Related
NM. I answered my own question. The log in screen was misleading. Have to stop multi tasking when I do these things. @ me.
KOF33 said:
NM. I answered my own question. The log in screen was misleading. Have to stop multi tasking when I do these things. @ me.
Click to expand...
Click to collapse
Just for fun, the answer is most definitely *NO*. Not if you have any personal information on your google account since this would allow that app to not only steal all your personal information, it would allow the app author to hijack your account, send your login credentials to china, etc.
lbcoder said:
Just for fun, the answer is most definitely *NO*. Not if you have any personal information on your google account since this would allow that app to not only steal all your personal information, it would allow the app author to hijack your account, send your login credentials to china, etc.
Click to expand...
Click to collapse
So can't use GDoc or Greed?
cigar3tte said:
So can't use GDoc or Greed?
Click to expand...
Click to collapse
I wouldnt...
Unless you know the code and compiled it yourself.
Or if you definitely don't have any sensitive info on your account.
There's no telling what they'll do with it.
Do you know the author? Have you met them? Do you even know what country they're in?
If you have a rooted device then id watch out for any apps you install, I've read about malware that uploads you browser.db and other data, and we all know that google didn't implement encryption into password storage.
I'm developing a shell app to do this over adb or on the phone console I have implemented
Browser database
Contact database
Ebuddy password
you could always use a password you just made up out of the blue. the app won't be able to recognize whether it's your actual gmail password or not.
tazz9690 said:
you could always use a password you just made up out of the blue. the app won't be able to recognize whether it's your actual gmail password or not.
Click to expand...
Click to collapse
Well the app that made me ask didnt "Require" it. But just recently after that A Gmail/Fbook sync app asks for both passwords.
Without it it wont work. I dont feel comfortable giving my PW to some random app.
Sudox-
Do you mean installing from non marketplace ?
Even rooted marketplace should be ok no ?
Ive never looked extensively at the safety precautions Google implemented.
KOF33 said:
Well the app that made me ask didnt "Require" it. But just recently after that A Gmail/Fbook sync app asks for both passwords.
Without it it wont work. I dont feel comfortable giving my PW to some random app.
Sudox-
Do you mean installing from non marketplace ?
Even rooted marketplace should be ok no ?
Ive never looked extensively at the safety precautions Google implemented.
Click to expand...
Click to collapse
The only thing that the market gives you is a partial assurance that the publisher's market account can be traced back to them based on the credit card number that was used to sign up. Google does NOT security verify the applications that are posted there. The security is built in to the OS -- and note that the app shows you what kind of data it can access at install time. It is therefore UP TO YOU to ensure that the application doesn't get any information that you would consider "sensitive".
And as for root access... this is a potential danger if you aren't careful about limiting root access from certain applications. The community-root scheme is fairly OK, but any program to which you grant ROOT PERMISSION will have access to *everything*. Be careful about what applications you give root to.
lbcoder said:
The only thing that the market gives you is a partial assurance that the publisher's market account can be traced back to them based on the credit card number that was used to sign up. Google does NOT security verify the applications that are posted there. The security is built in to the OS -- and note that the app shows you what kind of data it can access at install time. It is therefore UP TO YOU to ensure that the application doesn't get any information that you would consider "sensitive".
And as for root access... this is a potential danger if you aren't careful about limiting root access from certain applications. The community-root scheme is fairly OK, but any program to which you grant ROOT PERMISSION will have access to *everything*. Be careful about what applications you give root to.
Click to expand...
Click to collapse
This is something I have been wondering for a while now. Say you grant an app SU rights, however upon installation that app did not specify "Internet Access", meaning that the permissions for that program do not allow access to the internet (for sending of any information it could possibly gather). Can that app somehow access the internet, or modify it's own permissions in packages.xml?
daveid said:
This is something I have been wondering for a while now. Say you grant an app SU rights, however upon installation that app did not specify "Internet Access", meaning that the permissions for that program do not allow access to the internet (for sending of any information it could possibly gather). Can that app somehow access the internet, or modify it's own permissions in packages.xml?
Click to expand...
Click to collapse
Yes, any app with root access *can* change its own permissions, yes, any app with root access can access the internet, even withOUT internet permissions, and yes, an update to the app can come with additional permissions than an earlier version.
Note possible attack;
publish an app withOUT internet and/or read contacts permission,
app tries to send sensitive information to china -- permission denied, catch exception, no visible effect to the user. App granted ROOT access, alters /data/system/packages.xml to add internet and read contacts permissions and immediately the phone "randomly" reboots, upon reboot, that app has permissions required to send sensitive information to china.
And yes, the root app is NOT completely secure/trustworthy. There are several vulnerabilities that need to be considered...
1) A *pair* of apps can conspire to break out... i.e., one "trusted" app with root can modify a DIFFERENT app into the whitelist. This can include granting blanket root access.
2) The userid of an uninstalled application may remain in the whitelist, allowing it to be replaced by a *different* app that could later use that root access to do all kinds of nasty things.
In general, a better form for the community root database app would be along the following lines;
1) There should be NO WHITELIST.
2) The root permission state should remain in *memory* for a limited period of time (i.e. 1 minute).
3) The root app should request a PASSWORD (to prevent other people from tampering with it) -- store a password hash in the app's home directory,
4) The root app should be *forced* to be a *system* app in order to eliminate possibility of other user uninstalling and reinstalling it to bypass the password.
1 and 2 should be considered essential. 3 and 4 make it bulletproof, but still can't possibly do anything to stop an app given root from running amok.
In fact, note this;
Even WITH a secured root app, all any app needs is a MOMENT with root to do severe nastiness -- like give itself its very own su command that can't be stopped by the root-app...
Note: in order to *really* give decent security, the su command/app should work more like 'sudo' than like 'su'.
I.e., some app runs "sudo somecommand". This invokes the "sudo" app, which says... "XYZ is attempting to run this command as root: ---. Do you want to allow it?" You know, it is a much stronger position to be in if you can see *exactly* what some root-wanting app is trying to run. Also, nice to prevent some app from just going off as root any time it wants to.
Had the thought that perhaps the new feature, to send your nexus a direct link from your computer, might be exploitable by some unfriendly people.
What do you all think the risks are, if any?
If it can tell your phone to open the browser and launch a website, whats to stop someone from telling your phone to buy ten thousand copies of Conan the Barbarian, or destroying itself and catching on fire. Kidding of course, but you get what i mean.
Very difficult. It'd be just as likely as someone stealing your Gmail account.
Mmm, ok. Thought I would ask
It has the potential, under the right circumstances, to be used for evil though! EVIL!
I'm not entirely sure, but from what I understand all intents go through google servers. I assume google is doing checks for malicious behaviour on their end.
Don't you have to register a phone to a gmail account and be logged into that account to send to the phone?
Haven't tried the app myself make it wouldn't make sense any other way ;-)
You have to be logged in. And i thing info is sendt via google servers, so unless someone steals your google account, i think you should be safe
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
chromiumcloud said:
it only triggers the browser or maps. I guess the risk would be real, but on the phone side you have the option to set it to do nothing but notify you FIRST prior to any action. If you didn't initiate anything, then you could click cancel at that time.
Click to expand...
Click to collapse
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
I believe that Google are running a closed beta at present too, so the only people that can write apps that use cloud messaging will have been vetted by Google.
All the components of the extension (chrome extension, android application and application server) are open source, what prevent anyone from developing an other extention that use google cloud service to communicate with android ?
ludo218 said:
All the components of the extension (chrome extension, android application and application server) are open source, what prevent anyone from developing an other extention that use google cloud service to communicate with android ?
Click to expand...
Click to collapse
All of the messages go through the Google servers
As I understand, the application engine part of the extension (which runs on google application engine) register itself to "the cloud" using google api. Anyone should be able to use these api, no?
It most certainly could be exploited. I can think of a javascript exploit that would work right now.
However the consequences of an exploit are severely limited by the security model that Android uses. Something can not run in another security context unless you allow it to.
The day "Chrmoe2Phone" asks for root access is the day it should be removed from your phone. Until then they most it could do is tell an app to do something that you've already allowed that app to do (which could arguably be undesirable things).
The user needs to explicitly permit all security privileges in Android remember (read that app install page with security details!). If it can do something, you've permitted it to do so.
tanman1975 said:
one of the things being worked on is making the phone dial a number selected on the browser. that could get interesting
Click to expand...
Click to collapse
That is true, but if i recall correctly, when you choose a phone number link from the browser, it will bring the number up in your dialer application, but you must initiate the call with the green call button, so there is a level of security there.
actually this could be a pretty nifty security feature. Is the phone gets stolen how great would It be to able to enable the gps, camera or mic? Given proper security protocols of course...
@tanman1975
Didn't think of that one. T'would be a very powerful tool against the robbers out there. Nice.
Here's a guide on how to delete the Blur account for a phone with a Blur based ROM that has already signed in. The reason you may want to do this is because Motorola has no business knowing who you are and potentially tracking you.
On top of this, Motorola also does a lousy job protecting the Blur password. It's stored in plaintext on the device and transmitted in plaintext over the network. Assuming you use this password somewhere else, it would be wise to change it wherever you use it.
Here's how you delete the account:
1. Have a rooted phone
2. Install SQLite Editor from the Play store
3. Go to the Files tab in the SQLlite editor and navigate to /data/system/ and select accounts.db
4. Click on "accounts"
5. Long-click on the "Motorola" account and select "Delete Record"
6. Exit and reboot
If you check Accounts in Setup, the "MOTOBlur" account is now deleted. This doesn't uninstall any Blur components, it just deletes the account.
My phone seems perfectly fine after deleting this account.
rootshot said:
Here's a guide on how to delete the Blur account for a phone with a Blur based ROM that has already signed in. The reason you may want to do this is because Motorola has no business knowing who you are and potentially tracking you.
On top of this, Motorola also does a lousy job protecting the Blur password. It's stored in plaintext on the device and transmitted in plaintext over the network. Assuming you use this password somewhere else, it would be wise to change it wherever you use it.
Here's how you delete the account:
1. Have a rooted phone
2. Install SQLite Editor from the Play store
3. Go to the Files tab in the SQLlite editor and navigate to /data/system/ and select accounts.db
4. Click on "accounts"
5. Long-click on the "Motorola" account and select "Delete Record"
6. Exit and reboot
If you check Accounts in Setup, the "MOTOBlur" account is now deleted. This doesn't uninstall any Blur components, it just deletes the account.
My phone seems perfectly fine after deleting this account.
Click to expand...
Click to collapse
What happens when you check for updates? Does it check, or does it ask you to set up a blur account?
Update / Blur
Yes, OTA update check does ask you to log in to Blur. If you're running anything but stock, this really doesn't matter.
rootshot said:
Yes, OTA update check does ask you to log in to Blur. If you're running anything but stock, this really doesn't matter.
Click to expand...
Click to collapse
Very cool. Could you create a new Blur account and check for updates?
Re-Add Blur Account
I see no reason why you wouldn't able to re-add it at a later time. I received the following prompt when I tried OTA update:
"MOTOBLUR account required
Software updates are not available without a MOTOBLUR account. Would you like to setup an account now?"
Deleting a Blur account is nothing new. But being able to delete a Blur account and set up a new one without wiping data in CWM is unprecedented.
If this works, and you had come up with this even just a few months ago, you'd be a hero. This would have been invaluable for cheesecaking.
Could still be useful for other moto phones that are still receiving updates Might want to spread the word to other forums for a test... *shrug*
Good idea. I already sent a PM to samcripp about the possibility of incorporating this in to the Project Cheesecake App.
Maybe there is still time to be a hero.
Already posted in the relevant thread.
Not sure how often Sam checks that thread anymore though (or if at all), so PMing will probably be faster.
ravilov said:
Already posted in the relevant thread.
Not sure how often Sam checks that thread anymore though (or if at all), so PMing will probably be faster.
Click to expand...
Click to collapse
No idea what "cheesecake" is. Let me know if it was useful.
Thank you for sharing this with us!!!!!
Nice discovery
thank you!
Very nice! Thank you
@OP, the editor you mentioned is a paid version. Could you please list a free version that can be safely used for this purpose.
Thanks for your efforts !!
etMind said:
@OP, the editor you mentioned is a paid version. Could you please list a free version that can be safely used for this purpose.
Thanks for your efforts !!
Click to expand...
Click to collapse
There aren't any free SQLite editors with a nice UI that I know of, but there's always the command-line sqlite3 tool that comes with every ROM. It does however mean you need to have quite advanced knowledge of SQL. Nevertheless, maybe the OP can add instructions for using that tool as well.
Hi all
After updated to 4.2 I created new user for my wife.
"Installed" same games but they are 'new' for new user.
I want to copy data games files from my user to her user.
Anyone knows how to do it?
Need to be root?
Thanks
Sent from my Nexus 7 using xda app-developers app
Assuming they are free games, as paid ones will need to be purchased twice. You can use titanium backup to back them up on your account and then restore them into her account. You do need to be root for titanium though.
Sent from my Nexus 7 using Tapatalk 2
dr.m0x said:
Assuming they are free games, as paid ones will need to be purchased twice. You can use titanium backup to back them up on your account and then restore them into her account. You do need to be root for titanium though.
Sent from my Nexus 7 using Tapatalk 2
Click to expand...
Click to collapse
Sorry - misinformation.
Paid apps do not need to be purchased twice, or restored into her user ID. That would be a really bad idea anyway - you would have two copies of the app.
With root use file explorer to find your save file under /sdcard/o/...something. Copy that file to an identical file structure under /sdcard/1, or whatever number your second user uses.
Apps done the correct way for multi-user never download a second copy. The Play store just sets a link to them in the main user.
Assuming app is available to both:
adb backup/restore might work for unrooted. Me, I'd Titanium Backup if it was important.
On a slight tangent, is there a shared data area that I could put shared files and videos that each user account would be able to view? If so do I need root access? Thanks.
bertracoon said:
On a slight tangent, is there a shared data area that I could put shared files and videos that each user account would be able to view? If so do I need root access? Thanks.
Click to expand...
Click to collapse
Don't forget a shared data area would mean the contents, like high scores, are shared between the users.
Most of the time, different users will want their own customizable data.
Technically, you need to purchase the app twice for two different account under playstore, that's the whole purpose of multiuser right?
Sent from my Nexus 7 using xda premium
Leechoonhwee said:
Technically, you need to purchase the app twice for two different account under playstore, that's the whole purpose of multiuser right?
Sent from my Nexus 7 using xda premium
Click to expand...
Click to collapse
Multi-user is not a developer enrichment scheme.
Your tablet has one owner, and apps are sold to that owner on an account basis - not by user or device ID.
The owner is able to make them available to any other users of that tablet without repurchase.
I suppose you would want an eye sensor, to make sure the person using the app is the one that paid for it?
No need to pay twice.just install twice.
Seems I need root.
I used some file explorer, find this:
/storage/emulated
/storage/sdcard0
/sdcard
All seems point to the same folders.
No sdcard1.
More than this, can't find data game. I have to explain that I have free games (from play store) and paid games (humble pack). If I search imaginarium game with Astro, no resulta found -.-'
Pd: No root at this moment, original 4.2 room
Sent from my Nexus 7 using xda app-developers app
Sorry - misinformation.
Paid apps do not need to be purchased twice, or restored into her user ID. That would be a really bad idea anyway - you would have two copies of the app.
Click to expand...
Click to collapse
Can you clarify this, apps are linked to the gmail account they were purchased with no? I haven't tried multiuser yet but I thought I read from others you have to add the primary gmail account to any secondary account to access the bought apps. Is this not correct? And if it is correct, can one add it only to google play and not have a secondary account access the associated email?
sark666 said:
Can you clarify this, apps are linked to the gmail account they were purchased with no? I haven't tried multiuser yet but I thought I read from others you have to add the primary gmail account to any secondary account to access the bought apps. Is this not correct? And if it is correct, can one add it only to google play and not have a secondary account access the associated email?
Click to expand...
Click to collapse
Set up a secondary user. Secondary user needs a Google account. Create a new one if appropriate.
Open Google Play on the secondary user. Click Options, then Add Account. Add your primary account (the one that owns your apps).
You will be given a choice of items to synch - uncheck them all. All you want is app access.
Display your apps (they are now visible to you). Install the ones you want the secondary user to have. They will NOT download - this user just gets a link.
When done, you can delete the main account from this user - or just leave it
I am going to start cutting and pasting this description - I keep having to retype it...
rmm200 said:
Don't forget a shared data area would mean the contents, like high scores, are shared between the users.
Most of the time, different users will want their own customizable data.
Click to expand...
Click to collapse
I appreciate that, I was just wondering whether there was a shared folder everyone could access as well as completely private areas for each user. Sounds as though there is absolutely no difference between multi user and having two completely separate tablets.
Well... Biggest difference is that only one copy of the app is shared by all the users.
Sent from my Nexus 7 using xda app-developers app
When done, you can delete the main account from this user - or just leave it
Click to expand...
Click to collapse
Thanks, but one more thing. If I leave it in google play do they have access to the associated gmail? I would prefer to just leave it for future apps and add a password for google wallet so they can't purchase things. Hmm, I guess though they can uninstall things that I wouldn't want uninstalled. I"m thinking of a kid mucking about where he shouldn't.
sark666 said:
Thanks, but one more thing. If I leave it in google play do they have access to the associated gmail? I would prefer to just leave it for future apps and add a password for google wallet so they can't purchase things. Hmm, I guess though they can uninstall things that I wouldn't want uninstalled. I"m thinking of a kid mucking about where he shouldn't.
Click to expand...
Click to collapse
You could try an 'app lock' app. i've tried 'app lock' on the play store which allows you to pin protect stuff like settings and install/uninstall and other apps - although couldn't lock gmail or certain system apps. But it should work for the play store. Maybe there are similar apps that allow you protect gmail.
rmm200 said:
They will NOT download - this user just gets a link.
Click to expand...
Click to collapse
Is it possible to move apps and its data from one user to another? To to so can I just uninstall app from first user? After that will this app and its data still be available for new user?
rmm200 said:
Set up a secondary user. Secondary user needs a Google account. Create a new one if appropriate.
Open Google Play on the secondary user. Click Options, then Add Account. Add your primary account (the one that owns your apps).
You will be given a choice of items to synch - uncheck them all. All you want is app access.
Display your apps (they are now visible to you). Install the ones you want the secondary user to have. They will NOT download - this user just gets a link.
When done, you can delete the main account from this user - or just leave it
I am going to start cutting and pasting this description - I keep having to retype it...
Click to expand...
Click to collapse
I tried to follow these instructions but a) I didn't get the sync message b) Play store doesn't display my bought apps in one place so it's not easy to find them and c) I have the feeling that it really double installs (I was hoping for a link).
Anyone tinkered with the restricted user profiles yet on 4.3? I'd like to set some restrictions on the profiles I'd set-up for my kids, but I can't see any way to set them on existing users. It looks like it can only be done when creating new users. Is this accurate?
I would like to know the same thing because I'd like to set up some restrictions for my little brother and sisters account (they share one) but I don't want to have to delete it and reset it up for them. They'd probably get mad if all their games were deleted too lol
Sent from my Nexus 10 using xda app-developers app
The restricted profiles are different from users. They take an existing user and give them access to a limited subset of that users apps. Limited profiles don't have their own Google account associated with them. If you already had logins for your kids set up before upgrading to 4.3, then they are not profiles, they are users.
pfmiller said:
The restricted profiles are different from users. They take an existing user and give them access to a limited subset of that users apps. Limited profiles don't have their own Google account associated with them. If you already had logins for your kids set up before upgrading to 4.3, then they are not profiles, they are users.
Click to expand...
Click to collapse
OK thanks that makes sense
Sent from my Nexus 10 using xda app-developers app
pfmiller said:
The restricted profiles are different from users. They take an existing user and give them access to a limited subset of that users apps. Limited profiles don't have their own Google account associated with them. If you already had logins for your kids set up before upgrading to 4.3, then they are not profiles, they are users.
Click to expand...
Click to collapse
Is it possible to convert an existing user into a profile, so I can add restrictions on those accounts?
DLAddict said:
Is it possible to convert an existing user into a profile, so I can add restrictions on those accounts?
Click to expand...
Click to collapse
No, what I think you could do is create a profile based on an existing user and add restrictions to it. The problem is you would still have the original user account on your tablet.
Also, the profile I created didn't have a way to enable the Gmail app. That could be a big problem for some users. It works great for my guest account, but not sure how it would work as someones main account.