Major Security Hole in Google Wallet - Nexus S General

There are two major holes in Google Wallet's security. One that gives a person access to your pin by using a rooted app, and the other that gives a person the ability to change your pin.
http://thesmartphonechamp.com/security-flaw-found-in-google-wallet/
This one is the biggest security hole as it affects all users regardless of if they are rooted or not.
http://thesmartphonechamp.com/secon...le-wallet-rooted-or-not-no-one-is-safe-video/

I'm not worried in the slightest.. Android Central made a very good point.
> You'll need to have a phone with Google Wallet, AND have rooted your device, AND have not set a secure lock screen, AND then lose your phone. The person who finds it THEN can use the app the fellows at zvelo have made and since distributed to brute-force the PIN and THEN can use your phone to make payments, just like they could if they found your credit card, which likely would be quicker and easier than any of this.

adaimespechip said:
> I'm not worried in the slightest.. Android Central made a very good point.
That's true only for the method where you try to discover the person's pin. With the changing the pin method, all you need to do is lose your phone and it not have a pin lock on it. Look at the video in that link, it's pretty easy to change the pin in Google Wallet. You don't need root, you don't need any special apps or anything to do it. All they need is access to your phone. In other words if your phone is stolen and you don't have a password to keep someone from logging into it, they can very easily access your Google Wallet.

Yes, true. But you have to admit that anyone who uses their phone for confidential data (such as credit card info or payments) and who doesn't set a single security feature is kind of a silly person.

Android central updates:
> "The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
> We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."
Google are right.. If you don't want to be at risk, don't root your phone.

It's still a million times safer than NFC card.
Sent from my Nexus S using Tapatalk

Does anyone think it could be possible to develop a malicious app that requires root privileges (say a program that most rooted users would use like Root Explorer), and use it to send your Google Wallet info at the time your phone is making a purchase using Google Wallet? So instead of one purchase for $5 it would also add another. Google wants you to make in person and online purchases with Wallet, as it has replaced Google Checkout.

It's not Google's fault. It's the user's fault.
DON'T ROOT YOUR PHONE IF YOU WANT SECURITY!!!

First off anyone worried about security doesn't have their phone rooted. Google is storing the pin encrypted on the phone. Of course it is accessible if you have your phone rooted and of course a brute force attack will work. It's really a non-issue.

adaimespechip said:
> Android central updates:
> Google are right.. If you don't want to be at risk, don't root your phone.
kerry_xu_cs said:
> It's not Google's fault. It's the user's fault.
> DON'T ROOT YOUR PHONE IF YOU WANT SECURITY!!!
bozzykid said:
> First off anyone worried about security doesn't have their phone rooted. Google is storing the pin encrypted on the phone. Of course it is accessible if you have your phone rooted and of course a brute force attack will work. It's really a non-issue.
You guys are all thinking only of the brute force method that requires root. But the other method, where you just simply clear Google Wallet's storage, allows you to change the pin without having ever known the pin in the first place. The method used in that video doesn't require any sort of system level access at all. In other words it doesn't matter if you're rooted or not, that method will still gain access to your Google Wallet.

canca14 said:
> You guys are all thinking only of the brute force method that requires root. But the other method, where you just simply clear Google Wallet's storage, allows you to change the pin without having ever known the pin in the first place. The method used in that video doesn't require any sort of system level access at all. In other words it doesn't matter if you're rooted or not, that method will still gain access to your Google Wallet.
Again, someone has to break the lock on your phone and steal your phone. If someone steals my computer, they can probably get many of my passwords. It is as much a security concern as any personal device.

bozzykid said:
> Again, someone has to break the lock on your phone and steal your phone. If someone steals my computer, they can probably get many of my passwords. It is as much a security concern as any personal device.
Right but I was responding to the people who stated this only affects rooted phones. What I am saying to those people is that there are two methods listed on the link I provided. The second method doesn't require root and affects 100% of all Google Wallet users. Of course pin locking your device would add a level of security that would provide a barrier for someone to cross before they can compromise your device.

canca14 said:
> That's true only for the method where you try to discover the person's pin. With the changing the pin method, all you need to do is lose your phone and it not have a pin lock on it. Look at the video in that link, it's pretty easy to change the pin in Google Wallet. You don't need root, you don't need any special apps or anything to do it. All they need is access to your phone. In other words if your phone is stolen and you don't have a password to keep someone from logging into it, they can very easily access your Google Wallet.
If you lose your wallet it is easier for a thief to use your credit cards than to try and change your pin on Google Wallet if you lose your phone.
Sent from my Nexus S 4G using xda premium

Also since Google Wallet supports so few credit card companies, about the most a thief could do is use your prepaid card. You can't add money to the prepaid card without the CV2 code anyways.

First of all, if I lose my phone, I'm wiping the freaking data.
Second of all, I have like $10 on Google Wallet. If they steal my phone and use the $10, I'm gonna be more pissed about the phone being stolen than them buying lunch.
This is just stupid.

bozzykid said:
> Also since Google Wallet supports so few credit card companies, about the most a thief could do is use your prepaid card. You can't add money to the prepaid card without the CV2 code anyways.
All the more reason why this flaw is more potentially damaging. Most people who use Google Wallet are going to be using the Google pre-paid card, meaning whatever funds are in the account are going to be compromised.
derekwilkinson said:
> First of all, if I lose my phone, I'm wiping the freaking data.
> Second of all, I have like $10 on Google Wallet. If they steal my phone and use the $10, I'm gonna be more pissed about the phone being stolen than them buying lunch.
> This is just stupid.
How much you keep in the account doesn't matter. The bottom line is they have a gaping hole in their security. The level of inconvenience for you doesn't change that this is a major hole they need to fix ASAP. Google stated that they are working on getting more cards to work with Google Wallet. I for one would not want to link my bank card knowing that a person who steals my phone would have full unfettered access to my account.

canca14 said:
> All the more reason why this flaw is more potentially damaging. Most people who use Google Wallet are going to be using the Google pre-paid card, meaning whatever funds are in the account are going to be compromised.
How is it more damaging? I'm pretty sure the limit on credit cards is much higher than what is in an average Google Wallet prepaid card. I doubt people keep much money on prepaid cards since it can only be used with your phone.
---------- Post added at 01:21 PM ---------- Previous post was at 01:20 PM ----------
canca14 said:
> How much you keep in the account doesn't matter. The bottom line is they have a gaping hole in their security. The level of inconvenience for you doesn't change that this is a major hole they need to fix ASAP. Google stated that they are working on getting more cards to work with Google Wallet. I for one would not want to link my bank card knowing that a person who steals my phone would have full unfettered access to my account.
At most, they could add a way to disable cards from the Google Wallet web site. I don't see them adding any major new security measures in the app itself.

canca14 said:
> How much you keep in the account doesn't matter. The bottom line is they have a gaping hole in their security. The level of inconvenience for you doesn't change that this is a major hole they need to fix ASAP. Google stated that they are working on getting more cards to work with Google Wallet. I for one would not want to link my bank card knowing that a person who steals my phone would have full unfettered access to my account.
Lol, are you serious dude? You completely ignored me saying I'd wipe my data. And it isn't a "gaping hole in the security". Do you know how few people actually root their phones??? It's a small number.
Secondly, what if someone steals your wallet? It falling out of your pocket or being pick-pocketed is a major security hole. Wallet makers need to add a lock to the wallet.
Stop being so damn paranoid.

bozzykid said:
> How is it more damaging? I'm pretty sure the limit on credit cards is much higher than what is in an average Google Wallet prepaid card. I doubt people keep much money on prepaid cards since it can only be used with your phone.
The point isn't how much money people have in it. The point is that anything in your account is at risk regardless of if you keep a large amount in it or not. A hole is a hole and this one needs to be plugged regardless of how much you keep in the account.

derekwilkinson said:
> Lol, are you serious dude? You completely ignored me saying I'd wipe my data. And it isn't a "gaping hole in the security". Do you know how few people actually root their phones??? It's a small number.
> Secondly, what if someone steals your wallet? It falling out of your pocket or being pick-pocketed is a major security hole. Wallet makers need to add a lock to the wallet.
> Stop being so damn paranoid.
You obviously didn't read the link I provided. Having root has no bearing on someone being able to access your Google Wallet account. BTW if they access your Google Wallet they could easily turn the radio on the phone off and you wouldn't be able to wipe it, but they could still use Google Wallet since it doesn't use data to make purchases.

Related

Someone jacked my Sprint account

Just a heads up, somehow someone compromised my account, and was able to deactivate my phone, and activate their own EVO on my account, change plans, and change all the security info, PIN security question, and security email. A bit of a wakeup call, running rooted phones, installing apps that give themselves unfettered access...
Yes, "it's your own damn fault", but whatever, just keep your eyes constantly peeled, and make sure your Sprint "myaccount" settings are secure...
What ROM were you using? Any idea what apps you had installed that might have been compromising your data?
Take some screenshots of all your installed apps. Couldn't hurt.
This is more of a Sprint thing. They have a problem with internal fraud
Was using CM6 at the time. According to the rep I spoke with (that actually helped me, the first guy was a turd), they had been calling in between the 28th and 30th, on the 30th they were able to remove my device and add theirs.
I don't think it was any of the apps I have installed. I'm thinking it was either an inside job, or someone else (i.e., haxor) on Sprint's nodes during the last week sniffing packets. Reason I think that is that they seemed to have compromised the security by way of changing the e-mail address that security updates go to. I don't know, it's just a crappy feeling overall. Kind of like when I was mugged many years ago...
hondoslack said:
> Was using CM6 at the time. According to the rep I spoke with (that actually helped me, the first guy was a turd), they had been calling in between the 28th and 30th, on the 30th they were able to remove my device and add theirs.
> I don't think it was any of the apps I have installed. I'm thinking it was either an inside job, or someone else (i.e., haxor) on Sprint's nodes during the last week sniffing packets. Reason I think that is that they seemed to have compromised the security by way of changing the e-mail address that security updates go to. I don't know, it's just a crappy feeling overall. Kind of like when I was mugged many years ago...
Sprint should just clone that account, deactivate it, ban the new ESN.
I fail to see the benefit of account jacking (especially after account owner's phone gets deactivated)
jerryparid said:
> Sprint should just clone that account, deactivate it, ban the new ESN.
> I fail to see the benefit of account jacking (especially after account owner's phone gets deactivated)
I like what happens (and it rarely happens, I've heard stories of things that have happened way back, which are always good for a chuckle) where I work when someone does something illegal, or commits crimes using sensitive information at work. The US Marshals come, drag them out in handcuffs for everyone to see and then they get their room and board on the US Government for the next few years.
Every phone is legally required to have GPS that is available at all times and it sounds like they are committing identity theft. Have the police, or if they are in a different state possibly FBI, go get them.
This was an inside job and has nothing to do with your ROM or the fact that you rooted your phone. Threads like this could easily scare people away from rooting for no good reason.
I think you might have given someone your info!!
dallashigh said:
> This was an inside job and has nothing to do with your ROM or the fact that you rooted your phone. Threads like this could easily scare people away from rooting for no good reason.
This may not have had anything to do with his phone being rooted but it is possible that could have had something to do with it too. When you root your phone you are effectively bypassing just about every single security feature put on there.
You are lying to yourself if you think rooting your phone doesn't make your information much easier to steal.
jahnile said:
> This is a strange story, def.ly a wake up call.
> http://WWW.rootznculture.com
NVM wrong thread
xHausx said:
> This may not have had anything to do with his phone being rooted but it is possible that could have had something to do with it too. When you root your phone you are effectively bypassing just about every single security feature put on there.
> You are lying to yourself if you think rooting your phone doesn't make your information much easier to steal.
That is patently false. If you install a custom ROM then you are trusting the ROM developer not to put anything sneaky in there. Considering CM6 is open-source and used by thousands of people, it's unlikely to be the ROM's fault.
An app with root can do just about anything. That is why the Superuser app is there to make sure only apps that need it can get root access.
Installing apps from non-Market sources is much riskier than rooting your phone. Installing an SSH daemon would make it possible to access your system remotely. That would also be a security risk.
Enabling USB debugging will make it easier for someone with physical access to your device to access your information. That much is true.
There is absolutely nothing about the act of rooting that puts your information in jeopardy.
dallashigh said:
> That is patently false. If you install a custom ROM then you are trusting the ROM developer not to put anything sneaky in there. Considering CM6 is open-source and used by thousands of people, it's unlikely to be the ROM's fault.
> An app with root can do just about anything. That is why the Superuser app is there to make sure only apps that need it can get root access.
> Installing apps from non-Market sources is much riskier than rooting your phone. Installing an SSH daemon would make it possible to access your system remotely. That would also be a security risk.
> Enabling USB debugging will make it easier for someone with physical access to your device to access your information. That much is true.
> There is absolutely nothing about the act of rooting that puts your information in jeopardy.
You say any app with root can do just about anything, you just confirmed what I said. If whatever terminal app you are using can give you root (superuser) access without a password then any app can do it.
An SSH shell is for communicating over a network, it has nothing to do with root access.
If you read recently at defcon someone showed a market app that could root your phone without your permission and take some private info. So without root you're screwed too. So you can probably blame an app before root. Also all data is encrypted so I doubt it was a packet sniffer.
This is a Sprint issue. I've seen and heard of it happening way too many times for me to assume that it's Android related even in the slightest bit.
I don't really think it's fair to lump rooting and basic modification in with account theft. There are always multiple sides to any story.
dallashigh said:
> That is patently false. If you install a custom ROM then you are trusting the ROM developer not to put anything sneaky in there. Considering CM6 is open-source and used by thousands of people, it's unlikely to be the ROM's fault.
> An app with root can do just about anything. That is why the Superuser app is there to make sure only apps that need it can get root access.
> Installing apps from non-Market sources is much riskier than rooting your phone. Installing an SSH daemon would make it possible to access your system remotely. That would also be a security risk.
> Enabling USB debugging will make it easier for someone with physical access to your device to access your information. That much is true.
> There is absolutely nothing about the act of rooting that puts your information in jeopardy.
Then what is this article referring to? http://phandroid.com/2010/07/31/hackers-release-data-stealing-program-to-push-google-to-plug-holes-at-security-conference/
xHausx said:
> You say any app with root can do just about anything, you just confirmed what I said. If whatever terminal app you are using can give you root (superuser) access without a password then any app can do it.
Sure you don't have to enter a password, but the first time the app runs, you DO have to confirm that you want to give it root access. And again that would be the APP that is malicious and not the mere fact that your phone is rooted.
xHausx said:
> An SSH shell is for communicating over a network, it has nothing to do with root access.
I know what SSH is. I'm not an idiot. An SSH server is something that would actually put your device at risk of being remotely accessed without your knowledge or permission.
redrazr7791 said:
> Then what is this article referring to? http://phandroid.com/2010/07/31/hackers-release-data-stealing-program-to-push-google-to-plug-holes-at-security-conference/
They distributed a trojan that installed malware at the same time it rooted your phone.

Exchange Server - Security policy

I'm finding a lot of threads about changing from pin/password to pattern unlock, but not having any luck in completely disabling the security feature BS...
Is it possible to completely eliminate the password lock required by my exchange server? I have tried lockpicker and no lock, neither of which worked.
I would like to keep syncing but am not going to deal with this unlocking all the time (they JUST started enforcing it)...any help would be appreciated.
BTW, running Calkulin's EViO 2 v 1.7 (sense, so HTC mail)
Nope, this is tightly integrated down to the OS in order to pass MS requirements, and it reports the control level back to exchange so it can make sure it's in compliance with their mobile device policy.
In theory you can make an app that proxies the API and lies about what the phone can do ... but it won't be done with a simple APK/market app ... its integration goes much deeper.
Honestly your best bet: this is clearly a new policy. Complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
Option 2: if you have a buddy on the exchange team he can put you on the same policy he undoubtedly created for himself and his team, that's 10x as lenient so he can mess with his little pet projects he plays with on the side.
Justin.G11 said:
> Nope, this is tightly integrated down to the OS in order to pass MS requirements, and it reports the control level back to exchange so it can make sure it's in compliance with their mobile device policy.
> In theory you can make an app that proxies the API and lies about what the phone can do ... but it won't be done with a simple APK/market app ... its integration goes much deeper.
> Honestly your best bet: this is clearly a new policy. Complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
> Option 2: if you have a buddy on the exchange team he can put you on the same policy he undoubtedly created for himself and his team, that's 10x as lenient so he can mess with his little pet projects he plays with on the side.
Thanks...I figured it wouldn't be that easy but I had to ask.
Justin.G11 said:
> Honestly your best bet: this is clearly a new policy. Complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
I get complaints all the time about policies. 99.999% of the time, the policies are created/approved by steering committees, the legal department or executive management. There is usually nothing IT can do about it as the policies are put into place for legal reasons or company security.
Additionally, if IT departments are not compliant in company policies there could be legal ramifications if the company has to comply with certain government guidelines.
And IT staff don't hate dealing with people...it sounds like your work environment is not like others.
Check out this thread to see if it does what you are looking for.
http://forum.xda-developers.com/showthread.php?t=775007
They modified the actual email.apk app to remove the security requirement that was hardcoded in it.
It was taken from CM7 which is AOSP, so I cannot say whether or not it will work on sense.
EDIT: After searching some more, droidforums has a modified email.apk file that you can install, that you use instead of the HTC mail, which tricks your exchange server into thinking that you have your security enabled.
http://www.droidforums.net/forum/dr...onal-froyo-bypass-exchange-server-policy.html
Just download the zip, and extract the apk from it, then place the apk on your SDCard and install it just like a regular app.
Khilbron said:
> Check out this thread to see if it does what you are looking for.
> http://forum.xda-developers.com/showthread.php?t=775007
> They modified the actual email.apk app to remove the security requirement that was hardcoded in it.
> It was taken from CM7 which is AOSP, so I cannot say whether or not it will work on sense.
> EDIT: After searching some more, droidforums has a modified email.apk file that you can install, that you use instead of the HTC mail, which tricks your exchange server into thinking that you have your security enabled.
> http://www.droidforums.net/forum/dr...onal-froyo-bypass-exchange-server-policy.html
> Just download the zip, and extract the apk from it, then place the apk on your SDCard and install it just like a regular app.
Will look into that. Thank you very much!
I ended up using the modified email.apk from CM7...works like a charm!!! The Droid forums version kept coming up with security errors. THANKS AGAIN Khilbron!!!
awenthol said:
> I ended up using the modified email.apk from CM7...works like a charm!!! The Droid forums version kept coming up with security errors. THANKS AGAIN Khilbron!!!
Can you please post a link to the one you used?
Sent from my PC36100 using XDA App
Justin.G11 said:
> Nope, this is tightly integrated down to the OS in order to pass MS requirements, and it reports the control level back to exchange so it can make sure it's in compliance with their mobile device policy.
> In theory you can make an app that proxies the API and lies about what the phone can do ... but it won't be done with a simple APK/market app ... its integration goes much deeper.
> Honestly your best bet: this is clearly a new policy. Complain repeatedly to your IT staff. You're probably not the only one upset ... and noise will result in policy change ... because reality: IT staff hate dealing with people. They want to deal with servers.
> Option 2: if you have a buddy on the exchange team he can put you on the same policy he undoubtedly created for himself and his team, that's 10x as lenient so he can mess with his little pet projects he plays with on the side.
Yes..this reply really isn't correct. There have been some sqlite modifications that can be made or using the mail.apk from this link (http://forum.xda-developers.com/showthread.php?t=775007) works perfect, even with the new CM7-RC2
Bypassing Exchange security
I had this same issue with my work email. My way of bypassing it and still using the stock Mail app is by installing widgetlocker. Unfortunately the newest version does not bypass your encryption, but the older version before the most recent update does. Also it allows you to fully customize your lockscreen and add widgets and what have you. All in all pretty cool app.
widgetlocker.teslacoilsw.com/general/widgetlocker-1-2-9/
(unfortunately because I have never posted before I cannot post links so PM if the link does not work)
Amazing! So you guys have a device in your pocket that has complete access to your work mail server (something you don't own), and you apparently don't care if that falls into the wrong hands?
I don't want to get preachy but this is serious stuff:
1. Are you aware of the damage that can fall on an organization, its IP and reputation if a hacker/spammer has access to a mail account?
2. Your company's mail server is an asset of the company. Gaining access and leaving it unlocked is like borrowing something from work and leaving it on the street.
I understand that IT policies are annoying to the end user, but they are there for good reason.
Would you leave the company vehicle unlocked because it is annoying to get the key out? No.
Oh, and by the way, you can be held directly liable for damages for disabling/ hacking around policies. I have seen employees get fired for it.
Sent from my device.
ramiss said:
> Amazing! So you guys have a device in your pocket that has complete access to your work mail server (something you don't own), and you apparently don't care if that falls into the wrong hands?
> I don't want to get preachy but this is serious stuff:
> 1. Are you aware of the damage that can fall on an organization, its IP and reputation if a hacker/spammer has access to a mail account?
> 2. Your company's mail server is an asset of the company. Gaining access and leaving it unlocked is like borrowing something from work and leaving it on the street.
> I understand that IT policies are annoying to the end user, but they are there for good reason.
> Would you leave the company vehicle unlocked because it is annoying to get the key out? No.
> Oh, and by the way, you can be held directly liable for damages for disabling/ hacking around policies. I have seen employees get fired for it.
> Sent from my device.
The issue I have is with the idea that the company gets to dictate how my entire device functions. Your points are valid, but why not just require a password on the email app, not on the whole phone? Why do I have to consent to allowing them to order a full device wipe, instead of just a wipe of the company data?
bkrodgers said:
> The issue I have is with the idea that the company gets to dictate how my entire device functions. Your points are valid, but why not just require a password on the email app, not on the whole phone? Why do I have to consent to allowing them to order a full device wipe, instead of just a wipe of the company data?
Those are some good points and questions:
If you just locked the mail app then the app would need to encrypt/decrypt all data, which would make it MUCH slower. However, the main reason is that the app lock approach is much more hackable..one simple example would be to load a proxy on the phone to intercept communication before it could be encrypted.
The idea behind the device lock is that it happens on a deeper level and is the most secure answer.
The question about having a choice with your device is actually a simple one to answer...if you don't agree with the work policy then don't use your personal device for work email.
The other thing is that, besides not having a choice, the forced answer is beneficial for everyone....if I lose my device then I definitely don't want strangers crank calling my family or getting personal info. I have read about some horrible stories.
The real question is...If your phone is lost why would you NOT want it to be secure and erased asap??
Sent from my "locked" device.
ramiss said:
> Those are some good points and questions:
> If you just locked the mail app then the app would need to encrypt/decrypt all data, which would make it MUCH slower. However, the main reason is that the app lock approach is much more hackable..one simple example would be to load a proxy on the phone to intercept communication before it could be encrypted.
> The idea behind the device lock is that it happens on a deeper level and is the most secure answer.
Yes and no. There are approaches that are easier if you aren't securing the whole device, but that doesn't mean it can't still be hacked.
> The question about having a choice with your device is actually a simple one to answer...if you don't agree with the work policy then don't use your personal device for work email.
Overall I agree with that, although I think at a company that offers mobile email, there's a sort of "peer pressure" to use it. Not to say that's a good reason. I'd imagine that it'd be hard for a company to actually require you to use mobile email on your personal device -- if your job truly requires it, I'd think they'd have to provide you a device if you don't have a compatible device or aren't willing to use it that way. So yes, you're probably right that you have the choice. It doesn't mean that we can't complain though.
> The other thing is that, besides not having a choice, the forced answer is beneficial for everyone....if I lose my device then I definitely don't want strangers crank calling my family or getting personal info. I have read about some horrible stories.
> The real question is...If your phone is lost why would you NOT want it to be secure and erased asap??
If it's really lost forever, yes. But what if:
- The exchange admin sends the wipe command to the wrong phone. ("Hi, I'm John Smith and I've lost my phone.")
- The "wipe after X invalid passcode" policy is enabled. A friend or a kid picks up the phone and tries to play with it. Whoops.
- Something else goes wrong...bottom line is that the company should have no right to wipe anything other than their own data.
I understand the need for locking the device...I really do. But, if someone does happen to find my phone (knock on wood but HIGHLY, HIGHLY unlikely, as I've never even almost forgotten any phone, anywhere, ever) they aren't going to find ANYTHING of value in my emails. I'm pretty low on the totem pole.
If I had sensitive data on my phone...no questions asked, I would keep it p-word locked.
matt2053 said:
> Can you please post a link to the one you used?
> Sent from my PC36100 using XDA App
http://forum.xda-developers.com/showthread.php?t=775007
awenthol said:
> I understand the need for locking the device...I really do. But, if someone does happen to find my phone (knock on wood but HIGHLY, HIGHLY unlikely, as I've never even almost forgotten any phone, anywhere, ever) they aren't going to find ANYTHING of value in my emails. I'm pretty low on the totem pole.
> If I had sensitive data on my phone...no questions asked, I would keep it p-word locked.
Your Exchange Admin (or you depending on the version of Exchange you're using) has the ability to remotely wipe your device in the event it gets stolen/lost.
Could anyone give a brief possible explanation of why I can connect to my exchange server easily using Touchdown, but not using the Android integrated Exchange Account Sync?
Sent from my PC36100 using XDA App
Just found this thread as I've encountered the same issue on an HTC Sensation, just set up Exchange ActiveSync, and bam, have to set up the PIN lock on the phone.
However I've noticed that once you've done it, you can then go into Settings, Security and change the timeout before it locks up to 1 hour (I think that is dependent on your company setting). Mine was defaulting to every time the screen locked, but changing it to 1 hour I find I hardly ever have to unlock the phone now apart from first thing in the morning as I tend to use it regularly through the day.

[BOUNTY] Ultimate thief catcher $50

Forgive me if this is in the wrong place.
As stated in the title, I'm willing to offer a $50 bounty to anyone who can create this app for me, the perfect thief catcher app. Here's how it works:
The app runs in the background constantly (possibly as a service to avoid task killers), so it must be as minimal as possible. Upon receipt of a specifically worded text message, the app will trigger the GPS and wait 5-10 minutes for full lock. After this time has passed, the app will text the GPS coordinates to a preconfigured email address and then disable the GPS.
Optional function: Activate the front facing cam (silently and invisibly if possible), take a picture, and attach to said text message to be sent to preconfigured email address.
The main focus of this app is to accurately capture the location of the device while being light on battery, so that optimal capture can take place in the event the device is stolen.
If something like this already exists, please let me know so that I can donate to that developer.
Specifics: I have an Evo with CM7, if it matters in coding the app at all.
Lookout has lost phone features similar to what you are asking for. I have Lookout on my phone, uses almost no battery.
They also have an app called Plan B that you can install after the phone is lost to get a GPS location on it.
Both are free.
I don't expect the bounty, but feel free to buy me a sandwich for helping.
Lookout causes too many problems from what I've seen. I'll check out the Plan B app.
Bounty is still up.
I'm not the "fastest" coder in the world, but I would hazard a guess of minimum 20 hours for development, testing, etc.
Great app idea but I'm not writing code for $2.50 an hour ...just sayn'
And Android OS prevents someone from NOT being able to stop a Service.
Try apps "Where's My Droid" or GPS Tracker. Both have remote activation capabilities.
________________________________
http://ron-droid.blogspot.com
rigman said:
> Try apps "Where's My Droid" or GPS Tracker. Both have remote activation capabilities.
> ________________________________
> http://ron-droid.blogspot.com
Did you read the entire OP? I realize WMD has a few of the features that I listed, but I want ALL of the features working like I stated.
I'm no coder, but I could quite easily make a Tasker profile to do this.
Sunsparc said:
> Did you read the entire OP? I realize WMD has a few of the features that I listed, but I want ALL of the features working like I stated.
Yes I read the entire op and wasn't very impressed. Texting coordinates wouldn't be very reliable way to catch someone. There's a very good chance the person could be driving at the moment you send your activation text.
Same for turning on the camera. Highly unlikely they'd have the camera pointed at their face or anything recognizable. Or even if they did, probably couldn't make out much without the flash.
Just my opinion. But I'd much rather have an app that gave me continuous GPS coordinates, as do the apps I suggested.
________________________________
http://ron-droid.blogspot.com
Look up Prey. It runs as a background service and has a lot of cool stuff. Google it, they have a whole web interface and everything, you can use the same service on your laptop under the same account. I think it would suit your needs.
Sent from my MIUI SCH-i500
The best lost/stolen app imo is Theft Aware. From the app's website:
> Theft Aware runs (and this is worldwide UNIQUE) completely invisible in the background. That's right! Theft Aware is COMPLETELY INVISIBLE. You'll be able to remotely control your phone by SMS at any time. Theft Aware will reply to your commands by SMS as well. The sent or received SMS leave no trace on the mobile phone, no signal will alert the thief - who will feel safe!
> Sure, as soon as the thief changes the SIM card of the phone, the phone number of it will change. NO PROBLEM. Theft Aware will detect the change and will inform your buddy automatically about the new phone number by SMS.
Best thing to do with lost or stolen phone?
-Call provider and they'll kill the phone.
-Buy new phone
Edit: Mainly a reply to an edited out part of a post but still applicable so I'll leave what I wrote
At 9.99 EUR, Theft Aware is far from free but I understand your point. It's good to watch for security and privacy issues. I would only caution that one could easily miss out on good/helpful apps if generalizations are made based on one bad app(le) or the possibility of one. But really this is what Android is all about...individual choice. To each their own.
I've been using Prey for a while now and I'm very happy with it.
All the current apps are dependent on your SIM card remaining in the phone so you can text it. So in the reality of your phone being stolen they will be useless.
Sent from my Nexus One using XDA App
nutsnut said:
> All the current apps are dependent on your SIM card remaining in the phone so you can text it. So in the reality of your phone being stolen they will be useless.
Since you must not have read my first post...
> If a thief changes the SIM card, Theft Aware will proactively send you the location and the new phone number of the thief to predefined friends of yours. Once you got the new number, you will again be able to locate your phone at any time.
So even if the SIM card is changed, the app will inform you of the phone number associated with that new card by messaging both of the numbers you assigned when you set it up. Once you have that, you can message commands invisibly to that new number to control Theft Aware as well as now knowing the thief's phone number to hand over to police, your carrier, or to figure out the owner of that number on your own.
nutsnut said:
> All the current apps are dependent on your SIM card remaining in the phone so you can text it. So in the reality of your phone being stolen they will be useless.
> Sent from my Nexus One using XDA App
I think you mean if you have a GSM phone... I have a CDMA, so I really don't need to worry about it. However, if I ever stole someone's phone, the first thing I would do is take out the battery and let it sit on the shelf for a month or two until the previous owner has given up. And trust me, you will if it happens to you. It happened to me.
Sent from my HERO200 using XDA Premium App
Theft Aware
Theft Aware isn't SIM card dependent. If the SIM gets changed, an SMS is sent to up to two notification numbers you define on installing Theft Aware.
It meets all requirements you specify (except that the location is sent via SMS, not email).
But that will soon be available via a web interface where you can control your device.
I don't need the bounty either - try Theft Aware and buy a license. That's enough compensation as my company sells Theft Aware.
Check out "watch droid"......
Every beginning thief knows that if you steal a smartphone, the first thing you do is take the battery and SIM card out of the body. The second thing is looking for hard reset instructions.
It should be something deeper than OS level.
Khisha said:
> Every beginning thief knows that if you steal a smartphone, the first thing you do is take the battery and SIM card out of the body. The second thing is looking for hard reset instructions.
> It should be something deeper than OS level.
It's been said a couple times that Theft Aware can detect a SIM card change and inform you of the new number so you can continue to control it through text messages. It will also survive a factory reset if you have rooted your phone and installed it appropriately. It won't survive a full data wipe like you would do when flashing a new ROM through recovery, but nothing can...that's the point of a full wipe. If you are waiting for or expecting something to come out that will persist through a full wipe, then you will never be satisfied.

[Q] Possible to lock phone in case of theft?

My Galaxy 1 was stolen from me in Feb, after that I went through a lent S3 and am now the proud owner of an S4 (i9500).
So I have two questions on this:
1) Is there an equivalent for what a BIOS password is in a PC?
(have to short something in hardware to bypass; only asked upon power-up/hard reboot).
2) Is it technically possible for an app to lock on custom SIM? (possibly modifying efs folder)
Thanks!
Abrojo said:
> My Galaxy 1 was stolen from me in Feb, after that I went through a lent S3 and am now the proud owner of an S4 (i9500).
> So I have two questions on this:
> 1) Is there an equivalent for what a BIOS password is in a PC?
> (have to short something in hardware to bypass; only asked upon power-up/hard reboot).
> 2) Is it technically possible for an app to lock on custom SIM? (possibly modifying efs folder)
> Thanks!
http://bit.ly/174zPh6
LeJolly said:
> http://bit.ly/174zPh6
Thank you for patronizing me but that didn't answer my question, already been through pages of results when my previous Galaxy was stolen (even tried locking from Google Play). None of the apps listed on a Google search for locking and tracking do what I ask.
Centralized cloud-based locking doesn't work (a blacklisted IMEI can get reinstated fairly easily), neither does the standard operating-system-level password.
That's why I am asking for specific alternative ways of locking the phone that should be (if possible) more tamper resistant.
1) BIOS-equivalent password (requiring hardware shorting to bypass)
2) custom simlock
I use avast! free mobile security (https://play.google.com/store/apps/details?id=com.avast.android.mobilesecurity&hl=en),
the anti-theft module has an option to block the phone if the SIM card is changed
LeJolly said:
> http://bit.ly/174zPh6
What a woeful answer. Try reading before you be a ****.
In answer, no there is nothing similar to a BIOS lock on Android phones, however like mist813 said, Avast is quite good. If you have root access you can install it as a system apk then even if the thief wipes your phone, it's still there.
You could also try Lookout, it's free. Can do tracking, remote wipe and also takes a photo of anyone trying to unlock your phone.
I don't think there is anything that can prevent someone from just flashing a new firmware and wiping the phone completely.
Sent from my Nexus 10 using Tapatalk 2
I don't think there is an equivalent to BIOS lock in Android. I'm not sure if you tried Lookout or the native Samsung remote control under security settings. Both give you the options to locate, lock, scream or wipe your data. I tried the locate and scream options and they work. Never tried lock or wipe, but they should also work! Now going to the fact of whether someone can bypass or overcome these security measures, then I personally think it's possible and whatever we do he can find a way to go around it depending on how smart and resourceful he is! If my phone is stolen, frankly speaking I won't waste my time trying to find it or just lock it. All I'll care about is to wipe the data off, and hopefully this software will work if needed!
Sent from my SGS IV using Tapatalk 2
Abrojo said:
> Thank you for patronizing me but that didn't answer my question, already been through pages of results when my previous Galaxy was stolen (even tried locking from Google Play). None of the apps listed on a Google search for locking and tracking do what I ask.
> Centralized cloud-based locking doesn't work (a blacklisted IMEI can get reinstated fairly easily), neither does the standard operating-system-level password.
> That's why I am asking for specific alternative ways of locking the phone that should be (if possible) more tamper resistant.
> 1) BIOS-equivalent password (requiring hardware shorting to bypass)
> 2) custom simlock
Okay, let's not be a **** this time.
1) There's nothing equivalent to that BIOS thing
2) http://stackoverflow.com/questions/...-the-device-on-removal-of-sim-card-or-sd-card
There are also apps that just notify you if sim card is changed for example this https://play.google.com/store/apps/details?id=instigate.simCardChangeNotifier&hl=fi
And of course there are some apps that let you remotely control your phone for example http://forum.xda-developers.com/showthread.php?p=7567932
Abrojo,
You don't really need a third-party app for this.
Please check out the Samsung Dive service. (www.samsungdive.com)
You can track your phone, lock it with a custom password, sound an alarm, etc...
The problem is, the phone needs to have Internet access.
I am using the Cerberus app (https://play.google.com/store/apps/details?id=com.lsdroid.cerberus&hl=en)
This is the best rated Anti-theft app you can find for your Android.
a license costs 3USD if I remember correctly. With one license you can secure up to five Android phones.
Features:
- Track your phone
- Remote lock
- Remote wipe
- And a lot more options...
A couple of things that I think are extremely useful:
When a wrong password or pattern is drawn to unlock your phone, a picture is taken with the front camera and emailed to you together with the location of the phone.
When the SIM is swapped, you can configure up to three phone numbers that will receive an SMS with the new SIM card number and the location of the phone.
You can hide the app from the App Drawer.
Check it out... very useful
I have also used the Cerberus app for 4 years now. Everything is perfect. When you install it as a system app you can do everything.
Sent from my ThL W8 using xda premium
Apparently there are also rumors of LoJack already being built into these phones, with the possibility to activate it some time in the near future. Don't remember all the details, but I just read an article about that. Not being patronizing when I say it, but Google Galaxy S4 LoJack and look into it.
Also, I am on Verizon, and am testing out their mobile security app that is preinstalled. It's $1 a month, but they allow you to remotely lock your phone, wipe it, and track it should you lose it. I don't believe it's embedded at the hardware level, but it is something that gives me a little peace of mind.
Edit: I went to switch to the Norton Mobile Security app, since I use it for all of my other devices, and discovered that the Verizon Mobile Security App - once activated - cannot be uninstalled or force stopped, you cannot clear the data, and you cannot disable it. In order to do so, I first have to go into my Verizon account online, sign in, and unsubscribe from the service. After realizing that, I have chosen to keep the Verizon security app, because it has that extra layer of security. Are there ways of bypassing that? I'm sure there are. But assuming that my phone is stolen by some low level thief and not some crazy high level criminal circuit, I should have no problem retrieving it.
Samsung Dive down?
I can't seem to have this page load up www.samsungdive.com
Is it down for you too?
Sm007hCriminal said:
> I can't seem to have this page load up www.samsungdive.com
> Is it down for you too?
It's working with me.
Sent from my SGS IV using Tapatalk 2

Securing Moto G4 for my son.

I just purchased the Amazon Moto G4 edition for my son who is 8yrs old, and I understand he's a little young for a phone. However, a few of his buddies have phones and I thought it was a great way to help him read and type better through texting. I'm also not planning on paying for Cell service but rather use Wifi for SMS and Calls through hangout. And maybe get him freedom pop for in an emergency.
Now, with that said I created a Gmail account that I control (my password, my recovery email/phone #, etc.) and then used this to set up the Play store. I set up all the restrictions in the Play store to what I believe is appropriate and of course I locked it by setting up my own PIN code so he couldn't change them.
I also set up his own Google Voice number and tied it to Google Hangouts/dialer but I can also monitor what he is doing on my phone periodically if I wanted. I'm not interested in him using Snapchat, WhatsApp, or any other kind of social network.
I've also set up OpenDNS on the wifi account he uses at home. So I think I have things pretty much locked down with the exception of installing from Unknown sources. And although he probably isn't computer savvy enough yet, at some point he will be.
So, with that said is there any way I can build a ROM that disables installing from Unknown Sources? Also, any other recommendations and tips from others are welcome.
Thanks.
He can get rid of everything you did if he could factory reset
seth.dean02 said:
> He can get rid of everything you did if he could factory reset
Of course he could, but he's 8! He's probably not savvy enough to circumvent my efforts yet and when he is I'll change my approach.
pabdaddy1995 said:
> Of course he could, but he's 8! He's probably not savvy enough to circumvent my efforts yet and when he is I'll change my approach.
Try one of the apps that allows you to lock apps. One is Applock and you may be able to lock down settings. That would prevent him from changing anything. You've probably thought of it already but some type of tracking app is a necessary safety measure for a child's phone. LOL, when he becomes a teenager you'll need the tracking for many more reasons.
