[APP][Tool] AndroIDentity 3.5: real device ID + SafetyNet Scanner - Android Software Development

It's with great pleasure that I inform you all that AndroIDentity 3.5 has been released, and it has several new features:
SafetyNet Attestation:
Attest the device per Google's SafetyNet API, using secure two-step validation of the results, and scan for Potentially Harmful Applications (PHAs)
System log (logcat)
A convenient and easy-to-use logcat tool that displays the device's log, even on non-rooted devices (ADB is required to enable logcat on non-rooted devices). The output is color-coded by log type (verbose, info, warning, etc).
Powerful Package & Apps information
AndroIDentity's new Package Information gives you access to several important pieces of data on packages: the store it was installed from, UID, storage location, a direct link to its store (such as Google's, Amazon, Samsung, etc), filters, signing certificates, activities, and many other features usually not found in free apps.
Play Store and Service status
Check the status of the Play Store and Play Services and start Google's repair tool when a problem is found with Google Play Services.
Root Checker
Check for Root and Busybox status and location
KNOX Verification
For Samsung devices, AndroIDentity checks and reports the KNOX status of the device. Nevertheless, AndroIDentity works on all brands of devices, from Android 4.0 forward.
Detailed device info
Keeping up with the tradition of AndroIDentity, its most important feature is still there: it reports back to you several important pieces of information about the device under test, which can be compared to the device's datasheet for authenticity attestation.
Over 15,200 devices recognized
AndroIDentity correctly identifies and reports on over 15,200 devices, using an internal database that is kept up to date with new market releases.
Throughout the years, AndroIDentity has helped thousands of users become aware of fake/counterfeit devices, and has even, in several cases, prevented users from buying non-genuine phones.
AndroIDentity works on all Android devices, of all brands, as long as they run Android 4.0 or newer. It is still donationware, which gives you a few perks, like an enhanced GUI, and the satisfaction of knowing you're supporting such an important project.
Download it now for free from: https://play.google.com/store/apps/details?id=com.alxdroiddev.gs3identity


Security breach found on htc devices

The Vulnerability
In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.
That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
the list of user accounts, including email addresses and sync status for each
last known network and GPS locations and a limited previous history of locations
phone numbers from the phone log
SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.
But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):
active notifications in the notification bar, including notification text
build number, bootloader version, radio version, kernel version
network info, including IP addresses
full memory info
CPU info
file system info and free space on each partition
running processes
current snapshot/stacktrace of not only every running process but every running thread
list of installed apps, including permissions used, user ids, versions, and more
system properties/variables
currently active broadcast listeners and history of past broadcasts received
currently active content providers
battery info and status, including charging/wake lock history
and more
Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:
ACCESS_COARSE_LOCATION Allows an application to access coarse (e.g., Cell-ID, WiFi) location
ACCESS_FINE_LOCATION Allows an application to access fine (e.g., GPS) location
ACCESS_LOCATION_EXTRA_COMMANDS Allows an application to access extra location provider commands
ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks
BATTERY_STATS Allows an application to collect battery statistics
DUMP Allows an application to retrieve state dump information from system services.
GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service
GET_PACKAGE_SIZE Allows an application to find out the space used by any package.
GET_TASKS Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
READ_LOGS Allows an application to read the low-level system log files.
READ_SYNC_SETTINGS Allows applications to read the sync settings
READ_SYNC_STATS Allows applications to read the sync stats
Theoretically, it may be possible to clone a device using only a small subset of the information leaked here.
I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door. For a more technical explanation, see the section below.
Additionally, and the implications of this could end up being insignificant, yet still very suspicious, HTC also decided to add an app called androidvncserver.apk to their Android OS installations. If you're not familiar with the definition of VNC, it is basically a remote access server. On the EVO 3D, it was present from the start and updated in the latest OTA. The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely? I'm sure we'll know soon enough - HTC, care to tell us what it's doing here?
Technical Details
In addition to Carrier IQ (CIQ) that was planted by HTC/Sprint and prompted all kinds of questions a while ago, HTC also included another app called HtcLoggers.apk. This app is capable of collecting all kinds of data, as I mentioned above, and then... provide it to anyone who asks for it by opening a local port. Yup, not just HTC, but anyone who connects to it, which happens to be any app with the INTERNET permission. Ironically, because a given app has the INTERNET permission, it can also send all the data off to a remote server, killing 2 birds with one stone permission.
In fact, HtcLogger has a whole interface which accepts a variety of commands (such as the handy :help: that shows all available commands). Oh yeah - and no login/password are required to access said interface.
Furthermore, it's worth noting that HtcLogger tries to use root to dump even more data, such as WiMax state, and may attempt to run something called htcserviced - at least this code is present in the source:
/system/xbin/su 0 /data/data/com.htc.loggers/bin/htcserviced
HtcLoggers is only one of the services that is collecting data, and we haven't even gotten to the bottom of what else it can do, let alone what the other services are capable of doing. But hey - I think you'll agree that this is already more than enough.
Patching The Vulnerability
... is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk).
Stay safe and don't download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.
Affected Phones
Note: Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe.
EVO 4G
EVO 3D
Thunderbolt
EVO Shift 4G? (thanks, pm)
MyTouch 4G Slide? (thanks, Michael)
the upcoming Vigor? (thanks, bjn714)
some Sensations? (thanks, Nick)
View 4G? (thanks, Pat)
the upcoming Kingdom? (thanks, Pat)
most likely others - we haven't verified them yet, but you can help us by downloading the proof of concept above and running the APK
HTC's Response
After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public (as per RF full disclosure Policy). In my experience, lighting a fire under someone's ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry. (This is where we come in.)
As far as we know, HTC is now looking into the issue, but no statement has been issued yet.
HTC, you got yourself into this mess, and it's now up to you to climb out of the hole as fast as possible, in your own interest.
The ball is in your court.
Credit
ANDROID POLICE
Huge thank you to Trevor Eckhart who found the vulnerability and Justin Case for working with us today digging deeper.
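The article's core finding is a system service listening on a local TCP port that any app on the device can connect to. One thing a defender can do without root is read /proc/net/tcp, which is world-readable on Android, and list every socket in LISTEN state together with the UID that owns it; a listener owned by an app-range UID (10000 and up) bound to loopback or to all interfaces is exactly the kind of thing to look at. The following is an added example written for this thread, not code from the Android Police article or from HTC; the /proc/net/tcp sample is constructed, and the UID threshold is an assumption based on Android's app UID range.

```python
"""Added example: list LISTEN-state TCP sockets from /proc/net/tcp with their
owning UID. The sample text below is constructed, not captured from a device."""
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format: one loopback listener, one
# wildcard listener, and one established connection to the first listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10042        0 12345 1 00000000 100 0 0 10 -1
   1: 00000000:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10033        0 12346 1 00000000 100 0 0 10 -1
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000 10050        0 12347 1 00000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A          # kernel socket state code for LISTEN
FIRST_APP_UID = 10000      # assumption: Android assigns app UIDs from 10000 upward


def _decode_addr(hexaddr):
    """Turn 'AABBCCDD:PPPP' into (dotted ip, port). The kernel prints the IPv4
    address as a little-endian 32-bit hex word, so 0100007F is 127.0.0.1."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_text):
    """Return [(ip, port, uid)] for every LISTEN entry in /proc/net/tcp text."""
    result = []
    for line in proc_text.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 8:
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = _decode_addr(fields[1])
        result.append((ip, port, int(fields[7])))
    return result


def app_owned_listeners(proc_text):
    """Listeners owned by app-range UIDs: services reachable by any other app
    that can open a socket (i.e. anything holding INTERNET)."""
    return [entry for entry in listening_sockets(proc_text)
            if entry[2] >= FIRST_APP_UID]


if __name__ == "__main__":
    # On a device, read the live table; elsewhere fall back to the sample.
    text = SAMPLE_PROC_NET_TCP
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    for ip, port, uid in app_owned_listeners(text):
        print(f"app uid {uid} listening on {ip}:{port}")
```

Once a suspicious listener is found, `adb shell ps` maps the UID back to a process name (on a device where you have ADB, no root needed), which is how you would confirm which package owns the port.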
Hi there, I need help. Someone is consistently hacking into my phone, an HTC EVO 4G. They are penetration testers and PC savvy. Currently I can't log in to the phone to try to do a factory reset. They kept intercepting me and now my password does not work. Who knows, maybe they changed it on their side. I wrote down everything I saw. I was seeing all these processes running for the same app in my applications. My phone was getting hot and freezes, but it's people that live in my apartment complex and at work. Can you help?
zzm5 said:
Hi there, I need help. Someone is consistently hacking into my phone, an HTC EVO 4G. They are penetration testers and PC savvy. Currently I can't log in to the phone to try to do a factory reset. They kept intercepting me and now my password does not work. Who knows, maybe they changed it on their side. I wrote down everything I saw. I was seeing all these processes running for the same app in my applications. My phone was getting hot and freezes, but it's people that live in my apartment complex and at work. Can you help?
Is your device rooted?
I used root explorer and removed the HtcLoggers.apk and other than the forced close loop that removing it caused (requiring me to remove the battery), after rebooting all seems to be working fine.
EDIT: Actually I didn't just delete HtcLoggers.apk but moved it to a safe location on the SD Card in case there was a problem and it needed to be restored. I highly suggest you do this instead of just deleting it, or better yet, a nandroid backup.
there are a few good ROMS out there that have the ICQ loggers removed already.
Do we really need three threads on the front page about the same thing?

[Q] is there a patch for this bug 13678484 (fake id)

Can anyone make a patch for all variants of HD2 ROMs, from GB up? I used the Bluebox app to check if my phone was vulnerable to this bug 13678484 (Fake ID), and my daily driver, barebone CM7 v2b, was. I'd say all ROMs developed for the HD2 are vulnerable. I have searched the net for how to patch this vulnerability but can't find the info anywhere. This is something I think all XDA devs for this device will have to sort out, as we cannot get help from carriers on this; the advice given is "contact your carrier or phone vendor for a patch". If anyone has advice on how to sort this out, I would be very thankful. I think XDA should run a piece about this vulnerability and what steps are being taken by all devs on XDA to patch it for older handsets like my HD2.
Bluebox Security revealed a significant security flaw that affects all Android devices since version 2.1. Our hyperbolic title mocks the fact that it took very little to set the Internet ablaze. While the flaw is real, it is worth taking a step back and putting the case in context instead of screaming panic for nothing.
A serious flaw that affects a large number of terminals
Very schematically, the Fake ID flaw allows malware to authenticate using the signature of a known application to hide its true origin. The firm provides the example of a virus masquerading as Adobe Systems or Google software, which would be able to become a Trojan horse or steal data used by Google Wallet, acquiring the necessary permissions without involving the user.
The flaw is serious. However, Google has already been made aware of it: it has already released a patch and sent it to its partners, it corrected the flaw in Android 4.4 KitKat, it scanned Google Play and can say that no application in its store uses this vulnerability. Finally, Verify Apps, which monitors the behavior of applications on an Android device, is also fixed and can detect an application attempting to exploit Fake ID.
A patch already in place and a flaw of very limited scope that still shows Google has work to do on security
In short, it is true that it is possible to be a victim of this flaw, but it requires a terminal that has not been updated, downloading an application containing malware that does not come from Google Play, and either having Verify Apps disabled or having an Android version that is free of it. Suffice to say that the cases in question are very limited.
This flaw shows that Google still has work to do in terms of its security strategy. Last month, we decried the lax features of the Play Store. Today, we are dealing with a flaw of limited scope, but one that was discovered by analyzing the shortcomings of the operating system's source code.
While the info you have given is fine and I thank you for it, there are other app stores people use besides the Google Play Store, and reading up on this bug, is it still possible their phones could become compromised by downloading apps from them?
A Big Big Thank You
Just an update: opssemnik backported the Fake ID Xposed module and it works perfectly with GB ROMs. A big big thank you to him. He also supplied a link in the comments on http://www.xda-developers.com/android/fight-fake-id-vulnerability-xposed/ So once again a big thank you to opssemnik.

[Q] Device Control - Blacklist Applications

I am in the process of configuring a number of Note 4 (910F) with Android 4.4.4 for issue to employees within my department. To prevent people from using a corporate handset for their unauthorised purposes, the devices have to be as clean as possible, with access to base functions such as phone, contact, sms, camera and business applications, but remove access to unnecessary applications that are all part of the bloatware installed on them by the network operator.
For device management, we are using SOTI Mobicontrol. SOTI allows me to blacklist applications to prevent them from launching. For security and warranty reasons, rooting the devices to remove unwanted applications is not an option. Therefore the only option is to use the SOTI blacklist to remove access to the application icon for launch.
SOTI requires that I input the application path eg com.sec.android.samsung.samsungapps to add an application to the blacklist. For the majority of mainstream applications such as Amazon, Evernote etc these are readily available. I'm having difficulty in finding the details for things like S Voice, and other bloatware that has been installed as part of the ROM.
I have one device that I can use for testing, so can install applications onto that. Is there any application readily available which will be able to capture the application launch path for an app that doesn't require me to root the device? I've found a few lists on the forum that related to the same apps on different devices which has given me a starting point. Just thought there may be an easier way to find the information out from the device.
Any help gratefully accepted.
IP
Work smarter, not harder. 'Dilbert'
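On a non-rooted device with USB debugging enabled, `adb shell pm list packages -f` prints every installed package together with the path of its APK, so the preinstalled bloat can be told apart from user-installed apps by the path (/system/... versus /data/app/...). To find the identifier of one specific app such as S Voice, launch it and run `adb shell dumpsys window windows | grep mCurrentFocus`; the package name appears in the focused window's name. The script below is an added example written for this thread, not part of SOTI MobiControl or Samsung's tooling; it parses constructed `pm list packages -f` output (the package names in the sample are made up, apart from the one quoted in the question) and produces a candidate blacklist of preinstalled packages, minus an allowlist of base functions that must stay.

```python
"""Added example: turn `adb shell pm list packages -f` output into a candidate
blacklist of preinstalled packages. Sample output below is constructed."""
import shutil
import subprocess

# Constructed sample of `pm list packages -f` output (not from a real Note 4).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/ExampleVoice/ExampleVoice.apk=com.example.vendor.voice
package:/system/app/Phone.apk=com.android.phone
package:/system/app/Contacts.apk=com.android.contacts
package:/system/app/Mms.apk=com.android.mms
package:/system/app/Camera.apk=com.example.vendor.camera
package:/system/app/SamsungApps.apk=com.sec.android.samsung.samsungapps
package:/data/app/com.example.corp.crm-1.apk=com.example.corp.crm
"""

# Base functions that must remain launchable (assumed package names).
KEEP = {
    "com.android.phone",
    "com.android.contacts",
    "com.android.mms",
    "com.example.vendor.camera",
}


def parse_pm_list(text):
    """Map package name -> APK path. rsplit on the last '=' because an APK
    path may itself contain '=' while a package name never does."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, name = line[len("package:"):].rsplit("=", 1)
        packages[name] = path
    return packages


def is_preinstalled(path):
    """Packages shipped in the firmware live under /system; user installs
    land under /data/app."""
    return path.startswith("/system/")


def candidate_blacklist(text, keep=KEEP):
    """Sorted preinstalled packages that are not on the allowlist: the
    identifiers to paste into the MDM blacklist for review."""
    packages = parse_pm_list(text)
    return sorted(name for name, path in packages.items()
                  if is_preinstalled(path) and name not in keep)


def live_pm_output():
    """Read the real list from an attached device if adb is available,
    otherwise fall back to the constructed sample."""
    if shutil.which("adb") is None:
        return SAMPLE_PM_OUTPUT
    proc = subprocess.run(["adb", "shell", "pm", "list", "packages", "-f"],
                          capture_output=True, text=True, check=False)
    return proc.stdout if proc.returncode == 0 else SAMPLE_PM_OUTPUT


if __name__ == "__main__":
    for name in candidate_blacklist(live_pm_output()):
        print(name)
```

Review the generated list before loading it: some /system packages are framework components rather than launchable apps, and blacklisting those in the MDM does nothing useful. The allowlist is where your "base functions" policy lives, so it is the part to maintain.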
In my opinion, these forums are for helping others get the most out of their devices, to improve them and make them more enjoyable. That is not your case; here we come as enthusiasts and fans. You had better hire a pro in order to accomplish your corporate goals.
winol said:
In my opinion, these forums are for helping others get the most out of their devices, to improve them and make them more enjoyable. That is not your case; here we come as enthusiasts and fans. You had better hire a pro in order to accomplish your corporate goals.
Thanks for the reply. I am an enthusiast, both Android, HTC and Samsung. Where I've been happy to read through the forums and customise my own devices over the years, my 'enthusiast' status has now put me in a position at work where a little bit of advice would go a long way to helping me out.
It's all fine and well paying someone else to do something, but the advice I was looking for was to help me as learning a new skill or how to use a new tool or app is always useful and helps keep me in a job and putting food in the mouths of my children!
I could have easily not included anything about this being needed to help me out for a situation at work and got an entirely different response, but I'm an honest guy just looking for a little advice.
indigo_prime said:
I am in the process of configuring a number of Note 4 (910F) with Android 4.4.4 for issue to employees within my department. To prevent people from using a corporate handset for their unauthorised purposes, the devices have to be as clean as possible, with access to base functions such as phone, contact, sms, camera and business applications, but remove access to unnecessary applications that are all part of the bloatware installed on them by the network operator.
For device management, we are using SOTI Mobicontrol. SOTI allows me to blacklist applications to prevent them from launching. For security and warranty reasons, rooting the devices to remove unwanted applications is not an option. Therefore the only option is to use the SOTI blacklist to remove access to the application icon for launch.
SOTI requires that I input the application path eg com.sec.android.samsung.samsungapps to add an application to the blacklist. For the majority of mainstream applications such as Amazon, Evernote etc these are readily available. I'm having difficulty in finding the details for things like S Voice, and other bloatware that has been installed as part of the ROM.
I have one device that I can use for testing, so can install applications onto that. Is there any application readily available which will be able to capture the application launch path for an app that doesn't require me to root the device? I've found a few lists on the forum that related to the same apps on different devices which has given me a starting point. Just thought there may be an easier way to find the information out from the device.
Any help gratefully accepted.
IP
Work smarter, not harder. 'Dilbert'
Why aren't you using Knox? It gives you and your team a clean, safe and highly secure partition where your enterprise data and emails live, and it also allows your team to enjoy the device as it is.
I believe Knox has been designed for exactly this purpose.
jdomadia said:
Why aren't you using Knox? It gives you and your team a clean, safe and highly secure partition where your enterprise data and emails live, and it also allows your team to enjoy the device as it is.
I believe Knox has been designed for exactly this purpose.
Knox is an additional license for the SOTI software we are using for device management and my suggestion to include it as part of the project were ignored. Work want to 'see how it goes' without spending any more money!
If you want a better Corporate security:
KNOX
ROOT
Choose EITHER ONE or you are out of options.
KNOX is a corporate solution for most big enterprises provided by Samsung & it's a good investment.
ROOT gives you FULL control over any LINUX based OS (Android is a LINUX fork) & it's cheaper as it's FREE.
By using ROOT access, you can create a secondary user that is very limited and password protected, even encrypted, in a way that differs from Android guest mode.
Using ROOT access, you can even remove the BLOAT/unnecessary apps entirely from your devices, thereby eliminating unwanted possible BUGs that may compromise your company's security.
Linux & Android security knowledge is highly required.
IMHO, for warranty issue, you can replace warranty with insurance.
...And from my knowledge, I've read that many people claim their warranty with KNOX counter tripped without problem from Samsung (But of course they un-ROOT it before claiming).
But remember, as long as your employee can access Download Mode, all of it is useless.

Safetynet check, apps won't run on rooted devices. What IS CTS?

If you are running Lineage OS for the BLU R1HD, or almost any custom ROM on any device, you have probably gotten this message from Android Pay, PS Vue, or a number of other apps: "can not run on a rooted device". This is easy to fix on a rooted device, but a custom ROM is a whole other story. I kept getting CTS profile mismatch, regardless of what I tried. I'm not a developer, but I am no dummy, work as an OpenStack engineer, and have been in network engineering for 15 years, yet I could not find crap about CTS, other than it is the "Compatibility Test Suite". After hunting the web, I finally stumbled upon a good article that explains it pretty nicely, so here it is:
------------
Rooting your Android device gives you access to a wider variety of apps and a deeper access to the Android system. But some apps–like Google’s Android Pay–won’t work at all on a rooted device.
Google uses something called SafetyNet to detect whether your device is rooted or not, and blocks access to those features. Google isn’t the only one, either–plenty of third-party apps also won’t work on rooted Android devices, although they may check for the presence of root in other ways.
SafetyNet: How Google Knows You’ve Rooted Your Android Phone
Android devices offer a “SafetyNet API,” which is part of the Google Play Services layer installed on Google-approved Android devices. This API “provides access to Google services that help you assess the health and safety of an Android device,” according to Google. If you’re an Android developer, you can call this API in your app to check whether the device you’re running on has been tampered with.
This SafetyNet API is designed to check whether a device has been tampered with–whether it’s been rooted by a user, is running a custom ROM, or has been infected with low-level malware, for example.
Devices that ship with Google’s Play Store and other apps installed must pass Google’s Android “Compatibility Test Suite”. Rooting a device or installing a custom ROM prevents a device from being “CTS Compatible”. This is how the SafetyNet API can tell if you’re rooted–it merely checks for CTS compatibility. Similarly, if you get an Android device that never came with Google’s apps–like one of those $20 tablets shipped direct from a factory in China–it won’t be considered “CTS compatible” at all, even if you haven’t rooted it.
To get this information, Google Play Services downloads a program named “snet” and runs it in the background on your device. The program collects data from your device and sends it to Google regularly. Google uses this information for a variety of purposes, from getting a picture of the wider Android ecosystem to determining whether or not your device’s software has been tampered with. Google doesn’t explain exactly what snet is looking for, but it’s likely snet checks if your system partition has been modified from the factory state.
You can check the SafetyNet status of your device by downloading an app like SafetyNet Helper Sample or SafetyNet Playground. The app will ask Google’s SafetyNet service about your device’s status and tell you the response it gets from Google’s server.
It’s Up to the App
SafetyNet is optional for app developers, and app developers can choose to use it or not. SafetyNet only prevents an app from working if an app’s developer doesn’t want it to work on rooted devices.
Most apps won’t check the SafetyNet API at all. Even an app that does check the SafetyNet API–like the test apps above–won’t stop working if they receive a bad response. The app’s developer has to check the SafetyNet API and make the app refuse to function if it learns your device’s software has been modified. Google’s own Android Pay app is a good example of this in action.
Android Pay Won’t Work on Rooted Devices
Google’s Android Pay mobile payment solution doesn’t work at all on rooted Android devices. Try to launch it, and you’ll just see a message saying “Android Pay cannot be used. Google is unable to verify that your device or the software running on it is Android compatible.”
It’s not just about rooting, of course–running a custom ROM would also put you afoul of this requirement. The SafetyNet API will claim it’s not “Android compatible” if you’re using a custom ROM the device didn’t come with.
Remember, this doesn’t just detect rooting. If your device were infected by some system-level malware with the ability to spy on Android Pay and other apps, the SafetyNet API would also prevent Android Pay from functioning, which is a good thing.
Rooting your device breaks Android’s normal security model. Android Pay normally protects your payment data using Android’s sandboxing features, but apps can break out of the sandbox on a rooted device. Google has no way to know how secure Android Pay would be on a particular device if it’s rooted or running an unknown custom ROM, so they block it. An Android Pay engineer explained the problem on the XDA Developers forum if you’re curious to read more.
Other Ways Apps Can Detect Root
SafetyNet is just one way an app could check if it’s running on a rooted device. For example, Samsung devices include a security system named KNOX. If you root your device, KNOX security is tripped. Samsung Pay, Samsung’s own mobile-payments app, will refuse to function on rooted devices. Samsung is using KNOX for this, but it could just as well use SafetyNet.
Similarly, plenty of third-party apps will block you from using them, and not all of them use SafetyNet. They may just check for the presence of known root apps and processes on a device.
It’s tough to find an up-to-date list of apps that don’t work when a device is rooted. However, RootCloak provides several lists. These lists may be out-of-date, but they’re the best ones we can find. Many are banking and other mobile wallet apps, which block access on rooted phones in an attempt to protect your banking information from being captured by other apps. Apps for video streaming services may also refuse to function on a rooted device as a sort of DRM measure, attempting to prevent you from recording a protected video stream.
Some Apps Can Be Tricked
Google’s playing a cat-and-mouse game with SafetyNet, constantly updating it in an attempt to stay ahead of people getting around it. For example, Android developer Chainfire has created a new method of rooting Android devices without modifying the system partition, known as “systemless root”. SafetyNet initially didn’t detect such devices as being tampered with, and Android Pay worked–but SafetyNet was eventually updated to detect this new rooting method. This means Android Pay no longer works along with systemless root.
Depending on how an app checks for root access, you may be able to trick it. For example, there are reportedly methods to root some Samsung devices without tripping the KNOX security, which would allow you to continue using Samsung Pay.
In the case of apps that just check for root apps on your system, there’s an Xposed Framework module named RootCloak that reportedly allows you to trick them into working anyway. This works with apps like DirecTV GenieGo, Best Buy CinemaNow, and Movies by Flixster, which don’t normally work on rooted devices. However, if these apps were updated to use Google’s SafetyNet, they wouldn’t be so easy to trick in this way.
Most apps will continue working normally once you’ve rooted your device. Mobile payment apps are the big exception, as are some other banking and financial apps. Paid video-streaming services sometimes attempt to block you from watching their videos as well.
If an app you need doesn’t function on your rooted device, you can always unroot your device to use it. The app should work after you’ve returned your device to its secure, factory state.
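What the article describes as "checking the SafetyNet API" is, on the server side, two steps: first verify that the signed attestation really came from Google (the JWS signature against the x5c certificate chain in its header, with the leaf certificate issued to attest.android.com), then apply policy to the payload fields. The "CTS profile mismatch" from the opening post corresponds to a payload where basicIntegrity is true but ctsProfileMatch is false, which is what a custom ROM on an unmodified-looking system produces. The code below is an added example for this thread, not code from the How-To Geek article, from Google, or from any app named above; it covers only the second step and assumes the signature was already verified by separate X.509 tooling. The payload field names (nonce, timestampMs, apkPackageName, ctsProfileMatch, basicIntegrity) are the real SafetyNet Attestation fields; the payloads, nonce, package name and freshness window are constructed.

```python
"""Added example: policy evaluation of a SafetyNet Attestation payload.
Signature verification of the JWS (step one) is assumed to be done elsewhere;
the sample JWS built here carries a placeholder signature and a placeholder
certificate chain so that the parsing and policy logic can run offline."""
import base64
import json

MAX_AGE_MS = 5 * 60 * 1000          # chosen freshness window: 5 minutes
NOW_MS = 1_700_000_000_000          # constructed "current time" for the samples
NONCE = b"constructed-nonce-0001"   # the nonce the app sent with its request
EXPECTED_PACKAGE = "com.example.payapp"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def constructed_jws(payload: dict) -> str:
    """Build a compact-JWS-shaped string for offline testing. A real response
    is RS256-signed by Google; the signature here is a placeholder."""
    header = {"alg": "RS256", "x5c": ["PLACEHOLDER-CERT-CHAIN"]}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"placeholder-signature")])


def split_jws(jws: str):
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def evaluate(jws: str, expected_nonce: bytes, expected_package: str, now_ms: int) -> dict:
    """Decide whether the attested device may use the protected feature."""
    header, payload = split_jws(jws)
    reasons = []
    if header.get("alg") != "RS256" or not header.get("x5c"):
        reasons.append("unexpected JWS header; chain verification cannot proceed")
    # The nonce in the payload is the standard-base64 form of the bytes sent.
    if payload.get("nonce") != base64.b64encode(expected_nonce).decode():
        reasons.append("nonce mismatch (replayed or foreign attestation)")
    age = now_ms - int(payload.get("timestampMs", 0))
    if age < 0 or age > MAX_AGE_MS:
        reasons.append("timestamp outside freshness window")
    if payload.get("apkPackageName") != expected_package:
        reasons.append("attestation is for a different package")
    cts = bool(payload.get("ctsProfileMatch", False))
    basic = bool(payload.get("basicIntegrity", False))
    if not basic:
        reasons.append("basicIntegrity false: system partition modified or device rooted")
    elif not cts:
        reasons.append("CTS profile mismatch: not a certified build (custom ROM or uncertified device)")
    return {"allowed": not reasons, "ctsProfileMatch": cts,
            "basicIntegrity": basic, "reasons": reasons}


# Constructed payloads: a certified stock device and a custom ROM.
STOCK_PAYLOAD = {
    "nonce": base64.b64encode(NONCE).decode(),
    "timestampMs": NOW_MS - 30_000,
    "apkPackageName": EXPECTED_PACKAGE,
    "ctsProfileMatch": True,
    "basicIntegrity": True,
}
CUSTOM_ROM_PAYLOAD = dict(STOCK_PAYLOAD, ctsProfileMatch=False)


if __name__ == "__main__":
    for label, payload in [("stock", STOCK_PAYLOAD), ("custom ROM", CUSTOM_ROM_PAYLOAD)]:
        verdict = evaluate(constructed_jws(payload), NONCE, EXPECTED_PACKAGE, NOW_MS)
        print(label, "allowed" if verdict["allowed"] else "denied", verdict["reasons"])
```

The point of checking the nonce and timestamp is that an attestation is only meaningful for the request it was generated for; without them a response captured from a clean device could be replayed from a modified one. Which of the two integrity flags an app insists on is the developer's choice the article alludes to: requiring ctsProfileMatch blocks every custom ROM, requiring only basicIntegrity blocks modified system partitions but not an intact uncertified build.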
I am checking every way hoping to find a solution ...
Yes...It's working.
I am using GPay on my rooted device !

MicroG users thread

I got microG to run on my G9810 snapdragon
Prereq: Rooted s20/+/ultra.
Use smali patcher to patch services jar, i used 0.0.6.7
Use adb or root explorer to add the patched services.jar to system/framework.
The system will reboot a few times during the boot process.
About MicroG:
https://microg.org/
"About
The linux-based open-source mobile operating system Android is not only the most popular mobile operating system in the world, it’s also on the way to becoming a proprietary operating system. How is that?
While the core operating system is still released as part of the Android Open Source Project, the majority of core apps are not. It gets worse: More and more libraries and APIs are only available on phones that run various Google apps pre-installed, effectively locking third-party apps to the Google ecosystem. For these reasons Android is described as being a “look but don’t touch” kind of open.
At this point, several popular open-source applications already require some of Google’s proprietary libraries to be installed. Increasing demand in the free software community in addition to severe problems in Google’s proprietary software discovered by the Android modding community, have led to the development of a free software clone of Google’s proprietary core libraries and applications - the microG Project was born.
Although most microG components are far from complete, users are amazed by the results. Free software users got extended application support, privacy-caring users can reduce or monitor data that is sent to Google and especially older phones can expect some battery life improvements. microG is not only used on real devices, but also replaces Google tools in test emulators and is even used in virtual mobile infrastructure."
Hi.
How did you actually install MicroG after enabling spoofing? I managed to enable signature spoofing on the official ROM, and to completely remove Google Play Services, but I can't get MicroG to actually install.
Would you kindly share the rest of your method?
Cheers.
I am also curious on how you managed to root and get microG to run on a snapdragon (G9810) based device.
