[kernel] Do we need data security (aka a working firewall)? - Desire General

Dear kernel developer,
do you have a firewall on your desktop computer?
I think, the answer is "yes, of course!"
Why don't you want a firewall for your phone?
Your answer: "It is linux, we don't need it!"
Sure?
In contrast to the "safe a.p.p.l.e market" we are free to get our application from everywhere...
But every person with minimum programming skills is able to use tools like "apktool", "smali/baksmali" to modify existing applications.
Why not integrate some spy functions (send private photos, use camera and microphone, send phonebook and email addresses).
Solution:
There is always a FREE program to disallow or allow applications the use of wifi or mobile data connections:
DROIDWALL ( http://code.google.com/p/droidwall/ )
But this superb program needs some special compiling parameters in the kernel compilation process.
(Something like 'iptables', 'multiport', 'iprange' and 'ipowner')
I found only one working kernel+rom, which is DroidWall compatible: "Six O´Clock A.M." from user 'oclock',
( http://android.modaco.com/content/htc-desire-desire-modaco-com/312051/oclock-custom-rom/ )
This is a fine and stable release, but it is a v2.1 rom (not froyo).
Please, please froyo-kernel-developer: get the right parameters for kernel compilation, so we can use DroidWall.
So everybody can decide by himself, which application is allowed to send data to wifi or mobile data connection.
Kind Regards

i knew linux didn't need an antivirus, thought it still needed a firewall...
since i've always had one set up on my linux installs... but then again, i'm a linux noob.

What about using the phone as a hardware firewall for your laptop when on public wifi?
I'd have no use for it personally but I am sure others might.

You do not NEED a firewall on your computer. You need a firewall between your computer and the internet. If your computer has a public routable IP then you need a software firewall. If you have a hardware firewall that is a good known brand and it is not OLD then this will be fine providing you do not illegally download software - generally. And therefore there is no requirement for a software firewall.
You need a firewall to deny traffic to ports (and IP addresses) that are not closed by default. These open ports potentially open a security risk providing there is an exploit for said port.
Please inform us of which ports are open on our Android phones? I mean open for inbound communication of which did not get opened due to software making an outbound connection.
I can do an NMAP to my desire over wifi sometime this week to discover... But right now I can pretty much say you do not need a firewall on your phone. It will only cause you problems with software needing the internet. And besides, our phone ISPs put us on a private network - they don't usually allow connections between hosts / customers, and we sit behind a corporate type hardware firewall...

iptables
Actually Android has a Firewall installed, it's called iptables.
It's not a personal firewall... but those are just to get money from PPL without any advanced security... Linux does, by design not have open ports... like windows where you need a program to close what shouldn't be open anyway... And when you Install an APP you see what the APP wants to do, if it wants access to your contacts or internet or what else... so there is absolutely no need for a user scaring Personal Firewall

kuhine said:
So everybody can decide by himself, which application is allowed to send data to wifi or mobile data connection.
WiHerr
OK, a classic firewall is looking only to the used network-ports and allow or disallow the communication: this type of firewall can not make a difference between a good and bad data transmission (for example the firewall built-in in our wifi-routers).
But extended versions of firewalls have a built-in behavior control of applications:
I want to decide, which application is allowed to communicate WITHOUT ANY USERCONTROL over Wifi or a mobile data connection and which one not.
- I want to stop (possible) spyware from sending my private data out
- I want to stop software looking to their developers server and stop working when the developer says "stop, buy the new version - the old one is out of order yet"
And in linux there is a system function, which has the information, which network sockets are owned by which application (ipuser?).
There are only a few parameters to set when compiling a new kernel, to activate these functions
Please look to the Droidwall site and the screenshot of the software.
Regards
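The kernel requirement discussed in the posts above, as an added example that is not part of the thread and is not DroidWall's code: `missing_opts` checks a kernel `.config` for the netfilter options that per-application filtering depends on, and `owner_rules` prints the kind of UID-based rule set those options make possible. The Kconfig symbol names are the mainline ones assumed to match the modules named in the thread; the chain name `appfw`, the interface patterns and the sample UIDs are hypothetical.

```shell
#!/bin/sh
# Added example, not DroidWall's code. The Kconfig symbols are the mainline
# netfilter names assumed to correspond to the modules named in the thread
# (iptables, multiport, iprange, owner).
REQUIRED_OPTS="CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER
CONFIG_NETFILTER_XT_MATCH_OWNER CONFIG_NETFILTER_XT_MATCH_MULTIPORT
CONFIG_NETFILTER_XT_MATCH_IPRANGE"

# Constructed sample: a .config fragment where owner and iprange are missing.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
EOF
}

# missing_opts FILE: print each required option FILE does not set to y or m.
missing_opts() {
    for opt in $REQUIRED_OPTS; do
        grep -Eq "^${opt}=(y|m)\$" "$1" || printf '%s\n' "$opt"
    done
}

# owner_rules UID...: print (never apply) an outbound allowlist keyed on the
# UID that owns the sending socket. On Android each app runs under its own UID.
# Locally generated packets with no owning socket fall through to the DROP.
owner_rules() {
    chain=appfw                      # hypothetical chain name
    printf 'iptables -N %s\n' "$chain"
    for ifc in 'rmnet+' 'wlan+'; do  # assumed mobile-data and wifi interfaces
        printf 'iptables -A OUTPUT -o %s -j %s\n' "$ifc" "$chain"
    done
    for uid in "$@"; do
        case $uid in
            ''|*[!0-9]*) echo "skipping non-numeric uid: $uid" >&2; continue ;;
        esac
        printf 'iptables -A %s -m owner --uid-owner %s -j RETURN\n' "$chain" "$uid"
    done
    printf 'iptables -A %s -j DROP\n' "$chain"
}

# Demo on the constructed sample; 10052 and 10077 are made-up app UIDs.
cfg=$(mktemp)
sample_config > "$cfg"
echo "Missing kernel options:"
missing_opts "$cfg"
rm -f "$cfg"
echo "Rules that would allow only two app UIDs:"
owner_rules 10052 10077
```

On a device, the running kernel's configuration can be read from `/proc/config.gz` when the kernel was built to expose it; otherwise the ROM's build `.config` is the file to check.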

safttuete said:
Actually Android has a Firewall installed, it's called iptables.
That is the point, but IPTABLES is not working on almost all android kernels, except the oclock roms. Or am I wrong?
Droidwall is only a graphical frontend for iptables! Not more.
Every time when we install new software (i.e. out of the android market), we get a list displayed of what the program likes to do. And there is almost "unrestrictive network use" for even the smallest widgets... I want to decline this network use, but it is a "take all or nothing" thing.
I'm not a modern facebook/twitter user: take all my data... here are some more private details... and here are photos and addresses from all my friends, too.
What is so scary to select out some applications from sending data?
And with a working iptables we can do so.
Dramatical continuance...
the real reason could be: there are some application installed on the phone, which must not re-check their licenses on every use...
(only to save mobile data volume... without switching to flight mode)

I think an app that can edit the given permissions would be much more useful than a firewall. But I haven't found something like that yet.

@kuhine
I think nearly every custom ROM has iptables, CM has it for sure. I don't know about ipuser though.
uTauro said:
I think an app that can edit the given permissions would be much more useful than a firewall. But I haven't found something like that yet.
It's impossible for now. Android convention is to give all required permissions to an app or don't install it at all, so apps aren't designed to support lack of permissions. Most of them will probably FC, even if you will block out some minor feature.

Hello all,
today I saw the message, that a wallpaper app sent private information to their server in china:
http://mobile.venturebeat.com/2010/07/28/android-wallpaper-app-that-steals-your-data-was-downloaded-by-millions/
In the meantime I choose this rom with "DROIDWALL" firewall support:
[ROM-FroYo AOSP] OpenDesire v2.3a
And I found a new free firewall program named "ANDFIRE", but I didn't test it yet.

kuhine said:
And I found a new free firewall program named "ANDFIRE", but I didn't test it yet.
WiHerr
Checked ANDFIRE out. Seems to work fine on my DeFrost 2.2c release. Will check it out further. Interface looks very similar to DroidWall and that also seems to work fine on my device.
Will have to investigate further, but it's a good idea to get it working.

suffer not adware to live
kuhine said:
That is the point, but IPTABLES is not working on almost all android kernels, except the oclock roms.
If the kernel features you need are not an option consider a less horrible option:
LBE privacy guard

kuhine said:
That is the point, but IPTABLES is not working on almost all android kernels, except the oclock roms. Or am I wrong?
Droidwall is only a graphical frontend for iptables! Not more.
Every time when we install new software (i.e. out of the android market), we get a list displayed of what the program likes to do. And there is almost "unrestrictive network use" for even the smallest widgets... I want to decline this network use, but it is a "take all or nothing" thing.
I'm not a modern facebook/twitter user: take all my data... here are some more private details... and here are photos and addresses from all my friends, too.
What is so scary to select out some applications from sending data?
And with a working iptables we can do so.
WiHerr
Dramatical continuance...
the real reason could be: there are some application installed on the phone, which must not re-check their licenses on every use...
(only to save mobile data volume... without switching to flight mode)
Maybe you should have a look for LBE privacy....

Related

[TUT] [APP] Hacking Facebook, Yahoo etc. over wifi

DroidSheep is an Android application that demonstrates security weaknesses (not using https) and is capturing facebook, twitter, linkedin, yahoo, and other accounts.
PS> this is NOT my work, nor do I intend it to be taken as my work, I just wanted to share with the community!
NOTE FROM THE GERMAN DEVELOPER:
DroidSheep was developed as a tool for testing the security of your accounts.
This software is neither made for using it in public networks, nor for hijacking any other persons account.
It should only demonstrate the poor security properties network connections without encryption have.
So do not get DroidSheep to harm anybody or use it in order to gain unauthorized access to any account you do not own! Use this software only for analyzing your own security!
Now>
WHAT DO YOU NEED?
1. A rooted phone (no, it will for sure not work without root)
2. The App installed on the phone (latest build attached to the present post)
3. A WIFI network to test it on
How do you use it?
DroidSheep's main intention is to demonstrate how EASY it can be, to take over nearly any internet account. Using DroidSheep any user – even without technical experience – can check if his websession can be attacked or not. For these users it is hard to determine, if the data is sent using HTTPS or not, especially in case of using apps. DroidSheep makes it easy to check this.
This video demonstrates what DroidSheep can do:
http://droidsheep.de/?page_id=14
How does it work?
As already announced DroidSheep supports almost every website – also “big” webservices like facebook and Yahoo.
How does that work this simple?
There are many users that do not know that air is the transmission medium when using WiFi. Therefore information is not only transferred to its receiver but also to any other party in the network within the range of the radio waves.
Usually nothing special happens because the WiFi users discard packets that are not destined to themselves. DroidSheep does not do this. It reads all the packets looking at their contents.
If a website sends a clear recognition feature within a message’s content which can identify a user (“SessionID”), then DroidSheep is able to read it although it is not intended for external users. Moreover, DroidSheep can use this token as its own. The server can’t decide whether the authorized user or DroidSheep has sent the request.
http://droidsheep.de/?page_id=424
How can I protect myself?
The only satisfying answer is: SSL respectively HTTPS.
Many providers already offer HTTPS, even facebook, however it must often be enabled in the settings first.
When using HTTPS the data are still sent to all participants in the WiFi network, too, but because the data has been encrypted it is impossible for DroidSheep to decrypt the content of a message - remaining only a complete mess of letters, with which an attacker can’t do anything.
The real problem is that not every website provides SSL. What to do when you are in a public network (hotel, airport, etc.), you also want to use this and the site does not offer HTTPS though?
You can use a VPN-connection
For this the computer sets up an encrypted channel to a confidential computer which again transfers the data to the website.
You can also install DroidSheep Guard from the Market:
https://play.google.com/store/apps/details?id=de.trier.infsec.koch.droidsheep.guard.free&hl=en
A very interesting feature is the possibility to save cookies!!
Source> http://droidsheep.de
Imagine the possibilities....
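A check a site owner can run for the exposure described above, as an added example that is not part of the original post or of DroidSheep: a cookie set without the `Secure` attribute is also sent over plain HTTP, where anyone on the same WiFi can read it. The response headers below are constructed sample data.

```shell
#!/bin/sh
# Added example: list cookies that a server sets without the Secure attribute.

# Constructed sample of saved HTTP response headers.
sample_response() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly
Set-Cookie: csrftoken=xyz; Path=/; Secure; SameSite=Lax
set-cookie: prefs=dark; secure
EOF
}

# insecure_cookies FILE: print the name of every cookie set without Secure.
# Header names and attribute names are matched case-insensitively.
insecure_cookies() {
    awk '
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)      # drop the header name
            n = split(line, parts, ";")
            name = parts[1]
            sub(/=.*/, "", name)                # keep the cookie name only
            secure = 0
            for (i = 2; i <= n; i++) {
                attr = tolower(parts[i])
                gsub(/[ \t\r]/, "", attr)
                if (attr == "secure") secure = 1
            }
            if (!secure) print name
        }' "$1"
}

# Demo on the constructed sample.
hdr=$(mktemp)
sample_response > "$hdr"
echo "Cookies that can travel over plain HTTP:"
insecure_cookies "$hdr"
rm -f "$hdr"
```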
This isn't good dude.
And 'air' isn't the 'transmission medium' for WiFi. We figured that out when we discarded the ether hypothesis around a century ago.
backfromthestorm said:
This isn't good dude.
And 'air' isn't the 'transmission medium' for WiFi. We figured that out when we discarded the ether hypothesis around a century ago.
-what exactly "isn´t good" ?
Ok you are correct, yes, WIFI (as any other electromagnetic wave) can also be transmitted through vacuum, so yes there is no need of "air"
Reported to a MOD. I don't think this should be shown or talked about on XDA; this isn't a hacking site like you might think for taking advantage of other people's accounts.
XDA is a hacking community for the good like Rooting.
This app has been on XDA for quite a while http://forum.xda-developers.com/showthread.php?t=1593990
Even a portal article about it http://www.xda-developers.com/android/droidsheep-undresses-network-security-and-shows-how-its-done/
Please use the main thread to discuss this app, not this one.
@ shankly1985, we appreciate your concern, but people need to know how insecure important accounts can be. Thus enabling them to make the changes to fix them.
Thread Closed.

How to use openvpn with android

I was a bit confused about how to use OpenVPN on an Android device because there was so little information around. I thought I'd post this to make it easy for others. It turns out to be very simple. I have an Android phone (Note 2, Jellybean) rooted and Busybox installed, but neither is necessary.
The following steps relate to using an Android device with a commercial vpn service (like an anonymizing service among others), but they should help clarify in other situations.
Step 1: download the OpenVPN config files from your vpn provider.
Step 2: download, install and start "OpenVPN for Android by Arne Schwabe" (O4A) (get it from any android app source, it's free, but donation to the author is optional and it's a great app).
Step 3: on the "VPN Profiles" page of O4A, use the folder icon upper right to browse to the .ovpn config file for a server, select, and save it on the following page. The server name will appear on the Profiles page.
Note: Sometimes the server config files include a .p12 file which O4A will want to import, then require a password to decrypt...just uncheck that file (upper left) before saving; later O4A will ask for a password, just leave it blank and hit "OK", it will connect just fine (at least with my vpn provider).
Step 4: open the settings for the server you just imported (icon to the right of the server name), navigate to the "Basic" page, and enter your username and password at the bottom of the page (if your provider uses the u/p type connection). YOU ARE DONE (but, you will need to repeat this for each server you want to use).
Step 5: tap on the server name on the "Profiles" page, O4A will open the log file and you will see it going through the steps of the connection process in both the log and the notification bar. When it's finished successfully, you'll see "connected". You can check the connection in the log file. Also depending on your device the connection will show in the notification bar for as long as it's connected. You can disconnect by tapping the notification.
The correct configuration settings for OpenVPN are usually included in the .ovpn file, so you likely won't need to change any config setting in O4A. However, you can add the line "auth-nocache" to the .ovpn file manually or add it on the O4A page "Advanced -> Custom Options". This will prevent the username/password from being cached if that's important to you.
NOTE: Using dnsleaktest.com I have noticed that google dns servers appear sometimes as a dns server. This might represent a dns leak as there would seem to be no reason, for example, for a European located server to use a U.S. located google dns server. I'm not clear about why the google servers are showing up, maybe someone can verify/clarify.
However, you can force a dns server of your choosing by going to the "IP and DNS" page of the server config settings in O4A, and select "Override DNS Setting by Server". You can then use the default dns servers chosen by the author or enter your own.
Enjoy!
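A quick audit of an `.ovpn` profile for the two settings the post above singles out, as an added example that is not part of the original post or of O4A: it warns when `auth-user-pass` is used without `auth-nocache`, and when the file pins no DNS server. It assumes a client-side `dhcp-option DNS` line is how the resolver is fixed in the file itself (O4A's "Override DNS Setting by Server" switch lives in the app, not in the file); both profiles are constructed samples.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client profile for credential caching and DNS.

# Constructed sample: credentials used, auth-nocache commented out, no DNS.
weak_profile() {
    cat <<'EOF'
client
dev tun
remote vpn.example.net 1194 udp
auth-user-pass
;auth-nocache
EOF
}

# Constructed sample: same profile with both settings in place.
hardened_profile() {
    cat <<'EOF'
client
dev tun
remote vpn.example.net 1194 udp
auth-user-pass
auth-nocache
dhcp-option DNS 192.0.2.53
EOF
}

# has_directive FILE NAME [ARG]: succeed when NAME (optionally followed by ARG)
# appears as an active directive. Lines starting with # or ; are comments.
has_directive() {
    awk -v d="$2" -v a="${3:-}" '
        /^[ \t]*[#;]/ { next }
        $1 == d && (a == "" || $2 == a) { found = 1 }
        END { exit !found }' "$1"
}

# audit_ovpn FILE: print one WARN line per finding, nothing when clean.
audit_ovpn() {
    if has_directive "$1" auth-user-pass && ! has_directive "$1" auth-nocache; then
        echo "WARN auth-user-pass without auth-nocache: credentials stay cached in memory"
    fi
    if ! has_directive "$1" dhcp-option DNS; then
        echo "WARN no dhcp-option DNS: resolver is not pinned by this profile"
    fi
}

# Demo on the constructed samples.
p=$(mktemp)
weak_profile > "$p";     echo "weak profile:";     audit_ovpn "$p"
hardened_profile > "$p"; echo "hardened profile:"; audit_ovpn "$p"
rm -f "$p"
```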
What is your choice server? I see free and fee ones, but wondering about true encryption security too.
I'm just now looking into this, and am curious at what point vpn should be considered or if it's overkill for me.
Sent from my SGH-T889 using xda app-developers app
lyinelriche said:
What is your choice server? I see free and fee ones, but wondering about true encryption security too.
I'm just now looking into this, and am curious at what point vpn should be considered or if it's overkill for me.
Sent from my SGH-T889 using xda app-developers app
IMHO, anyone who cares about their privacy should use a vpn. It does give you privacy on the web. Otherwise all your net activity, email, messaging, etc. are recorded by your ISP as well as snooped by various international TLAs (three letter organizations i.e. FBI, NSA, CIA, GRU, etc) and commercial entities seeking to monetize your information.
There are many vpn services around, some good, some very bad. After doing some research, I've been using Perfect-Privacy.com for a few years. Some of the things I like about them are: you can sign up and pay anonymously, They have over 40 servers in some 20 countries. You can switch between servers from your machine in seconds. You can chain 2 or more servers for even stronger privacy (though you probably don't need that). They have free port forwarding (needed for some p2p progs). They do not log anything anytime. They donate part of their server bandwidth to the TOR project. Their servers are fast (I can dl at my ISP's cap speed (@12 mb/s) but PP's bandwidth is much higher if you can use it). There's no limit on your traffic. Their up time is very good...occasionally a server goes down, but they get it fixed timely and with 40 servers to choose from it's not a problem. Their staff is friendly and responsive (though you should plan on following instructions for setup...pretty easy). They use OpenVpn with AES-256 bit encryption which is currently unbreakable (PPTP and L2TP are hackable) (they also provide access via SSH2, Socks 5, Squid, PPTP and L2TP). My take is that they are very committed to privacy; Overall I think the quality of their service is excellent. All that said, they are a bit more expensive than some vpns, but worth it IMO. You can sign up for one month to try it out, then apply that to a cheaper longer time if you like it.
BTW, you could use TOR (The Onion Router) to check out using a vpn. It's a great project, open-source and free! It's a bit slow because it chains through three servers and all the nodes/bandwidth are donated. But it works well and is a great great service to those who understand that privacy is important. Be aware that the TOR admins ask people not to use it for p2p because that lags down the system.
Hope that helps. Good luck
I am not going to pretend that I understand everything you wrote, but I think I know what you mean by P2P, and that is exactly the reason why I'm considering Vpn in the first place. That being said, I really appreciate you letting me pick your brain about it.
Sent from my SGH-T889 using xda app-developers app
lyinelriche said:
I am not going to pretend that I understand everything you wrote, but I think I know what you mean by P2P, and that is exactly the reason why I'm considering Vpn in the first place. That being said, I really appreciate you letting me pick your brain about it.
Sent from my SGH-T889 using xda app-developers app
Glad to help. BTW TOR has a free web browser package with the TOR function already built in. Just download it, install and you're up and ready to browse anonymously. Easier than that it doesn't get. Search for TOR, you'll find it.

[Q] how hide apps in start menu of Windows 10 Mobile "or" add whitelist to Edge?

Hi,
is it possible to "hide" an app from the W10M start menu? And I don't refer to the home screen, I mean the full list of apps.
Or would there be a way to let the browser only work with a whitelist? .. No, Microsoft Family does not work properly on W10M.
Background - feel free to call me soft:
- Bought a Lumia 640 XL for my wife and a 2nd hand Lumia 535 for my daughter (to be her first smartphone, getting 9 end of the month) so that they could "share" the same experience, more or less.
- Played around with the "Microsoft Family" feature, and, to make it short, it doesn't work properly, not nearly close to what was expected or advertised. That might change ... in a few months. Maybe.
At least the URL filtering does not work "at all".
- So, in short, in order not to instantly fall back to pick an Android based device for my daughter (one beloved Razr i still in close range...), I was wondering if it was possible to "hide" one or the other thing from the start menu instead, the Edge browser in particular. Uninstallation I don't expect to be possible, probably being a deeper chunk of the OS, but only touching the start menu I concluded "should" be possible, one way or the other. At least I hope so.
Would I start to deal with the "full file system access" approach or rather try to dive into registry fiddling? Any help or maybe clear hint would be highly appreciated.
By now I did not find anything related to this. Neither here at xda or somewhere else. Probably no one considers doing something like that for his kids on Windows 10 Mobile ...
Who would want to hide a browser on a smartphone, anyway? .. yeah, I can't keep my kids "off" of the bad Internet, but I can at least keep an eye upon as long as possible.
Thanks in advance,
regards,...
bloodot
additional remark:
... after adding "a few" URLs to Microsoft's web interface for blocking URLs (via a web automation tool, yeah, I'm lazy...) it stopped working at 1003 registered URLs. So, as long as they don't come up with something that works (whitelist... external service for checking URLs... whatever...) any help on this matter would be highly appreciated.
You want to keep her off the "web," correct?
Change your Mobile Data & Wifi DNS to 127.0.01
(You will need interop/FS access: )
Create a hosts file in C://Windows/system32/drivers/etc
Determine what sites you want to *allow* and find their IP. For example, if you want to whitelist Facebook, open cmd.exe from your PC and type:
Code:
ping facebook.com
You'll see:
Code:
C:\WINDOWS\system32>ping facebook.com
Pinging facebook.com [31.13.76.68] with 32 bytes of data:
Reply from 31.13.76.68: bytes=32 time=75ms TTL=82
Reply from 31.13.76.68: bytes=32 time=76ms TTL=82
Reply from 31.13.76.68: bytes=32 time=79ms TTL=82
Reply from 31.13.76.68: bytes=32 time=74ms TTL=82
Ping statistics for 31.13.76.68:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 74ms, Maximum = 79ms, Average = 76ms
C:\WINDOWS\system32>
So, you'd add:
Code:
31.13.76.68 facebook.com
31.13.76.68 www.facebook.com
to your phone's host file.
If you can create profiles on your router, you can also do the same (DNS to 127.0.01 for her phone's MAC address)
Doing this would make all of the web unresolvable, except facebook.com
To change the Wifi DNS:
Settings -> Network & Wireless -> Wi-fi -> Static IP -> fill your info
*If your router doesn't support static IP, you should check and see if your router supports profiles, and build one to target her phone mac address.* (If you don't target her mac address/other phone identifier and set your router to 127.0.01, all of the devices on your network will encounter blocked access to the web)
For Mobile Data:
I don't see an immediate switch for this (at least with my provider), it's routed through a network port on their servers. Unless something changes in future builds, it's probably best to just turn mobile data off and use the Wifi/hosts to keep control of what sites she can access.
Thank you very much!
Point is, I don't want to keep her off completely, and the major issue would be to keep control once she's "not" inside our home network but on cellular.
So I think I need to start investigating on my own whether I can manipulate the start menu or even the browser itself.
The local DNS lookup, which would only work on WiFi anyhow, would also result in me analyzing all communication end points for "any" kind of
app I'd like her to use. Doable, but still the mobile part would be open. Beyond that I cannot block her "re-enabling" the cellular data connection,
the system isn't that strict in that matter. Would be nice, though, ...
@home I already use OpenDNS, probably should have mentioned that, so that's more or less under control.
Let's see if some other ideas or approaches pop up from xda; I'm actually trying to get in direct contact with one of the Microsoft Family team
as, on a business level, we're currently working closely with some of the Microsoft 10 teams.
If they, if connected that is, tell me that they're aware of the bugs and that they're actually part of a road map, I'd be happy, too.
However, for the time being I expect I have to sort it on my own.
I'll give it a go with interop and see what I can find to deal with.
So, any other ideas?
Regards,..
bloodot
How about interopunlock and use your own hosts file?
How about App corner inside settings?
augustinionut said:
How about interopunlock and use your own hosts file?
How about App corner inside settings?
... the hostsfile will only work via WiFi, at least that's my current understanding as for cellular one cannot change the DNS settings, meaning, you can't make them point towards 127.0.0.1.
App Corner I already "played" around with - it has some other issues
- it's buggy, sometimes it doesn't even start.
- can be bypassed by just restarting the device
- everything "allowed" is available to public, more or less.
- the App Corner does not allow "games" to be made available ...
... hey, so what about the kids' corner?
- well, that doesn't allow the phone app... but still, that would also be a half-baked approach again.
I hope it were at least three different teams designing those packages, the kids' corner, the app corner and the family safety integration.
As a whole, NONE of them delivers what a parent needs when actually "permanently" giving a Windows based phone to one of his children.
bloodot said:
... the hostsfile will only work via WiFi, at least that's my current understanding as for cellular one cannot change the DNS settings, meaning, you can't make them point towards 127.0.0.1.
App Corner I already "played" around with - it has some other issues
- it's buggy, sometimes it doesn't even start.
- can be bypassed by just restarting the device
- everything "allowed" is available to public, more or less.
- the App Corner does not allow "games" to be made available ...
... hey, so what about the kids' corner?
- well, that doesn't allow the phone app... but still, that would also be a half-baked approach again.
I hope it were at least three different teams designing those packages, the kids' corner, the app corner and the family safety integration.
As a whole, NONE of them delivers what a parent needs when actually "permanently" giving a Windows based phone to one of his children.
PIN + kids corner. Can't bypass it.
-W_O_L_F- said:
PIN + kids corner. Can't bypass it.
... it's not my phone she should use. She should be able to use her own phone.
That includes calling her mum or me.
"Phone" is not an allowed app for the kids corner, it ain't listed when setting that up.
And even if it was, it would allow "anyone" who would steal that phone to directly use its SIM card hassle-free.
And, as a minor annoyance, anything else that would be allowed via that mechanism.
It's just the current truth to deal with, W10M is not child-ready by any means.
If I want more control, I need to switch the phone.
Or start trusting a 9year-ish old girl to deal with the Internet without restrictions.
... so fiddled around with a few things, though interop is active according to the tool itself after sideloading it, wconnect won't work at all (crashes, no proper error given and before that IpOverUsbInstaller won't finish installation), so I can't get that key to get the SSH connection done and therefore I can't get full file access.
I think I'm done with this now. Selling the phone, using the Razr I instead, already have the proper system locking tools in place for that, bye bye Lumia 535. I would have loved to see my child deal with such an "easy" OS interface for getting used to smartphones, but I can't let her have access to the Internet while "not at home" without restrictions. No way.
... went so far and tried miradore to restrict the system via MDM. And guess what ... the f'n browser CANNOT be blocked via MDM. At least miradore has a free trial of 14 days. I was even willing to pay the damn 2$ per month for that service. *sigh* MAYBE it has a URL filter SOMEWHERE ...
... however, at least one can disallow the "usage" of the browser. MAYBE that works. Trying...
Yes. Works. JESUS ... what a mess. Let's see if I can get that done somewhere / somehow via MDM "without" another monthly fee ...
yeah, worked. Pity though, they want "10$" minimum fee per month.
BUT: ... I stumbled over https://www.manageengine.com/mobile-device-management/
Free for up to 25 devices. Either cloud based (not supporting W10M for now) or Windows based installation (supporting W10M, more up2date...).
And it works. Thank you very much. Case closed.
Though I cannot restrict the URLs ... I can block the Edge browser. And the Microsoft Store. Happy bunny.

Note 10+, user certificates and package disabler

Alright, I'm in that nice panic stage where you've learned enough to scare yourself but don't know enough to reassure yourself.
Had a factory reset recently, seems likely it was due to 3rd party lock/wipe app I triggered while dealing with my dog. (But not 100% sure there was a drop just prior and I've had stability issues since school has required me add a work profile but, of course tech support for both Microsoft and my school have zero response to inquiries)
Any way, user certificates now has two:
FindMyMobile
AttestationKey_com_wssyncmldm
And I have no idea how to verify those in any way. It's quite possible isn't it that an app could have actually installed them right?
Findmymobile, obviously is such a cert, allowing for find my mobile. It has a key a CA cert and user cert.
AttestationKey_com_wssyncmldm
Has a user key and user cert
I would say it's the school/work profile. Microsoft InTune is for enterprise IT management. If your school's IT managers don't know how to configure it, it can screw things up for everyone.
Try deleting your school profile and see what happens.
My company recently migrated from Google to Microsoft services and when I added my company as a work profile, my phone started acting wonky.
Sent from my SM-N976V using Tapatalk
I would reload and not put the crapware back on it.
It's your phone... my favorite word is No!
I have zero faith in the new MS; don't run any of their cloud junk on my 10+ and never will.
Find my device is normally present. You can disable it as a device administrator in advanced security settings.
It will auto enable on reboot or sometimes when you go to Playstore.
HungryRobotics said:
Alright, I'm in that nice panic stage where you've learned enough to scare yourself but don't know enough to reassure yourself.
Had a factory reset recently, seems likely it was due to 3rd party lock/wipe app I triggered while dealing with my dog. (But not 100% sure; there was a drop just prior and I've had stability issues since school has required me to add a work profile, but of course tech support for both Microsoft and my school have zero response to inquiries.)
Anyway, user certificates now has two:
FindMyMobile
AttestationKey_com_wssyncmldm
And I have no idea how to verify those in any way. It's quite possible, isn't it, that an app could have actually installed them, right?
Findmymobile, obviously, is such a cert, allowing for find my mobile. It has a key, a CA cert and user cert.
AttestationKey_com_wssyncmldm
Has a user key and user cert
So are these both normal then?
sirv said:
So are these both normal then?
I don't know. I don't have a work profile set, and I show no user certificates.
The names seem off too. I see why the OP was a bit shook up. I'm running an AT&T 10+
Here's how they show on my 10+, it's running fast and clean.
sirv said:
So are these both normal then?
Find my mobile is for find my mobile being active when you have a VPN that may block it.
The other I still don't know but may be Knox related under same circumstances.
Thank you, @blackhawk and @HungryRobotics
I had a similar guess, that findmymobile was the Samsung service. Since I was using a VPN-based ad block (Adguard), it makes sense that it appeared there.
As for the other one (AttestationKey_com_wssyncmldm), I'm still not sure, but I wonder if it was for the Link to PC service.
It's alarming to find anything in User Certificates, honestly, and there seems no way to get information that they are legit. My hope is that it is only the system apps that can install certificates without user intervention.
sirv said:
Thank you, @blackhawk and @HungryRobotics
I had a similar guess, that findmymobile was the Samsung service. Since I was using a VPN-based ad block (Adguard), it makes sense that it appeared there.
As for the other one (AttestationKey_com_wssyncmldm), I'm still not sure, but I wonder if it was for the Link to PC service.
It's alarming to find anything in User Certificates, honestly, and there seems no way to get information that they are legit. My hope is that it is only the system apps that can install certificates without user intervention.
wssyncmldm is the infamous AT&T updater usually listed as in my previous screen shot.
Seems it might have something to do with this.
My guess is it has to do with setting up the work profile.
If it was there on the AT&T stock rom, after a factory reset it should be ok.
Maybe check with AT&T.
blackhawk said:
wssyncmldm is the infamous AT&T updater usually listed as in my previous screen shot.
Seems it might have something to do with this.
My guess is it has to do with setting up the work profile.
If it was there on the AT&T stock rom, after a factory reset it should be ok.
Maybe check with AT&T.
I don't have AT&T, but it could be an updater for my carrier.
sirv said:
I don't have AT&T, but it could be an updater for my carrier.
Those apps have every permission under the sun. Check to see what is set as system administrators. Find my Device will be there.
I don't know.
Maybe it's nothing but what if it's something
I found these and other User Certificates on another device, too. It's disconcerting. Is it known, can any app install User Certificates?
This may be helpful:
How To Remove all Stored Certificates on Android - Technipages
Ever been greeted by a popup saying, "The certificate doesn't come from a trusted authority?" when trying to access a website? These security certificates
www.technipages.com
Lockdown time, add Karma Firewall, a VPN based freeware app that uses almost no battery and has logging. Can run at boot up.
I also use this setting to globally block ads...
blackhawk said:
This may be helpful:
How To Remove all Stored Certificates on Android - Technipages
Ever been greeted by a popup saying, "The certificate doesn't come from a trusted authority?" when trying to access a website? These security certificates
www.technipages.com
Lockdown time, add Karma Firewall, a VPN based freeware app that uses almost no battery and has logging. Can run at boot up.
I also use this setting to globally block ads...
It's strange, I can find nothing online about common entries in User Certificates on Android. My thought is that they get generated when VPN is used, such as AdGuard.
Thanks for the Private DNS tip for ad blocking. In the meantime, I have been using Disconnect Pro (based on Knox).
sirv said:
It's strange, I can find nothing online about common entries in User Certificates on Android. My thought is that they get generated when VPN is used, such as AdGuard.
Thanks for the Private DNS tip for ad blocking. In the meantime, I have been using Disconnect Pro (based on Knox).
Can you delete them?
If you don't do/want OTA updates wssyncmldm isn't needed.
I'm still happily running on Pie...

SOS! Please HELP - XM10T5G Down[&up]grading..

Have the Xiaomi Mi 10T 5G, which comes with Android 10 / MIUI 12 [Sort of combination of them I think], and I wanna install an older version of Android only, lower than 10 [Preferably 7.0], is it possible to do at all? If so, then how exactly can I do that? If possible with exact instruction or guide to it..
Thanks ahead..
PEACE AND LOVE!
Not possible. I am really curious why would you even want that.
_mysiak_ said:
Not possible. I am really curious why would you even want that.
For many reasons.. They changed it in some very bad way in my opinion.. like the auto turning on WiFi by some apps, like some apps that don't have widgets, the call recording issue and many more very annoying unreasonable changes they did on A10 on.. saw also they only allow FBE encryption instead of FDE which is much better [That I can see for huge 128, 256 or maybe 512 Gigs Storages but still it should be up to the user decision not forcing]
So you say it's completely impossible? Even if flash universal / rooted ROM? No way at all?! Cause man those are really annoying stuff especially to the tech Pros and/or savvies like us, and I know that since I saw many threads and posts in other forums about those issues too.. Maybe some giving up or thinking it's advancements, but really, maybe big money involved, espionage, and many more possible reasons they're doing it.. It's bad, really bad..
* BTW sorry for the multiple threads, didn't know it's spamming and I'm not very involved in the forums world..
Thanks ahead.
Jeff1976A1 said:
For many reasons.. They changed it in some very bad way in my opinion.. like the auto turning on WiFi by some apps, like some apps that don't have widgets, the call recording issue and many more very annoying unreasonable changes they did on A10 on.. saw also they only allow FBE encryption instead of FDE which is much better [That I can see for huge 128, 256 or maybe 512 Gigs Storages but still it should be up to the user decision not forcing]
So you say it's completely impossible? Even if flash universal / rooted ROM? No way at all?! Cause man those are really annoying stuff especially to the tech Pros and/or savvies like us, and I know that since I saw many threads and posts in other forums about those issues too.. Maybe some giving up or thinking it's advancements, but really, maybe big money involved, espionage, and many more possible reasons they're doing it.. It's bad, really bad..
* BTW sorry for the multiple threads, didn't know it's spamming and I'm not very involved in the forums world..
Thanks ahead.
To be honest I don't understand any of your points.
1. Wifi can still be turned on by apps, you just need to enable the permission (allow always vs. allow only when app is running in foreground).
2. Call recording is working in regions where it's not forbidden by privacy laws.
3. FBE is much better because it allows you to start the phone with basic service without using the password. Not sure why you consider FDE to be superior.
4. Well, you can try to build your own Android 7 ROM from old sources, but you're going to have a fun time adapting to vendor partition/proprietary files created for Android 10 or 11. Also using several years old code which is not supported or patched anymore is quite an interesting approach to security.
_mysiak_ said:
To be honest I don't understand any of your points.
1. Wifi can still be turned on by apps, you just need to enable the permission (allow always vs. allow only when app is running in foreground).
2. Call recording is working in regions where it's not forbidden by privacy laws.
3. FBE is much better because it allows you to start the phone with basic service without using the password. Not sure why you consider FDE to be superior.
4. Well, you can try to build your own Android 7 ROM from old sources, but you're going to have a fun time adapting to vendor partition/proprietary files created for Android 10 or 11. Also using several years old code which is not supported or patched anymore is quite an interesting approach to security.
Maybe it's regional or SROMs based issue, but the vendor of the app said it's not allowed on Android 10 and on, and I did confirm the permission to turn on WiFi automatically, but maybe there's some other settings that I missed and that guy was wrong, I'd love if you can show how to enable it globally and/or to just the auto file sync I use, cause I tried many times even with manual syncing [by clicking the Sync button when WiFi is off, it started and turn it off automatically on Android 7.0.. Of course also for time interval based sync]..
Jeff1976A1 said:
Maybe it's regional or SROMs based issue, but the vendor of the app said it's not allowed on Android 10 and on, and I did confirm the permission to turn on WiFi automatically, but maybe there's some other settings that I missed and that guy was wrong, I'd love if you can show how to enable it globally and/or to just the auto file sync I use, cause I tried many times even with manual syncing [by clicking the Sync button when WiFi is off, it started and turn it off automatically on Android 7.0.. Of course also for time interval based sync]..
App info, permissions.
_mysiak_ said:
App info, permissions.
Hi.. Thanks for your reply.. I did that already before, but still it doesn't work.. I use FolderSync, that currently in my old Android 7.0 device, does syncing when I click Sync from within the app, while I was totally offline [Data and Wifi] so it turned on the Wifi connection [Specific home network], and also on Scheduled I inserted the Allowed Networks SSID [Which BTW when I turn on WiFi manually and it does sync it with GDrive, it says on top 'Unknown SSID' in case it matters {Had the feeling that it very much does}], I also switched it on in Data and WiFi limit it does on that Security app, which I guess is kind of firewall, and BTW I remember like 5-6 years ago I had the Lenovo A8 "Golden Warrior" that has that same kind of Security app built in with firewall and all that, but still manually at least, as I checked, it doesn't turn on the Wifi via FolderSync app.. Got a strong feeling it's due to that Unknown SSID stuff or that Security app.. Could it be?..
Jeff1976A1 said:
Hi.. Thanks for your reply.. I did that already before, but still it doesn't work.. I use FolderSync, that currently in my old Android 7.0 device, does syncing when I click Sync from within the app, while I was totally offline [Data and Wifi] so it turned on the Wifi connection [Specific home network], and also on Scheduled I inserted the Allowed Networks SSID [Which BTW when I turn on WiFi manually and it does sync it with GDrive, it says on top 'Unknown SSID' in case it matters {Had the feeling that it very much does}], I also switched it on in Data and WiFi limit it does on that Security app, which I guess is kind of firewall, and BTW I remember like 5-6 years ago I had the Lenovo A8 "Golden Warrior" that has that same kind of Security app built in with firewall and all that, but still manually at least, as I checked, it doesn't turn on the Wifi via FolderSync app.. Got a strong feeling it's due to that Unknown SSID stuff or that Security app.. Could it be?..
FolderSync doesn't turn Wifi On automatically, this feature seems to be missing in the app. But I've just tested with Tasker and it is able to turn Wifi On and Off, so it's not a problem of Android version.
For Allowed SSID feature in FolderSync you must enable permanent location access.
Btw. I see no point in turning Wifi Off at any point, it uses so little power that there is next to no benefit in doing it. If you insist on some kind of automation, use Tasker in a fully controlled manner.
_mysiak_ said:
FolderSync doesn't turn Wifi On automatically, this feature seems to be missing in the app. But I've just tested with Tasker and it is able to turn Wifi On and Off, so it's not a problem of Android version.
For Allowed SSID feature in FolderSync you must enable permanent location access.
Btw. I see no point in turning Wifi Off at any point, it uses so little power that there is next to no benefit in doing it. If you insist on some kind of automation, use Tasker in a fully controlled manner.
Well your first argument is actually not true, FolderSync does turn on Wifi automatically as I do for like 4 years with my older Galaxy S6 [Great dev BTW, Samsung's first 64 bit device I think] running now Android 7.0, and also the other day and I'm sure if I'll try this right now it will actually turn on WiFi from off mode and also automatically close it when done syncing, but no matter what I did it doesn't do it on the XM10T5G, and both are updated to the latest FolderSync version the one with those tiles.. so it must be something with the operating system.. again it's some kind of Andro/MIUI OS so it has to do with one of them..
About the SSID, I did confirm the location access all the time [not just when it's used] on the Security app, is there any other place that I should enable location or any other settings that may be relating to this?..
And really? You don't see the point in using Wifi? It's much faster, more secure, and more reliable than data.. of course I don't care if it'll be 4G or 5G even better to sync, but obviously not any connection, but thanks for the Tasker Tip, I'll try that.. I've heard that somewhere I think from the gut of FolderSync..
And BTW, the call recording is legal in my country, so I did also many years but here only after trying several apps I found Cube ACR working good.. And also, some apps ask you if you confirm that Call recording is legal in your country but of course if you flash custom or different ROM, the system obviously can never tell..
Peace..
Jeff1976A1 said:
Well your first argument is actually not true, FolderSync does turn on Wifi automatically as I do for like 4 years with my older Galaxy S6 [Great dev BTW, Samsung's first 64 bit device I think] running now Android 7.0, and also the other day and I'm sure if I'll try this right now it will actually turn on WiFi from off mode and also automatically close it when done syncing, but no matter what I did it doesn't do it on the XM10T5G, and both are updated to the latest FolderSync version the one with those tiles.. so it must be something with the operating system.. again it's some kind of Andro/MIUI OS so it has to do with one of them..
About the SSID, I did confirm the location access all the time [not just when it's used] on the Security app, is there any other place that I should enable location or any other settings that may be relating to this?..
And really? You don't see the point in using Wifi? It's much faster, more secure, and more reliable than data.. of course I don't care if it'll be 4G or 5G even better to sync, but obviously not any connection, but thanks for the Tasker Tip, I'll try that.. I've heard that somewhere I think from the gut of FolderSync..
And BTW, the call recording is legal in my country, so I did also many years but here only after trying several apps I found Cube ACR working good.. And also, some apps ask you if you confirm that Call recording is legal in your country but of course if you flash custom or different ROM, the system obviously can never tell..
Peace..
I see no point in turning wifi OFF.
Anyway, good luck finding/building your perfect Android 7 ROM.
_mysiak_ said:
I see no point in turning wifi OFF.
Anyway, good luck finding/building your perfect Android 7 ROM.
Again security and energy reasons.. Think about it..
Anyway I barely know how to flash ROM, so I'm very far from building a custom one.. But at start you said it's impossible to install / flash an older Android ROM to it [XM10T5G], so you say it's possible with custom ROM?
Jeff1976A1 said:
Again security and energy reasons.. Think about it..
Anyway I barely know how to flash ROM, so I'm very far from building a custom one.. But at start you said it's impossible to install / flash an older Android ROM to it [XM10T5G], so you say it's possible with custom ROM?
Again - not possible, such ROM doesn't exist.
