How to face security issues on Android 4.2

I am not sure PTP and USB storage are in any way related to disabling the Browser. I have been using (not PTP) but USB and MTP storage regularly since applying and had no issues with them.

You are right that the WebKit component is still available. There is no easy fix for that as far as I know. It is also no alternative to a proper fix, but I figured for me, it is better than nothing.

Actually, I wondered myself and in general it makes no sense. However, I can reproduce the error by disabling com.android.browser and “fix” it by enabling it again. I am not sure why this is happening (therefore I lack necessary information on the internal architecture), but it is reproducible. When I am back from conference I might give MTP a try and disable the browser again :wink:

1 Like

@Shiny (and other XPrivacy users): can XPrivacy be used for solving the WebView issue? Or will an app be able to activate WebView even if one blocks the app’s own internet privileges?
My reason for asking: I have a Solitaire app installed and since I can’t see any reason why this app should have access to the internet, I’ve set my firewall to block it. Nevertheless, if I run the app while connected to the internet, ads are displayed. My guess is that the app uses WebView for this, and that WebView still has access to the internet even if the app itself is firewalled. And my guess is that this goes for a number of other apps as well.
Would XPrivacy be a more efficient way to block access, or would the result be the same, meaning that WebView can never be disabled, not even partially?

It’s a bit odd, really: considering that Android is UNIX-based and the FP is rooted, it ought to be possible to disable WebView simply by commenting out a line somewhere…

Which Firewall app did you install? I think this could be a misconfiguration behavior because if you filter an app by firewall, it shouldn’t go outside and download ads (maybe they’re already cached in your device or embedded in the app without going to the Internet so you still see them?)

Well I don’t think it’s so easy as commenting out a line somewhere…Android is Java based (simplifying too much) and apps use components by “linking” other components present in the file system (think something similar as Windows DLLs) so unless you delete/rename the component(s) which represent the “Webview” system component, any application will always be able to use it, but I don’t suggest to remove them because I suspect this could end in an unusable device (or with very limited usage capabilities).

To answer your first question: with the XPrivacy module you should be able to block Internet access to your Solitaire app (and also to other more sensitive components like Contacts database, or Clipboard history and so on) in order to avoid it going somewhere on the Internet. I strongly suggest using XPrivacy because I found it very useful.

And I suggest also to look for a solitaire app in F-Droid repo :wink: their apps are open source and most of the time ads-free :smile:
Bye!

2 Likes

@kgha: I don’t use adware (if I like a software I buy the pro version or I use real “free” software). So I can’t answer your question for sure. XPrivacy offers the possibility to deny Internet access for the ad and it allows to deny the right to “show in browser”, so you should have a chance.

If you post me a link to your app, I will install it, deny everything and see what happens, if you want to know it for sure.

regards,
Shiny

2 Likes

@DjDas, @Shiny,
thanks a lot for your comments.
I use Avast’s firewall, and generally it seems to work (I have, for instance, firewalled the default Android browser and it is quite dead). But when I check Avast’s network activity meter, it does show a little activity stemming from my likewise firewalled Solitaire app.
Sadly there are no open source solitaire apps that can compete… but Shiny’s advice to get the pro version is of course a good one. And I really should consider trying out XPrivacy.
Shiny, if you really want to bother, you can find the app here:

Well, I feel very comfortable with AFWall+, it’s very easy to use, furthermore I also use AdAway to filter ads (not from apps but generally while browsing). You can find both on F-Droid :smile:
Bye!

1 Like

Hi @kgha,

Fascinating experiment. I refused the rights “Identify Phone, Access Internet, and Show in Browser” and thought everything is fine because I didn’t see any ads. To make sure that XPrivacy did the job I granted the right to access the Internet in my separate firewall app AFWall+ and restarted the game. Now an ad for Amazon was displayed. To exclude the possibility that it is an ad from the app resource I enabled the protection of AFWall+ again and restarted the card game once more. Now it was ad-free again.

So it seems that XPrivacy fails like your firewall but AFWall+ does the job. I can’t say why, but this shows again that having a second line in protecting your data is a good idea. I use AFWall+ besides XPrivacy because it allows more detailed control. Here I can allow an app to access the web while WIFI is connected but deny it if it’s just a mobile connection etc. XPrivacy simply allows to block all internet access and, like this experiment shows, it doesn’t do a perfect job of this.

regards,
Shiny

2 Likes

Hi @Shiny,
heartfelt thanks for taking the time to dig deeper into this! AFWall+ seems to be the best choice, then… the Avast firewall also allows me to choose between blocking wifi, mobile data, or both but apparently it’s not as efficient.

You are welcome @kgha.

It was very interesting and I learned something, too. Maybe I will find some time this evening to look a little deeper into the XPrivacy options, trying to understand if I am doing something wrong or if XPrivacy itself has a problem blocking this traffic.

regards,
Shiny

2 Likes

After installing AFWall+ I can only confirm that it works perfectly. The log shows that it blocks traffic stemming from my Solitaire app which now, since it’s blocked, is ad-free as well :slight_smile:
Fairly intuitive UI as well (although it took me some time to understand that AFWall needs permanent SU access :stuck_out_tongue: )

1 Like

Nice! This is very interesting, although I thought XPrivacy could do the job.
Some days ago I was impressed about the “brute force” of XPrivacy on Skype which was able to connect to the Internet and send/receive instant messages, but not able to talk, with or without video; I had to uncheck several options before being able to talk with Skype, so I think XPrivacy is stronger than your experiment seems to prove.
I’ll wait for your information because your experiment is very interesting, thank you very much! :smile:

I also suggest AdAway if you want to block ads while browsing, because a firewall can block all the Internet access, not simple URLs pointing to ads (something is possible with a deeper configuration of course… and however not every possible problem is solvable with simply a firewall).

Hello again,

I investigated the XPrivacy rule for the solitaire game and found that not all routines which are grouped under the right “Internet Access” were blocked. By blocking all functions manually, XPrivacy also blocked the ads as safely as AFWall+ does.

So how could it happen that just some of the internet functions were blocked?
By digging a little in the different options of the program I found a Template section. It seems that if you deny an app access to a right, the configured template will be used, and in the template for internet access not all rights are blocked.

I can’t remember having modified these options, so I don’t know if it is the standard not to deny access to every internet option. But the riddle is solved and I have something to do in the near future - checking all templates ;).

regards,
Shiny

3 Likes

Very good catch! :smile:
Thank you!

21 posts were moved here from our wiki post Constructive tips to improve security.

You can discuss here and contribute to the wiki post with your solutions.

1 Like

There are different ways to connect to internet. Some do not involve connecting the app itself to the internet, so more restrictions might be needed.
BTW, I’m using both AFWall+ and XPrivacy simultaneously without any issues. AFWall+ has a quite useful feature to allow connection on Wifi only. As far as I know, you can’t do that with XPrivacy.

Hi can you please help finding a working demo/apk for the CVE-2014-7911? An apk causing system server crash would be enough.

2 Likes

There doesn’t seem to be any for Android 4.2, unfortunately. I tried https://github.com/retme7/CVE-2014-7911_poc together with https://github.com/retme7/CVE-2014-4322_poc, but that specific demo seems to rely on Android 4.4 features and fails under 4.2.

1 Like