HTC security risk when checking for updates. - HTC One X

In order to set up my script that checks the HTC server for new software (for us long forgotten Three customers) I had to do some packet monitoring to see how the conversation has changed between the phone and the server - as I last did this during the HTC Desire days.
I am gobsmacked to find the sheer amount of information that the phone sends to HTC when performing an update check - and remember this is not an SSL conversation - this is plaintext.
This is an example of what the phone is sending to HTC unencrypted:
{"id":"","checkin":{"mcc_mnc":"23420","mid":"PJ4610000","checkin_type":"Manual","build":{"product":"endeavoru","id":"h3g_uk\/endeavoru\/endeavoru:4.0.3\/IML74K\/56522.9:user\/release-keys","revision":"0","firmware_version":"1.28.771.9 CL56522 release-keys","radio":"1.1204.103.14H","carrier":"h3g_uk","bootloader":"0.94.0000","build_type":"user","changelist":"56522","serialno":"HT23WW11XXXX"},"cid":"H3G__001","connection_media":"Wifi","client_version":"A4.0(GB)"},"model_number":"HTC One X","digest":"e975e0884266a65e23c359caf7c533","last_checkin_msec":"1345851401021","imei":"3591880XXXXXXXX","locale":"en_GB"}
Note I have replaced some numbers and letters with X to protect my phone identity.
It is bad enough that the phone is passing its serial number and IMEI number in the clear - but wait till you see what comes back:
{"time_msec":"1345852109152","stats_ok":true,"reason":"FOTACANCEL_NO_MATCH_RULE_FOR_CID","DeviceSettings":{"settingInfo":[{"value":"3","key":"powersaver_switch_2G_call","type":"int"}]},"intent":[{"action":"android.server.checkin.FOTA_CANCEL"}]}
Notice that as well as replying that there is no software update available - it is also telling the device to change a setting. I don't know what sort of things they can tell the phone to do - and a Google search for powersaver_switch_2G_call comes up empty - but I am sure that one of the many devs on here could have a look at the code regarding android.server.checkin and see what they can dig up. It is of course an unfounded worry - but there is nothing to stop someone setting up a fake access point and intercepting traffic to http://andchin.htc.com possibly returning other actions for the device to perform.
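The two bodies posted above can be audited mechanically. The Python below is an added example, not part of the original post: it lists which identifiers the check-in request carries and which settings and intents the response asks the phone to apply. Which keys count as identifiers, and all function names, are assumptions of this example.

```python
import json

# Bodies copied from the post above; the poster already masked digits with X.
CHECKIN_REQUEST = r'''{"id":"","checkin":{"mcc_mnc":"23420","mid":"PJ4610000","checkin_type":"Manual","build":{"product":"endeavoru","id":"h3g_uk\/endeavoru\/endeavoru:4.0.3\/IML74K\/56522.9:user\/release-keys","revision":"0","firmware_version":"1.28.771.9 CL56522 release-keys","radio":"1.1204.103.14H","carrier":"h3g_uk","bootloader":"0.94.0000","build_type":"user","changelist":"56522","serialno":"HT23WW11XXXX"},"cid":"H3G__001","connection_media":"Wifi","client_version":"A4.0(GB)"},"model_number":"HTC One X","digest":"e975e0884266a65e23c359caf7c533","last_checkin_msec":"1345851401021","imei":"3591880XXXXXXXX","locale":"en_GB"}'''
CHECKIN_RESPONSE = r'''{"time_msec":"1345852109152","stats_ok":true,"reason":"FOTACANCEL_NO_MATCH_RULE_FOR_CID","DeviceSettings":{"settingInfo":[{"value":"3","key":"powersaver_switch_2G_call","type":"int"}]},"intent":[{"action":"android.server.checkin.FOTA_CANCEL"}]}'''

# Assumption of this example (not HTC documentation): keys treated as
# identifiers that tie a request to one handset or subscriber.
IDENTIFIER_KEYS = {
    "imei": "handset IMEI",
    "serialno": "device serial number",
    "mid": "model ID",
    "cid": "carrier ID",
    "mcc_mnc": "home network code",
}


def walk(node, path=""):
    """Yield (path, value) for every scalar in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def exposed_identifiers(request_body):
    """Return {json_path: value} for identifier fields present in the request."""
    found = {}
    for path, value in walk(json.loads(request_body)):
        leaf = path.rsplit(".", 1)[-1]
        if leaf in IDENTIFIER_KEYS and value not in ("", None):
            found[path] = value
    return found


def server_directives(response_body):
    """Return the settings and intents the response tells the device to apply."""
    doc = json.loads(response_body)
    info = doc.get("DeviceSettings", {}).get("settingInfo", [])
    return {
        "settings": [(s.get("key"), s.get("type"), s.get("value")) for s in info],
        "intents": [i.get("action") for i in doc.get("intent", [])],
    }


def audit(url, request_body, response_body):
    """Combine transport, request and response findings into one report."""
    report = {
        "cleartext": not url.lower().startswith("https://"),
        "identifiers": exposed_identifiers(request_body),
    }
    report.update(server_directives(response_body))
    return report


if __name__ == "__main__":
    result = audit("http://andchin.htc.com", CHECKIN_REQUEST, CHECKIN_RESPONSE)
    print("sent without TLS:", result["cleartext"])
    for path, value in result["identifiers"].items():
        print(f"  identifier {path} = {value} ({IDENTIFIER_KEYS[path.rsplit('.', 1)[-1]]})")
    for key, kind, value in result["settings"]:
        print(f"  server sets {key} ({kind}) = {value}")
    for action in result["intents"]:
        print(f"  server requests intent {action}")
```

Because the exchange is plain HTTP, nothing in it lets the phone verify that the settings and intents in the response came from HTC.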

QUICK! To the tin foil hats!

TommUK said:
QUICK! To the tin foil hats!
LOL!
+1
Sent from my HTC One X using xda premium

Related

WP7 dumbed down too much - Missing features that need to be fixed QUICKLY!!!

While I am enjoying many things about Windows Phone 7 like the look, feel, general speed and the type of APPS that are appearing I am more than a little annoyed at just how dumb they have made it....
The options to tweak things are just so minimal it's almost a joke. I am not speaking as a Power User and I think this OS should not be dumber than an Iphone. As it stands I will probably still need to carry a work and personal phone as this will not do both.
Maybe everyone list sensible features that are missing from WP7 that we can collate and send to Microsoft as things that need to be fixed really soon.
Obviously if the non features listed are already available please say so...
1. Copy and Paste (coming soon)
2. Fast App Switching (probably coming soon)
3. First two lines of Text Messages show on notification bar even when screen is locked - BIG PRIVACY ISSUE!!!
4. Cannot Search Company Directory after setting up an Exchange Account (even Iphone can do this)
5. Outlook does not allow you to display email by NAME or SIZE and it does not appear you can create a SIGNATURE...
ebzrascal said:
While I am enjoying many things about Windows Phone 7 like the look, feel, general speed and the type of APPS that are appearing I am more than a little annoyed at just how dumb they have made it....
The options to tweak things are just so minimal it's almost a joke. I am not speaking as a Power User and I think this OS should not be dumber than an Iphone. As it stands I will probably still need to carry a work and personal phone as this will not do both.
Maybe everyone list sensible features that are missing from WP7 that we can collate and send to Microsoft as things that need to be fixed really soon.
Obviously if the non features listed are already available please say so...
1. Copy and Paste (coming soon)
2. Fast App Switching (probably coming soon)
3. First two lines of Text Messages show on notification bar even when screen is locked - BIG PRIVACY ISSUE!!!
4. Cannot Search Company Directory after setting up an Exchange Account (even Iphone can do this)
5. Outlook does not allow you to display email by NAME or SIZE and it does not appear you can create a SIGNATURE...
1. It's coming.
2. Coming as well.
3. That's only as soon as you get the message, it goes away after about a minute and you just have the 1. notification down the bottom.
4. No idea about exchange
5. Go to your email, go to settings then tick use an email signature and change it from 'Sent from my Windows Phone'
As stated above... most of those features are coming and so hopefully by Jan 2010 we will see much improvement in the OS feature department.
1. Copy and Paste (coming soon)
2. Fast App Switching (probably coming soon)
3. First two lines of Text Messages show on notification bar even when screen is locked - BIG PRIVACY ISSUE!!!
4. Cannot Search Company Directory after setting up an Exchange Account (even Iphone can do this)
5. Outlook does not allow you to display email by NAME or SIZE and it does not appear you can create a SIGNATURE...
1. It's coming.
2. Coming as well.
3. That's only as soon as you get the message, it goes away after about a minute and you just have the 1. notification down the bottom.
4. No idea about exchange
5. Go to your email, go to settings then tick use an email signature and change it from 'Sent from my Windows Phone'
5. Agreed - Signature can be changed..........
6. Phone APP should be linked to contacts like in WM6.5 so when you start to type a number the names that match start to appear..
Hopefully, by your hopefully, you meant "JAN 2011"
XATAGuy said:
Hopefully, by your hopefully, you meant "JAN 2011"
Yeah... my bad
7. Mainly HTC - We need a weather app with Active tile that will show location and weather and when you click it full blown HTC stuff
8. HTC Hub needs to be updated to have active tile with big HTC clock rather than lady with glasses, inside there should be similar interface as stock HTC.
9. Task manager as some apps still stay open
10. A Wifi/Bluetooth/flightmode on/off widget that can be added to tiles
11. User made folders in apps screen as list gets way too long
12. Bluetooth picture and documents transfer
13. Active twitter tile so it can download tweets and let you know if there are new
14. Active messenger tile for obvious reason
ebzrascal said:
3. First two lines of Text Messages show on notification bar even when screen is locked - BIG PRIVACY ISSUE!!!
Every phone I owned showed the last message content shortly after reception.
My Sony and Sony Ericsson dumb phones, my iPhone, both my Magic and Nexus. And now my future Trophy will.
I'm not sure what the issue is.
3. First two lines of Text Messages show on notification bar even when screen is locked - BIG PRIVACY ISSUE!!!
Every phone I owned showed the last message content shortly after reception.
My Sony and Sony Ericsson dumb phones, my iPhone, both my Magic and Nexus. And now my future Trophy will.
I'm not sure what the issue is.
It's an issue for me....
My PERSONAL message can be viewed by other people sitting next to me for example!! So if I get a HOT TEXT from my wife or DIRTY JOKE from a mate.... it's flashed up for a few seconds and is potentially embarrassing...
Windows Mobile 6.5 allowed you to switch this OFF and the dumb Nokia phones I use just notify you that you have a message which is more sensible.
ebzrascal said:
6. Phone APP should be linked to contacts like in WM6.5 so when you start to type a number the names that match start to appear..
I definitely agree! It NEEDS a smart dialer!
evilangelic said:
I definitely agree! It NEEDS a smart dialer!
I'll third that.
I agree on the Weather App for HTC so that we can have it as a tile. And the Wifi/Airplane mode tile/shortcut on the desktop.
They also need to improve Bing Navigation. Or how about just allowing Google Search and Navigation onto the phone? hehehe... obviously that won't happen, but one can dream.
And please stop treating us like idiots. I actually rather like to be able to configure things and hate when I get patronized by companies that think that I cannot cope with too many buttons. hohum...
mictho100 said:
I agree on the Weather App for HTC so that we can have it as a tile. And the Wifi/Airplane mode tile/shortcut on the desktop.
They also need to improve Bing Navigation. Or how about just allowing Google Search and Navigation onto the phone? hehehe... obviously that won't happen, but one can dream.
And please stop treating us like idiots. I actually rather like to be able to configure things and hate when I get patronized by companies that think that I cannot cope with too many buttons. hohum...
Come on, at least we now have a camera button.
ebzrascal said:
It's an issue for me....
My PERSONAL message can be viewed by other people sitting next to me for example!! So if I get a HOT TEXT from my wife or DIRTY JOKE from a mate.... it's flashed up for a few seconds and is potentially embarrassing...
Windows Mobile 6.5 allowed you to switch this OFF and the dumb Nokia phones I use just notify you that you have a message which is more sensible.
So, you're one of the people that always need to put their phone into view of every one, instead of your pocket, just to show off or what?
ebzrascal said:
3.
It's an issue for me....
My PERSONAL message can be viewed by other people sitting next to me for example!! So if I get a HOT TEXT from my wife or DIRTY JOKE from a mate.... it's flashed up for a few seconds and is potentially embarrassing...
Windows Mobile 6.5 allowed you to switch this OFF and the dumb Nokia phones I use just notify you that you have a message which is more sensible.
Dude, I have to say my girlfriend's iPhone does this, my X1i does this (both when it was 6.1 and now 6.5), the guy who sits behind me at work with a Desire does it. The notification usually disappears fairly quickly.
I sort of sympathise where you are coming from but, if someone at your office goes to read your notification on your phone if it is on your desk, your issue is with your colleague and you need to slap them upside their head and tell them to behave.....and to be honest, you'll probably forward that dirty joke onto them anyway and most probably let them know what your wife has in store for you when you get home just to make them jealous
Dude, I have to say with those other phones you can disable the text on the lock screen. Don't know if this is possible with the iPhone though.
vetvito said:
Dude, I have to say with those other phones you can disable the text on the lock screen. Don't know if this is possible with the iPhone though.
True, you can although I haven't and I'm waiting for the gf to get in the shower so I can play with her iPhone ... but my comment I think is still valid. Colleagues shouldn't be invading privacy.
chubnut said:
True, you can although I haven't and I'm waiting for the gf to get in the shower so I can play with her iPhone ... but my comment I think is still valid. Colleagues shouldn't be invading privacy.
It's about Microsoft limiting choice to a stupid level or not thinking things through. In this case I don't want personal or business information that is intended for me to be seen by someone else. I don't think people are intentionally invading space really because it might be an innocent reaction of someone's eyes being drawn to a message flashing on the screen of my phone.
I actually need my phone to be visible to react to missed calls etc... Not to show it off as someone suggested!! I don't want to hide my phone every time someone walks over to my desk to discuss something with me.
Those are really valid points.
ebzrascal said:
It's about Microsoft limiting choice to a stupid level or not thinking things through. In this case I don't want personal or business information that is intended for me to be seen by someone else. I don't think people are intentionally invading space really because it might be an innocent reaction of someone's eyes being drawn to a message flashing on the screen of my phone.
I actually need my phone to be visible to react to missed calls etc... Not to show it off as someone suggested!! I don't want to hide my phone every time someone walks over to my desk to discuss something with me.
Look - I'm not disagreeing with you about the fact that they should give us all the relevant options. I love to tinker and tinker with everything and I want the same options as you. My phone also sits on my desk in a desk stand in plain view so I can do just as you do. I have people constantly coming to my desk. If the phone goes off, it goes off but I continue dealing with the matter at hand and fix their attention to me not my phone - or they get a slap .

[VULNERABILITY] !important security exploit!

Very Important - Security Exploit for HTC Desire
I suggest you read the entire post and DO NOT IGNORE IT, the HTC Desire is DEFINITELY VULNERABLE
As some of you might know, the Samsung phone remote wipe exploit is not limited to Samsung phones, in fact, older HTC models such as the HTC Desire are vulnerable too!
If you are unaware, read all about it on this link {siliconrepublic.com} - It's NOT limited to Samsung phones, I can confirm that UK HTC phones are vulnerable too, including the Desire!
This webpage when viewed on your phone will tell you if you are vulnerable:
http://dylanreeve.com/phone.php
Simply navigate to it and if it displays your IMEI number then you are vulnerable.
A simple way of being notified if your phone is being attacked by a malicious SMS or webpage is by installing TelStop:
https://play.google.com/store/apps/details?id=org.mulliner.telstop
It will open the default application selector when you hit a webpage that is trying to dial a number, when you choose telstop it will inform you if the number is malicious or not!
If you are not sure about visiting that page, I suggest you view it from a desktop or laptop computer and check the source code yourself.
This line will show your IMEI number:
Code:
<iframe src="tel:*%2306%23" />
It's an incredibly obvious and simple exploit and I'm in disbelief that it's gone unnoticed for so long, all it takes is opening an SMS or going on a dodgy webpage and then your sim and phone are wiped and potentially bricked.
My phone is a UK HTC Desire with Oxygen ROM 2.3.2, Android version 2.3.7
UPDATE: Looks like the HTC Desire might not have a reset dialer code, making the vulnerability not as bad, but we need confirmation on this one.
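For anyone checking page source as suggested above, the check can be scripted. This Python is an added example, not from the original post and not how TelStop works: it finds tel: URIs in HTML, decodes them, and flags those that carry a `*`/`#` code inside a tag that loads without a tap. The tag list, the function names and the second sample line are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumption of this example: tags whose URL attribute the browser loads while
# rendering the page, without the user tapping anything.
AUTO_LOAD_TAGS = {"iframe", "frame", "embed", "img", "object", "script"}

# The <a> line is a constructed ordinary click-to-call link for comparison;
# the <iframe> line is the test markup quoted in the post above.
SAMPLE_HTML = '''
<a href="tel:+441234567890">Call us</a>
<iframe src="tel:*%2306%23" />
'''


class TelUriFinder(HTMLParser):
    """Collect every attribute value that uses the tel: scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags via handle_startendtag().
        for name, value in attrs:
            if not value:
                continue
            uri = value.strip()
            if uri[:4].lower() != "tel:":
                continue
            dialed = unquote(uri[4:])  # %23 -> '#', %2A -> '*'
            self.findings.append({
                "tag": tag,
                "attr": name,
                "dialed": dialed,
                # '*' or '#' means a service/USSD-style code, not a phone number.
                "mmi_code": "*" in dialed or "#" in dialed,
                "auto_load": tag in AUTO_LOAD_TAGS,
            })


def scan(html):
    """Return one finding per tel: URI found in the markup."""
    finder = TelUriFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def risky(findings):
    """Codes that would reach the dialer with no user action."""
    return [f for f in findings if f["mmi_code"] and f["auto_load"]]


if __name__ == "__main__":
    for item in scan(SAMPLE_HTML):
        label = "RISKY" if item in risky([item]) else "ok"
        print(f'{label:5} <{item["tag"]} {item["attr"]}> dials {item["dialed"]!r}')
```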
Latest Sandvold Build is vulnerable.
Btw.: HTC One X with Stock Rom too ...
Hehe I don't know what's with all the paranoia about security unless you're trading government secrets or doing a lot of online banking via your phone I don't think this should be a real issue. For me this is crazy but happy for people who really worry about security issues so at least they can check it out.
Sent from my HTC Desire using xda app-developers app
Fix for this exploit: https://play.google.com/store/apps/details?id=com.voss.notelurl
Article concerning exploit-fix: http://www.heise.de/security/meldung/Schutz-vor-Fernloeschung-von-Samsung-Smartphones-1717765.html (Sorry, only in German - try to Google Translate it)
Another exploit-check website: http://heise.de/ussd
I run latest nightly CM7 on my desire and tried the reset code *2767*3855# and can confirm it didn't reset

Weird Download Hours After Getting the OTA

So, I just OTAed to 4.2 and, a short while later, I noticed a small spike in my traffic graphs at home. Looking at this further, my GN just slowly downloaded a ~280MB file from Google. What this is, I don’t know, but I’ll try to have a look at my logcat in a bit. Anyone else seeing this strangeness? Here’s proof from my NetFlow collector at home (GN address has been obfuscated using an RFC 5737 address and, yes, I’m a geek):
Code:
Top 20 flows ordered by bytes:
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2012-11-20 23:32:18.285 1258.000 TCP 173.194.55.175:80 -> 192.0.2.1:54697 187760 279.9 M 1
BinkXDA said:
So, I just OTAed to 4.2 and, a short while later, I noticed a small spike in my traffic graphs at home. Looking at this further, my GN just slowly downloaded a ~280MB file from Google. What this is, I don’t know, but I’ll try to have a look at my logcat in a bit. Anyone else seeing this strangeness? Here’s proof from my NetFlow collector at home (GN address has been obfuscated using an RFC 5737 address and, yes, I’m a geek):
Code:
Top 20 flows ordered by bytes:
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2012-11-20 23:32:18.285 1258.000 TCP 173.194.55.175:80 -> 192.0.2.1:54697 187760 279.9 M 1
Was it thru wifi? Or 3g?
Sent from my Galaxy Nexus using Tapatalk 2
negrobembon said:
Was it thru wifi? Or 3g?
It was via Wi-Fi. I reviewed my logcat and couldn't find anything related to this. If someone could give me a hint as to where or what to look for further, I'd gladly do so.
BinkXDA said:
It was via Wi-Fi. I reviewed my logcat and couldn't find anything related to this. If someone could give me a hint as to where or what to look for further, I'd gladly do so.
And did your phone reboot after that? Could it be that Google is pushing fixes and testing them with us takju users?
moisesgl said:
And did your phone reboot after that?
Nope.
moisesgl said:
Could it be that Google is pushing fixes and testing them with us takju users?
Perhaps, but I see no sign of this.
YouTube subscribed feeds?
Sent from my Galaxy Nexus using xda premium
Soldier 2.0 said:
YouTube subscribed feeds?
Hrm. I think you have hit this one on the head. Looking at the storage of my phone, it does show YouTube using 280MB. That said, my Preloading settings for YouTube do not have subscriptions checked, but watch later is—and, while I’ve never knowingly added anything to watch later, it appears there were a few videos in there from long ago. I’ve since emptied my watch later queue—and I’ll see if this reduces the amount of space YouTube uses. So I think this might be the culprit—and I’ll report back—but it is a bit curious that this only happened after the 4.2 update (perhaps this storage is purged on OS updates?).

Hi. Contactive. We have cake.

Hi,
We make Contactive(it's an app)(just to make sure we're on the same page here). It's guaranteed to (insert sips ref here) rustle your jimmies.
We've received some great feedback lately and we're hungry like a wolf for moar. That's where you come in:fingers-crossed:. Fill our suggestion box full of stuff. Types of feedback that we like to munch on:
- all positive comments
- A bunch of five stars pls
- words that want to make us cry
- And I'm legally bound to ask for some constructive criticism. Not too much though. Our devs get angry pretty easily (please do not tweet to contactive that I said that).
Also too our lead dev is single(lololololol) he likes to go on very brief walks on the beach, he gets tired very easily, and his fave movie is the about the ring.
I guess I should say something about the app now. Um, well it makes your phone ring, or vibrate, when you get a call. It tells you if a celebrity is calling you like Dr. Dre or if it's your mailman, or if it's just your mum.
But wait there's more:highfive:, if your mom's on twitter, and let's face it there's like a 99% chance she is, it will show you her latest tweet before you pick up her call... you'll be prepared. Also too it'll import all of your friends from Facebook, Twitter, Linkedin (if you have a job), and Gmail to your phone's address book. It identifies unknown callers too by crawling over the inter-webs for all public information connected to that number (i.e. location, name, a picture if available, and some other stuff I can't remember).
Seriously though
http://contactive.com/
https://play.google.com/store/apps/...forums&utm_medium=XDADevelopers&utm_term=post
Also I forgot to say that our website is the bees knees, so click the link in the op. pls.
contactive_dave said:
Hi,
We make Contactive(it's an app)(just to make sure we're on the same page here). It's guaranteed to (insert sips ref here) rustle your jimmies.
We've received some great feedback lately and we're hungry like a wolf for moar. That's where you come in:fingers-crossed:. Fill our suggestion box full of stuff. Types of feedback that we like to munch on:
- all positive comments
- A bunch of five stars pls
- words that want to make us cry
- And I'm legally bound to ask for some constructive criticism. Not too much though. Our devs get angry pretty easily (please do not tweet to contactive that I said that).
Also too our lead dev is single(lololololol) he likes to go on very brief walks on the beach, he gets tired very easily, and his fave movie is the about the ring.
I guess I should say something about the app now. Um, well it makes your phone ring, or vibrate, when you get a call. It tells you if a celebrity is calling you like Dr. Dre or if it's your mailman, or if it's just your mum.
But wait there's more:highfive:, if your mom's on twitter, and let's face it there's like a 99% chance she is, it will show you her latest tweet before you pick up her call... you'll be prepared. Also too it'll import all of your friends from Facebook, Twitter, Linkedin (if you have a job), and Gmail to your phone's address book. It identifies unknown callers too by crawling over the inter-webs for all public information connected to that number (i.e. location, name, a picture if available, and some other stuff I can't remember).
Seriously though
http://contactive.com/
https://play.google.com/store/apps/...forums&utm_medium=XDADevelopers&utm_term=post
The app looks pretty nice ... :good: ... And the WebSIte Design ... AWESOME !! (may i ask who made the website ?) .... Keep up ... !! :good:
Looks awesome. can we get a dark theme?
this apps sounds good, gonna give a try. thread subscribe. thks to dev team :good:
I'm not trying to discredit your app but what does it bring that the others don't have ? I tried it works exactly like https://play.google.com/store/apps/details?id=com.callapp.contacts that is my main contacts app
Giving it a try; seems like a useful application, but I am a little concerned about the massive consolidation of personal information. The privacy policy is a good read!
Can you add a feature to remove duplicate numbers in phone contacts
This is good:good:, but feel they have two or more contacts,
numbers on the phone does not directly connect to facebook
hanifbsk said:
Can you add a feature to remove duplicate numbers in phone contacts
This is good:good:, but feel they have two or more contacts,
numbers on the phone does not directly connect to facebook
what do you mean by duplicate numbers?
hisname said:
what do you mean by duplicate numbers?
I have a lot of duplicate numbers in the phone
eg for my number, there are 4 same name in the phonebook,
and it automatically removes it,
and hope this app can change the google phonebook, not only the number on the application
niranjan94 said:
The app looks pretty nice ... :good: ... And the WebSIte Design ... AWESOME !! (may i ask who made the website ?) .... Keep up ... !! :good:
thanks! our in-house front-end guy plus designer made it.
honki24 said:
Looks awesome. can we get a dark theme?
We've had a few requests for theme customization. right now, we're busy with bug fixes and core features, but we're hoping to get to a place where we can work on themes. We know the blue is super bright, and some people like it, some people don't.
exadeci said:
I'm not trying to discredit your app but what does it bring that the others don't have ? I tried it works exactly like https://play.google.com/store/apps/details?id=com.callapp.contacts that is my main contacts app
Yeah. CallApp is our main competitor - and right now we do pretty much the same thing. But we're tryna eventually leapfrog them.
hanifbsk said:
Can you add a feature to remove duplicate numbers in phone contacts
This is good:good:, but feel they have two or more contacts,
numbers on the phone does not directly connect to facebook
Not sure what's happening there but Contactive SHOULD be taking care of your duplicate numbers. There's also an option to manually merge/link profiles when you go into an individual profile and hit settings. Could you shoot us an email at [email protected]?
PS. Thank you to @TheRomMistress for the article!
I'm trying to wrap my brain around how your app works and where the line in privacy is.
Without actually installing your app, my theory is...
* Your app takes a snapshot of my address book and pushes that to a 3rd party service
* This service builds up a database of numbers, names, and useful information to find people on social networking sites
* Some of this information is pushed back down to the user for their particular contact
* Once a call comes in, if the user already exists the app should know which accounts on what social networks to poll for the caller's most recent postings
* If the caller doesn't exist in the address book, a quick ping off to the 3rd party service is made to request any known information on this new caller's phone number, and that's pushed back down to the user and relevant content is shown
Is all that approximately correct or do I have it all backwards? Thanks!
I'm really liking the layout of this app. Good work! Could you guys incorporate a way to turn off the dialer sound?
rubin110 said:
I'm trying to wrap my brain around how your app works and where the line in privacy is.
Without actually installing your app, my theory is...
* Your app takes a snapshot of my address book and pushes that to a 3rd party service
* This service builds up a database of numbers, names, and useful information to find people on social networking sites
* Some of this information is pushed back down to the user for their particular contact
* Once a call comes in, if the user already exists the app should know which accounts on what social networks to poll for the caller's most recent postings
* If the caller doesn't exist in the address book, a quick ping off to the 3rd party service is made to request any known information on this new caller's phone number, and that's pushed back down to the user and relevant content is shown
Is all that approximately correct or do I have it all backwards? Thanks!
I totally agree with RUBIN110. Big concern is privacy. I'm not trying to discredit your app but App from New York... What about NSA? What about U.S. and British government mass surveillance programs?
I really like the look of the app and I want to use it, but I'm concerned about the privacy aspects.
Do you collect the data and use or store it outside of this app?
rubin110 said:
I'm trying to wrap my brain around how your app works and where the line in privacy is.
Without actually installing your app, my theory is...
* Your app takes a snapshot of my address book and pushes that to a 3rd party service
* This service builds up a database of numbers, names, and useful information to find people on social networking sites
* Some of this information is pushed back down to the user for their particular contact
* Once a call comes in, if the user already exists the app should know which accounts on what social networks to poll for the caller's most recent postings
* If the caller doesn't exist in the address book, a quick ping off to the 3rd party service is made to request any known information on this new caller's phone number, and that's pushed back down to the user and relevant content is shown
Is all that approximately correct or do I have it all backwards? Thanks!
As the lowly intern, this is my understanding of how it works - from both asking a bunch of questions and sitting next to the dev guys everyday listening to what they talk about:
You got it mostly correct.
1. yes. The app saves your address book in Contactive's database and stores links (not info) to matching social network profiles. This info is NOT shared with 3rd party services.
2. yes. The service builds up a database of the following: name, number, social network IDs
3. yes. The info you see for a particular contact all depends on what info you can see if you were to visit that user's Facebook page. For example, if you are friends with Alex, all of the info you can normally see on Alex's Facebook will show up within Contactive. If you are NOT friends with Alex, only the info Alex has made public will be seen within Contactive.
4. yes - IF 1. you are friends with them already on the social networks you connect to Contactive, and/or 2. Contactive's database has connected that number to a specific social network account.
5. yes. If the caller doesn't exist in your address book, requests are sent to Contactive's database and third parties such as yelp, facebook, etc - all the different sources we use.
gaquarian said:
I totally agree with RUBIN110. Big concern is privacy. I'm not trying to discredit your app but App from New York... What about NSA? What about U.S. and British government mass surveillance programs?
We're pretty sure if the NSA wanted any of the info we have, they can get it off of Facebook. LOL
imtoomuch said:
I really like the look of the app and I want to use it, but I'm concerned about the privacy aspects.
Do you collect the data and use or store it outside of this app?
Nope. We don't use or store it for anything other than to bolster our caller ID feature. We won't sell any of our information either.
Are you able to add an option to silence the key press tone?
peedub said:
Are you able to add an option to silence the key press tone?
You're actually the second person today to ask about that. I'll bring it up to the dev team and report back.
Looks cool. Any plans for a dark theme and integrating call block (damn telemarketers)?
Sent from my SGH-T999 using Tapatalk 2

heartbleed bug

xda-developers.com is listed as one of the sites affected by the heartbleed bug, but testing tool now shows no vulnerability. A quick search shows no
Why aren't you bragging about patching this bug and how awesome you are at protecting our data?
At the very least, a notice about what's being done to protect xda and how it affects users would be much appreciated.
dstarfire said:
xda-developers.com is listed as one of the sites affected by the heartbleed bug, but testing tool now shows no vulnerability. A quick search shows no
Why aren't you bragging about patching this bug and how awesome you are at protecting our data?
At the very least, a notice about what's being done to protect xda and how it affects users would be much appreciated.
I'm curious what site it was listed on?
Just for anyone who is interested...
As soon as the severity of the flaw was clear, we began updating our machines. Some services use pre-built packages and others use custom-compiled software (using the flawed openssl version). We updated all of our services within 30 minutes or so.
The forum.xda-developers.com hostname uses a 3rd party service who was still vulnerable to heartbeat after we patched our internal services. We opened a ticket with them - I'm sure by that point they were aware of the issue and a fix was already in the works. About an hour after that they had patched their services.
This is definitely one of the worst security flaws in the history of the internet - you pretty much have to assume that any communications thought protected by https have been compromised unless there were other protections in addition to SSL.
https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
please patch asap
Isriam said:
https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
please patch asap
That list is old... see my statement above.
That's fine, but just so you know, that link is posted on the front page of msn.com under Heartbleed headlines.
Isriam said:
That's fine, but just so you know, that link is posted on the front page of msn.com under Heartbleed headlines.
Sure, but not too much I can do about old information.
The link loriam posted is the one I found xda mentioned on. However, before I posted, I also checked a live testing website that showed xda as safe.
If anybody is interested, the url for that site is filippo.io/Heartbleed/
Unless there is updated information that I was unable to see, your SSL certificate is showing as being from 7 months ago. Shouldn't it be updated since that was part of the information that was vulnerable to Heartbleed?
Are there any plans to replace and revoke the SSL certificates that were on the vulnerable servers? Since there are no logs it is impossible to know if anyone was able to obtain the private key for these certificates, and until revoked xda remains vulnerable to stealth MITM attacks.
wto605 said:
Are there any plans to replace and revoke the SSL certificates that were on the vulnerable servers? Since there are no logs it is impossible to know if anyone was able to obtain the private key for these certificates, and until revoked xda remains vulnerable to stealth MITM attacks.
New certs are in process... the CAs are a bit backlogged.
We are vulnerable to stealth MITM attacks only if someone has recorded/intercepted our traffic, and also if someone was able to decode our private key. Of which both are unlikely (but possible). So while we do work to replace our certs, the priority is "hey, we are doing this" and not "hey, let's shut down our ssl services."
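The certificate question raised in the posts above, as an added example that is not part of the thread: a small audit that flags certificates issued before the OpenSSL patch time and, going one step beyond the discussion, certificates reissued afterwards that still carry a key used before the patch. The hosts, dates and key pins are constructed, and the `spki_sha256` field (hex SHA-256 of the public key) is a hypothetical inventory field, not something `ssl.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data: hosts, dates and key pins are made up.
PATCHED_AT = datetime(2014, 4, 8, tzinfo=timezone.utc)
INVENTORY = [
    {"host": "www.example.test", "notBefore": "Sep  9 00:00:00 2013 GMT",
     "spki_sha256": "aa" * 32},   # issued months before the patch
    {"host": "api.example.test", "notBefore": "Apr 10 00:00:00 2014 GMT",
     "spki_sha256": "aa" * 32},   # new certificate, old key
    {"host": "forum.example.test", "notBefore": "Apr 11 00:00:00 2014 GMT",
     "spki_sha256": "bb" * 32},   # new certificate, new key
]

def issued_at(not_before):
    """Parse a notBefore string in the format ssl.getpeercert() returns."""
    seconds = ssl.cert_time_to_seconds(not_before)
    return datetime.fromtimestamp(seconds, timezone.utc)

def audit(inventory, patched_at):
    """Map each host to the action its certificate needs."""
    # A key in service before the patch was held in the memory of a
    # vulnerable server, so it is treated as exposed from then on.
    exposed = {c["spki_sha256"] for c in inventory
               if issued_at(c["notBefore"]) < patched_at}
    result = {}
    for c in inventory:
        if issued_at(c["notBefore"]) < patched_at:
            status = "replace-and-revoke"
        elif c["spki_sha256"] in exposed:
            # A fresh certificate wrapped around the old key fixes nothing.
            status = "reissued-with-exposed-key"
        else:
            status = "ok"
        result[c["host"]] = status
    return result

if __name__ == "__main__":
    for host, status in audit(INVENTORY, PATCHED_AT).items():
        print(f"{host:22} {status}")
```
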
bitpushr said:
New certs are in process... the CAs are a bit backlogged.
We are vulnerable to stealth MITM attacks only if someone has recorded/intercepted our traffic, and also if someone was able to decode our private key. Of which both are unlikely (but possible). So while we do work to replace our certs, the priority is "hey, we are doing this" and not "hey, let's shut down our ssl services."
I totally agree (and believe me I'm hating this crap as much as I'm sure you guys are)... I just wanted to make sure it was in progress as I'm waiting to change my password until then.
Well, I'm glad that you guys are taking the necessary steps to keep your and your users' information safe. I feel bad for whoever would try and hack XDA-Developers, because they would probably receive a huge backlash.
Probably bad enough to melt their computer.
Sent from my dictionary.
Some progress in updating Android's vulnerable OpenSSL 1.0.1e? Heartbleed is disabled (for me), but somehow I imagine unwanted changes, like from apps etc.
Sent from my GT-I9505 using xda app-developers app
GrammarNazi said:
Well, I'm glad that you guys are taking the necessary steps to keep your and your users' information safe. I feel bad for whoever would try and hack XDA-Developers, because they would probably receive a huge backlash.
Probably bad enough to melt their computer.
Sent from my dictionary.
We would blow up all mobiles they own. Mwahahahah!
Sent from my HTC Explorer A310e using XDA Premium 4 mobile app
Our new SSL certificates are in place.
Glad to hear we're safe. Maybe XDA should force all users to change their passwords? In the security world it's just better off and safer to assume everything was compromised.
Sent from my Galaxy S4 using Tapatalk
bitpushr said:
Our new SSL certificates are in place.
Hi bitpushr,
How do I use the secured connection when logging in and/or changing my password in this forum? I haven't noticed any SSL connection when logging in and/or changing my password from the control panel.
Online test for Heartbleed
There are sites that will test for it.
