicious app in the market place, and also suggestions about which antivirus app should we use, if this kind of thing exists in android.
Of course you do, i use Lookout Mobile Security and it has caught a few trojans which were potenially harmful to my phone, not too many but it did quarantine a few since ive had it.
Basically anyone who doesn't have any type of protection on their dog and bone is taking a big chance.
The answer is NO.
I've posted an article from tech2.com in Indian thread where someone from Google said it while talking about Trozan AV apps.
ithehappy said:
The answer is NO.
I've posted an article from tech2.com in Indian thread where someone from Google said it while talking about Trozan AV apps.
Click to expand...
Click to collapse
Did u read the link i posted?
It really shows the possibility of some malicious apps, co-existing in Android Market. Don't we need to be protected?
ithehappy said:
The answer is NO.
I've posted an article from tech2.com in Indian thread where someone from Google said it while talking about Trozan AV apps.
Click to expand...
Click to collapse
Well if you ever get a trojan on your SGSII don't come crying on here, ever heard of better be safe than sorry!!
jonny68 said:
Well if you ever get a trojan on your SGSII don't come crying on here, ever heard of better be safe than sorry!!
Click to expand...
Click to collapse
Thats what i am trying here "Better be safe than sorry"
Well you should've created this thread without the 'Do' and '?'. Everyone is entitled to his/her own opinion. You didn't like my post IGNORE it, don't quote me and advice me what I need to do. A '?' thread should only be created where everyone can share his/her opinion and then it's up to the Thread starter what he/she will take from all the answers.
Anyway, keep using what you are using.
@jonny68- Have you seen such a thread like that in this 8 + months?
This is what Chris Dibona, Google's Open Source Program Manager said,
Chris DiBona, Google's open-source programs manager stated in a blog post, “No major cell phone has a 'virus' problem in the traditional sense that Windows and some Mac machines have seen. Virus companies are playing on your fears to try to sell you bulls***protection software for Android.”
Click to expand...
Click to collapse
Source:
http://tech2.in.com/news/android/go...-antivirus-apps-in-android-marketplace/260952
Sorry I had to BOLD the line for you guys, it's a shame to modify some other comments.
Another thing, if someone even said that Antiviruses are needed for Android I would never use it.
The story is exactly the opposite when I use my Desktop PC fyi.
Regards.
ithehappy said:
Well you should've created this thread without the 'Do' and '?'. Everyone is entitled to his/her own opinion. You didn't like my post IGNORE it, don't quote me and advice me what I need to do. A '?' thread should only be created where everyone can share his/her opinion and then it's up to the Thread starter what he/she will take from all the answers.
Anyway, keep using what you are using.
@jonny68- Have you seen such a thread like that in this 8 + months?
This is what Chris Dibona, Google's Open Source Program Manager said,
Source:
http://tech2.in.com/news/android/go...-antivirus-apps-in-android-marketplace/260952
Sorry I had to BOLD the line for you guys, it's a shame to modify some other comments.
Another thing, if someone even said that Antiviruses are needed for Android I would never use it.
The story is exactly the opposite when I use my Desktop PC fyi.
Regards.
Click to expand...
Click to collapse
You forgot the rest of this story:
"Honestly, anti-virus software are not needed on mobiles, just as long as you don’t download random apps you should be just fine" ...
Most people in here download and install tons of apps, modifications and tweeaks on rooted phones ... LOL
Why not just instal a free one?
Better safe than sorry...
Send from my GT-I(OVER-9000) using XDA App.
ithehappy said:
Well you should've created this thread without the 'Do' and '?'. Everyone is entitled to his/her own opinion. You didn't like my post IGNORE it, don't quote me and advice me what I need to do. A '?' thread should only be created where everyone can share his/her opinion and then it's up to the Thread starter what he/she will take from all the answers.
Anyway, keep using what you are using.
@jonny68- Have you seen such a thread like that in this 8 + months?
This is what Chris Dibona, Google's Open Source Program Manager said,
Source:
http://tech2.in.com/news/android/go...-antivirus-apps-in-android-marketplace/260952
Sorry I had to BOLD the line for you guys, it's a shame to modify some other comments.
Another thing, if someone even said that Antiviruses are needed for Android I would never use it.
The story is exactly the opposite when I use my Desktop PC fyi.
Regards.
Click to expand...
Click to collapse
M sorry, if it hurted u.
Everyone has absolute right to express their views.Be it wrong or right.
Sent from my GT-I9100 using XDA App
Well Google are hardly gonna freely admit the fact that there are some rogue apps in the Android Market which contain trojans as this will put off many people (not just talking anti-virus here), the simple facts are despite the nonsense by Chris DeBona or whoever is the fact that you are taking a calculated rick by not having some type of protection on your phone, this is even more so if you do happen to download apps from other sources but even in the Android Market you can never be totally sure, Lookout Mobile Security is totally and utterly 100% legit and used by many thousands of people and business' alike,clearly there are some rogue apps masquerading as anti-virus apps but also others too.
Smartphones are like pc's now. What you can do with your computer your smartphone does it for you on the go. You have so many apps you browse over the net even if you are using the wireless one from home say for example anything can come through..Say if you are downloading a rom or a leak you never know what might be in them...As the OP and Jonny said above.."always be safe than sorry" that is how i see things
http://androidship.com/2011/05/29/the-android-anti-virus-epidemic/
Read that.
If you plan on downloading apps without looking at who makes them or looking at any reviews, then yes, there's a chance you can get an app that causes issues.
And that applies for ALL os's. How many apple laptop/desktop users run an antivirus? Android is built on the same type of platform, unix.
That doesn't mean an 'antivirus' app will do anything special. It uninstalls apps the same way you do under manage applications.
Sent from my páhhōniē
I all true sense you need to have read the permission that the applications needs when you install a app. If your are lazy enough to not do that have application like LBE security installed to monitor what each applications is up to ... i believe rather then a antivirus a good app fire wall is needed.
You probably don't need one, just as any power Windows user doesn't. That said you'd be crazy to not have one in Windows. Difference being a desktop has a tremendous amount of resources and allocating some to an antivirus program is no big deal. Not so on a phone. Plus there's the consideration of battery impact.
In a nutshell I'd say you'd be just fine without one.
I feel much the same way about antiviruses on Android as I do about hand-holding paid antivirus programs on Windows. If you know what you're doing, you don't need them at all. On the other hand, if you're going to download hundreds of dodgy applications at random and pay no attention to reviews/permissions/odd behaviour, then more fool you, get an antivirus app.
LBE privacy guard is a different story, since it performs a rather different function, and allows you to enjoy apps like Facebook without giving them access to the likes of text messages and phone ID.
You guys know Samsung have their own lightweight security suite in Samsung apps, yeah?
Sent from my GT-I9100 using xda premium
ithehappy said:
Well you should've created this thread without the 'Do' and '?'. Everyone is entitled to his/her own opinion. You didn't like my post IGNORE it, don't quote me and advice me what I need to do. A '?' thread should only be created where everyone can share his/her opinion and then it's up to the Thread starter what he/she will take from all the answers.
Anyway, keep using what you are using.
@jonny68- Have you seen such a thread like that in this 8 + months?
This is what Chris Dibona, Google's Open Source Program Manager said,
Source:
http://tech2.in.com/news/android/go...-antivirus-apps-in-android-marketplace/260952
Sorry I had to BOLD the line for you guys, it's a shame to modify some other comments.
Another thing, if someone even said that Antiviruses are needed for Android I would never use it.
The story is exactly the opposite when I use my Desktop PC fyi.
Regards.
Click to expand...
Click to collapse
I totally agree, like task killers and power managers, useless...
I hate the kind of pseudo-logic that is thrown around in these discussions, which paraphrase to look something like this...
LogicLord221 said:
<insert random bull**** about why their point is valid> there's a million million trojans out there and platform x is so insecure, I read this and this which says we're all in danger!
Click to expand...
Click to collapse
Basically, the point people are trying to make is that danger lurks everywhere, and you need to protect yourself, or you'll be sorry later. Scare tactics at best.
While I am an advocate for protection by prevention, that doesn't automatically lead to the conclusion that you need antivirus software for your device! It's that kind of bull**** logic that annoys the **** out of me. To quote the Oxford English Dictionary:
"Prevention"
Pronunciation: /prɪˈvɛnʃn/
noun
[mass noun]
The action of stopping something from happening or arising.
Phrases:
Prevention is better than cure.
Click to expand...
Click to collapse
Do you see the problem here? It doesn't say "The action of installing an antivirus", it says to stop something from happening. There are many ways to go about preventing infection of your device:
1) Check what you're downloading comes from either a) a reputable source, b) is backed by a reputable source, or c) is backed by numerous (>50-100) positive comments, reviews, etc. This means, don't download that app that has a bunch of one-star reviews, and has people screaming "TROJAN!" in the comments field.
2) Stick to the Market. While it's true that a lot of the infected content will indeed come from the Market itself, Google do a good job of removing offending apps, so compared to other sources of content (e.g. just downloading the APK from a server), it's a lot safer.
3) Don't pirate ****. This is probably the number-one source of malware on Android. Don't be a cheap dumbass.
4) Stay away from 'questionable' material. This includes, but isn't limited to:
- porn
- pirated content
- file sharing sites
5) Have some common sense! I can't stress this one enough, you can have the most advanced piece of software in the world, but if you're acting like a reckless child, you don't deserve to use the device, and you're bound to find yourself neck-deep in malware. Apart from the above, take some active steps to secure yourself. Change your browser settings to run Flash content on-demand instead of automatically, (if possible) set it to have you manually accept cookies, etc. Perhaps the best use of common sense would be in checking the permissions you allow an app access to when it's installed. Look, if an app that is designed to parse a line of text is requesting full internet access, access to SMS capabilities, etc., it'd be best to leave it alone, don't you think? Moreover, if something's requesting superuser permissions, it'd better have a damn good reason why. Read the permissions, and understand what you're allowing.
...because in the end, that's the hard truth -you're the one allowing access.
If you follow these simple steps, you'll protect yourself from 99% of malware. If you're worried about that 1%, don't be. Android malware hasn't progressed to the point where it's a major threat yet, so even if something does get through, it'll more than likely be nothing too major, and you'll figure out something's up pretty quick anyway. This may not be the case in say 12 months, but for now, it's fine.
If you're really paranoid, keep an app on standby, and run a scan every week or two, but disable any background process it has, it's more of a waste of time anyway. On a final note, keep in mind that it's been shown multiple times that Android antivirus software is, to be blunt, rubbish at detecting even the most common pieces of malware.
Remember, prevention is better than a cure
Im using kasperky mobile security cause i got a 1 year licence from a magazine.. But i never got an alarm until now (1,5 months), so i think atm its not necessary to use it .. Perhaps in some months when there are more viruses out in the web^^
Sent from my GT-I9100 using Tapatalk
screamworks said:
3) Don't pirate ****. This is probably the number-one source of malware on Android. Don't be a cheap dumbass.
Click to expand...
Click to collapse
Most Android apps are of such low quality they don't deserve to be purchased.
Sent from my SGH-I897
Although there is no (yet) statistics showing the real number to how bad the piracy on Android is, there are reports saying more than 90% of installs on Android were not paid for (Google). There have been lots and lotsa blows exchange between developers and hackers (and for gods sake this is never gonna end). Anti-piracy solutions are being discussed here and there, all the discussions are (eventually) pointing towards server authentication as the only way to counter piracy effectively.
As a developer, I am not excused from all this hack-and-anti-hack things. And (obviously) I have no better solution than anyone else. Here, I am gonna share a small library that I have coded to help scan for pirate apps on the device. This library is really simple, what it does is to grab a list (I called it pirate-app-list) from the internet and scan it through the device to determine whether an offended app is installed on the device.
This project is actually a product from the 1st suggestion in this XDA thread. In the thread, it recommends to search for the pirate apps and force the user to uninstall it. I implemented the former part of the suggestion, while leaving the latter to the developers to decide. The only difference that I have made is to put this static list on the internet instead of hard-coding it to save us the trouble of updating the app for the purpose of updating the list.
This project is by no means a solution to anti-hacking. Rather, its a hope that developers can work together to make sure users stay away from those apps (by forcing/reminding them to uninstall it). I believe those apps will not survive if it does not gain enough active users? Or maybe it does..
This project is open-sourced on GitHub together with the pirate-app-list. Feel free to check it out.
Currently, only "Lucky Patcher" and "Freedom" are listed on the pirate-app-list (with filters). Anybody interested in the project are free to join so we can work on the list and more importantly, the definition of what a pirate app is.
Your feedback is very much appreciated.
Thank you.
reserved
reserved
Lucky patcher is also used for functions that do not concern piracy, such as running two versions of the same app... I think that you can't force or continuosly remind a user to uninstall an app that he needs.
Edit: Also, I think that most of the piracy is based on pirated apk, not apps like LP or Freedom, which only act for IAP. The solution to prevent IAP piracy is server validation, but for pirated APK it's not.
Coraz said:
Lucky patcher is also used for functions that do not concern piracy, such as running two versions of the same app... I think that you can't force or continuosly remind a user to uninstall an app that he needs.
Edit: Also, I think that most of the piracy is based on pirated apk, not apps like LP or Freedom, which only act for IAP. The solution to prevent IAP piracy is server validation, but for pirated APK it's not.
Click to expand...
Click to collapse
Thank you for your reply.
Actually, as I have pointed out in the thread, this project implements only the scanner part, it doesn't act for the developers. Developers have to decide what they want to do with the detected piracy. Its really nice to be able to run 2 versions of the same app on 1 device, I believe ChelpuS should make another app with this feature, or without other features in Lucky Patcher.
I'm sorry, but if an app tells me to uninstall something - I'm uninstalling that app first
DANIEL TAN said:
Although there is no (yet) statistics showing the real number to how bad the piracy on Android is, there are reports saying more than 90% of installs on Android were not paid for (Google). There have been lots and lotsa blows exchange between developers and hackers (and for gods sake this is never gonna end). Anti-piracy solutions are being discussed here and there, all the discussions are (eventually) pointing towards server authentication as the only way to counter piracy effectively.
As a developer, I am not excused from all this hack-and-anti-hack things. And (obviously) I have no better solution than anyone else. Here, I am gonna share a small library that I have coded to help scan for pirate apps on the device. This library is really simple, what it does is to grab a list (I called it pirate-app-list) from the internet and scan it through the device to determine whether an offended app is installed on the device.
This project is actually a product from the 1st suggestion in this XDA thread. In the thread, it recommends to search for the pirate apps and force the user to uninstall it. I implemented the former part of the suggestion, while leaving the latter to the developers to decide. The only difference that I have made is to put this static list on the internet instead of hard-coding it to save us the trouble of updating the app for the purpose of updating the list.
This project is by no means a solution to anti-hacking. Rather, its a hope that developers can work together to make sure users stay away from those apps (by forcing/reminding them to uninstall it). I believe those apps will not survive if it does not gain enough active users? Or maybe it does..
This project is open-sourced on GitHub together with the pirate-app-list. Feel free to check it out.
Currently, only "Lucky Patcher" and "Freedom" are listed on the pirate-app-list (with filters). Anybody interested in the project are free to join so we can work on the list and more importantly, the definition of what a pirate app is.
Your feedback is very much appreciated.
Thank you.
Click to expand...
Click to collapse
Sorry to tell you. But XDA rule number 6 States that you are not allowed to talk about apps like Lucky Patcher and Freedom. I hope the moderators will ignore you for a noob.
Regards,
PoseidonKing
PoseidonKing said:
Sorry to tell you. But XDA rule number 6 States that you are not allowed to talk about apps like Lucky Patcher and Freedom. I hope the moderators will ignore you for a noob.
Regards,
PoseidonKing
Click to expand...
Click to collapse
You are misinformed. We allow threads such as these because they are educational and are about preventative purposes against those applications. I would suggest you actually read what the purpose of this thread is about before telling other users about what the XDA rules say, which incidentally is not your 'job' to do.