For the community's information, I feel I need to create this thread to warn others:
Global IT security leader, ESET today announced that its engineers have spotted the first instance of a file-encrypting ransomware for Android. Once it has successfully infected a devices, this Android trojan scans the SD card for certain file types, encrypts them, and demands a ransom in order to decrypt the files.
After launch, the trojan displays a ransom message and encrypt files in a separate thread in the background. The ransom message is written in Russian and the payment is demanded in Ukrainian hryvnias. The message roughly translates to:
WARNING your phone is locked!
The device is locked for viewing and distribution child pornography, zoophilia and other perversions.
To unlock you need to pay 260 UAH.
1. Locate the nearest payment kiosk.
2. Select MoneXy
3. Enter {REDACTED}.
4. Make deposit of 260 Hryvnia, and then press pay.
Do not forget to take a receipt!
After payment your device will be unlocked within 24 hours.
In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!"
The malware directs the victim to pay using the MoneXy service as it is not as easily traceable as using a regular credit card.
Android/Simplocker.A will scan the SD card for files with any of the following image, document or video extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 and encrypt them using AES. It will also contact its Command & Control server and send identifiable information from the device like its IMEI.
The sample analyzed by ESET is in the form of an application called ‘Sex xionix’. It was not found on the official Google Play store and the company estimates that its prevalence is low at this time but believes that this is most likely a proof-of-concept or a work in progress.
In light of such advanced malware, Pradeesh VS, General Manager at ESET Midlde East provided the following advice to Android Users, “We encourage users to protect themselves against these threats by prevention- by using mobile security solutions such as ESET Mobile Security for Android- and adhering to best security practices, such as keeping away from untrustworthy apps and app sources. If they are unfortunate to already be infected, they should recover the files from a backup. Because when you have a backup, then any Filecoder trojan- be it on Android, Windows, or any operating system- is nothing more than just a nuisance.”
Happy I don't keep anything on my phone seeing I'm always flashing,but this is good to know. Thanks for the info
Sent from my HTCONE using XDA Premium 4 mobile app
Jeez...These Trojan coders don't do anything good with their skills... Smh.. Thanks for the information!
Sent from my HTC One using XDA Premium 4 mobile app
Something similar has been effecting iPhones for a couple of weeks. Just be careful what apks you install.
Shouldn't the Verify Apps option in Android protect you from these things? That's basically the point of that option.
Perhaps good news.
http://www.usatoday.com/story/news/...ian-hacked-created-zeus-cryptolocker/9919985/
Prophet16 said:
Shouldn't the Verify Apps option in Android protect you from these things? That's basically the point of that option.
Click to expand...
Click to collapse
Doesnt Verify Apps just check apps on the Play Market? If so this would not work as article states its not found in the Market..
Also, ESET is reporting this and also suggesting users use there virus software lol.. Shamless plug to get the work of their own software out there, self promoting, maybe they have a vested interest..
twerg said:
Doesnt Verify Apps just check apps on the Play Market? If so this would not work as article states its not found in the Market..
Also, ESET is reporting this and also suggesting users use there virus software lol.. Shamless plug to get the work of their own software out there, self promoting, maybe they have a vested interest..
Click to expand...
Click to collapse
No I think Verify Apps was supposed to check only non play store apps. That's why the first time you install an app from a file manager or something it'll ask you to allow Verify Apps to check app security.
Related
Sometimes I come across an app thats not on the Android market and you have to install it manually. Has anyone come across a virus/trojan on Android yet? Im curious how easy or hard it is to modify a legit applications and put a virus/trojan in it?
Lol have not seen one yet. Android isn't that big yet so doubt hackers would really spend time putting trojans to get stuff like your email password lol.
Take everything you know about microshaft windoze and forget it. The system architecture of android is almost completely invulnerable to viruses/worms/etc.
In a typical unix system, hacks can take one of very few possible approaches;
1) service bug targeting, i.e., if one were to discover a security vulnerability in the Apache HTTP server, one could theoretically compromise it. That particular service I mean.
2) user account targeting, i.e., one could convince a user to run something dangerous, which would infect that specific user's account, of course, this attack would limit itself to damaging that user's personal data and would not be able to take down the whole system unless it also targeted a kernel or X-server exploit.
Note specifically regarding #1, that in a well configured system, that targeting a particular service would be restricted to a specific user account just as in #2 since each service runs as its own username.
3) Targeting KERNEL defects; this is perhaps the most frightening possibility. It is also the least likely since it would also require #1 or #2. Any particular kernel attack, particularly in Linux is also very unlikely to work for long due to the open sourced nature of Linux. There are a LOT more people involved in monitoring the fundamental securities of the Linux kernel than any other OS because of its open nature. It is also a source of PRIDE for kernel HACKERS that they ALSO be responsible for openly providing the SOLUTION to any exploits that they discover. And they usually do this with their REAL NAME since it basically immortalizes them. The end result is that every time a kernel exploit is discovered, it tends to be patched within hours of its first application.
Now of course you want to know how this affects Android, since by all appearances, there is no user-level security. WRONG. The Android security level is actually on par with service level security on unix servers. EVERY SINGLE application installed is granted is own user account, which means that if any particular application is dangerous, its range of damage is restricted to that particular application's private data, as well as any permissions that the application is explicitly granted (i.e. when you install an application, it gives you the required security list). There is also the very slim possibility of a kernel exploit (though this is extremely unlikely), and it could damage the data on the sdcard (since it is an MS-crap filesystem with no security restrictions).
Of course you will note that older versions of the ADP1 system image came with an unregulated 'su' command (which you could also end up with using a "cat sh > su; chmod 4755 su" root approach) which basically can be used by any application to take over the whole system. Make sure that you don't have any such su command on your droid. Either use a password-protected su command (which will cause problems for trusted apps requesting root privileges), or the gui-supported su command. Subsequent ADP1 images came with an su command that was restricted to the debugging terminal user, which is fine.
In other words... you don't have much to worry about. Just don't do anything really stupid, like installing an untrusted application that wants a boat load of privileges that it shouldn't be asking for.
lbcoder said:
EVERY SINGLE application installed is granted is own user account, which means that if any particular application is dangerous, its range of damage is restricted to that particular application's private data, as well as any permissions that the application is explicitly granted (i.e. when you install an application, it gives you the required security list).
Click to expand...
Click to collapse
Might be worth pointing out that android apps are for the most part interpreted language apps, meaning the onus of security and stability (just from an apk standpoint) falls largely on the vm. All the lower level subsystems are pretty well protected by the Linux kernel, and these have been significantly tried in fire by decades of Linux server deployment.
lbcoder said:
The system architecture of android is almost completely invulnerable to viruses/worms/etc.
Click to expand...
Click to collapse
jashsu said:
Might be worth pointing out that android apps are for the most part interpreted language apps, meaning the onus of security and stability (just from an apk standpoint) falls largely on the vm. All the lower level subsystems are pretty well protected by the Linux kernel, and these have been significantly tried in fire by decades of Linux server deployment.
Click to expand...
Click to collapse
All the points about the protection offered from the Linux kernel and the VM are valid. Computer secuity is an ongoing battle between the software originators and the hackers trying to get in. I'm not saying it's remotely likely, particularly due to the market share, but rule one in my book is don't taunt the hackers.
lbcoder said:
Take everything you know about microshaft windoze and forget it. The system architecture of android is almost completely invulnerable to viruses/worms/etc.
Click to expand...
Click to collapse
Until the Android Dev team screw up again and lets any app run in the system process when requested (which was why cupcake was delayed in the US).
thanks for the post.
I was curious if someone could unpack a .apk file and modify a application easily, say have it send personal info to xyz server instead of the server the app was designed for or send it to both servers so the user doesnt think anything is wrong.
Are the files in the .apk editable, like an .exe is compiled for windows and the .exe cannot be edited (since its machine code).
androidmonkey said:
thanks for the post.
I was curious if someone could unpack a .apk file and modify a application easily, say have it send personal info to xyz server instead of the server the app was designed for or send it to both servers so the user doesnt think anything is wrong.
Are the files in the .apk editable, like an .exe is compiled for windows and the .exe cannot be edited (since its machine code).
Click to expand...
Click to collapse
Yes, apks are basically just zip files with cryptographic signatures. If you get your apks from Market then there is little to no risk of apks being tampered with. If you install your apks from any source other than Market, then you just have to trust the source that the apk hasn't been modified. Obviously if the apk itself doesn't ask for many permissions then it shouldn't be a problem. For example if you download a game apk from a developer's personal webpage and it asks for just permission to keep the screen alive, there's little risk to your data. However if you download an app that has read/write access to your contacts, or has root access, then you better be sure that the site you get it from is trustworthy.
jashsu said:
Yes, apks are basically just zip files with cryptographic signatures. If you get your apks from Market then there is little to no risk of apks being tampered with. If you install your apks from any source other than Market, then you just have to trust the source that the apk hasn't been modified. Obviously if the apk itself doesn't ask for many permissions then it shouldn't be a problem. For example if you download a game apk from a developer's personal webpage and it asks for just permission to keep the screen alive, there's little risk to your data. However if you download an app that has read/write access to your contacts, or has root access, then you better be sure that the site you get it from is trustworthy.
Click to expand...
Click to collapse
So the files in the .apk not executables, rather interpreted with the VM? Im curious if those files can be read and changed. For instance, can someone open the file in a Java SDK and change the code? Or are those files protected so they cant be modified? For instance, could you download soundboard app from the Market, "unzip" the .apk, and put your own sounds in it?
androidmonkey said:
So the files in the .apk not executables, rather interpreted with the VM? Im curious if those files can be read and changed. For instance, can someone open the file in a Java SDK and change the code? Or are those files protected so they cant be modified? For instance, could you download soundboard app from the Market, "unzip" the .apk, and put your own sounds in it?
Click to expand...
Click to collapse
Unless the classes are specifically performing security/sanity checks, there's nothing keeping you from replacing asset files (pngs, wavs, etc) and then resigning the apk with any key of your choosing. However, altering xmls and classes is more difficult as they are obfuscated/optimized by default.
For apps distributed officially through the Android market, the only way Google can provide assurance for the app producer against tampering is app-protected folder. Of course that assumes that root access is not provided, which is most likely a prerequsite for any phone to be branded "with Google" and have Market access. From the viewpoint of the consumer, apps are guaranteed by Google against tampering only if retrieved through Market. Once the app is on the device, it is protected via Android's use of Linux user access permission model (each app is its own user). The consumer may of course alter the file him/herself, unless it is a protected app, in which case root is required.
sounds buggy. i hope not. this reminds me of when Mozilla firefox became popular i slowly starte dto see code become available to make pop ups n my belloved browser
Virus found on Android phone...
Article 1:
NEWS
An employee at Spanish antivirus firm Panda Security received a new Android-based Vodafone HTC Magic with malware on it, according to researchers at Panda Labs.
"Today one of our colleagues received a brand new Vodafone HTC Magic with Google's Android OS," researcher Pedro Bustamante wrote on the Panda Research Blog on Monday.
"The interesting thing is that when she plugged the phone to her PC via USB, her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious," he wrote. "A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into."
Article 2:
Mariposa virus back on Vodafone Android smartphones
HTC Magic According to a Spanish blogger, around 3,000 memory cards supplied by Vodafone Spain were infected with the Mariposa bot client. The mobile network operator has now reportedly confirmed that these included HTC Magic Android-based smartphone models, as well as other devices. A spokesperson for the company has told CNET that it is a "local incident". Vodafone says it has identified customers that could potentially be affected and it will be sending them new memory cards. It has also offered to supply them with tools to restore the integrity of their devices.
Reports of an HTC Magic smartphone carrying the virus were first published less than two weeks ago, however the malware is not able to harm the Android smartphone itself. The bot only attempts to contact a command & control server when connected to a Windows PC. The virus should be detected by most up-to-date anti-virus solutions.
Personal take:
Interesting to note that the virus being carried on an Android phone and was used to infect PC's NOT other Android phones. It came straight from manufacturing with the virus on, so as of yet I still haven't heard of a virus that can infect an android phone.
Further more, I have seen Anti-virus software on the market place AND being offered by Norton. What do they protect against if there are no known virus threats? Do they just draw a nice pretty anti-virus logo on the screen to make you feel comfy? hehehe.
Trojans in the hacked up ROMs people are distributing
androidmonkey said:
Sometimes I come across an app thats not on the Android market and you have to install it manually. Has anyone come across a virus/trojan on Android yet? Im curious how easy or hard it is to modify a legit applications and put a virus/trojan in it?
Click to expand...
Click to collapse
I've found a trojan in at least one of the ROMs being distributed on here. Even reported directly from the developer's own file sharing site.
"Stock" ROM http://forum.xda-developers.com/showthread.php?t=2066023
Attached is a photo of the file scanned from the linked file sharing site for the KERNEL he wants you to INSTALL!!
Click the link to JB_KERNEL_3.17.841.2_EVITA_Init.d_Support_Installer.zip - 8.54 MB in that thread and see for yourself.
Be careful what you install on your device. ANDR.Trojan.GingerBreak takes full administrative control of your device and downloads more trojans to siphon out your private personal data.
Need an apk that signs my update.zip files from titanium blackup.
I don't understand why it hasn't been done. The code to do it is already in java! Search the forums for testsign.jar
I know everything you need to do to get it done but I don't have a development environment at my disposal. Help me out and I'll show you how to convert your jarred up code libraries to run on android!
Please and Thank You.
* edit - this question has been solved by brainmaster! ZipSigner if you find this application helpful please thank him below.
- Posted via mobile
New application proposal: ZeroNetAccess (ZeNA?)
Concept: an app that can block other apps network access.
Market alternative: DroidWall (root only, low market potential)
Methods: Maybe by modifying the apk manifest and resigning? Im not sure if there is a framework you could subclass for this.
Why: i turned off stats reporting for an app and i saw it writing reports to the web from logcat. Google took our rights away by not letting us do this from the application settings. Its my device and i have to pay the bill not google or the rude ppl who made the app. I will never understand why we were not given the right to administer mobile data access rights.
Potential: highly lucrative. People want to save money nowadays. In that respect voiding phone warranty for root access may not sit well with potential customer.
- Posted via mobile
Avid Droidery said:
New application proposal: ZeroNetAccess (ZeNA?)
Concept: an app that can block other apps network access.
Methods: Maybe by modifying the apk manifest and resigning? Im not sure if there is a framework you could subclass for this.
Why: i turned off stats reporting for an app and i saw it writing reports to the web from logcat. Google took our rights away by not letting us do this from the application settings. Its my device and i have to pay the bill not google or the rude ppl who made the app. I will never understand why we were not given the right to administer mobile data access rights.
Potential: highly lucrative. People want to save money nowadays.
- Posted via mobile
Click to expand...
Click to collapse
For rooted devices try DroidWall
Application Proposal: Web Page to PDF/HTML Safari Plug-In
Concept: Seriously?
Why: Cant save pages from the browser I safari always reloads the page when you come back to it from other activities (pointless nethog!) whats the friggin cache for anyway? It is better to save an article copy that you could view on the computer later or add to your info library if you write books or do any kinda technical research than it is to save a bookmark that may become 404 not found. Researchers nightmare!
Methods: execute shell command wget on page source. Use regular expression to get media list. Build directory tree. For each media call wget. Done.
Potential: medium. Not many people are so technically inclined.
Usefulness: extremely high, especially with zip/+email caps.. Roundabout source code viewer for nosy/curious folks.
Average potential, stream lehigh usefulness I would sell for a buck 99. Free (1 ad per saved page, no zip email)
- Posted via mobile
3rdstring said:
For rooted devices try DroidWall
Click to expand...
Click to collapse
Thank you! Will do!
- Posted via mobile
Application proposal: WarBastard
Concept: wardriving app featuring google my maps! Maps are shared globally by locale. Signals can be pinpointed by triangulation through cross reference of mac address, signal strength and previously detected locations in a global locale based database. While we are at, throw in a google navigation intent, and a compass with distance to closest accesible AP! Dont stop there! I wonder where that cell tower is located?
Purpose: to aid weary travellers and cheap bastards to connect with their loved ones and services over open networks. Services could also be used for cellular network signal diagnostics across hundreds of thousands of devices.
Potential: astronomical I would pay 5 bux. Better yet 12 bucks per year. Free (1 ad per download of database, 1 ad per connect to AP. Possibly integrated with APs for increased revenue potential across the board.) The map data can also be used to find good places to set up an advertising AP 4 even more potential earnings.
Anybody wanna pay me to sit around and do this all day? Lol.
SERIOUSLY you are looking at my qualifications. Asking 50k p. yr. to start Project Mgr./Analyst/Sr. Developer. consulting options available. Willing to relocate. Pm for inquiries/proposals.
- Posted via mobile
Avid Droidery said:
Need an apk that signs my update.zip files from titanium blackup.
I don't understand why it hasn't been done. The code to do it is already in java! Search the forums for testsign.jar
I know everything you need to do to get it done but I don't have a development environment at my disposal. Help me out and I'll show you how to convert your jarred up code libraries to run on android!
Please and Thank You.
- Posted via mobile
Click to expand...
Click to collapse
You should use the search function: ZipSigner.
It implements in the Titanium Backup and signs it on your wish.
brainmaster said:
You should use the search function
Click to expand...
Click to collapse
You are correct. I should never have assumed that this wasn't already in the market. Actually I didn't really plan to use this to sign titanium backups. For my purpose however the concept is the same.
* edit Human beings arent the fastest search engine but collectively we are the most accurate information sources on the planet. feel free to quote me on this
I thought that it would be better to ask someone who might know than it would be to search for something that may not exist. If I had access to a computer I would have no questions to post. Only answers! Being that I am stuck on my android for the time being, I appreciate all the help I can get!
Thank you for providing me with another helpful for resource!
* Edit: Dear brainmaster, words cannot express my level of gratitude! I am truly overjoyed by the passing of this shortcoming. Signapktic is exactly what I was looking for and I never would have found this application had it not been for your assistance. The topic of this thread is kick ass apps wanted. Even though this is an application that no longer needs to be developed (because real developers don't reinvent the wheel unless absolutely necessary,) you have met or exceeded the topic issue with flying colors!
- Posted via mobile
New application proposal: Launchpad Homescreen Widget
Concept: a widget that will pop up an on screen menu (complete with icons) onClick similar to pc desktop start menus. Customizable shortcuts Horizontal or vertical (and scrollable) layouts by preference and Customizable folders.
Why: I would rather have a feature like this than an app drawer any day. This would allow individuals to organize launcher short cuts by task. It would also be great if it were possible to open files in the system such as pdf, video, music or text files with appropriate application. Another great feature would be the ability to launch shell scripts. I have searched the market and nothing like this was found.
Potential: high. will save customer time allow them to become more visually organized and task oriented as well as adding more visual appeal to the home screens. $5.99 I would buy it! Time limited trial only.
- Posted via mobile
There is a virus inside elternal legacy HD (especially) and asphalt 6!
DO NOT DOWNLOAD THESE FROM ***!!!
It will take you to a fake gameloft survey where you say your country and favourite os, and when you touch "send", it says 'thank you for your donation' and sends infinite messages, charging your phone bill. The only way to stop this is battery remove or task killer.
I wasn't one of the victims!
That's why you should only download apps with descriptions and developer names
Thus, thou shall not use warez.
+1 yup.............
AVG android id's virus in GingerBreak?
Just by dumb luck, I had loaded avg pro on atrix. When blithlely following directions to load GingerBreak, received message from avg that program contains a virus and I conclude that either: 1. I had to unload avg and then load GingerBreak or 2. ask in this forum if this message is for real. Any and all responses will be welcome.
Thats the reason why i deleted *** from my Phone! There are so much Viruses, in which you will have to pay. If you want to be safe, buy them at the Android Market!
Regards
*** is down anyways now... so peace
Sent from my PC36100 using XDA Premium App
The problem is that the android market is also not safe from viruses (although, probably more safe since it's monitored by Google and they can remotely remove malicious apps...).
I currently use lookout but wondering if there is a better antivirus.
How is AVG ? I'm using it on my desktop computer and like it but somehow got the feeling that it's too "heavy" for Android.
Morning mate,
You can use ESET. Has has now their own AV. EMS (Eset Mobile Security) You can grab it from the market, currently in a BETA stage but quite advance and very low footprint on any device. It's definitely on the same playing field as any awesome Antivirus/Malware prevention tool.
Regards,
fluxgfx
Muzikant said:
The problem is that the android market is also not safe from viruses (although, probably more safe since it's monitored by Google and they can remotely remove malicious apps...).
I currently use lookout but wondering if there is a better antivirus.
How is AVG ? I'm using it on my desktop computer and like it but somehow got the feeling that it's too "heavy" for Android.
Click to expand...
Click to collapse
I used ESET for a while. I use it on my PC and my laptop, so when I saw it in the market, I got to installing it right away.
It slowed down my phone horribly and no matter what I did, I wasn't able to uninstall it (My phone was not rooted at the time). After trying everything I found on the web, I eventually got to backing up everything I had and factory reseting...
They've probably fixed that bug by now, but it was still pretty annoying...
Can anyone recommend any other Android anti-virus software? It has to be "good", obviously, but it also has to quietly run in the background, eat as little battery and memory as possible.
P.S. My device is a Galaxy ACE (currently rooted and with leaked Android 2.3.4 firmware)
On the PC I used and removed Eset. It was a real pain spending huge amounts of time removing junk deeply imbedded and left behind in the Registry. As such, I'd be hesitant to try Eset again especially on an Android device. Furthermore, I read where Eset used their own secret vpn to bypass any local firewall to get updates, without telling the user.
I am skeptical of reviews by AV publishers like McAfee, Kaspersky, etc. warning of "the coming horrible tsunami of Android malware."
If anyone comes across a detailed Android AV review, please post the link.
no warez discussion allowed.
I see, no one was actually advertising/ requesting or posting warez, so there will be no consequences.
but since this is not an issue for anybody, not using warez in the first place, this thread is closed. if you got yourself a virus this way, there are enough tips to get rid of it, but it is your own fault.
also, i edited all the posts containing the name of the warez distributer.
closed.
Windows Phone 8 technically only allows apps to be installed from the marketplace.
However, Microsoft pretty much has left us with an avenue that would allow us to easily create our own custom 3rd party marketplaces.
With Windows Phone 8, Microsoft has introduced the "company app store" concept. This is originally intended to allow companies to easily distribute LOB applications to its employees.
http://www.windowsphone.com/en-US/business/custom-hub?wa=wsignin1.0
Note how the whole system pretty much relies on a certificate. Anyone with the certificate can sideload applications signed with said certificate.
Now this gives me the idea, why can't the homebrew community purchase their own certificate, and use it to create a 3rd party homebrew marketplace?
the_tyrant said:
Windows Phone 8 technically only allows apps to be installed from the marketplace.
However, Microsoft pretty much has left us with an avenue that would allow us to easily create our own custom 3rd party marketplaces.
With Windows Phone 8, Microsoft has introduced the "company app store" concept. This is originally intended to allow companies to easily distribute LOB applications to its employees.
http://www.windowsphone.com/en-US/business/custom-hub?wa=wsignin1.0
Note how the whole system pretty much relies on a certificate. Anyone with the certificate can sideload applications signed with said certificate.
Now this gives me the idea, why can't the homebrew community purchase their own certificate, and use it to create a 3rd party homebrew marketplace?
Click to expand...
Click to collapse
Let's bump this up, shall we? (Since I'm not going to bother making my own thread, if nobody is going to reply to it)
Here's what I've learned through my evaluation of the company app system. The requirements are simple:
-Company Dev Center account
--Requires that you have a legally registered company (e.g. an LLC), which is verified by Symantec
--$99 plus whatever fees are associated with the LLC
-Symantec Signing certificate
--Requires the company dev center account
--$299
This is actually much less than I thought, as I was expecting this to be limited to the enterprise. Rather, anyone with chump change and some legal papers can get a certificate that allows anyone to sideload apps.
The legal papers is where it gets complicated, unfortunately. If it were just the money, I'd honestly consider a fundraiser to start a homebrew store. The certificate simply needs to be used to sign the enrollment tokens (which are just provxml documents with the cert in them), the enrollment token needs to be distributed to the masses, and then the cert is used to sign all the 'brew. It could be setup pretty easily with an online system for registering devs, uploading xaps, and having them signed, for example.
But the requirement that I have an actual company makes things really complicated; I'm not sure how much verification Symantec does, but I'm under the impression a security firm like expects legal registration, which is not something I personally have, nor something I particularly want (LLC taxes are pretty steep these days)
So, here's the question. Does anyone out there have a "company" dev center account, or has played with "company apps", and is willing to experiment to see if this system would be at all useful for homebrew?
Curious to see if there's any interest. In theory, a WP8 Cydia-like app could be developed very easily
this sounds very interesting, though I do not have a company...yet. Does it have to be an LLC? I am thinking of starting an IT/computer repair company here in my town as a side business, not 100% sure yet, but considering it.
Jaxbot, you sly fox .
That's a great idea.
A couple issues to consider...
Might want to read through the WP Store T&C carefully. While those may very well be the only requirements to get a company account, I wouldn't be surprised if there are much more in the terms to keep one. In other words, distributing your app to non-employees could get your company account banned/disabled/revoked. I haven't done the leg work on this so not sure.
The VeriSign cert you get will likely have requirements to be maintained by a single person or group. Publishing the private key would almost certainly (and quickly) get this revoked. So you would either need to someone to manually sign/publish all the apps or figure out an automated process. That should be possible but would likely take a good bit of work to get going.
My $.02.
Jaxbot, did you get a WP8 device and if so, what model did you get ? I know you were trying to get one.
What would be interesting is to see what type of apps you can deploy with this. Could something like this open a full unlock or Interop unlock becase the corporate account could get those type of pemissions to their devices ?
Is this tyed to the Active Directory in anyway, knowing Microsoft each user might need an account in the Active Directory to be able to use the "Company Dev center"? There could be a lot of limits depending how you can connect to the server that runs it.
Do they have a test version ? Maybe that can be used in this case, just to see if it works and could use a deeper investment to get this working. If you could get me a full unlock from this, I surely would pay up a little for it.
DavidinCT said:
What would be interesting is to see what type of apps you can deploy with this. Could something like this open a full unlock or Interop unlock becase the corporate account could get those type of pemissions to their devices ?
Is this tyed to the Active Directory in anyway, knowing Microsoft each user might need an account in the Active Directory to be able to use the "Company Dev center"? There could be a lot of limits depending how you can connect to the server that runs it.
Do they have a test version ? Maybe that can be used in this case, just to see if it works and could use a deeper investment to get this working. If you could get me a full unlock from this, I surely would pay up a little for it.
Click to expand...
Click to collapse
I believe there are a few things you can do with corp apps that can't be done with regular ones but there's not much. Definitely not full interop unlock (at least not directly).
No. It's not tied to AD at all.
I don't think there's a "test" version. The $400 it would cost is chump change for any legit company. Microsoft could waive the $99 fee for someone they're working with but you'll still need the $299 cert and Symantec/VeriSign isn't gonna give that to you for free.
I'm just an end-user, but YEAH! Dev-unlock: $99. Full unlock: priceless. Definitely would pay a bit.
piaqt said:
I'm just an end-user, but YEAH! Dev-unlock: $99. Full unlock: priceless. Definitely would pay a bit.
Click to expand...
Click to collapse
This wouldn't be a full unlock. It would just allow devs to publish apps to an alternate marketplace and users that are not dev unlocked could easily download them.
RustyGrom said:
A couple issues to consider...
Might want to read through the WP Store T&C carefully. While those may very well be the only requirements to get a company account, I wouldn't be surprised if there are much more in the terms to keep one. In other words, distributing your app to non-employees could get your company account banned/disabled/revoked. I haven't done the leg work on this so not sure.
The VeriSign cert you get will likely have requirements to be maintained by a single person or group. Publishing the private key would almost certainly (and quickly) get this revoked. So you would either need to someone to manually sign/publish all the apps or figure out an automated process. That should be possible but would likely take a good bit of work to get going.
My $.02.
Click to expand...
Click to collapse
Correct. The ToS needs to be really well understood. Some people seem to imply that users outside the company are okay to enroll, but I'm not sure. However, I'm not really sure if the enrollment even touches MSFT's servers at all, and if T&C violations would cause a problem. Something that needs to be looked into. If it's a definite breach of T&C, I say it's not worth it. My $0.02
DavidinCT said:
Jaxbot, did you get a WP8 device and if so, what model did you get ? I know you were trying to get one.
Click to expand...
Click to collapse
Unfortunately no, all my research has been on the emulator. All my attempts to get my hands on a WP8 have proven fruitless so far.
What would be interesting is to see what type of apps you can deploy with this. Could something like this open a full unlock or Interop unlock becase the corporate account could get those type of pemissions to their devices ?
Click to expand...
Click to collapse
No, definitely not full unlock. Interop, I'm not sure. The apps are signed and installed, so I have no idea if ID_CAPs are limited. An app like Folders could definitely be deployed, though, with the new WP8 apis.
Is this tyed to the Active Directory in anyway, knowing Microsoft each user might need an account in the Active Directory to be able to use the "Company Dev center"? There could be a lot of limits depending how you can connect to the server that runs it.
Click to expand...
Click to collapse
No, you can enroll within active directory, it says that in the instructions.
Do they have a test version ? Maybe that can be used in this case, just to see if it works and could use a deeper investment to get this working. If you could get me a full unlock from this, I surely would pay up a little for it.
Click to expand...
Click to collapse
RustyGrom said:
This wouldn't be a full unlock. It would just allow devs to publish apps to an alternate marketplace and users that are not dev unlocked could easily download them.
Click to expand...
Click to collapse
What he said. Basically, it would give us homebrew apps that fit into the limitations of the SDK, but not necessarily the limitations of the certification requirements. Folders, Themes, etc. could likely be built. Apps such as CacheClearer and Tweaks, probably not, but again, I have no experimental research on this yet.
This presentation from BUILD (http://channel9.msdn.com/Events/Build/2012/2-014) should answer most of your questions. The phone does 'phone home' to Microsoft to check the publishers and apps installed. Also, capabilities are limited to "same as standard marketplace apps" however the 'company store' app can install apps and manage apps that have been published through it.
RustyGrom said:
This presentation from BUILD (http://channel9.msdn.com/Events/Build/2012/2-014) should answer most of your questions. The phone does 'phone home' to Microsoft to check the publishers and apps installed. Also, capabilities are limited to "same as standard marketplace apps" however the 'company store' app can install apps and manage apps that have been published through it.
Click to expand...
Click to collapse
55 minutes, exciting Thanks for that, though, clarifies a lot. In that case, then, it sounds like the company store app won't really have much useful information for us, as it sounds almost more restricted than I had originally hoped. In that case, then, "company apps" is probably not a worthwhile route to peruse. My 2 cents.
Terms and conditions for a company account
a. Internal Distribution. Subject to the terms of this Addendum and the Application Provider Agreement,
you may make Enterprise Applications internally available to your Employees. Enterprise Applications
may not be made available to consumers, other companies or the general public, except for vendors or
companies that are under contract with you to develop or test any Enterprise Applications. You are
responsible for any unauthorized distribution of the Certificate Software and Enterprise Applications
outside of the terms and conditions of this Addendum.
b. No Alternative Marketplace. You will not use the Certificate Software to: (i) make paid Applications that
are offered in the general Windows Phone Store available to your Employees; and (ii) make available
Enterprise Applications in a manner that harms the Windows Phone Store as determined by Microsoft
Yeah, MSFT thought about that idea WAY ahead already.
Termination. If you breach the terms of this Addendum and/or the Application Provider Agreement, Microsoft
may (a) revoke the certificates provided by Certificate Software; and/or (b) terminate your Enterprise Account immediately.
If that happens, every app installed will fail to work a day later.
Well it was a good thought guys. A damn good thought..
Since WP8 supports MMC, can we side load any temporary OS to read or execute from anything from it!?
nitin88g said:
Since WP8 supports MMC, can we side load any temporary OS to read or execute from anything from it!?
Click to expand...
Click to collapse
MMC? And seriously, go start another thread! Do NOT thread hijack! I can't stand it, seriously
MMC - Multimedia Card.
I am a MCSE, I wounder if there is a verson to learn how use it. Maybe they have a traning version so I could learn how to get it working on domain. This would be nice if I can try this and get a interop unlock by setting it up on my own domain..
DavidinCT said:
I am a MCSE, I wounder if there is a verson to learn how use it. Maybe they have a traning version so I could learn how to get it working on domain. This would be nice if I can try this and get a interop unlock by setting it up on my own domain..
Click to expand...
Click to collapse
Not possible. The apps you deploy will not get interop privileges.
I hope that this is not the wrong place for my post.
I am trying to protect an apk from being copied/extracted/backed up off the phone and installed later, on another phone.
I have to mention that the app is not (and will not be) for sale on PlayStore or on any web store, being sold along with the phone. This is why I can not use apk protection offered by GooglePlay, which is anyway cracked at his time.
But I want to take advantages on this situation: every single phone will pass trough my hands (I will install myself the app) before hitting users. How can I use this advantage in order to protect my app?
At this time my app is not visible in Running Apps drawer, is having a default Android icon and the name is disguised in something pretty innocent. GUI access by dialing a code. No worries, is not malware but only a security app regarding GSM connection security.
Also, is running as a system app, which make it invisible for apps like Astro file manager, thus impossible to copy/back up by such file manager apps. Unfortunately there are a bunch of system app managers, that can convert a system app on user app, and then copying the apk file is easy.
I know that security sucks big time when it comes about Android OS, but I am determined to find a way to protect my app.
I know also that even a licensing scheme based on IMEI, WiFi MAC or Bluetooth MAC addresses can be bypassed by some skilled crackers. This values can be spoofed or even null.
I have tried apk encryption. Doesn't work: some apps supposed to encrypt other Android apps are actually encrypting only app libraries, not the apk file itself. By encrypting apk file, the app obviously will not work.
Code obfuscation is not an option as long the app can be duplicated off the phone and installed later on another phone.
The last idea that I had: pulling some app resources (like drawables) from a server. What do you think?
At this time I'm in a dead end. I have no more ideas how to protect my app. That's why I need your help. Can you give me please some feasible ideas, based on your huge experience?
Thank you very much for your time.
theres a thread
http://forum.xda-developers.com/showthread.php?t=2279813
where we're discussing about methods to protect apps from piracy u can post it there
Sent from my GT-S5302 using Tapatalk 2
Thanks
Thx a lot sak-venom1997.