Intercepting outgoing data sms

by Urs Grob » Fri, 04 Sep 2009 15:13:17 GMT


 I'm trying to figure out if it's possible for some third party
application to read the content of an outgoing data sms.
I send a data sms by calling SmsManager.sendDataMessage(...).
Is there a way to intercept this by using either public or _private_ api?

I'm trying to share a secret key with the service on the other side so
it can send me an encrypted message that no other app installed can
understand. If it is possible to intercept this message I'll have to
think of another way to share the key. (e.g. over a web service)

Rooted phones or other non-standard system images are of no concern
since those users did that on purpose. All I want is to make sure that
John Doe is safe.

-- Urs




by Dan Hein » Fri, 04 Sep 2009 22:18:33 GMT


 Have you read Burns' paper on android security?  He gives general
guidance on securing these types of things.

 http://website.isecpartners.com/files/iSEC_Securing_Android_Apps.pdf 

Since he posted the above on an earlier thread, perhaps he will
comment directly...




by Urs Grob » Fri, 04 Sep 2009 23:38:21 GMT


 Thank you for that link. It's a nice overview/introduction.

I read most of this paper right now. But I'm quite used to the
security of android. So there's not really something new that would
help me. What I lack most is knowledge about the possibilities that
the public and especially private apis of the SMS internals give. I
know there's a way to read the content of the sms inbox and outbox.
And I'm wondering if SmsManager.sendDataMessage will end up in the
outbox where it can be accessed by malware, or if there's other means
of intercepting a data sms sent by that method. For example opening a
Socket to a server and directly sending data can't be intercepted by
third party apps. If it's the same for SmsManager.sendDataMessage then
I'm happy with it. But if e.g. the sms ends up in the outbox where
third party apps can access its content, then I'm forced to use a
different solution.

This would be the easiest approach for my problem because the back end
already exists. But if it is not safe enough I'll have to use another
method. That's why I'm asking about this. And I hoped for someone
familiar with the SMS code to be able to give me a short answer on
this. :)

-- Urs





by Chris Palmer » Sat, 05 Sep 2009 00:29:44 GMT


 SMS is not the right way to go about this: it is not a secure protocol, in
the sense of SSH or TLS. Just use TLS.

Check out Harald Welte's presentation from Hacking At Random 2009 in case
you're wondering how an attacker might go about hacking SMS.








Other Threads

1. how to use resources from installed app

Hello,

Trying to make it so that the default list highlight, (the orange
highlight, in the contacts list, for example)  will be changeable, at
the app layer.  In the file frameworks/base/core/java/android/widget/
AbsListView.java I modified the function:

 private void useDefaultSelector() {...}

from:

        setSelector(getResources().getDrawable(
 
com.android.internal.R.drawable.list_selector_background));


to:

        Context myContext = null;
        try {
                myContext = getContext().createPackageContext
("com.mycompany.myapp", 0);
        }
        catch (Exception e){
                // deal with exception
        }
        Resources r = null;
        try {
                r = myContext.getResources();
        }
        catch(Exception e ){
                // deal with exception
        }

        Drawable dr = null;
        int resID = r.getIdentifier("list_selector_background",
"drawable", "com.mycompany.myapp");
        try {
                dr = r.getDrawable(resID);
        }
        catch( Exception e){
                // // deal with exception
        }
        setSelector(dr);


Of course, I will put the correct xml file and .png's in the resources
folder of my app.

Should this work?  If so, how do I integrate this change, is it "mmm
frameworks/base" followed "make snod"?

thanks



--~--~---------~--~----~------------~-------~--~----~
unsubscribe: android-porting+unsubscr...@googlegroups.com
website: 

2. New push email client

Ada client email baru, namanya push email client..jiahahahaha..lucu 
namanya...ga unik..

Cara kerja persis mirip seven..



--- Sent with SEVEN on Android - the new generation of mobile messaging

--~--~---------~--~----~------------~-------~--~----~
Google Groups "Indonesian Android Community [id-android]" group.

To post to this group, send email to id-android@googlegroups.com

To request to subscribe to this group, please visit the following page:
 

3. Announcing our ADC2 submission: Xeeku Twitter

4. Can a core class access resources at the app layer?

5. Can a core class access resources at the app layer?

6. cyanogen

7. Zipalign utility not available in android 1.5_r3