Questions about APK security

Discussion in 'Android Apps & Games' started by WeAreNotAlone, Sep 8, 2011.

    Couple of ideas/concerns (I'm new to all this Android stuff so don't kill the messenger.)

    1: While not needed per se on the Marketplace, I think that the HASH VALUES of the program's *.apk file should be PUBLISHED.

    A small detail such as this:
    A: Protects the "good name" of the program/author and those using that app in the long run. Each hash is unique and with the hash value in hand you can be assured nothing "extra" has been added to the code.
    (Yes, you are supposed to download thru the marketplace, but in the real world those needing an app might get it thru other sources. If the app causes problems, persons will badmouth the app/author.)

    B: Published hash value helps those searching for an app that has been discontinued; with the hash value in hand, you might find it somewhere and can be assured the file is the same file that would have come directly from the author.
    (Such can also transfer someone looking directly to the author's site/download link for those apps with similar file names.)

    2: Permissions: Seems like the whole Android OS, and the apps are on a gigantic data mining operation.
    (Makes me want to go back to dumb phone, maybe Windows Mobile 6.5?)
    What are the best ways to change permissions of apps after they are installed?

    (I just saw the reference to PocketPermissions -will check it out.)

    Q: Are there manual and permanent edits that can be done, or some type of proxy? app that gives those apps false info? I'm new to this Android stuff but the data being collected is all encompassing.

    (In my mind there is a lot of data mining going on. So much that I sort of think Google, or whoever is on the receiving end of the data collected, should be paying my data bill, as that data mining is worth a lot of money... or am I wrong about that? I'm assuming this data mining is a reason for all these free apps.)

    3: Is there a way to download the installer file (*.apk) and scan it for malicious code BEFORE it is installed? Are there any virtual sandboxes/emulators you can run an app in, and scan it in real time?

    4: Related... When downloading a file from the marketplace, where is it downloaded?
    Is it possible to save (archive) install files?


    Below is an OS extension I've used for years that allows you to check the hash of a file against published values.
    (Note I do not profit, nor am I in any way connected with the publisher. Google for your own if you prefer. Android aside, on ANY file you download you should check the file's hash.)

    Lots of uses: verify a file downloaded correctly. (How many times have you downloaded a file, then later found out the file got corrupted during the download?)
    You can compare files with same file name (LOL) that some authors use to differentiate different versions.

    HashTab (Free- no adware, etc, Windows and Mac)
    HashTab tool to quickly find file hash information

    HashTab provides OS extensions to calculate file hashes. HashTab supports many hash algorithms such as MD5, SHA1, SHA2, RipeMD, HAVAL and Whirlpool. HashTab is supported as a Windows shell extension and a Mac Finder plugin. HashTab provides an easy way to verify file integrity and authenticity.
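
The check described in the post above (comparing downloaded or archived install files against hash values the author published), as an added example that is not part of the original thread. The `sha256sum`-style listing format, the file names and the sample bytes are assumptions constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream the file through the hash so large APKs never sit fully in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_published(text):
    """Parse 'digest  filename' lines (sha256sum style) into {filename: digest}."""
    published = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        published[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return published

def check_archive(directory, published, algorithm="sha256"):
    """Return {filename: 'match' | 'MISMATCH' | 'unlisted'} for every *.apk."""
    results = {}
    for apk in sorted(Path(directory).glob("*.apk")):
        expected = published.get(apk.name)
        if expected is None:
            results[apk.name] = "unlisted"      # no published value to compare
        elif hmac.compare_digest(file_digest(apk, algorithm), expected):
            results[apk.name] = "match"
        else:
            results[apk.name] = "MISMATCH"      # same name, different content
    return results

def demo():
    # Constructed sample files: one altered after publication, one intact, one unlisted.
    with tempfile.TemporaryDirectory() as tmp:
        original = b"PK\x03\x04 constructed sample app v1"
        Path(tmp, "app.apk").write_bytes(original + b" plus something extra")
        Path(tmp, "other.apk").write_bytes(original)
        Path(tmp, "unknown.apk").write_bytes(b"PK\x03\x04 not on the list")
        digest = hashlib.sha256(original).hexdigest()
        listing = f"# constructed listing\n{digest}  app.apk\n{digest} *other.apk\n"
        return check_archive(tmp, parse_published(listing))

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A matching digest only shows the file is identical to whatever the listing describes, so the listing itself has to come from a source you trust, such as the author's own HTTPS site.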


  alostpacket



    I have moved your post to its own thread as it was not really permissions or guide related.

    I believe you are asking mostly about security measures that one can take when downloading warez.

    While this may or may not be what you are talking about, I feel it is important to remind you that we do not assist in obtaining, supporting, or helping users with warez in any way whatsoever around here.

    I hope that's understandable.

  WeAreNotAlone

    Thread Starter

    No problem, I believe in supporting the authors for their work. Warez is the last thing on my mind.

    My main concerns are My Privacy, Security of My data, Permissions apps may have, and being able to back-up applications, OR revert to a previous version of a app.

    I admit I'm new to everything that is Android, but I'm highly concerned about all the free rein/permissions the apps I've downloaded from the Google MarketPlace have, or may have, as in the case of rogue apps that behave well, then at some point in time transmit data in the background. Lots of data there that could (and probably will) be abused at a later date. It seems like everything you are doing, everywhere you are going, is being tracked.

    On the APKs, I'm the type that once I get a system set up, I am hesitant about upgrading to the latest version, and would like to be able to:
    A: Save install files.
    B: Be able to revert to a previous version. As you know, "updates" break things sometimes.
    C: Be able to restore those files locally.
    D: As security of my data is paramount, I'd like to be able to "check" apps to be sure my data isn't being sent off to parts unknown. Hence the questions about running apps in a virtual sandbox of some type, and/or misdirecting any outgoing tracking info/identifying info slightly.

    I'm coming from a perspective that:

    I'd like to archive install files, especially install files for apps I have paid for.

    Coming from Windows Mobile 6.5 phone(s) that were just recently purchased, and found out less than a month after purchase that Microsoft is trying everything to promote Windows Phone 7 and kill Windows Mobile off:

    Microsoft has:
    1: Closed the (web-based) WM "MarketPlace" (access thru phone only now, and will be closed entirely OCT 2011).
    2: Has frozen the site. Developers are unable to edit their own webpages/add links, I assume, back to their site and/or latest version.
    3: Has shut down the Myphone sync app.

    Not a big fan of trusting everything to the "cloud", or trusting everything to those that behind closed doors make decisions that negatively impact me, hence my desire to back up apps locally.

    Q: Just a day or so ago I did a wipe (SpeedTest and Open Signal Maps crashing) and had to search for all the apps I had downloaded, trying to remember the names.

    Once logged into the marketplace, is there an option, a tab or something that lists apps you have downloaded, where you click it and it provides a listing? Didn't see it.

    PS: Thanks for moving the post to its own thread, hopefully the thread might help others with the same concerns.

  alostpacket


    One thing for local backup that people seem to really like is Titanium Backup (root)

    Root required of course :)

