Intercepting outgoing data sms

by Urs Grob » Fri, 04 Sep 2009 15:13:17 GMT


 I'm trying to figure out if it's possible for some third party
application to read the content of an outgoing data sms.
I send a data sms by calling SmsManager.sendDataMessage(...).
Is there a way to intercept this by using either public or _private_ api?

I'm trying to share a secret key with the service on the other side so
it can send me an encrypted message that no other app installed can
understand. If it is possible to intercept this message I'll have to
think of another way to share the key. (e.g. over a web service)

Rooted phones or other non-standard system images are of no concern
since those users did that on purpose. All I want is to make sure that
John Doe is safe.

-- Urs



Intercepting outgoing data sms

by Dan Hein » Fri, 04 Sep 2009 22:18:33 GMT


Have you read Burns' paper on Android security? He gives general
guidance on securing these types of things.

 http://website.isecpartners.com/files/iSEC_Securing_Android_Apps.pdf 

Since he posted the above on an earlier thread, perhaps he will
comment directly...





Intercepting outgoing data sms

by Urs Grob » Fri, 04 Sep 2009 23:38:21 GMT


 Thank you for that link. It's a nice overview/introduction.

I read most of this paper right now. But I'm quite used to the
security of Android. So there's not really something new that would
help me. What I lack most is knowledge about the possibilities that
the public and especially private apis of the SMS internals give. I
know there's a way to read the content of the sms inbox and outbox.
And I'm wondering if SmsManager.sendDataMessage will end up in the
outbox where it can be accessed by malware, or if there's other means
of intercepting a data sms sent by that method. For example opening a
Socket to a server and directly sending data can't be intercepted by
third party apps. If it's the same for SmsManager.sendDataMessage then
I'm happy with it. But if e.g. the sms ends up in the outbox where
third party apps can access its content, then I'm forced to use a
different solution.

This would be the easiest approach for my problem because the back end
already exists. But if it is not safe enough I'll have to use another
method. That's why I'm asking about this. And I hoped for someone
familiar with the SMS code to be able to give me a short answer on
this. :)

-- Urs







Intercepting outgoing data sms

by Chris Palmer » Sat, 05 Sep 2009 00:29:44 GMT


 SMS is not the right way to go about this: it is not a secure protocol, in
the sense of SSH or TLS. Just use TLS.

Check out Harald Welte's presentation from Hacking At Random 2009 in case
you're wondering how an attacker might go about hacking SMS.
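
Added example, not part of the thread or any poster's code: one way to hand the secret key to the service over TLS (the "web service" route mentioned in the first post) instead of a data SMS. The endpoint URL and the class and method names are placeholders assumed for illustration; how the service ties the key to a user account is outside what the thread describes.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.security.NoSuchAlgorithmException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.net.ssl.HttpsURLConnection;

public class KeyProvisioning {
    // Placeholder endpoint (assumption): the thread does not name the service.
    static final String ENDPOINT = "https://service.example.invalid/register-key";

    /** Generate a fresh 128-bit AES key from the platform's default SecureRandom. */
    static SecretKey newKey() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    /** POST the raw key bytes over TLS and return the HTTP status code. */
    static int sendKey(URL url, SecretKey key) throws IOException {
        // Fail closed: the key must never travel over a cleartext scheme.
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("refusing to send key over " + url.getProtocol());
        }
        // The default HttpsURLConnection validates the certificate chain and the
        // hostname; do not install a permissive TrustManager or HostnameVerifier.
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setInstanceFollowRedirects(false); // never replay the key to another host
            conn.setRequestProperty("Content-Type", "application/octet-stream");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(key.getEncoded());
            }
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        int status = sendKey(new URL(ENDPOINT), newKey());
        System.out.println("service answered HTTP " + status);
    }
}
```

Unlike a data SMS, the key here only exists inside the app's own process and the TLS session, so it does not pass through the carrier network or any shared message store on the device.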







