NM. I answered my own question. The log in screen was misleading. Have to stop multi tasking when I do these things. @ me.
KOF33 said:
NM. I answered my own question. The log in screen was misleading. Have to stop multi tasking when I do these things. @ me.
Click to expand...
Click to collapse
Just for fun, the answer is most definitely *NO*. Not if you have any personal information on your google account since this would allow that app to not only steal all your personal information, it would allow the app author to hijack your account, send your login credentials to china, etc.
lbcoder said:
Just for fun, the answer is most definitely *NO*. Not if you have any personal information on your google account since this would allow that app to not only steal all your personal information, it would allow the app author to hijack your account, send your login credentials to china, etc.
Click to expand...
Click to collapse
So can't use GDoc or Greed?
cigar3tte said:
So can't use GDoc or Greed?
Click to expand...
Click to collapse
I wouldnt...
Unless you know the code and compiled it yourself.
Or if you definitely don't have any sensitive info on your account.
There's no telling what they'll do with it.
Do you know the author? Have you met them? Do you even know what country they're in?
If you have a rooted device then id watch out for any apps you install, I've read about malware that uploads you browser.db and other data, and we all know that google didn't implement encryption into password storage.
I'm developing a shell app to do this over adb or on the phone console I have implemented
Browser database
Contact database
Ebuddy password
you could always use a password you just made up out of the blue. the app won't be able to recognize whether it's your actual gmail password or not.
tazz9690 said:
you could always use a password you just made up out of the blue. the app won't be able to recognize whether it's your actual gmail password or not.
Click to expand...
Click to collapse
Well the app that made me ask didnt "Require" it. But just recently after that A Gmail/Fbook sync app asks for both passwords.
Without it it wont work. I dont feel comfortable giving my PW to some random app.
Sudox-
Do you mean installing from non marketplace ?
Even rooted marketplace should be ok no ?
Ive never looked extensively at the safety precautions Google implemented.
KOF33 said:
Well the app that made me ask didnt "Require" it. But just recently after that A Gmail/Fbook sync app asks for both passwords.
Without it it wont work. I dont feel comfortable giving my PW to some random app.
Sudox-
Do you mean installing from non marketplace ?
Even rooted marketplace should be ok no ?
Ive never looked extensively at the safety precautions Google implemented.
Click to expand...
Click to collapse
The only thing that the market gives you is a partial assurance that the publisher's market account can be traced back to them based on the credit card number that was used to sign up. Google does NOT security verify the applications that are posted there. The security is built in to the OS -- and note that the app shows you what kind of data it can access at install time. It is therefore UP TO YOU to ensure that the application doesn't get any information that you would consider "sensitive".
And as for root access... this is a potential danger if you aren't careful about limiting root access from certain applications. The community-root scheme is fairly OK, but any program to which you grant ROOT PERMISSION will have access to *everything*. Be careful about what applications you give root to.
lbcoder said:
The only thing that the market gives you is a partial assurance that the publisher's market account can be traced back to them based on the credit card number that was used to sign up. Google does NOT security verify the applications that are posted there. The security is built in to the OS -- and note that the app shows you what kind of data it can access at install time. It is therefore UP TO YOU to ensure that the application doesn't get any information that you would consider "sensitive".
And as for root access... this is a potential danger if you aren't careful about limiting root access from certain applications. The community-root scheme is fairly OK, but any program to which you grant ROOT PERMISSION will have access to *everything*. Be careful about what applications you give root to.
Click to expand...
Click to collapse
This is something I have been wondering for a while now. Say you grant an app SU rights, however upon installation that app did not specify "Internet Access", meaning that the permissions for that program do not allow access to the internet (for sending of any information it could possibly gather). Can that app somehow access the internet, or modify it's own permissions in packages.xml?
daveid said:
This is something I have been wondering for a while now. Say you grant an app SU rights, however upon installation that app did not specify "Internet Access", meaning that the permissions for that program do not allow access to the internet (for sending of any information it could possibly gather). Can that app somehow access the internet, or modify it's own permissions in packages.xml?
Click to expand...
Click to collapse
Yes, any app with root access *can* change its own permissions, yes, any app with root access can access the internet, even withOUT internet permissions, and yes, an update to the app can come with additional permissions than an earlier version.
Note possible attack;
publish an app withOUT internet and/or read contacts permission,
app tries to send sensitive information to china -- permission denied, catch exception, no visible effect to the user. App granted ROOT access, alters /data/system/packages.xml to add internet and read contacts permissions and immediately the phone "randomly" reboots, upon reboot, that app has permissions required to send sensitive information to china.
And yes, the root app is NOT completely secure/trustworthy. There are several vulnerabilities that need to be considered...
1) A *pair* of apps can conspire to break out... i.e., one "trusted" app with root can modify a DIFFERENT app into the whitelist. This can include granting blanket root access.
2) The userid of an uninstalled application may remain in the whitelist, allowing it to be replaced by a *different* app that could later use that root access to do all kinds of nasty things.
In general, a better form for the community root database app would be along the following lines;
1) There should be NO WHITELIST.
2) The root permission state should remain in *memory* for a limited period of time (i.e. 1 minute).
3) The root app should request a PASSWORD (to prevent other people from tampering with it) -- store a password hash in the app's home directory,
4) The root app should be *forced* to be a *system* app in order to eliminate possibility of other user uninstalling and reinstalling it to bypass the password.
1 and 2 should be considered essential. 3 and 4 make it bulletproof, but still can't possibly do anything to stop an app given root from running amok.
In fact, note this;
Even WITH a secured root app, all any app needs is a MOMENT with root to do severe nastiness -- like give itself its very own su command that can't be stopped by the root-app...
Note: in order to *really* give decent security, the su command/app should work more like 'sudo' than like 'su'.
I.e., some app runs "sudo somecommand". This invokes the "sudo" app, which says... "XYZ is attempting to run this command as root: ---. Do you want to allow it?" You know, it is a much stronger position to be in if you can see *exactly* what some root-wanting app is trying to run. Also, nice to prevent some app from just going off as root any time it wants to.
When I set up my ROM this time, I left unchecked the first box when it asks can Google gather anonymous location info even when apps are not running.
Then when I set up my weather widget it didn't seem to know where I was so I had to put in my zip code.
Before when I set up I had always left both boxes checked about could google gather location info.
And it seemed that weather widget worked automatically then, knowing where I was without zip code.
Is that how it works?
How can I get back to that screen to allow google to gather anonymous location info? I can't seem to find it now.Is there any downside to allowing Google to do this? What is the info used for?
Thanks.
Found it in Settings. Security and Location. Use wireless networks.
its in the location settings, allow gps and mobile network tracking...
How does the Android community ban apps that ask for crazy permissions? For people who root and have some level of sophistication - we're not going to fall for bad behaving apps.
But for all those who don't even know what permissions are, they need to be warned.
Take a look at this one:
https://market.android.com/details?id=com.antonio.fashion&feature=search_result
Comes from a banned company called Plankton that rebranded itself as StartApp.
I feel sorry for people that install this and can't get rid of all the nasty stuff they injected into their device.
Android Market said:
Permissions
This application has access to the following:
Network communication
full Internet access
Allows an application to create network sockets.
Your personal information
write Browser's history and bookmarks
Allows an application to modify the Browser's history or bookmarks stored on your device. Malicious applications can use this to erase or modify your Browser's data.
read Browser's history and bookmarks
Allows the application to read all the URLs that the Browser has visited, and all of the Browser's bookmarks.
Phone calls
read phone state and identity
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.
Storage
modify/delete USB storage contents modify/delete SD card contents
Allows an application to write to the USB storage. Allows an application to write to the SD card.
Show all
Network communication
view network state
Allows an application to view the state of all networks.
view Wi-Fi state
Allows an application to view the information about the state of Wi-Fi.
System tools
automatically start at boot
Allows an application to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the application to slow down the overall device by always running.
Click to expand...
Click to collapse
I have a problem with an app that supposedly just displays pictures but needs access to my phone, my browser AND starts on boot. The network communication and SD modify I understand since it needs to retrieve the pictures from somewhere and save them in the memory other than the internal one but the rest of the permissions are just completely unnecessary.
Wow that's crazy, I fully agree!
Wow! Those permissions are crazy. That company should be banned. People are having a similar issue with the Amazon "Free app of the day" today. It's a game that is asking for a ton of permissions. There were a lot of complaints and the developer remarked on their Twitter account that they accidentally uploaded a version with "remnant permissions." Ya..right. Too many companies are getting away with this "we accidentally uploaded a test/alpha/beta/developer...etc version of our app." *rolls eyes
Sent from my PC36100 using xda premium
I am running CheckROMv3 on my Note, and decided to install the Torch Light application of Samsung.
I found the apk in the developers thread, and when I opened it with Installer it requested a lot of permissions. Some highlights are listed bellow:
//
Add or modify calendar events, read browser's history and bookmarks, read contact data, read user defined dictionary, write contact data.
SysScope (??) (sound snooping enough?)
Directly call phone, send, receive, read, edit SMS or MMS.
Your location, both coarse as well as GPS.
Your account: act as account authenticator, use credentials.
Modify, delete USB sotrage contents.
Change audio settings, record audio, take pictures and videos.
System tools including BT, wifi etc
Discover knowns accounts, read Google service configuration, view configured accounts.
Automatically start at boot, read Home settings and shortcuts.
//
All of that for a simple torch widget?
Seriously Samsung, why do you need my GPS and access to my SMS and Google services to light a dark staircase? And how are you planning on acting as an authenticator on my part?
Is this even legal or ethical? And how about all the stock ROM users that have no idea of the above list? Are they really making an educated decision when accepting the update?
This is why I love android and cooked ROMs. I get to decide what I want to share and in this case I decided not to install it.
PS: I just hope this is just an oversight of the programmers. They might have just used a shared library that requests all of the above. Today the Torch Light widget might be using none of them, but if you give your permission to it, future updates will not inform you of any changes.
:O good thing i deleted it.
shahadat said:
:O good thing i deleted it.
Click to expand...
Click to collapse
Unfortunately it is not in the market to Vote/comment it
This one has me stumped, and the online info is not helpful. I just started a new job and they use Google Apps for Work. They let you add your account to your own device, but because it is a state agency they are enforcing device policies on accounts - including remote wipe and app auditing abilities. I don't particularly like the idea of them knowing about every single app I have nor the fact that they can wipe my phone. I saw that there should be the ability to create a "work profile" to keep the two separate (allowing them to only see the apps installed on the work profile, and if they issue a wipe it will only nuke the work profile), but I don't seem to have the ability to create one. This is an S5 (SM-G900R7) with bone stock/non-rooted 6.0.1. The online guides say that all I should have to do is open the Device Policy app and go to the Status page, and there should be a button to create a work profile but I do not have said button. Under Policies > Shared Device Details it does say "Work Profile: Supported", so what am I missing here? All I really need is to access my email and see my calendar from that account, but even those require the device policy, so I'm at a loss..
Anyone?