Hi all,
I came across this article which explains how malcious code can be pushed on our android phones through malicious ad networks.
I will only highlight the important points and include the countermesaures which I think we can use to atleast avoid/prevent this type of malware.
1) Ads displayed within mobile apps are served by code that's actually part of those applications.
2) Application owners typically include SDK's in the application for various ad network's.
3) Not all developers verify the Ad network and if the developer does not care or simply goes with the highest bidder, then the chances of siding with a malicious ad network are high.
4) If an ad from a malicious network is displayed it can push malicious payload which runs quietly in device memory.
5) Detection by AV's can be difficult as this runs in memory and android AV's mostly verify the apk's only.
Not so good thing:
This is a very elegant approach that doesn’t really require the end-user to do anything “wrong”.
The user could download a valid application from a valid app store, and ultimately be silently infected by a disreputable ad network
--
Countermeasures:
1) Do not install applications from untrusted sources. This is configured by default under :Settings->Security->Device Administration->Unknown Sources.
2) Always verify the permissions the application is requesting.
3) Rooted phones can utilize applications like AdAway which simply block all traffic to known ad networks. (Make sure you update it frequently).
4) Av's help in atleast verifying the apk's and there are applications to detect adnetworks like (Lookout,Symantec,TrustGo Ad detectors, etc).
If I get some time, I will try to get list of known malicious networks so we can manually add them to our host file and block all traffic to these networks.
I know these networks are dymanic but blocking can be helpful even for a short time.
If you think there are more better ways to prevent/detect this then please share and benefit the community.
References:
http://researchcenter.paloaltonetworks.com/2013/08/mobile-devices-new-malware-and-new-vectors/
http://www.businessinsider.com/malware-in-mobile-advertising-2013-8
http://www.google.com/ads/admob/monetize.html
Related
Hello,
I noticed that several apps I install require that I enable my location/position.
For several of them my location has nothing to do with the purpose of the app.
For instance: Bubble Birds.
I was wondering why??! And also, are the developers using the users' location info for some reasons?
Thank you.
This is something that irks me too, and is often a deciding point on whether I buy/install said app.
I can see it as being used for statistical purposes, but still brings out the conspiracy theorist in me.
I think it might be for ads. Maybe it is for stats though
Sent from my HD7 using XDA Windows Phone 7 App
The "ID_CAP_LOCATION" capability is included by default when creating a new project. If the location requirement is derived from this, it could mean that many developers just haven't removed it before submission, making it look like the application needs location info. This would probably be pointed out during submission, though. Maybe it's for the ads?
Thank you for all the answers.
I suppose it's not for the ads. I live in France and, luckily, all the ads are totally irrevelant and in English.
arturobandini said:
Thank you for all the answers.
I suppose it's not for the ads. I live in France and, luckily, all the ads are totally irrevelant and in English.
Click to expand...
Click to collapse
On my App, I have a trial mode that uses ads. If you pass the location information to the adControl, it enhances the selection process for the ads and will provide better focused ads, which also enhances money the developers receive.
AFAIK, WP7 doesn't support the ability to say "no" to the location and still use the app. If you decline the location, the application will not run. It would be nice to deny access to Location to the app, and still let the application run.
spokanedj said:
On my App, I have a trial mode that uses ads. If you pass the location information to the adControl, it enhances the selection process for the ads and will provide better focused ads, which also enhances money the developers receive.
AFAIK, WP7 doesn't support the ability to say "no" to the location and still use the app. If you decline the location, the application will not run. It would be nice to deny access to Location to the app, and still let the application run.
Click to expand...
Click to collapse
Well they have a very strict policy with the location service, it should be comppetely turned off from within the app if the user desires, i had an app with a button to activate and find the current location and it failed certification since the user could not bypass this button! If the user does not want to supply his location dont press te button and the location service will remain off, but this was not strict enough there should have been an extra switch to deactivate this button....
Weird policy really really weird
As I understand it, not all apps are suitable for all devices (Thus the device filter drop down on google play.)
For any given search term, play.google will drown you.
Are there (links to?) threads with best of class apps by category?
(Recognizing that this is a moving target / people have their fav's.)
[Otherwise, start one here?]
In some senses, coming from a sysadmin perspective, for the purposes of this thread.
For example, it seems prudent / intuitive to be running a firewall. (iptables, presumably). Yet there are quite a number when one searches for 'firewall'. (Yet until I went looking, I've never seen 'firewall' mentioned in threads, pages, etc., I have come across.)
Or, an ssh client seems useful, yet searching on ssh reveals most need root first. (Not complaining, just haven't gotten that far.)
Links?
----
VNC (Remote control a computer, man, way more viable on Android with pinch zooming screens than I ever would have expected) - android-vnc-viewer
[Seems to 'just work'. Note: Was already set up, across multiple computers/OSs, able to VNC each other.]
You don't need a firewall. Android is a tight ecosystem that doesn't need to be protected from itself. If you really care, most ROMs already have iptables in the kernel and commandline tools already installed; just root. (You'd need to root for any firewall app anyway.)
SSH *clients* generally don't need root. Servers are another matter. Some are server/client bundles but the client part should work just fine without root. I've used ConnectBot in the past and was pleased with it, though now that my server is wrapped in a VPN my phone doesn't support, it doesn't have much use for me anymore.
roothorick said:
You don't need a firewall. Android is a tight ecosystem that doesn't need to be protected from itself. If you really care, most ROMs already have iptables in the kernel and commandline tools already installed; just root. (You'd need to root for any firewall app anyway.)
Click to expand...
Click to collapse
I think perhaps I wasn't clear, or we're forgetting about one aspect of firewalls.
I'll accept your comments (and thank you) with respect to security.
However, what I also meant by firewall was blocking - be it to nefarious sites in foreign lands, or to other unsavoury ip's - be it in, or out.
e.g. A firewall facility utilizing the bluetack lists. (I'll accept if you have a better word for such an 'app' than 'firewall'.)
Thanks for any thoughts.
Hey guys,
I am a web developer and decided to create a mobile application for Android and iOS using Phonegap. Creating the graphical interface isn't a problem, but somehow I need to store 2 tokens and a username (the app receives data from a server and somehow the user has to be authenticated. So the tokens and username get posted every time I request some data from the server). My question: I already heard about localstorage - is this a secure way to store the tokens? A https connection is available, so man-in-the-middle isn't possible. Localstorage is sandboxed, right? So there should be no problem to simply store it in this way. Or am I missing something? I already thought about encryption, but to be honest: Javascript and encryption don't make sense as you would need to somewhere store the secret and in this case it would be directly inside my JS file...
Thanks for your help!
Yes, localstorage is sandboxed so each app will have it's own dedicated space to avoid variable clashes. Though it's by no means secure in the sense that it's relatively easy to view it through external means.
As far as encryption in javascript, this depends on how secure you need it to be. Properly obfuscated JS is almost as difficult to reverse-engineer as Java byte code (though still quite doable if someone is determined enough).
To be more secure you would need to get the user to enter a password/passphrase at the beginning of each session which is only ever stored in memory and used to decrypt the data stored in the local storage using a decent open source encryption library. In this case access to the JS won't be a problem.
You need to define what types of threats you are trying to protect from. Traffic between your device and the server is protected from sniffing and tampering by HTTPS, so no problems there. But all that is local on your device could be examined, reverse engineered, and altered by the owner: local storage, encrypted or not, traffic between app and Android OS, data in RAM memory, etc. I would trust regular web component security features (cookies+HTTPS), as it is considered safe for things like online banking. But I don't think there is a way to protect data from the owner.
If you are a developer and you have apps with users, to monetize apps you should combine several ad networks to reach 100% fill rate. There are so many networks.
Questions of a format, country, type of app and fill rate expectations are of your concern.
But there is a solution that makes this choice much easier. This is new generation of mediation. The one that gives you access to many networks with single SDK.
If you try such service, you won't need to create several accounts inside this SDK. It's already there for you. You will have an access to all formats. It should be mentioned, that algorithm automatically rotates networks according to their performance.
It doubles revenue from mobile apps.
Be aware of free mediations. How it works, the mediator has a network itself. Which makes it biased on rotation process. Network pushes maximum impressions from its side and only the rest goes to fair auction. Technically mediation is free, in reality - profit comes from own network, which is being pushed more often then you might want.
Good example of a new generation of independent mediation is Adtoapp.
I am trying to register Signal for a second user on my LineageOS 17.1 on a Fairphone 3+. It fails, looping me through the process and the Google ReCaptcha. Apparently the registration needs an open port 443 and UDP traffic rights.
Unlike my first user where I sucessfully registered Signal just two days ago, the second user (mainly to be used with the second, professional SIM) appears to lack the corresponding rights. I activated multiple users in Settings --> System --> Advanced --> Multiple users. Yet only the first user is set to have admin rights. This seems to be hard-coded...
At least I couldn't find any way to influence the user rights so far. Though this thread indicates meddling with /system/build.prop could be a solution, I would rather find a solution without rooting the device.
Do you have any ideas?
Essentially, I would love some frontend for an aggregated UserManager. If there is none, could you give some hints as to how to change the variables mentioned in the link when rooted?
--
On a sidenote, the Multiple Users feature traded some of its functionality from Android 9 to Android 10 imho... while before you could grant access to specific apps on the main account, now it's really separated users with separate app installs and such. This is great for some use cases including mine, though in order to be more useful, some more options would be nice (restrictions (think about kids usage), rights management, define locations for shared data, ...).
PS: if this is the wrong forum for such a question, please point me to the right one.
Sounds like a question for stack overflow or signal support.