NexusHD2 Android Forum

In a blog post, Ben Lincoln recently reported that his Motorola Droid X2 was sending sensitive information to Motorola -- and it was doing so unencrypted.

When monitoring traffic on his phone, Lincoln noticed frequent connections to a domain owned by Motorola, passing basic check-in data every nine minutes, including hardware data, application information, phone call statistics, and more.

He also found that Motorola gathers e-mail addresses and passwords for Facebook, Twitter, YouTube, Picasa and Photobucket, along with a wide range of user activity on those services. Similar data is collected for everything from Exchange ActiveSync to RSS feeds.

"I can think of many ways that Motorola, unethical employees of Motorola, or unauthorized third parties could misuse this enormous treasure trove of information," Lincoln writes. "But the biggest question on my mind is this: now that it is known that Motorola is collecting this data, can it be subpoenaed in criminal or civil cases against owners of Motorola phones?"

NYLimited wrote:In a blog post, Ben Lincoln recently reported that his Motorola Droid X2 was sending sensitive information to Motorola -- and it was doing so unencrypted.

When monitoring traffic on his phone, Lincoln noticed frequent connections to a domain owned by Motorola, passing basic check-in data every nine minutes, including hardware data, application information, phone call statistics, and more.

He also found that Motorola gathers e-mail addresses and passwords for Facebook, Twitter, YouTube, Picasa and Photobucket, along with a wide range of user activity on those services. Similar data is collected for everything from Exchange ActiveSync to RSS feeds.

"I can think of many ways that Motorola, unethical employees of Motorola, or unauthorized third parties could misuse this enormous treasure trove of information," Lincoln writes. "But the biggest question on my mind is this: now that it is known that Motorola is collecting this data, can it be subpoenaed in criminal or civil cases against owners of Motorola phones?"

It's an interesting article.
Regarding the password safety issue, are there any special social apps (or email apps) made by Motorola including in their ROMs?
If so, it'll be dangerous to use them because the 'plaintext passwords' might be uploaded to Motorola according to the blog above.
If not, I think the users might not need to worry about it too much. (Referred to the 'plaintext passwords' only.)

Well, if the users of Motorola phones install and use 'the official social apps', such as Facebook or Twitter apps, the passwords should be still safe.
In theory, Motorola cannot steal the 'plaintext passwords' from the official Facebook or Twitter apps unless these official apps are developed by poor-skilled programmers. But I think it's impossible.
If Motorola only gets the hashed or encrypted passwords, users' accounts might be still safe.

In short, what I want to say is that we should always fill in our passwords into the official apps made by the corresponding online service providers, not the third-party apps, even if the apps are developed by the phone manufacturers.
For example, we should only fill in the Facebook password into the official Facebook app.

tytung wrote:In short, what I want to say is that we should always fill in our passwords into the official apps made by the corresponding online service providers, not the third-party apps, even if the apps are developed by the phone manufacturers.
For example, we should only fill in the Facebook password into the official Facebook app.

A network logger or sniffer can do a lot of damage but, as you said, encrypted passwords would be of limited use.

Personally, I seldom let my apps remember my passwords. I prefer to use password managers (such as LastPass) with long, annoying passwords that I can never remember myself.

Your email and phone call metadata certainly isn't private, but maybe you were holding out hope that good old fashioned snail mail somehow avoided big brother's living gaze. The Smoking Gun broke the bad news a month ago, and now the New York Times is confirming that nope, that's all being tracked too. Surprise surprise.

It's by no means a new development; it's been going on for years. But now the details of the whole system are coming to light. Fortunately, the sanctity of your mail's contents is only defilable if there's a warrant involved. There's none needed to track all the sweet, sweet metadata, though.

The New York Times explains:

At the request of law enforcement officials, postal workers record information from the outside of letters and parcels before they are delivered. (Actually opening the mail requires a warrant.) The information is sent to whatever law enforcement agency asked for it. Tens of thousands of pieces of mail each year undergo this scrutiny.

The surveillance system is known as the Mail Isolation Control and Tracking program, and was instated in 2001 after the mail-borne anthrax attacks that killed five people. Since then, the program's been responsible for photographing each and every piece of mail the Postal Service handles. There were over 160 billion pieces last year.

All this is only possible with a little help from the Postal Service itself, of course. Again, from the Times:

For mail cover requests, law enforcement agencies simply submit a letter to the Postal Service, which can grant or deny a request without judicial review. Law enforcement officials say the Postal Service rarely denies a request. In other government surveillance program, such as wiretaps, a federal judge must sign off on the requests. The mail cover surveillance requests are granted for about 30 days, and can be extended for up to 120 days.

Read the original article:

http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mail.html?hp&_r=2&amp



----
You can chose to ignore reality, but you cannot ignore the consequences of ignoring reality.

Your smartphone knows a lot about you. It’s with you all the time. It knows which apps you use. It knows which websites you visit. And it knows your gender, your age, and even how fit you are. These are all things that advertisers would love to know about you, and smartphone companies are starting to give it to them. Verizon announced it would start bundling data about its customers in 2011 to provide audience “insights” and said in 2012 that it was going fabulously. It’s perhaps not surprising then that in its most recent privacy policy change, carrier competitor AT&T revealed that it wants to hop on the sell-information-about-our-users bandwagon too.

As noted by Fierce Wireless, a proposed change to AT&T’s privacy policy will allow the company to use customers’ wireless location information, “U-verse information” (AT&T’s television service), website browsing, mobile application usage, age and gender for reports to other customers interested, for example, in who is coming into their stores. AT&T says these reports would be aggregated and anonymized; your activity would only be reported as part of a group of people.

(Between this and Verizon’s offering, Euclid Analytics — a company that helps retailers track customers by their smartphone signals which has raised privacy hackles on the Hill — has some heavyweight competition.)

AT&T also plans to use the info to deliver more relevant ads to you. In a letter to customers, AT&T explains that if you hang out near movie theaters a lot, you may be labeled as a “movie fan” and receive ads about the latest blockbuster:

People who live in a particular geographic area might appear to be very interested in movies, thanks to collective information that shows wireless devices from that area are often located in the vicinity of movie theaters. We might create a “movies” characteristic for that area, and deliver movie ads to the people who live there.

The way this is aggregated means that you aren’t labeled a movie fan because you particularly hang out at a movie theater a lot, but that you are among a group of people that go to theaters a lot. You might not even be a movie fan but will be labeled as one if other AT&T customers in your demographic or neighborhood are. I’ll assume that if you live in a college dorm, you may wind up labeled as a “heavy drinker” or “single and looking” and then be hit up with beer ads or Match.com offers.



Read the complete article at Forbes.com, published on July 3.

You may want to read about this vulnerability
http://bluebox.com/corporate-blog/blueb ... aster-key/
Uncovering Android Master Key That Makes 99% of Devices Vulnerable
Cheers
Tom

My Note 2 to you

Another one about Facebok http://translate.google.com.tr/translat ... ml&act=url (Chip Turkey)

(Okay, one last one and we take a break from reading bad news for a while!)



Mobile security company Bluebox said today that it recently discovered a vulnerability in Android that makes any Android device released in the last four years vulnerable to hackers who can read your data, get your passwords, and control any function of your phone, including sending texts, making phone calls, or turning on the camera.

That’s almost 900 million Android devices globally.

“A Trojan application … has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords,” Bluebox CTO Jeff Forristal posted. “It can essentially take over the normal functioning of the phone and control any function.”

The vulnerability is due to “discrepancies” in how Android apps are approved and verified, Bluebox says, allowing hackers to tamper with application code without changing the app’s cryptographic signatures. That means that an app — any app — that looks perfectly safe and legitimate to an app store, a device, an engineer, or a user actually could actually have malicious code embedded within it.

Forristal said the details of the bug were disclosed to Google back in February and that Google has “notified their device partners.”

The problem, however, is that because of Android’s fragmented nature and the fact that device manufacturers and mobile carriers release Android updates sporadically if at all, many Android devices are not running the latest software and cannot be user-updated.


You can read the complete article in Venturebeat.

How-to/find-eradicate-android-apps-maliciously-tracking-you
http://galaxy-note2.wonderhowto.com/how ... 2-0147740/
Cheers
Tom

My Note 2 to you

Tom wrote:How-to/find-eradicate-android-apps-maliciously-tracking-you

Use Dutty Troy's Windows Mobile ROM?



----
You can chose to ignore reality, but you cannot ignore the consequences of ignoring reality.