Database Users

Concerned about Security - apps sending private information

After reading the article about TaintDroid (http://www.digitaltrends.com/comput...oid-apps-secretly-sharing-your-personal-data/), and how a significant portion of the apps were sending back data when not required to....I must admit, I am a bit concerned about security on my Nexus.
What are you all doing to be safe with your information on your phone? Is there a firewall that any of you are using to deny apps the ability to transmit data?
And please no responses like "don't log into anything or enter any passwords for anything on the phone" ...because then we might as well be rocking blackberries and not a phone like this with a capable browser.

"Name and shame" is the best way for an open system to eradicate this stuff

Damn alarmist journalism. Scare everybody into a corner, and then come out with a product that magically makes it all right.
Personally, I don't do anything different. I don't see why you should.

there's a firewall app that will let you block internet access to specific apps
i think it's called droidwall

Wallpapergate...
This whole issue is a joke, I agree something to monitor outgoing information would be great, I doubt however that someone who want to steal your info would sent it out unencrypted so catching this may not be easy at all..
As for this new episode of the WallPaperGate again, the info this application send is common on any platform, if you ever paid for an app on handhango or such site, the first thing they do is to ask your imei so that the app can be linked (ie DRM) to your phone… in this case the guy use imei as a cookie so that he can offer the correct screen resolution.
I would like to point out that one of the sponsor of this “studies” that target only android device is Intel who have interest into many thing including MeeGo and off course MeeGo is much safer than android…
My 2 cents…

Attention all Android fans - This is Important

We really need to rally and get Google to fix some major issues with the Android OS. If Android is going to be truly universal and be able to compete, and beat Apple, it needs to at least be able to do what it can do. Please read: http://claar.org/blog/?p=180 and call, email, post, blog, whatever you can to get Googles attention on these issues.
And thank you for your support.
P.S. Pass this url on to every android user you can.
http://claar.org/blog/?p=180
Sent from my ADR6300, not my wife's iPad...

You have a legitimate argument but those items you listed are never performed by me. =[ Sorry. Everything I need done, works. =]
[ Sent from an LG Optimus V ]

Android still has a way to go before being all things to all people. It has the potential though so i'm sure we'll see improvements in the areas where it's currently weak.
Nice write up though. I hope these issues are resolved for you soon.

Write your congressman. Attend your local PTA meeting.

Don't gey me wrong, I love my Android phone, just saying that Google is missing the boat on the Enterprise side of things. Used to have an iPod touch that worked flawlessly on our corporate intranet, can't say the same for my dinc. As the workforce continues to become more mobile, they'll be carrying iPads instead of Xooms or Galaxy tabs.
Sent from my ADR6300, not my wife's iPad.

are there really people who use android's and ipad's/iphone's for work???
o-o?
id rater use a PC or laptop. but yha.
think all the company's want to be cool?
i cant go suport this.because my android does what it needs to do.
remember. smartphones and tablets aren't pc's,so they shouldn't do the work of a pc.

ghost010 said:
are there really people who use android's and ipad's/iphone's for work???
o-o?
id rater use a PC or laptop. but yha.
think all the company's want to be cool?
i cant go suport this.because my android does what it needs to do.
remember. smartphones and tablets aren't pc's,so they shouldn't do the work of a pc.
Click to expand...
Click to collapse
Why shouldnt they? Why should they have limitations. I say the more capabilities the better!

Universally, I don't understand Googles LACK of contact and attention to it's customers. Like most people are aware that e-mailing google is a complete WASTE OF TIME. I'd love to meet someone who has yet to actually get a meaningful response from google. I understand that they are a HUGE company and can easily get overwhelmed by emails, but the complete lack of response in general is UNACCEPTABLE. Why do they act this way, ESPECIALLY to their customers? Eitherway, they should respond in some way to all emails, understandable for free products, but for PAYING customers like us Android users, should get a response.
Google is worse than Sprint when it comes to response. I don't get it or understand.

I'm an IT Director for a medium sized medical manufacturing company and I've been testing ipads as a laptop alternative for our salesforce, and I have to say, I would be absolutely pissed if I had to use an ipad(or any tablet for that matter) for work.
Don't get me wrong. They work. But do you want to do all your work on them? HELL NO.
I have a remote desktop app on my mytouch 4g and I use it every now and then when I need to fix something or get onto the server for any reason. That doesn't mean I'm going to ditch my computer because my phone is capable of doing something my laptop does. Tablets, smartphones, mobile devices in general...they should be used to supplement computers, not replace them.
And as far as google 'not listening to their customers', you obviously haven't been on any sort of development team before. Especially not one that had any sort of fast progress. I don't know if you've noticed, but chip manufacturers have released dual core mobile cpu's. So google can either work on your vpn problem and appease a small number of enterprise users(people who will actually use a vpn on their phones), or they can concentrate on optimizing their code so it will work well with the next generation of hardware. They're obviously going to concentrate their manpower(or womanpower) on development for next-gen hardware. If the support ticket exists, they'll work on it. But there are thousands of them, and people need to realize that just because it's important to you specifically, doesn't mean it's an important problem. VPN access doesn't effect the overall functionality of the os during normal use, so it's going be put on the back burner, that doesn't mean it won't be fixed.
And whoever said go to pta meetings, PTA = parent teachers association. Good luck getting heard there.
While on the subject of fixes, I'm more concerned about linked market data and being able to transfer purchases to different accounts. I.E. switching from a google apps account to a gmail account. Also, the 'master account' crap. There should be a way to change which login you use to connect to gtalk and the market without having to reset your device to factory. That just sucks.

LOL, I used to get those "wake-up" calls from the 3rd shift platform operators. I got my butt out of bed, got on my PC and fixed the problem or marked it "next day" and fixed it when I got to work.
I can't see using a phone's screen size to debug a couple hundred lines of JCL or batch COBOL program Not to mention, I was usually talking to the operator at the same time I needed to see something on the PC; very hard to do with a phone.

Can it connect to Microsoft's pptp? Yes - http://www.techrepublic.com/blog/smartphones/connect-to-a-pptp-vpn-from-your-android-phone/2145
problem 1. You can connect to a proxy (unless i'm not understanding your complaint) There's Proxy options under the settings menu.
Problem 2. I've noticed this but apparently some 3rd party browsers can do it.
Problem 3. Not sure about this one, but i connect to many different networks (public, domestic and at uni) and have never had a problem like this.
What you're saying is that you have various problems that the vast majority of people will never experience and you are wondering why Google aren't dropping everything to fix it immediately? These problems (to me at least) seem incredibly minor.

kccasey said:
Universally, I don't understand Googles LACK of contact and attention to it's customers. Like most people are aware that e-mailing google is a complete WASTE OF TIME. I'd love to meet someone who has yet to actually get a meaningful response from google. I understand that they are a HUGE company and can easily get overwhelmed by emails, but the complete lack of response in general is UNACCEPTABLE. Why do they act this way, ESPECIALLY to their customers? Eitherway, they should respond in some way to all emails, understandable for free products, but for PAYING customers like us Android users, should get a response.
Google is worse than Sprint when it comes to response. I don't get it or understand.
Click to expand...
Click to collapse
Because they already have your money, therefor they could care less. And they will continue to get your money, his money, her money etc because they make a product and provide a service that we all have come to rely on. They've got the hook set, you can't break free and they can let us dangle as long as they want.
But maybe the combination of google, samsung, and verizon has destroyed my outlook.
Samsung Fascinate
Frankenclean 2.8
EB16-ish Voodoo Kernel
Mob87's Honeycomb theme
Sent from XDA Premium App

I think many of these issues will take a long long time to see resolved.
You need to consider what motivates google RE Android. Hint: It is not paying customers.
Thing is, normal market forces are not at work in the Android space. This is
my BIGGEST issue with Android.

@andmiller
You don't think your needs are most important ones, do you? There are many, many things to do, not only these mentioned by you.
For me your "This is Important" bugs are minor. Actually I didn't know about them to this time. I care much more about NDK APIs, performance and UI improvements and this is exactly what Google does.
Also there is one good reason to focus on new APIs, standard libraries, developer tools, etc.: Google is only one who can improve them and sooner is better. They could fix bugs at any time, they could also port them to older versions of OS. But if they add new API, it will take some time for developers to use it, because new API won't be supported by most of devices. So it's much better to work on a new features first and fix minor bugs later.

BobPaul said:
I think many of these issues will take a long long time to see resolved.
You need to consider what motivates google RE Android. Hint: It is not paying customers.
Thing is, normal market forces are not at work in the Android space. This is
my BIGGEST issue with Android.
Click to expand...
Click to collapse
You have got that completely backwards. Iphone is not normal market space. Each manufacturer running android os have to set themselves apart from each other, hence skinning the os. If customers demand, need it, it will get fixed or innovated.
Apple controls all, What they say goes. Example: no flash, theming....
Amazon drops their android app store on tues. Why, market forces.
Sent from my SGH-T959 using Tapatalk

hey dude most of those issuses were fix sort of well i wouldnt say fix because google came out with a whole new O.S. most of ur issuses hav been resolved in the honeycomb os and greater but u dont need a fix u need a app that can handle what u need

> Can it connect to Microsoft's pptp? Yes - http://www.techrepublic.com/blog/sma...oid-phone/2145
No, or at least, not for several hundred people at least, some who have even provided logs of both sides of the conversation. Some bug comments are from companies, representing complaints from their customer base, so it is probably more. I could write an article that shows how to do it, too, but that doesn't mean that I've tested all combinations. If the author's VPN was not encrypted, he wouldn't have seen the problem, and--since his connection worked, and there's that encryption checkbox--he might have just assumed it worked. He might have even tried it: You can connect with encryption, you just can't stay connected for any length of time.
> problem 1. You can connect to a proxy (unless i'm not understanding your complaint) There's Proxy options under the settings menu.
I can manually set a proxy, although there are reports that this is not a standard part of android, but a value-add by the phone mfr. A third-party program could perhaps recognize which WAP I connect to and set values accordingly, but only if I want everything to go through the proxy, and not just some things. That would have worked at HP, but my ulterior motive is to proxy a specific blocked port so that I can pop my email to my wifi tab. OK, I'll admit, my actual reason isn't a compelling case for Google! ;-)
> Problem 2. I've noticed this but apparently some 3rd party browsers can do it.
I'm not surprised that some clever programmer patched around the breakage, but it needs to be solved generally. Really, this and VPN are the most important issues for me.
> Problem 3. Not sure about this one, but i connect to many different networks (public, domestic and at uni) and have never had a problem like this.
You have never had a problem like this that you know of! Most folks have been bitten by this when the run into a place with short leases, and only find out--if they do--by accident, since most places don't check for violators.

Other comments
For the person who asserted that these are fixed in the latest release, that doesn't appear to be the case, according to the bug reports.
Are there really people who use their portable device for work? Not if it is android-based! (I know, cheap shot, but--for many of us--a true statement).
I have a galaxy tab. With working VPN and ssh, I could login and do a simple database change "echo blah blah blah|mysql", restart a job, whatever. I'm not going to write a couple of thousand lines of code, but I might look at a couple of thousand lines of a log file! Instead, I have to fire up the PC, which means I have to be around the PC, and I'd rather have the freedom of mobility.

Looking for developer opinions on a security guide for new android users

Hello XDA
I've written a security guide I have posted to quite a few Android communities/forums. This guide is intended for new users to Android so probably doesn't apply to anyone here. But I do think Android users deserve solid advice from the experts and with all the media scare tactics going around, now more than ever.
However, I was hoping that if some Devs had the time, they could give some of it a quick read. I'm hoping to get a more informed developer opinion on whether I missed anything or am mis-representing something or another. I'd like to make sure that my information is as accurate as possible, and since Android is a community thang, I figure why not ask some other devs if they want to have a look and chime in.
The one topic I havent really yet covered is rooting, so I know at least that much is missing.
Thanks in advance and please feel free to post all feedback -- positive/negative/or your favorite cheesecake recipe.
=================================
Background about Android
The first thing when understanding the security of your phone is to know a little bit about what makes it tick. Android is a 'lite' version of Linux with most applications that you download from the market written in Java.
The reason that this is important to know is that it means Android is very unlikely to ever get a 'virus' in the traditional sense. Part of the reason why is because Linux is a fairly secure operating system that protects various parts of itself from other parts. This is similar to how Windows has admin accounts and limited user accounts. Because of this protection, applications downloaded from the market do not have access to anything by default. You must grant them permission for each activity they want to perform when they are installed. This is a very important point which we will address a bit later. Also due to some bad choices by Google, there are a few exceptions to this rule that we'll talk about in the permissions section.
Nevertheless, while Android is very unlikely to get a 'virus', that does not mean you are completely safe from 'malware', 'spyware', or other harmful types of programs.
Types of Dangerous Programs
Probably the biggest/most common threats from applications on Android are:
1) When the developer/app tricks the user into giving the app permissions it does not need to do its job
2) When the app hides malicious code behind legitimate permissions.
3) When the app tricks the user into entering in personal information or sensitive data (such as a credit card number)
There are various ways malicious developers (also knowns as hackers or crackers) accomplish this. We'll briefly define each kind just to have a common understanding of the terms.
Malware
Malware generally is an all-encompassing term used to describe any harmful program. This includes spyware, viruses, and phishing scams (sometimes).
Spyware
Spyware is used to describe software or applications that read your information and data without you actually knowing it and reporting it back to some unknown third party for nefarious purposes. Often times this includes keystroke loggers to steal passwords or credit card information. Some people include certain types of Advertising tracking in this category (sometimes called Adware, see below). However that's a much larger debate we wont cover here.
Phishing
Phishing and spyware are closely related. They work on a similar principle: tricking the user and sending user information to a 3rd party to steal it. The difference with phishing however, is that the application (or website) will pretend to be from a trusted source to try and 'trick' you into entering in your details. Contrastly spyware would try to hide itself from being known to the user. One way to think about the difference is that phishing is masquerading while spyware is hiding, but the end goal of stealing your data is the same.
An example of this would be a app or website pretending to be affiliated with your bank or Paypal or your email provider (Gmail, Hotmail, Yahoo). However it can, and does, include any service where someone might want to steal your identity or password.
There have been known successfull phising attacks releated to at least one bank on Android.
Virus
The definition of virus used to be more all-encompassing. These days that term has been replaced by malware. Virus is more typically used to describe a specific type of software that takes control of your operating system and either damages it, or uses it for its own purposes. An example might be when a virus send emails to everyone in your email address book. Again this is the type of program least likely to be a problem for Android.
Trojan Horse
A trojan horse is really just a specific type of virus. It merely refers to the idea that the app pretends to be something useful or helpful or fun for the user while actually causing harm or stealing data. This term is often used to describe spyware and phishing attacks as well.
Adware
Adware is typically a bit of a grey area. Sometimes this is also called nuisance-ware. This type of application will often show the users an excessive amount of advertising in return for providing a service to the user of dubious quality. However, this type of program can often be confused with legitimate ad-supported software, which shows a mild to moderate amount of advertising while providing a useful service that the user wants. Because it can be hard to tell the difference, there exists a grey area from most anti-virus companies as to how to handle adware.
Warez
This is a term you'll sometimes hear referring to 'pirated' or unlicensed software. Often times warez forums and websites will offer "free apps" or "apks" (Android Package).
Don't be fooled by these sites, and do NOT download these files and load them to your phone. These files are stolen from the real developers by unscrupulous people who have no regard for the work put into apps by the developers, or the law. Often times they will even try making money off of the advertising on their "warez" forums. They are profiteers that do the entire Android community a great disservice, and hurt the developers. Furthermore this is very often the most popular 'vector' (method) of attack that malware writers use. Some go as far as stealing apps and putting them on the Android Market itself under different names.
If you are a user that cannot access the paid Android Market, there are alternatives these days. The most trustworthy markets (in my opinion) are the following:
- Android (Google) Market
- Amazon Appstore
- SlideMe
- Archos AppsLib
- AndAppStore (possibly)
- AndroidTapp (possibly)
- Verizon's Market (not sure if this is live yet)
- Motorola's Market (not sure if live or where, might be focused on Latin America?)
Other than these markets, I would not advise anyone to download and install an app from anywhere else.
However there are a few exceptions related to open source. These are places that independent developers can upload free and/open source apps. They don't guarantee your safety (nothing does) but they are not warez sites and are much more likely to be safe.
Open source or free apps: (very likely safe, not warez)
- XDA Developers
- Googlecode
- GitHub
How to Protect Yourself
There are no full-proof ways to avoid all bad situations in the world, but any sane person with a reasonable head on their shoulders knows that a few good habits can keep you safe for a long, long time in whatever you do. Here are a few tips I have learned from many years as a professional software developer and from reading these forums that have many people smarter and more knowledgeable than I about Android
Read the comments in the Market
This should go without saying. Before you download any applications, be sure to read the comments. Don't just read the first three either, click through and see what people are saying. This can also help you understand how well an app work on your particular phone or your particular version of Android. Comments should also be read EVERY time you update an app.
Check the Rating
Any app that fails to maintain abpve 2.5 stars is likely not worth your time. If you are brave enough to be one of the first few to download an app, this does not apply to you. Nevertheless almost all good apps have between 3 and 5 stars. To me, this is just a general rule to help find quality apps.
Check the permissions
There are many things an app can do to, and for, your phone. But anything an app can do is told to you when you download and install it. Before you download and install an app, you will be shown a list of permissions the application is requesting. Read them. Try your best to understand them in terms of what the application is supposed to do for you. For example, if you download a game of checkers, and the Market warns you that it wants to be able to read your contacts, you should think twice and probably not download it. There is no sane reason a game of checkers needs to know your friend's phone numbers.
To see the permissions given to an application after installation, go to the Market, press [menu], then [downloads] or [my apps], then select the app, press [menu] again, then press [security].
Below I have a list of some of the most commonly used permissions. The list has explanations of how important they are, what they do, and what types of apps might legitimately need them. This should help you get a basic understanding of what to allow and when to skip an app. Please feel free to ask about a permission or let me know if I have missed any.
Check the developer's website
Make sure the developer has a website and not just some Wordpress blog. This is often again a good indication of quality as well as safety. If the developer cares about their app they will likely have a relatively nice looking website or, if they are open source, a site on Google Code. Note: sites on Google code are NOT verified or approved by Google. However, open source is usually (but not always) more likely to indicate a safe application.
NOTE: This is not definitive indicator if a developer is good or bad, just one more peice of information you can use. Their are a lot of exceptions to this particular rule, as a lot of Good devs might not have anything more than a Blogger blog, and a lot of bad devs could just point to a nice looking site they have no affiliation with. However, the developer's website can be helpful just as an extra peice of information you can use in making your decision about the developer or app.
Updating applications is the same as installing them fresh
Each time you update an application on your phone, you should use the same diligence as if you were installing it for the first time. Reread the permissions to see that it is only asking for what it needs and no more. Reread the comments to see if anything has changed in the opinions of the users and to see if it still works for your phone. If you see that an application says Update (manual) next to it, that means the developer has CHANGED the permissions they are requesting from the version you have on your phone. This is not necessarily a bad thing -- but it should indicate that you should pay a bit closer attention to the permissions and re-evaluate them as needed.
If you are still unsure, ask around -- the community is your anti-virus
If you see an app you want, but it seems to be asking for more permissions that it should, or it's comments and ratings are mediocre, go ahead and ask about the app in these (and other) forums. You will often find dozens if not more people who know the answers and another whole bunch wishing to know the answers to the same questions you have.
I can't stress this point enough. This is the best part about Android. The community are usually the first to identify any Malware or dangerous programs, and are the best resource for finding quality apps.
Beware the Sockpuppets, Shills, and Spammers
However, like anything, don't believe everything you read. Someone who comes into a forum telling you an app is the "best" may be what's referred to as a sockpuppet or shill. I tend to be wary of people with low post counts, or who have unreasonably high praise for what seems a simple app, or anyone using the word "best" in a forced context.
Now these people are not all bad, some may just be excited, or not speak english as their first language. But it's common for sockpuppets to use the term "best" to try and get better search rankings on Google. Saying things like "Best Android App" "Best GPS." Other tell-tale signs include when they mention software for iPhone or other platforms without actually answering questions. Or just generally seem like their post is out of context or overly general (think about how horoscopes are made for everyone to relate to them). I often get spam on my blog that says things like "best blog post! love your writing style, you put things in perspective for me" which makes no sense when my blog was about my new app.
This is a fine line a very much a grey area though. Sometimes it can be very hard to tell if someone is a spammer. If you see a post or comment in the market you suspect is spam on a forum, report it to the mods, don't reply and start an argument.
Posting your own comments
After you have downloaded an app you can post you own comments. The comment will be visible to all other android users but it will only show your first name. To do this go into the Market and press [menu] > [downloads]. You should see five empty stars at the top which you can tap to rate the app. Once you have rated the app you should see an option to add a comment under the stars.
Being a good user
While this guide is about security, I think it's important to point out how to be a good user too. Android is a community and stems from open source and will only ever be as good as both it's developers and it's users.
So, if an app is crashing on you, try emailing the developer before uninstalling and posting an angry comment. Anything you post in the market will stay even if you have uninstalled the app, and you could do serious harm to a developer's reputation if you post very negative comments.
If you think the developer just made a mistake, or didnt support your phone, work with them. If they are unhelpful, then you can consider giving them a bad rating. This is especially true for free apps in the market. Remember that you, as a user are not "entitled" to perfect free apps. Most developers do not have Google's enginnering and QA team backing them up and even Google makes mistakes.
And while it's frustrating when things don't work, imagine how frustrating it is when you put long hours into something but make a mistake -- and then because of that mistake you can never fix the damage done by a rude commenter.
What does Google do to protect us?
Unfortunately at the moment, not a lot. They do police the market to a small extent and investigate any reports of malware. They several instances of Malware and actually remotely uninstalled the applications from users phones.
However, the Market is not like the Apple App Store or Amazon Appstore, there is no screening of applications before they are posted to the market. There are no draconian procedures or lengthy approval processes that developers have to go through to post applications. All that a developer needs to do is to 'digitally self sign' his or her application before posting it. This helps Google track any developers with ill intent, but it's just a way to manage malware after it is discovered.
What about Wi-Fi?
One of the things to remember when trying to keep yourself safe is to be very careful with public Wi-Fi. Whenever you connect to the internet through a public Wi-Fi you should never use any website that requires a password to sign into. The danger here is because you have no idea who is connecting you to the website your are trying to connect to. A good analogy would be like trying to mail a letter to your friend by giving it to a stranger in the street.
[guide continues below]

Permissions
When you install an application the Market will tell you all of the permissions it needs to function. These are important to read as it can give you an idea if the application is asking for permission to do more than it needs. While some legitimate apps often ask for more permission than they need, it should at least raise an eyebrow when deciding if an application is safe and of good quality.
NOTE: there are also some backwards compatibility decisions Google has made that will grant apps targeting 1.5 or earlier two permissions you may never see requested. It is my belief this is a security hole, but not a large one. The permissions are Read Phone State and Identity and Write/Delete files from the SD. I will elaborate on those below.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Services that cost you money
make phone calls
This permission is of moderate to high importance. This could let an application call a 1-900 number and charge you money. However this is not a common to cheat people in today's world. Legitimate applications that use this include: Google voice and Google Maps
Services that cost you money
send SMS or MMS
This permission is of moderate to high importance. This could let an application send an SMS on your behalf, and much like the phone call feature above, it could cost you money. Certain SMS numbers work much like 1-900 numbers and automatically charge your phone company money when you send them an SMS.
Storage
modify/delete SD card contents
This permission is of high importance. This will allow the applications to read, write, and delete anything stored on your phone's SD card. This includes, pictures, videos, mp3s, and even data written to your SD card by other applications. However there are many legitimate uses for this permission. Many people want their applications to store data on the SD card, and any application that stores information on the SD card will need this permission. You will have to use your own judgment and be cautious with this permission knowing it is very powerful but very very commonly used by legitimate applications. Applications that typically need this permission include (but are not limited to): camera applications, video applications, note taking apps, backup applications.
WARNING: Any app targeting Android 1.5 or below (possibly 1.6 as well) will be granted this permission BY DEFAULT. And you may not ever be warned about it. It is important to pay attention to what version of Android an app is targeting to know if this permission is being granted. You can see this on the Market website in the right hand column.
Your personal information
read contact data, write contact data
This permission is of high importance. Unless an app explicitly states a specific feature that it would use your contact list for, there isn't much of a reason to give an application this permission. The one exception to that rule includes typing or note taking applications and/or quick-dial type applications. Those might require your contact information to help make suggestions to you as you type. Typical application that require this permission include: social networking apps, typing/note taking apps, SMS replacement apps, contact management apps.
Your personal information
read calendar data, write calendar data
This permission is of moderate to high importance. While most people would consider their calendar information slightly less important than their list of contacts and friends, this permission should still be treated with care when allowing applications access.
Phone calls
read phone state and identity
This permission is of moderate to high importance. Unfortunately this permission seems to be a bit of a mixed bag. While it's perfectly normal for an application to want to know if you are on the phone or getting a call, this permission also gives an application access to 2 unique numbers that can identify your phone. The numbers are the IMEI, and IMSI. Many software developers legitamately use these numbers as a means of tracking piracy though.
WARNING: Any app targeting Android 1.5 or below (possibly 1.6 as well) will be granted this permission BY DEFAULT. And you may not ever be warned about it. It is important to pay attention to what version of Android an app is targeting to know if this permission is being granted. You can see this on the Market website in the right hand column.
Your location
fine (GPS) location
While not a danger for stealing any of your personal information, this will allow an application to track where you are. Typical applications that might need this include (but are not limited to) restaurant directories, movie theater finders, and mapping applications. This can sometimes be used for location based services and advertising.
Your location
coarse (network-based) location
This setting is almost identical to the above GPS location permission, except that it is less precise when tracking your location. This can sometimes be used for location based services and advertising.
Network Communication
create Bluetooth connection
Bluetooth (Wikipedia: Bluetooth - Wikipedia, the free encyclopedia) is a technology that lets your phone communicate wirelessly over short distances. It is similar to Wi-fi in many ways. It itself is not a danger to your phone, but it does enable a way for an application to send and receive data from other devices. Typical applications that would need bluetooth access include: Sharing applications, file transfer apps, apps that connect to headset out wireless speakers.
Network Communication
full internet access
This is probably the most important permission you will want to pay attention to. Many apps will request this but not all need it. For any malware to truly be effective it needs a means by which to transfer data off of your phone, this is one of the setting it would definitely have to ask for.
However, in this day and age of cloud computing and always-on internet connectivity, many, many legitimate applications also request this.
You will have to be very careful with this setting and use your judgment. It should always pique your interest to think about whether your application needs this permission. Typical applications that would use this include but are not limited to: web browsers, social networking applications, internet radio, cloud computing applications, weather widgets, and many, many more. This permission can also be used to serve Advertising, and to validate that you app is licensed. (See DRM for more info).
Network communication
view network state, view Wi-Fi state
This permission is of low importance as it will only allow an application to tell if you are connected to the internet via 3G or Wi-Fi.
System tools
Prevent phone from sleeping
This is almost always harmless. An application sometimes expects the user to not interact with the phone directly sometimes, and as such would need to keep the phone from going to sleep so that the user can still use the application. Many applications will often request this permission. Typical applications that use this are: Video players, e-readers, alarm clock 'dock' views and many more.
System tools
Modify global system settings
This permission is pretty important but only has the possibility of moderate impact. Global settings are pretty much anything you would find under Android's main 'settings' window. However there are a lot of these setting that are perfectly reasonable for an application to want to change. Typical applications that would use this include: Volume control widget, notifications, widgets, settings widgets.
System tools
read sync settings
This permission is of low impact. It merely allows the application to know if you have background data sync (such as for Facebook or Gmail) turned on or off.
System tools
Write Access Point name settings
I need a bit of clarification on this setting myself. I believe this relates to turning on and off wifi and your 3G data network. (if someone can comment and clarify I would greatly appreciate it and update this guide to reflect). Essentially however I believe this to be similar to the 'modify global settings' permission above.
System tools
automatically start at boot
This permission is of low to moderate impact. It will allow an application to tell Android to run the application every time you start your phone. While not a danger in an of itself, it can point to an applications intent.
System tools
restart other applications
This permission is of low to moderate impact. It will allow an application to tell Android to 'kill' the process of another application. However that application should have the option of immediately restarting itself.
System tools
retrieve running applications
This permission is of moderate impact. It will allow an application to find out what other applications are running on your phone. While not a danger in an of itself, it would be a useful tool for someone trying to steal your data. Typical legitimate applications that require this permission include: task killers and battery history widgets.
System tools
set preferred applications
This permission is of moderate impact. It will allow an application to set the default application for any task in Android. For instance clicking on a hyperlink in your email will bring up a browser. However if you have more than one browser on your phone, you may want to have one set as your 'preferred' browser. Typical legitimate applications that require this permission include any applications that replace, compliment, or augment default Android functionality. Examples of this include web browsers, enhanced keyboards, email applications, Facebook applications and many more.
Hardware controls
control vibrator
This permission is of low importance (but could be lots of fun). As it states, it lets an app control the vibrate function on your phone. This includes for incoming calls and other events.
Hardware controls
take pictures
This permission is of low importance. As it states, it lets an app control the camera function on your phone.
Your accounts discover known accounts
This permission is of moderate importance. This allows the application to read what accounts you have and the usernames associated with them. It allows the app to interact with permission related to that account. An example would be an app that was restoring your contact, would discover your google account then sned you to Google's login screen. It doesnt actually get to see your password, but it gets to work with the account.
Development Tools read logs
This permission is of very high importance. This allows the application to read what any other applications have written as debugging/logging code. This can reveal some very sensistive information. There are almost no reasons an applications needs this permission. The only apps I might grant this permission to would be Google apps.
What Does it All Mean? This Sounds so Scary!
It might sound that way but it is not, by any means, scary. The power of the market is actually due to the fact that developers are free to post updates and applications much more quickly and easily. But despite the security risks that this model creates, there is an incredibly powerful deterrent to malware in the community itself. Lots of people on these boards and in the market eagerly try out new apps and report back the safety and quality.
Again, the community is your best anti-virus app.
last updated: March 23, 2011
This guide by Lost Packet Software is licensed under a Creative Commons Attribution-No Derivative Works 3.0 United States License.

Good post.

Yes, well written and informative. As a developer, it's good to get this information into user's hands who may not know how permissions work. And the author makes some good points on how to be safe without massive fear of EVER downloading an app
Thanks to OP for a nice article. Do you mind if I copy it and post it on my website? You can send me a PM. Of course, I will cite you as the original source

Thanks much guys,
@Rootstonian
Yes you can copy it, but copy the one from my site http://alostpacket.com/2010/02/20/how-to-be-safe-find-trusted-apps-avoid-viruses/ as it has a few less typos.
It is licensed under the creative commons license (no derivative works, must attribute to me). This means you are free to copy/republish but you have to copy the whole thing and not change it.

Well written and informative! Thanks.

Ok, thanks. I'll either copy it in its entirety or just use the link you provided if that's ok.
Regardless, you work will be properly cited
Again, well done.

thanks much guys.
Also curious if anyone has found any errors or inaccuracies or misrepresentations etc.

Brilliant post.

[Q] Privacy

I have seen a couple of stories on the news about the Iphone storing user locations and also stories about the cops being able to 'extract' user data from the phone without the owner's permission. I am wondering if the same is true for android phones, and if there are any apps available to encrypt data to prevent such things.

gregeberts said:
I have seen a couple of stories on the news about the Iphone storing user locations and also stories about the cops being able to 'extract' user data from the phone without the owner's permission. I am wondering if the same is true for android phones, and if there are any apps available to encrypt data to prevent such things.
Click to expand...
Click to collapse
You optionally turn on the location data setting under "location& security", the setting is "use wireless networks". If you leave it on, anonymous location data is collected. I only put it on when I need a stronger gps lock.

I was reading about this JUST this morning, I will direct you here regarding the info extraction

fiscidtox said:
You optionally turn on the location data setting under "location& security", the setting is "use wireless networks". If you leave it on, anonymous location data is collected. I only put it on when I need a stronger gps lock.
Click to expand...
Click to collapse
Spot on. But as stated, this is anonymous data (for Google statistics and such) so I wouldn't worry about it.

Jesus there are many people happy to give up their privacy at the drop of a dime... I feel like we as a population don't respect our civil liberties nearly as much as we should. 1984 is coming...

Oh God, here we go. This is no different than the anonymous CyanogenMod reports, or any online services that we use every day. We should be worrying about the Patriot Act and Facebook, not anonymous Google reporting.

kxhawkins said:
Oh God, here we go. This is no different than the anonymous CyanogenMod reports, or any online services that we use every day. We should be worrying about the Patriot Act and Facebook, not anonymous Google reporting.
Click to expand...
Click to collapse
I'm not talking about that....
Did you read what he posted? The thread about celebrites and police being able to use them more freely?
http://forum.xda-developers.com/showthread.php?t=1045464
They can take a scan of EVERYTHING on your phone, from passwords, pics, internet files, etc....
I agree with you though, the patriot act is insane. Especially since I'm canadian so I'm seeing it from the outside looking in

Right, I thought you had debunked the police thing by clarifying "anonymous" data. Obviously the police can't do anything to your phone without a warrant, and if they had one, they could physically access you phone so that would be irrelevant anyway.
Now, sometimes the system does fail, but that's outside the scope of this dicussion. As stated in the linked post, you have a reasonable expectation of privacy regarding your phones content, which excludes it from unlawful search and seizure. That's in the US anyways, I'm not familiar with Canadian law.
They can always pull call, sms, and mms logs from the carrier, but again- only with a warrant.

kxhawkins said:
Right, I thought you had debunked the police thing by clarifying "anonymous" data. Obviously the police can't do anything to your phone without a warrant, and if they had one, they could physically access you phone so that would be irrelevant anyway.
Now, sometimes the system does fail, but that's outside the scope of this dicussion. As stated in the linked post, you have a reasonable expectation of privacy regarding your phones content, which excludes it from unlawful search and seizure. That's in the US anyways, I'm not familiar with Canadian law.
They can always pull call, sms, and mms logs from the carrier, but again- only with a warrant.
Click to expand...
Click to collapse
From what people were mentioning though, they seem to be trying to make the use of the celebrite machine much easier (perhaps without warrant, as in your example of the "patriot act").
I was just saying that from reading that link he posted, it seems as if people will gladly hand over their civil liberties like candy for the illusion of security.
It's scary how open and willing people are to giving up their freedom, that's all.

kxhawkins said:
Right, I thought you had debunked the police thing by clarifying "anonymous" data. Obviously the police can't do anything to your phone without a warrant, and if they had one, they could physically access you phone so that would be irrelevant anyway.
Now, sometimes the system does fail, but that's outside the scope of this dicussion. As stated in the linked post, you have a reasonable expectation of privacy regarding your phones content, which excludes it from unlawful search and seizure. That's in the US anyways, I'm not familiar with Canadian law.
They can always pull call, sms, and mms logs from the carrier, but again- only with a warrant.
Click to expand...
Click to collapse
Now, you're talking about the US. Don't forgot there's a world outside the US too. There are countries out there where the government can do a lot more than you would like them too. Things that go even beyond the Patriot Act (yes, that's possible).

but if you have a latitude account then ur getting followed anyway as its a feature

Is this...
Is this communism?

PrivateOS on OnePlus X?

Hi everyone. I'll explain you. After i watched the documentary about Edward Snowden, i feel that someone is spying on me. I found the blackphone online, and his PrivateOS is awesome! I'm not a porter, so if someone may port the PrivateOS to our OnePlus X, it would be awesome!! Some guys, wanted to port it on xperia (sauce: http://forum.xda-developers.com/android/general/privatos-rom-1-0-1-t2833178)

If you want privacy buy a BlackBerry.

Hi, I had it on my Wiko Wax. I didn´t like it because de UI it´s not nice and it has a lot of security apps that I think it´s unnecessary for users like us. We have decent protection with security patches and the best security is the user. Maybe the blackphone rom is very secure yeah but if you want 100% security with this ROM just buy the blackphone, I don´t think it will be useful on our OPX. And yeah someone is spying on you. Google.

Exodusche said:
If you want privacy buy a BlackBerry.
Click to expand...
Click to collapse
Respect his idea, don't make fun.

sheraz1015 said:
Respect his idea, don't make fun.
Click to expand...
Click to collapse
Thank you so much sheraz1015!
Yesterday, i found a video on youtube. This guy was explaining how to get your search history of Google.
I found that Google, was spying on me...they recorded with microphone of my OnePlus X my voice, every 2h!!
I was surprised that they recorded me also when i was sleeping!!!
I found also that they tracked my position, but my gps is always switched off!!
I didn't know that, but everyone who has google play services on the phone, they keep in history when you open
or close any app that you have. I'm pissed off!
Will someone try to port it, or make a secure rom, maybe not based on google apps?

WithoutValorFreedomDies said:
Thank you so much sheraz1015!
Yesterday, i found a video on youtube. This guy was explaining how to get your search history of Google.
I found that Google, was spying on me...they recorded with microphone of my OnePlus X my voice, every 2h!!
I was surprised that they recorded me also when i was sleeping!!!
I found also that they tracked my position, but my gps is always switched off!!
I didn't know that, but everyone who has google play services on the phone, they keep in history when you open
or close any app that you have. I'm pissed off!
Will someone try to port it, or make a secure rom, maybe not based on google apps?
Click to expand...
Click to collapse
Can you send me the link please..

sheraz1015 said:
Can you send me the link please..
Click to expand...
Click to collapse
Here it is dude
Sauce: https://www.youtube.com/watch?v=TtmR9L0ITlM
Go to minute 2:03 also

Wasn't trying to be rude just herd blackberry has best security. But In this case I don't think it would matter. Thanks for sharing this don't think too many people know about it.

okay first: appreciate, that obviously there are other people concerned about their privacy.
second: there are people even more concerned about their privacy, like i.e. German's chancellor, making them pay 10,000$ for a cell phone - hacked. so how secure can som cell phone for some 100$ be?
next: about BlackBerry: where is ur privacy when all ur communication is routed through a private companies servers? As long as u do not fully trust such a company i'd call that surveillance too...
that being said: what do u consider to be secure regard ur privacy? first answer urself this question before making any progress. keep in mind, that ur cellphone is basically a full featured tracking system (which isnot a bad thing per se).
What do I mean?ˋWell for instance personally i don't consider photos synced to dropbox/google drive/microsoft's whatever to be private. they're located on servers inside the use, and as such accessable by officials whenever there's desire. also I do absolutely not consider my passwords to be safe when synced to my google account. Next i will not consider any call to be secure in a matter of "no one can listen"- that wont change unless u use end-to-end encryption which requires the called person to have an according setup. etc etc
i came to the conclusion that my phone simply is NOT secure! So if u do not intend to just keep ur hands off any device connected to the internet/gps u can be tracked. Just a matter of the effort to achieve that....
Now how can i just keep calm with all that. well i actually don't. its a compromise for me, as i just don't want to miss certain points which are provided by smartphones.
However I totally disagree with just handing over my private data making it needless to spy on me cause i instafacetweet**** whenever i'm at starbucks taking a coffee or sending private photos using services, that claim property of such (needless to call it by name..)
finally, to shorten this and maybe give u one or two hints especially regarding google apps etc:
- y handing google my actual name (u certainly won't be able to hide ur identity just because of this!! but referring to the last paragraph above this is step no1)
- personally i use opengapps pico which shrinks the amount of spyware down a bit (however there are some packages included safe to uninstall)
- regarding the "google tracks my app usage": well this is because u grant playstore/play services permission to do so (settings-->security-->app ausage access)
- also i have restricted access to pretty much anything for google apps as i only want playstore running(privacy guard or similar)
- using greenify (xposed required i guess) u can "uncover hidden synchronizations" which will (what a surprise) a HUGE list of syncs to be disabled in settings -->accounts-->google-->whatever
- also take a look in google settings (ads/"security")
- system administrator
etcetcetc...
if u want to minimize the chance one can create location profiles: mac spoofing (i guess thats the english term). also when u use buetooth headset, u ar visible for any near device. same goes for wlan search, nfc bla.
These are just a few things that make me personally feel a bit more comfortable using such devices. a huge part in this takes NOT using whatsapp/facebook or anything like that. i'm convinced computers don't understand social interaction, and as such they should only take a minor "transmitting" role in this and not tell me who/what i might like or what the f***
I actually do have friends and they will know if theres sth worth to know, which works the other way round too.
I hope I somehow stuck to the read thread (do u really say so? ) and maybe there were 1 or 2 points of use for u.
Whats most: the more u use/rely on such technology, the more of ur life can/will be exposed OR the more effort u will have to put into it to prevent that. (with the only result u increase the effort in spying on u/whatever).
Gesendet von meinem ONE E1003 mit Tapatalk

tet-bundy said:
okay first: appreciate, that obviously there are other people concerned about their privacy.
second: there are people even more concerned about their privacy, like i.e. German's chancellor, making them pay 10,000$ for a cell phone - hacked. so how secure can som cell phone for some 100$ be?
next: about BlackBerry: where is ur privacy when all ur communication is routed through a private companies servers? As long as u do not fully trust such a company i'd call that surveillance too...
that being said: what do u consider to be secure regard ur privacy? first answer urself this question before making any progress. keep in mind, that ur cellphone is basically a full featured tracking system (which isnot a bad thing per se).
What do I mean?ˋWell for instance personally i don't consider photos synced to dropbox/google drive/microsoft's whatever to be private. they're located on servers inside the use, and as such accessable by officials whenever there's desire. also I do absolutely not consider my passwords to be safe when synced to my google account. Next i will not consider any call to be secure in a matter of "no one can listen"- that wont change unless u use end-to-end encryption which requires the called person to have an according setup. etc etc
i came to the conclusion that my phone simply is NOT secure! So if u do not intend to just keep ur hands off any device connected to the internet/gps u can be tracked. Just a matter of the effort to achieve that....
Now how can i just keep calm with all that. well i actually don't. its a compromise for me, as i just don't want to miss certain points which are provided by smartphones.
However I totally disagree with just handing over my private data making it needless to spy on me cause i instafacetweet**** whenever i'm at starbucks taking a coffee or sending private photos using services, that claim property of such (needless to call it by name..)
finally, to shorten this and maybe give u one or two hints especially regarding google apps etc:
- y handing google my actual name (u certainly won't be able to hide ur identity just because of this!! but referring to the last paragraph above this is step no1)
- personally i use opengapps pico which shrinks the amount of spyware down a bit (however there are some packages included safe to uninstall)
- regarding the "google tracks my app usage": well this is because u grant playstore/play services permission to do so (settings-->security-->app ausage access)
- also i have restricted access to pretty much anything for google apps as i only want playstore running(privacy guard or similar)
- using greenify (xposed required i guess) u can "uncover hidden synchronizations" which will (what a surprise) a HUGE list of syncs to be disabled in settings -->accounts-->google-->whatever
- also take a look in google settings (ads/"security")
- system administrator
etcetcetc...
if u want to minimize the chance one can create location profiles: mac spoofing (i guess thats the english term). also when u use buetooth headset, u ar visible for any near device. same goes for wlan search, nfc bla.
These are just a few things that make me personally feel a bit more comfortable using such devices. a huge part in this takes NOT using whatsapp/facebook or anything like that. i'm convinced computers don't understand social interaction, and as such they should only take a minor "transmitting" role in this and not tell me who/what i might like or what the f***
I actually do have friends and they will know if theres sth worth to know, which works the other way round too.
I hope I somehow stuck to the read thread (do u really say so? ) and maybe there were 1 or 2 points of use for u.
Whats most: the more u use/rely on such technology, the more of ur life can/will be exposed OR the more effort u will have to put into it to prevent that. (with the only result u increase the effort in spying on u/whatever).
Gesendet von meinem ONE E1003 mit Tapatalk
Click to expand...
Click to collapse
Thank you very much for your dedication on a precise answering. All that you said.....you are right. Damn

I'm just trying out Nameless ROM. I noticed it has privacey guard as mentioned above. Whether it actually does anything who knows.

I'm paranoid about google services aswell.
Hence i installed a fresh build of CM13 / AOSP CAF
Installed F-Droid as primary market and replaced apps with open source replacements. (Replaced Chrome/AOSP browser with chromium etc.).
I also installed Firewall, adblocker+ and system manager for monitoring malicious apps and processes. Privacy guard & app ops also works wonders together
this not only gives u ability to customize android your way but also provides good level of security.
If you are still paranoid about identity, u can use orbot and tor network for anonymous identity. (Both found on F-Droid).
This also greatly improves battery life and keeps the phone snappy.
Hope this helps

In all honesty, just use Sailfish and remove everything you find funky. Private OS isn't worth porting. Another alternative would be to just flash any ROM without flashing GAPPs
---------- Post added at 04:02 AM ---------- Previous post was at 04:01 AM ----------
At the end of the day though, you are still at the mercy to some company... We have already lost this fight.

karan5chaos said:
If you are still paranoid about identity, u can use orbot and tor network for anonymous identity. (Both found on F-Droid)
Click to expand...
Click to collapse
I agree... in theory. however if u assume to be under surveillance, u better assume that u are not the only one inside the tor network to be under surveillance. u just need to observe a not too small amount of tor servers (which is still a relatively small amount, taking the capacity of todays intelligence services into consideration) to be able to reconstruct the whole path of any communication routed through that network. now also seeing that bandwidth is just lousy, there's just no point in using tor (except u want to access services, that require u to do so).
To cut a long story short, if u want ur internet traffic to be secure, u'll have to go for a vpn provider! (of course u have to trust that provider, as they are able to read anything u pass through that gate)
regards
t
P.S.: if u're interested in vpn service, pm me and i'll tell u my hoster which i think is one of the most trustworthy around and also provides some advanced methods other just don't.
(just to stick to the rules and not advertise here )