Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 years ago.
Improve this question
I am new in computing. I have read that android is based on Linux OS.
And Linux rather any distro of UNIX is virus free.
Then my question is that what is the need of anti virus s/w's in Android phones??
Please correct if I am carrying wrong knowledge.
Thanks in advance.
You may be asking yourself, what if I have a cell phone virus and what is it anyway? You know you keep a lot of precious, valuable data on your phone, and when you hear in the news that mobile threats are on the rise, it’s easy to lose sight of the context behind the numbers and worry that you’ve gotten a dreaded mobile phone virus that’s going to steal your personal info and eat your children. Hopefully we can clarify things by addressing some of the questions that we hear most about so-called Android “viruses.”
Is there really such a thing as an Android virus?
Historically carried over from the old PC world, a “virus” is a program that replicates itself by attaching to another program. Hackers often used this method to spread their nefarious work, and virus became a popular term to refer to all types of malicious software (malware) on computers. In the case of smartphones, to date we have not seen malware that replicate itself like a PC virus can, and specifically on Android this does not exist, so technically there are no Android viruses. However, there are many other types of Android malware. Most people think of any malicious software as a virus, even though it is technically inaccurate.
So what is Android malware?
Malware, short for malicious software, is software designed to secretly control a device, steal private information or money from the device’s owner. Malware has been used to steal passwords and account numbers from mobile phones, put false charges on user accounts and even track a user’s location and activity without their knowledge. Learn about some of the most notable malware Lookout has blocked in Resources Top Threats.
How would I get malware on my phone?
Through Lookout’s research for the State of Mobile Security 2012, we’ve found that user behavior and geography greatly influence your risk of encountering malware. The safest bet is to stick with downloading well-known apps from well-known apps from reputable markets like Google Play in addition to having a security app. Fraudsters make it their job to disguise malware as innocent-looking mobile apps on app stores and websites. So if you’re thinking that it’s a good idea to download a just-published, supposedly free version of Angry Birds you found on a random Chinese app store, it’s probably not. Once installed, these apps may appear to work just as described, but they are can be busy with additional secret tasks. Some apps start out clean, but are given malicious capabilities after a seemingly routine software update.
And conscientious app downloading won’t always minimize your risk. Sneaky, drive-by-download sites can download a potentially malicious app file without any user intervention. Safe Browsing in Lookout Premium for Android will block web-based threats like that, but even so, you also shouldn’t install random downloads from your download manager that you didn’t expect to find there.
How can I protect myself and my mobile device?
It’s pretty simple to minimize the risk of encountering malware, and we’ve got 5 simple mobile security tips right here. The top two ways to protect yourself are to download a mobile security app like Lookout to catch those pesky “phone viruses” and to be judicious about what apps you download and were you download them from. Lookout will scour your phone or tablet for any existing malware, and also examine every new app you download to ensure it is safe. But even before you let Lookout scan your newly downloaded app, you should only download apps from sites you trust, check the ratings and read reviews to make sure they’re widely used and respected.
So, should you worry about getting a phone virus? Nope, because they technically don’t exist. (If they ever do crop up, Lookout will weed them out.) And should you worry about the more accurately termed malware? Well, with a little bit of awareness and Lookout on your phone and by your side, you can keep malware and other mobile threats at bay.
Related
I do not have an Android phone and have hit a snag.
Google says you cannot test In App Purchases on an Emulator, details found here.
Install your application on an Android-powered device. You cannot use
an emulator to test Google Play Billing.
Question 1: Is this also true for the Genymotion emulator?
If this is truly the case, I guess I could not have in app purchases, and instead have two versions of the product. A Free, limited edition and a paid-for edition.
Question 2: If I have a solely paid-for version, do I need anything in my code that needs to be checked? By this, I mean the user can only install a paid-for version once they have paid Google Play. The actual program itself is oblivious that it has been paid for. Do I need anything in my code to indicate it is a paid-for version?
If the Android version sold, I would obviously get a physical machine. But at the moment, I do not want to keep on buying loads of different hardware just to keep on checking stuff.
Buying a phone is a personal decision, and you aren't going to get good advice on a programming site. You might be better to try https://android.stackexchange.com/, but even there, opinion based questions "what phone should I get" aren't encouraged as the stackoverflow / stackexchange sites are for things with right and wrong answers, not opinion. If I were you, I'd either do the research myself (if your time isn't valuable). If your time is valuable, I'd just go to argos and get the cheapest Android based phone you can which currently is £15 at Argos right now. (less cost than your time). There'll be something you don't like about it, probably many things, but at that point you'll know what they are and can make a more informed decision.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
Looking at some postings at stackoverflow, as of writing, there seems to be really no way to effectively prevent app piracy.
is anyone here actually losing money from app piracy?
what's your current solution (free or non-free) against app crackers?
what are some of the popular & reliable solutions for protecting enterprise level apps?
Use the LVL (License Verification Library) provided via Google, its a server side verification that the user actually bought your app.
http://developer.android.com/guide/market/licensing/index.html
Use other techniques to detect if you application has been tampered with, there are a few and they are covered in this blog post and the I/O video. Assume it was pirated if tampered with. (Double extra check to make sure you don't mess this up and annoy real users)
http://android-developers.blogspot.com/2010/09/securing-android-lvl-applications.html
http://www.youtube.com/watch?v=TnSNCXR9fbY
Use AntiLVL against your own application, attack it like a cracker! This is actually really fun and educational, see how much work it takes to crack your app. The blog/tool go over the known weaknesses and you can make some educated decisions about how to stop the automated tools from working. Stopping dedicated pirates is no ones priority, but stopping people from using a 1-click tool is easily obtainable.
http://androidcracking.blogspot.com/
EDIT 1:
Make a free version with ads and/or less features. Crackers just want free stuff, so make it easy on them :) If you detect they are using a cracked version of your paid app you can try and convert them to using the free version or upsell them to the paid version. Currently about 1/4 of the people cracking one of my apps will open the Google Play for the full paid version (although less actually buy it)
This google IO 2011 video should be your bible: Evading Pirates and Stopping Vampires using License Verification Library, In-App Billing, and App Engine
It talks about many things you can do to defend yourself.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
For understanding how strong data should be secured on an Android device I want to understand which attacks are possible. I started to write down my knowledge and hope that I get corrections, where I'm wrong or where I'm missing something. I first assume that Google don't be evil, so will ignores attacks from google themselves.
Each application is signed and runs under his own user-id, so an app can only reads data which belongs to him, except the app creates a public storage. Furthermore app which are sign with the same key can share data.
If an application want to get special rights like reading or writing to calendar or contacts the user must accept it.
So by default it's a secure design. Unfortunately every system can have security issues, so that the system become corrupted. On Desktop-Systems regular updates are common practice. On the android it depends on the vendor and is except the Nexus mostly bad. So it could be that there are security holes open for a long period.
So how could an android phone be attacked?
Google can delete and install apps silently (Link). If someone hacks this mechanism, an attacker can install arbitrary apps on a device. Unsure if this app has automatically all rights it wants to have. This doesn't happens till now, but it's possible. You can only protect your phone by checking regularly all installed apps and there rights. This mechanism can be misused by a hacker.
Malicious applications can do a lot evil things, but if you don't give every app the rights the apps wanted and think a little bit, you can protect your phone.
Some security holes in the browser or the system allows an app to get root-access. In this case the app can do everything it wanted. I don't know any protection against this. As far as I know android has such security holes, so this is the most dangerous issue.
So in summary the only secure protection of data seems to be encryption. Depending on how secure your data must be with a default key or an individual key (in other words a password).
Some time ago I've found these PDF's, maybe they can help: slides, paper (more than 2 years old).
edit:
a new link for the slides
a new link for the paper
Google can delete and install apps silently. If someone hacks this mechanism, an attacker can install arbitrary apps on a device. Unsure if this app has automatically all rights it wants to have. This doesn't happens till now, but it's possible. You can only protect your phone by checking regularly all installed apps and there rights.
Delete may be silent, but the only push-install mechanism I know about is to use the firmware update mechanism, and that is not silent - the phone reboots twice.
Malicious applications can do a lot evil things, but if you don't give every app the rights the apps wanted and think a little bit, you can protect your phone.
Unfortunately, you cannot decline to grant permissions, you can only decline to install an app that requests more than you want to grant. And some permissions are quite broad, so an app may legitimately need a tiny part of some permission, but get the whole thing.
Some security holes in the browser or the system allows an app to get root-access. In this case the app can do everything it wanted. I don't know any protection against this. As far as I know android has such security holes, so this is the most dangerous issue.
On the other hand, these security holes are unfortunately what the owners of most devices must rely on in if they wish to to be able to install custom firmware, since most consumer phones were not designed to permit this. Knowledge about android security exploits is not much behind that of conventional linux distributions (most of the root exploit are inherited linux kernel exploits, not android exploits, since android has few components with root authority).
Is there any reason to forward lock a free app? If the user copies the app from the phone, is it protected in any way from decompilation, etc?
By "forward lock" I'm assuming you mean "prevent a user from forwarding the app to another person", and by "free" I'm assuming you mean "available for zero money". If that is the case, then yes, there are reasons to do so. First and foremost, this will ensure that the app is only available from a single source and that users don't have to worry about whether the app is genuine or a tampered version. It is not unheard of for someone to take a freely available app, add their own ads or malicious code, and re-distribute the app as if it was the original version. Unsuspecting users end up running adware/malware without knowing it. This also (unfairly) gives the original app a bad reputation. Therefore, many free apps prevent forwarding/copying for the sole reason of ensuring authenticity.
Also, just because an app does not cost anything doesn't mean that there aren't trademarked/copyrighted materials (or other types of protected intellectual property) inside it that aren't legally copy-able. Being able to easily copy or dis-assemble the app could open the creator to legal issues (especially if they licensed some of their content from a third party), so a free app isn't necessarily able to be taken apart. That being said, binary code is always viewable in a hex editor, and anything can be dis-assembled if you have the time and patience...
No, because the implementation that the Android Market offers is multiply broken:
It does not stop piracy, as people with rooted phones can still go in and grab the APKs, as they do all the time (and, AFAIK, it does nothing to stop decompilation)
Using Android Market copy protection has a tendency to keep your app out of the Market on occasion, such as when new devices are being rolled out
If you want copy protection, that's your call, but use something other than the one supplied by the Android Market.
While consumers bypassing the marketplace and copying a free app will obviously not directly affect profits, keeping track of the number of people using your app can be very important in terms of building the reputation both of the app itself and of your company / you as an indie developer.
If your app communicates with a server or central database as part of its natural functionality, then usage tracking can be implemented through that channel. But if not, then download information on the marketplace is the next best way to get a rough estimate of its popularity.
As for security, I'm not aware of any way forward locking directly makes your app more secure, preventing illicit copying could certainly serve to discourage untoward manipulation of the package files.
No, but it isn't particularly protected either way - it's possible to copy all the data off most android phones regardless of what the application developer would prefer, and once you have the bytes you can disassemble to your hearts' content. (Whether any of that is likely to happen to your particular application is an entirely different question).
There are other reasons to lock it - more accurate counting of userbase, etc. - but they're generally not worth the impact to the overall user experience. If your app phones home occasionally to count installed handsets, that's a much better plan than trying to enforce some way to trust the Marketplace count.
There's no way to protect anything from decompilation. Except if there's no platform that can run it.
But you can make it harder, with obfuscation and stuff.
But fo a free app it is probably not worth the effort.
I was wondering what the most effective way of preventing people from stealing my application (downloading a copy of the .apk online rather than buying it).
I've spent a lot of time on one in particular (Droidbox) and won't be releasing Sync until I can guarantee that the people who are providing illegal copies of the pro version aren't able to.
Anyone implemented this? I've tried checking my package signature verses an the signature of an unsigned copy but it appears to be the same - perhaps I'm doing something incorrectly here. I'm unsure whether people actually distribute the signed .apk in which case I don't think signature validation would work to begin with...
Please note, this question is specific to Android Marketplace Applications - the difference being, application delivery is out of my hands and I have no way of linking between a legitimate purchase and an illegal download.
Now there is the new Google App Licensing available. For deeper information read about it in the android developer blog.
A short summary: Google provides a library that makes a inter process call to the market client on the phone. The market client will then ask the google servers if the signed in user has purchased the app and forward this answer to you. There should be a public key in you developer profile that you need to encrypt the connection to the google server to prevent spoofing of answers. You also provide a application and device unique id with the query to make it impossible to forward approved queries to another device and build something like an licensing proxy with one bought copy forwarding the IS LICENSED answers to other devices.
At the moment this service looks secure enough to protect even the more valuable apps in the market. I will give it a try and maybe come back and leave some more informations after I used it a little bit.
If your app is really popular like an EA game or something this wan't stop users from hacking it. To hack the app somebody has to buy it, then unzip the apk, and edit the bytecode of your app to think that the market send a correct answer. The new byte code can be packed into another apk and can be installed on every phone that allows side loading.
To make this harder you can always try to obfuscate your apk and make your bytecode hard to understand.
There is a single, useful connection between an application buyer and the developer through the marketplace, the forwarding email address provided by google to contact the buyer.
Utilizing the integration callback setting to send buy information to your own server, you can use PHP to send a unique identifier (registration code) to the buy via email (real time as the callback is shipped from google during a purchase. The user then uses this email to register their software using the unique identifier that is then linked to their android ID (or google account username) and the software is "activated" and guaranteed to be legitimate.
Obvious Questions
Why is this a suitable solution when it requires the user to read email? Our market are those people who are capable of buying an application using an android device. By using an android device, it is implied that the user has a google account which implies they know how to use email.
How do I use the email with the unique identifier with my application? Create a content handler in your application that handles something like "myactivator://uniqueid-or-something" which causes your application to communicate to your internal server that keeps tabs on activations. Embed this as a link in the email that the user can click on.
How should I generate the unique identifer? I'm going to use the email somehow - I'm fairly confident google has already made it unique enough to disallow any feasible method of contact information selling.
What about people who have already purchased the software? A lot of options here - none ideal or terrible.
Send emails to all previous buyers
Allow users to activate by typing in their order number (can be obtained by logging into checkout.google.com.
Why bother?
Because some of us put a lot of time into applications and saying "you should just accept pirating" is a slap in the face.
The people that are lax enough to use pirated copies of your application to access their DropBox are probably using their DropBox for piracy anyway. Forget those people. Let them go. Yes, it's a huge number of people I bet, but let's face it, those people were never going to pay you anything anyway. Focus on the parts that you can control, and forget the rest.
Focus on the Android users that use DropBox for their work, for their businesses, for their own code, for their finance, for their thesis, and/or for their private family pictures. 95% of those people, that have something of value in their DropBox, and that want it kept private, are going to want to buy your application (assuming it's good enough for them).
Let me use this analogy:
When it comes to hiring a locksmith to put a lock on your home, do you hire the guy that looks the part and takes $150 an hour, or do you hire the shady guy that is willing to sell you a stolen lock to put on your front door?
Release your own illegal copy in the best known forums and have it disable itself after a week and showing a message like
Thanks for stealing... I make my living with programming this app. The x Dollar won't hurt you and I could by my next meal and go on making great updates for you.
I think this is the only thing that you can do about it. People will always find a way to copy your app and all countermeasures will only disturb the users that paid for the app.
The people copying your app aren't your customers and they never will be. Just see their use of the program as a kind of viral marketing. At least they are talking about your app and maybe some of their friends will then buy the app.
General shareware advice here - license the software to the individual. i.e. provide a license key that is personalized to their username. They'll be much less likely to distribute a key if it's got their name on it. You can probably automate the backend fulfillment of the order, to provide custom keys. Have your "Pro" version operate in trial mode until the name/key are entered.
Don't leave your computers so that someone can steal your applications from there.
Or wait.. Did you meant you don't want others to copy your software? Then.. not publishing it in the first place is likely your best option.
A bit related link: http://news.cnet.com/8301-27076_3-20003120-248.html
You neither have any mechanism to estimate amount of illegally copied software. Enjoy your attempts from stopping the rain even though entities bigger than you have attempted and failed.
There is a new tool in the wild that seems to good to be true:
Automatic Application Licensing from Keyes Lab.
I haven't tried it yet but if this works it sound like something you want to use in your high priced android apps.
If anybody tested it leave a comment or edit my answer with personal feedback.
I have the same issue. I recently found a number of my paid apps available for free download on this site: https://dlandroid.com/
I asked them to remove my app APKs, but I'm sure there are many other similar sites. Presumably they have a rooted phone which gets one valid copy of the app from Google Play, then uploads it onto their web site to distribute to all and sundry for free.
You could spend endless amounts of time ensuring that there are no pirated copies of your apps on the web, or implementing complex piracy protection measures, which would most likely make things less convenient for your genuine paid users. But I guess in the end, you have to be prepared to make a trade-off and accept that a certain level of loss is inevitable, and hope that most people are honest and get your app through the proper channels rather than risk malware infection by going to dodgy sites like this.