Discover and read the best of Twitter Threads about #Android
Most recents (24)
Quick Review of the #NSSFGoApp
1. Login requires phone number and email yet estatement portal requires NSSF No.
2. There is a popup display ~XXXXXX~ maybe the developers left it in there
3. When one enters email the app checks for SMS … received
1. Login requires phone number and email yet estatement portal requires NSSF No.
2. There is a popup display ~XXXXXX~ maybe the developers left it in there
3. When one enters email the app checks for SMS … received
#NSSFGoApp review
4. Why does the app need access to media on my phone? Why is the external permission necessary for an app that provides information? #AppSecurity
5. Hamburger menu in top left hand corner does not work
4. Why does the app need access to media on my phone? Why is the external permission necessary for an app that provides information? #AppSecurity
5. Hamburger menu in top left hand corner does not work
6. No way to log out of the app - so deleted don’t want my NSSF information lying around on my phone un-secured
Testing Platform: #OnePlusTwo #Android 8.1.0 #LineageOs 15.1-20180918
Testing Platform: #OnePlusTwo #Android 8.1.0 #LineageOs 15.1-20180918
Qualche considerazione a caldo (a tiepido) sul caso #Google #Android-#Commissione.
#thread
europa.eu/rapid/press-re…
#thread
europa.eu/rapid/press-re…
1) La Commissione ha comminato a Google un'ammenda di 4,34 miliardi di euri. Si tratta della multa più alta nella storia dell'antitrust mondiale e quasi doppia il precedente record: la multa di 2,42 miliardi di euri inflitta nel 2017 dalla Commissione... a Google.
2) L'entità della sanzione – che la Commissione avrebbe potuto fissare fino a un massimo di 9,45 miliardi, ma gli analisti stimavano intorno ai 2,5 miliardi – spiega molto della portata del caso. Il futuro politoc del commissario Vestager sarà definito dal caso (dai casi) Google.
Thread (1/7): @TheEconomist published a Special Report Titled "Fixing the #Internet", which relied on #Centralisation as its core lens
Huge victory for a technical community that has spent decade explaining how the architecture & ethos of the internet are under attack.
6 arts!
Huge victory for a technical community that has spent decade explaining how the architecture & ethos of the internet are under attack.
6 arts!
2. "But like Sir Tim, many people have recently become more critical of it (...) At the heart of their disenchantment, this special report will argue, is that the internet has become much more “centralised” than it was even ten years ago."
economist.com/special-report…
economist.com/special-report…
3. #Decentralisation is ultimately a question of #democracy. As digital technology penetrates society ever more deeply & the two become ever more intertwined, the rules of the former will increasingly govern the latter" economist.com/special-report…
Time for a new thread. The #android #application called @moinsbete is one of the most downloaded applications in France. This app is sending without your consent your personal data to @mopub:
- location
- operator
- mcc
- mnc
- country
- screen size
- location
- operator
- mcc
- mnc
- country
- screen size
Yes, all these requests to @mopub are HTTP requests... Welcome to 2018...
This is a very good example of data abuse. Every time you open the @moinsbete #android #app with location on, your location is send without your consent to an US based server owned by @mopub
I’m analysing #KevDroid samples the new #Android #malware discovered several days ago by #ESTSecurity
blog.alyac.co.kr/1587
blog.alyac.co.kr/1587
Articles on the same subject by @PaloAltoNtwks and @TalosSecurity
researchcenter.paloaltonetworks.com/2018/04/unit42…
blog.talosintelligence.com/2018/04/fake-a…
researchcenter.paloaltonetworks.com/2018/04/unit42…
blog.talosintelligence.com/2018/04/fake-a…
The samples are available on @koodous_project and @virusbay_io
28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca
679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e
990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209
28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca
679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e
990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209
Last time I checked this website, on Jan 7, 291 #android #apps were available. @GoDaddy is it possible to shutdown this website?
Several occurrences of the website jikutate.com can be found in the apps. Jikutate means shaft in Japanese.
An "iPhone spin” can be found on lp.jikutate.com/it/iphonespin/…
Tutorial: How to capture network packets and record them on your #Android phone
1/ Install Packet Capture #android app
play.google.com/store/apps/det…
1/ Install Packet Capture #android app
play.google.com/store/apps/det…
2/ Follow the setup wizard of Packet Capture
3/ Give the read external storage permission to Packet Capture
1/ In this request, the @narendramodi's #Android #application sends silently and without the user's consent, his IP address and a unique identifier of his phone.
This personal data is sent to the website api.narendramodi.in which is located in the US.
This personal data is sent to the website api.narendramodi.in which is located in the US.
2/ As the application is available in Europe, it must comply with the European regulation called #GDPR. Since an IP address is considered as a personal data, the user must give his consent and must be able to opt out from this data collection.
3/ The @narendramodi's #Android #application does not meet these requirements and so is breaking this European regulation.
When you apply for membership in the official @INCIndia #android #app, your personal data are send encoded through a HTTP request to membership.inc.in.
Come on! HTTP?! I'm sure you are able to rectify this and use HTTPS instead.
Moreover, the personal data are encoding with base 64. This is not encryption! Decode this data is very easy as shown in the example.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are send without your consent to a third-party domain called in.wzrkt.com.
This domain is classified as a phishing link by the company G-Data. This website is hosted by @GoDaddy and the whois info are hidden.
After a quick search, this domain belongs to an American company called @CleverTap. According to their description, “#CleverTap is the next generation app engagement platform. It enables marketers to identify, engage and retain users and provides developers"
I released #Palindraw about 4 weeks ago.
play.google.com/store/apps/det…
It's my first deliberate attempt at #IndieGameDev and it's been an interesting experience. I wasn't sure what to expect.
play.google.com/store/apps/det…
It's my first deliberate attempt at #IndieGameDev and it's been an interesting experience. I wasn't sure what to expect.
The main functionality of the game was developed in about 4 weeks of evenings and weekends. Several months were spent on generating and hand picking the levels.
The levels are procedurally generated given a RNG seed and a few parameters. I wanted to have a nice balanced progression through each set.
The @OnePlus #clipboard app contains a strange file called badword.txt 🤔
In these words, we can find: Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email, ...
pastebin.com/kfvJWKJB
In these words, we can find: Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email, ...
pastebin.com/kfvJWKJB
This badword.txt is duplicated in a zip file called pattern. This archive contains 7 files:
- badword.txt
- brackets.txt
- end.txt
- follow.txt
- key.txt
- start.txt
- badword.txt
- brackets.txt
- end.txt
- follow.txt
- key.txt
- start.txt
All these files are used in a obfuscated package which seems to be an #Android library from teddymobile
The official #Aadhaar #android app is sending an SMS to authenticate the user. In general, to avoid abuses, you add a sending rate limit. The user has to wait 2 minutes before resend the SMS. @UIDAI did not implement this kind of limit in the app. What are the consequences?
1. I'm tweeting a lot these last days, let make a quick recap
2. @Gioneeglobal, a Chinese phone maker who sell his phone in the US under the name @BLU_Product, made a phone for #NorthKorea. Afaik, they didn't make a public statement.
Bug in the official #Aadhaar #android app. By default, the application asks for the password for each action. In the settings, you can deactivate this password protection.
By force quitting the app when you deactivate this mechanism you don't need to enter the password.
By force quitting the app when you deactivate this mechanism you don't need to enter the password.
.@UIDAI You clearly have not tested your application...
unroll
Hi @UIDAI 👋! Do I have to explain you how real #Android developers are working?
On his official #Playstore account. @UDAI published today an app called "NewTest" with blank screenshot and testingtestingtesting[...] as description 🤦♂️
#AadhaarFail
On his official #Playstore account. @UDAI published today an app called "NewTest" with blank screenshot and testingtestingtesting[...] as description 🤦♂️
#AadhaarFail
They also have a 3rd app called "testBeta (Unreleased)" 🤦♂️. Yes, they called an "Unreleased" an app released on the PlayStore 🤦♂️...
@UIDAI maybe your interns can read this link support.google.com/googleplay/and… to know how to set up an alpha/beta tests...
@UIDAI maybe your interns can read this link support.google.com/googleplay/and… to know how to set up an alpha/beta tests...
Regarding how they used their #PlayStore account, I'm pretty sure they are unable to update the official #Aadhaar #android app because they lost the release key. Please @UIDAI, show me I'm wrong
The @KhoslaLabs and @UIDAI developers don't know how to generate a #android app certificate correctly 🤦♂️
They keep the default owner and issuer: Google. This is funny, technically, Google is the owner and issuer of #Aadhaar 😂😬🤦♂️
They keep the default owner and issuer: Google. This is funny, technically, Google is the owner and issuer of #Aadhaar 😂😬🤦♂️
As stated by the official documentation, developer.android.com/studio/publish…
"A public-key certificate, also known as a digital certificate or an identity certificate, contains the public key of a public/private key pair, as well as some other metadata identifying the owner of the key"
"A public-key certificate, also known as a digital certificate or an identity certificate, contains the public key of a public/private key pair, as well as some other metadata identifying the owner of the key"
Moreover, "Every app must use the same certificate throughout its lifespan"
So, @KhoslaLabs and @UIDAI cannot change it. They need to reupload another app with a different package name if they really want to change it.
So, @KhoslaLabs and @UIDAI cannot change it. They need to reupload another app with a different package name if they really want to change it.
Hi @KhoslaLabs, @UIDAI 👋! Let me show you the power of git.
If an Android dev want to integrate AadhaarBridge in his #android app, he will visit this page: aadhaarbridge.com/products.html
Because he is curious, he will click on the "SDK For Android" and the "Sample Application"
If an Android dev want to integrate AadhaarBridge in his #android app, he will visit this page: aadhaarbridge.com/products.html
Because he is curious, he will click on the "SDK For Android" and the "Sample Application"
But oops! You removed the sample application (apk file) and the library (jar file) from the repo. I guess you want to discuss before giving him the info
But hey come on! This is a GIT repo, I just have to checkout on the correct commit to get the latest library and APK
Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?
I quickly check your #android app on the #playstore and you have some security issues...It's super easy to get the password of the local database for example...🤦♂️
play.google.com/store/apps/det…
I quickly check your #android app on the #playstore and you have some security issues...It's super easy to get the password of the local database for example...🤦♂️
play.google.com/store/apps/det…
The #Aadhaar #android app is saving your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123 🤦♂️
It can be good also to remove the "developer" endpoint from the release apk...
1. Hi @makemytrip 👋! Why are you retrieving user data without their consent?
Your #android app is making an http🤦♂️ request to metric.makemytrip.com with the following unencrypted 🤦♂️ data:
- email
- device name
- phone build version
- OS version
- network type
- ...
Your #android app is making an http🤦♂️ request to metric.makemytrip.com with the following unencrypted 🤦♂️ data:
- device name
- phone build version
- OS version
- network type
- ...
2. This is the nice tracker package you have here...
3. You can find the definition of the Events and FNKeys they used: gist.github.com/fs0c131y/065c7…
It seems they used to retrieve the Client_IP, Gender, Last_Name and more
It seems they used to retrieve the Client_IP, Gender, Last_Name and more
Hi @edawerd,
Few years ago you published 2 #android apps on the #playstore:
- No Root Screenshot It
- Screenshot It
FYI, the native library you coded had been used by #NorthKorea in an app called RedFlag aka Digital Signature Manipulation System
#KCC
cc @GustoHQ @willscott
Few years ago you published 2 #android apps on the #playstore:
- No Root Screenshot It
- Screenshot It
FYI, the native library you coded had been used by #NorthKorea in an app called RedFlag aka Digital Signature Manipulation System
#KCC
cc @GustoHQ @willscott
The modified version of your library can be found here: github.com/fs0c131y/RedFl…
By checking the two versions, we can see they only modified few bytes of your lib. In fact, they only changed the "SCREEN_SHOT_IT_PACKAGE".
By checking the two versions, we can see they only modified few bytes of your lib. In fact, they only changed the "SCREEN_SHOT_IT_PACKAGE".
By the way, the software at lindylabs.com/screenshot_it to "enable" the app is no more available. So, please update your app or remove it from the store.
I'm staying at your disposal if you have any questions
I'm staying at your disposal if you have any questions
A J-14 du #hackinghealth, quels défi de #santé allez-vous relever ? Passage en revue de notre sparkboard 2017 :
Familien - comment mieux accompagner les familles lors d'une #hospitalisation ? hhlyon2017.sparkboard.com/project/59ba78…
Un outil numérique serait-il pertinent pour maintenir le lien entre enfant et patient même si les visites sont impossibles ou rares ?
<Thread> CM Browser is a very popular application (50M - 100M downloads) published by @CheetahMobile.
In the description it said "#1 antivirus engine (rated by AV-TEST)" which is a lie. The AV-TEST best android security 2016 award had been given to @Bitdefender and @Sophos.
Security Master is in their best antivirus for #Android list but it's not the same app and not #1: av-test.org/en/antivirus/m…
Minor correction in the second half, as I tweeted earlier, the iPhone 8 may be limited on the 4x4 MIMO antennas due to the patent feud…
…and also Apple wants to dual-source their radios regardless of the patent feud, and Intel’s LTE speeds aren’t as fast as Qualcomm’s yet.
So, and here’s the part that annoys me, they sell both variants (QCOM & Intel) of iPhone in the market and artificially limit the speeds…
