Root [Virgin Mobile/Sprint] Trust, apps, Google and so forth

[serealnewbie]

u0_a131@android:/ $ su
os.tools.scriptmanager-1.apk <
8968a440040a0abd934499444e23f685 /data/app/os.tools.scriptmanager-1.apk
root@android:/ #

Alright, good I have the same one with MD5. Even though I can't scan it on anubis. Thanks by the way, appreciate the quick effort. That is why google doesn't give away MD5 hashes on their site. They only want people to download from them. Then they say it's only safe to download from them. But people are just downloading their apks and hosting it on other websites.

Unless they do better verification then everyone else. I think I will start trusting other stores.

 

[scary alien]

Yeah, i would still use the one from Google play. Id trust that more than any other third party website

This.

Downloading and installing apps that are otherwise available from trusted sources like Google Play or the Amazon App Store can indeed be very iffy / sketchy.

A nefarious dev could inject malware into an app that purports to be the original and you could very well end-up negating the other security precautions that you're working on installing.

Caveat emptor.

 

[serealnewbie]

Yeah, i would still use the one from Google play. Id trust that more than any other third party website

This.

Downloading and installing apps that are otherwise available from trusted sources like Google Play or the Amazon App Store can indeed be very iffy / sketchy.

A nefarious dev could inject malware into an app that purports to be the original and you could very well end-up negating the other security precautions that you're working on installing.

Caveat emptor.

So you are trying to say Google Play is the only store that can properly scan for malware ? You can't just scan it on virustotal and various apk scanner programs/websites to make sure it doesn't have malware?

Conveniently google is apparently the company that built this operating system. Which conveniently has all this bloatware that is designed to collect information on you:

https://myshadow.org/google-collection

 

[EarlyMon]

Google didn't apparently build Android, they do build Android.

It's open source and used by members of the Open Handset Alliance and they build the Android they want to offer - in your case, your phone manufacturer built it.

Thanks for link but it's a sensational excerpt.

Read the whole thing, in context.

http://www.google.com/policies/privacy/

And don't just sign up for a Google account and complain about privacy. Go to your settings on the Gmail web and set the permissions you want.

And if you want to end the ad tracking, install an ad blocker. You're rooted. You can.

There.

End of apparent conspiracy to control you. By tracking things like what language you want your web searches served up in.

And btw - wake up my friend - it's your carrier and phone manufacturer that are tracking you in spades. They're the ones with the bloatware.

 

[serealnewbie]

And if you want to end the ad tracking, install an ad blocker. You're rooted. You can.

There.

End of apparent conspiracy to control you. By tracking things like what language you want your web searches served up in.

And btw - wake up my friend - it's your carrier and phone manufacturer that are tracking you in spades. They're the ones with the bloatware.

I'm not really speaking of the google search feature.

I know my phone manufacturer is trying to use applications to track me. One of them is MLT (which I uninstalled). I'm fine with using google's search engine when using it on my PC. I just don't want google apps spying on my phone.

So far I have done well with xprivacy + firewall + appsettings. I don't agree with the google play store to download apps by logging in from my phone. To me that's like saying if I have windows 7 , the only place you get downloads and applications is from a special windows store. Or firefox addons from a firefox addons store (there is no store, it's free, no login either!). I have no idea why they google does it this way. No, idea why you have to login to download the free apps.


It's similar to the setup to steam. You can only play single player games if you are connected online to steam to do it. *And yes I know about the offline mode. But it's a hassle and you have to relogin online to re-enable single player games. Now a days you have to use steam to get games. You can't just have them on your own. And they can shut down your account for all the games you bought.

And according to the tutorial to secure my phone on xda. For android 4.2 google added FusedLocation.apk, which tries to spy on you, but google says otherwise, it's an enhancement. By the way just because google says that the purpose of tracking of what you do is for a good purpose. Doesn't mean you should trust them.


Even if google says they have good intentions on their privacy statement in the context you want me to read. Doesn't mean I trust them. Or I should give them the information. I never said it was a conspiracy and everyone is evil and out to get me.

 

[EarlyMon]

Even if google says they have good intentions on their privacy statement in the context you want me to read. Doesn't mean I trust them. Or I should give them the information. I never said it was a conspiracy and everyone is evil and out to get me.

"Even if Google says... "

Yeah, I'm not really into arguing about what you think something that you didn't read said.

So have you changed your Google privacy settings?

 

[serealnewbie]

"Even if Google says... "

Yeah, I'm not really into arguing about what you think something that you didn't read said.

The difference is I'm not going to trust anything they say in the first place.

 

[EarlyMon]

OK.

The reason that an identity is used in the Play Store is because very few apps are actually free.

Most of the free ones are monetized by ads - as is where Google gets the dough to do Android in the first place.

Conveniently google is apparently the company that built this operating system. Which conveniently has all this bloatware that is designed to collect information on you:

Well, that sums up your point of view perfectly.

Apparently. Conveniently. Rotf thanks for that.

Cheers.

 

[serealnewbie]

OK.

The reason that an identity is used in the Play Store is because very few apps are actually free.

Most of the free ones are monetized by ads - as is where Google gets the dough to do Android in the first place.

Yes, and I don't agree with this, and your point is? With the free apps, they shouldn't have you log in. And the ones that cost money, you do? I pointed out my reasons for it in more details. But since you don't want to read it, what's the point?

Well, that sums up your point of view perfectly.

Apparently. Conveniently. Rotf thanks for that.

Cheers.

I said I was still new to using the android OS in my very first post. Before you chopped off this thread.

http://androidforums.com/threads/is-it-safe-to-install-init-d-on-this-phone-on-stock.898751/

Clearly you don't want a valuable discussion. More along the lines you just want to cherry pick things from what I said. And laugh at it. Fine.

 

[EarlyMon]

Oh, relax. It's Saturday night, I was just busting on ya, I didn't mean any harm.

I apologize ok.

 

[serealnewbie]

Oh, relax. It's Saturday night, I was just busting on ya, I didn't mean any harm.

I apologize ok.

I know you were messing with me as I said you cherry picked things. Mixed in with other serious points and statements you were trying to make.

 

[EarlyMon]

I know you were messing with me as I said you cherry picked things. It never hurts to give valuable information. Because of this:

And why can't we just download apks from other stores and scan it from various antivirus scanners ourselves to make sure it has no malware?

A lot of people do.

I use Amazon. I've tried others.

Very few are legitimate, on a percentage basis.

We used to try to keep a trusted list posted but there was too much churn and in the end, we couldn't keep up officially.

Drop @codesplice a line, I think he knows one or two you don't have to mistrust. Tell him I sent you.

The Play Store Bouncer is not perfect by any stretch.

It has one attractive advantage - not only does it sweep constantly for malware, but when they find something with an intentional hole in it to deliver malware later (famous way to fool anti-malware apps) they not only take it out of the Store, they remotely uninstall it from your phone. There have been a few incidents where that really saved people.

Go get yourself Network Connections, search and ask the dev on XDA if you don't want to go to the Store.

I run a firewall, sure, but I also use that app to see what apps are talking to the wrong places at the wrong times. Rather than blacklist them at the firewall, I just get rid of them.

 

[serealnewbie]

A lot of people do.

I use Amazon. I've tried others.

Very few are legitimate, on a percentage basis.

We used to try to keep a trusted list posted but there was too much churn and in the end, we couldn't keep up officially.

Drop @codesplice a line, I think he knows one or two you don't have to mistrust. Tell him I sent you.

The Play Store Bouncer is not perfect by any stretch.

It has one attractive advantage - not only does it sweep constantly for malware, but when they find something with an intentional hole in it to deliver malware later (famous way to fool anti-malware apps) they not only take it out of the Store, they remotely uninstall it from your phone. There have been a few incidents where that really saved people.

Go get yourself Network Connections, search and ask the dev on XDA if you don't want to go to the Store.

I run a firewall, sure, but I also use that app to see what apps are talking to the wrong places at the wrong times. Rather than blacklist them at the firewall, I just get rid of them.

I see, I have network log. I'll get network connections as well.
To be extra cautious, maybe I should contact anubis about the file that I scanned and ask why it had/or is a false positive. Or how their result ratings work.

And stop stressing if virustotal couldn't detect malware in 57 different virus scanners, then I should be alright. Except for that loop hole you mentioned.

I'm not looking for a store as such, I'm more or less just downloading apps I normally do on windows. And always checking everything I do on windows I usually scan with virustotal.

I'm just looking for the confirmation that I can trust virustotal results with apk files that they are accurate.

 

[EarlyMon]

I can't really endorse much outside of what I know on Windows and I don't know VirusTotal beyond their claims. Most AM/AV software I've been exposed to has been pretty bad and even the good stuff makes mistakes.

Sideloading through Windows downloads is the number one Android malware infection vector despite a lot of people claiming that they've scanned.

You have to do your due diligence on that.

Have you tried just emailing devs or visiting their pages for direct download opportunities directly from the actual sources?

And never go for cracked apps.

 

[robaho]

If your phone is rooted... it is not secure. any app that is granted root permission can mess with security at any time...

 

[serealnewbie]

If your phone is rooted... it is not secure. any app that is granted root permission can mess with security at any time...

Theoretically if it is programmed to know how to disable that security. If I used xprivacy to disable certain permissions and functions of an app that has SU access. It won't bypass the security unless it knows how to shut down xprivacy. So the more security layers you put up, the more harder it is to do anything.

Have you tried just emailing devs or visiting their pages for direct download opportunities directly from the actual sources?

I can try. It might be a good practice to start asking. And also requesting MD5's checksums.

 

[robaho]

Theoretically if it is programmed to know how to disable that security. If I used xprivacy to disable certain permissions and functions of an app that has SU access. It won't bypass the security unless it knows how to shut down xprivacy. So the more security layers you put up, the more harder it is to do anything.




I can try. It might be a good practice to start asking. And also requesting MD5's checksums.

not really, when a rooted app runs it can install any number of backdoors that do not go through the android permissioning system - it can even replace the system files...

 

[serealnewbie]

not really, when a rooted app runs it can install any number of backdoors that do not go through the android permissioning system - it can even replace the system files...

And what if xprivacy denies them that permission to install any new back doors?

 

[robaho]

And what if xprivacy denies them that permission to install any new back doors?

not possible for xprivacy to prevent it if the app ran even once as root.

 

[serealnewbie]

not possible for xprivacy to prevent it if the app ran even once as root.

Then I will only grant root permissions to applications I trust then. But back to your original argument.
"A rooted phone isn't secure."

And a unrooted phone is secure? From private eyes of your phone manufacture apps and some google apps spying on you, without your permission?

I rather trust makers of AFwall+ firewall, xposed installer, xprivacy, etc. Not like they are going to purposely inject malware for their own gain.

It's nice when finally connecting to my wifi. My phone doesn't immediately download an update without my permission.

And technically you are correct, a rooted phone can be way more dangerous if you don't know what you are doing and downloading malware and running untrusted apps granting root permission.

 

[robaho]

Then I will only grant root permissions to applications I trust then. But back to your original argument.
"A rooted phone isn't secure."

And a unrooted phone is secure? From private eyes of your phone manufacture apps and some google apps spying on you, without your permission?

I rather trust makers of AFwall+ firewall, xposed installer, xprivacy, etc. Not like they are going to purposely inject malware for their own gain.

It's nice when finally connecting to my wifi. My phone doesn't immediately download an update without my permission.

And technically you are correct, a rooted phone can be way more dangerous if you don't know what you are doing and downloading malware and running untrusted apps granting root permission.

everything you said is true. I would add though that apps like xprivacy can only work well if they run as root... and even then you can't really control the backdoors that the vendor builds into the platform. only as good as the terms of service and their honesty.

 

[serealnewbie]

everything you said is true. I would add though that apps like xprivacy can only work well if they run as root... and even then you can't really control the backdoors that the vendor builds into the platform. only as good as the terms of service and their honesty.

Thanks for input. With a back door is it possible it can send data without me knowing to another ip address? If I was monitoring it through network connections and network log?

A lot of people do.
Go get yourself Network Connections, search and ask the dev on XDA if you don't want to go to the Store.

I run a firewall, sure, but I also use that app to see what apps are talking to the wrong places at the wrong times. Rather than blacklist them at the firewall, I just get rid of them.

Good news.
I figured out a solution to my problem. How to get apks from google play store without using my real phone. I won't need @codesplice 's help after all.


(Link redacted by Early)

Using this virtual machine method, which seems to work really well. Still need a google account.

I can then use appmonster , back it up, then use hashcalc app and verify sha256 and MD5. To see if it matches the ones I download from the internet from other sources.

I haven t figured out how to get the apk files out of the VMware and onto my pc yet. But I'm sure there is a way.

 

[codesplice]

I may be a bit late, but the only app repository I can recommend (apart from the Play Store and Amazon) is https://f-droid.org/. They host only free and open-source apps with the permission of the developers. You can find a lot of root and utility applications there, but probably won't find anything from the big players.

Edit: Whoops, didn't realize the VM approach was a ToS violation. Afraid we can't help with that.

 

[EarlyMon]

The VM route became a violation of Google's Terms of Service as soon as it got into discussion of moving apks out - and frankly as we don't want to risk a complaint from them, the link has been removed.

 

[serealnewbie]

I may be a bit late, but the only app repository I can recommend (apart from the Play Store and Amazon) is https://f-droid.org/. They host only free and open-source apps with the permission of the developers. You can find a lot of root and utility applications there, but probably won't find anything from the big players.

Edit: Whoops, didn't realize the VM approach was a ToS violation. Afraid we can't help with that.

Alright, yeah f-droid sounds familiar. It's where I got my network log from:
https://f-droid.org/repository/browse/?fdfilter=network log&fdid=com.googlecode.networklog

Interestingly it has a different checksum than the one on googleplay. It's a different signature. And the one on google play. Has this detection:

https://www.virustotal.com/en/file/...aee1592433758579b0ed443d7e51e945c82/analysis/


So I assume fdroid puts a different signature on theirs and they got permission. And I can trust them.

The VM route became a violation of Google's Terms of Service as soon as it got into discussion of moving apks out - and frankly as we don't want to risk a complaint from them, the link has been removed.

Haha, that figures, google. No problem there. I'll just keep it myself then.