Intercepting outgoing data sms

by Urs Grob » Fri, 04 Sep 2009 15:13:17 GMT


I'm trying to figure out if it's possible for some third party
application to read the content of an outgoing data SMS.
I send a data SMS by calling SmsManager.sendDataMessage(...).
Is there a way to intercept this by using either public or _private_ API?

I'm trying to share a secret key with the service on the other side so
it can send me an encrypted message that no other app installed can
understand. If it is possible to intercept this message I'll have to
think of another way to share the key. (e.g. over a web service)

Rooted phones or other non-standard system images are of no concern
since those users did that on purpose. All I want is to make sure that
John Doe is safe.

-- Urs



Intercepting outgoing data sms

by Dan Hein » Fri, 04 Sep 2009 22:18:33 GMT


Have you read Burns' paper on Android security? He gives general
guidance on securing these types of things.

 http://website.isecpartners.com/files/iSEC_Securing_Android_Apps.pdf 

Since he posted the above on an earlier thread, perhaps he will
comment directly...





Intercepting outgoing data sms

by Urs Grob » Fri, 04 Sep 2009 23:38:21 GMT


 Thank you for that link. It's a nice overview/introduction.

I read most of this paper right now. But I'm quite used to the
security of Android. So there's not really something new that would
help me. What I lack most is knowledge about the possibilities that
the public and especially private APIs of the SMS internals give. I
know there's a way to read the content of the SMS inbox and outbox.
And I'm wondering if SmsManager.sendDataMessage will end up in the
outbox where it can be accessed by malware, or if there's other means
of intercepting a data sms sent by that method. For example opening a
Socket to a server and directly sending data can't be intercepted by
third party apps. If it's the same for SmsManager.sendDataMessage then
I'm happy with it. But if e.g. the sms ends up in the outbox where
third party apps can access its content, then I'm forced to use a
different solution.

This would be the easiest approach for my problem because the back end
already exists. But if it is not safe enough I'll have to use another
method. That's why I'm asking about this. And I hoped for someone
familiar with the SMS code to be able to give me a short answer on
this. :)

-- Urs







Intercepting outgoing data sms

by Chris Palmer » Sat, 05 Sep 2009 00:29:44 GMT


 SMS is not the right way to go about this: it is not a secure protocol, in
the sense of SSH or TLS. Just use TLS.

Check out Harald Welte's presentation from Hacking At Random 2009 in case
you're wondering how an attacker might go about hacking SMS.







