Question about Eve cell fone apps

Denslow Steampunk
Steam Industries
#1 - 2012-05-04 01:09:45 UTC
I was looking at the app store on my fone and found some EVE Online apps (Aura and Nvanova, to name some).

But are they safe to use?

I don't want to go downloading and using something that will: a) get my account hacked, b) get my account banned, or c) put a virus on my cell.




Thank you
Degren
The Scope
Gallente Federation
#2 - 2012-05-04 01:11:15 UTC
Been using Aura for a while now, no issues. Plus, it has such smashing lil widgets.

But then, I'm not really allowed to have my phone on me very often, so keep that in mind.

Hello, hello again.

Karl Hobb
Imperial Margarine
#3 - 2012-05-04 01:12:44 UTC
Confirming that Aura is p cool and I haven't lost my account yet.

A professional astro-bastard was not available so they sent me.

Renturu
In Glorium et Decorum
#4 - 2012-05-04 06:27:25 UTC
I'd say they are only as vulnerable as you allow your device to be... Just like anything else: banking apps, Fecal... er, I mean Facebook, etc.

Be wary though. Recently there is a new hack against Android using hacked websites:

Drive-By

By the orders of PlunderBunny: ☻/ /▌ / \ This is Bob, post him into your forum sig and help him conquer the forums.

Lexmana
#5 - 2012-05-04 07:11:07 UTC
EVEUniverse is awesome. Has everything you need and is as safe as they come - on App Store.
okst666
Federal Navy Academy
Gallente Federation
#6 - 2012-05-04 07:16:08 UTC
I use Aura on my tablet. Pretty cool and nice UI.

[X] < Nail here for new monitor

Mad Mobius
VICE.
#7 - 2012-05-04 16:24:38 UTC
+1 for Aura with neat widgets, fitter, and database. Also comes with notifications for mails, skill training completions, and less than 24 hour skill queues.
Vertisce Soritenshi
The Scope
Gallente Federation
#8 - 2012-05-04 16:27:38 UTC
http://www.youtube.com/watch?v=zvfD5rnkTws&ob=av2e

That video will explain everything that will happen if you download any EVE related app to your phone.

Bounties for all! https://forums.eveonline.com/default.aspx?g=posts&m=2279821#post2279821

Tau Cabalander
Retirement Retreat
Working Stiffs
#9 - 2012-05-04 17:05:01 UTC
Any EVE app can only do what the API key allows it to. If you are paranoid, don't use an API key with unlimited access.
Petrus Blackshell
Rifterlings
#10 - 2012-05-04 17:11:02 UTC
Aura is cool.

Use a limited API that only does what you let it.

It's called a "phone".

Accidentally The Whole Frigate - For-newbies blog (currently on pause)

Alec Stacer
Revenent Defence Corperation
Ishuk-Raata Enforcement Directive
#11 - 2012-05-04 17:15:55 UTC
Eve universe is the best, but it's only available for iPhone users.


Aura is the better program for Android users.
Meryl SinGarda
Belligerent Underpaid Tactical Team
#12 - 2012-05-04 17:34:47 UTC
Was fone easier for you to type, or is that how they screw it up in other countries?
Ravak Nyyriki
Doomheim
#13 - 2012-05-04 17:59:42 UTC
Aura is really good in my opinion. No issues at all with it.
Denslow Steampunk
Steam Industries
#14 - 2012-05-04 19:16:02 UTC
Thank you all for your views :)


Petrus Blackshell wrote:
It's called a "phone".

Thank you for the spell checking :)


Meryl SinGarda wrote:
Was fone easier for you to type, or is that how they screw it up in other countries?

It was easier to type, and it was easier to type cell instead of mobile :P
Miilla
Hulkageddon Orphanage
#15 - 2012-05-04 19:24:38 UTC  |  Edited by: Miilla
Disassemble the APK file using Android SDK tools, then you can know for sure what they are doing :)

You want to pull the APK using the Eclipse SDK plugin, then get a dex2jar, then have fun :) You will see all the heavy lifting code that was compiler generated and not what they wrote, but still is what the program is doing.

I did just this exact thing with the Facebook APK that is shipped by Android vendors and updates; this way you can see exactly what they are grabbing from your mobile.

You can always proxy it and watch every web request.

As for viri on your mobile, check out Avast mobile scanner. It is on the Google app market now. I use Avast on the desktop, it is decent for free. I haven't checked out the mobile version yet. I am developing on Android atm so it will drive it nuts :)

I could mash up an Android Eve app, might get back to that once the new Carbon REST API is out, and I have more time, but I am busy doing Bluetooth stuff.

Android has an "experimental" OAuth2 library included in the later API levels and Carbon REST is going to use OAuth 2, but the thing is, OAuth 2 is not finalised yet and subject to change. Don't know why CCP are not using OAuth until OAuth2 is final, or at least provide different ways to authenticate REST calls. Shouldn't be a problem over SSL as long as CA chain checking is not disabled, which unfortunately most apps on droid do because they don't understand certificate chains and keystores, so opens up droid to MITM attacks by just using any old self-signed certs lol.
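The post above points at two things: reading decompiled code for the critical network calls, and apps that disable CA chain checking. As an added example (not part of the post and not any app's own code), this Python sketch scans decompiled Java source for the usual signs that chain or hostname checking has been switched off. The `PATTERNS` table, the `scan` helper and both Java samples are constructed for illustration.

```python
import re

# Each label maps to a pattern for code that turns off chain or hostname checks.
# Decompiler output carries no comments, so none are stripped before matching.
PATTERNS = {
    "empty checkServerTrusted: any certificate chain is accepted": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}"),
    "HostnameVerifier.verify always returns true": re.compile(
        r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
        r"\s*\{\s*return\s+true\s*;\s*\}"),
    "ALLOW_ALL_HOSTNAME_VERIFIER: hostname check disabled": re.compile(
        r"\bALLOW_ALL_HOSTNAME_VERIFIER\b"),
}

def scan(java_source):
    """Return sorted (line_number, label) pairs for every weak-TLS pattern hit."""
    hits = []
    for label, pattern in PATTERNS.items():
        for m in pattern.finditer(java_source):
            hits.append((java_source.count("\n", 0, m.start()) + 1, label))
    return sorted(hits)

# Constructed sample: a trust-all manager of the kind the post describes.
WEAK = """\
class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
class Net {
    void open(SSLSocketFactory f) {
        f.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
}
"""

# Constructed sample: chain checking left on, trusting the platform CA store.
SAFE = """\
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
"""

if __name__ == "__main__":
    for line, label in scan(WEAK):
        print(f"line {line}: {label}")
    print("safe sample findings:", scan(SAFE))
```

A clean scan only means these three patterns are absent; a method body that logs and returns, or a verifier hidden behind obfuscated names, still needs reading by hand.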
Katrina Oniseki
Oniseki-Raata Internal Watch
Ishuk-Raata Enforcement Directive
#16 - 2012-05-04 19:39:25 UTC
Miilla wrote:
Disassemble the APK file using Android SDK tools, then you can know for sure what they are doing :)

You want to pull the APK using the Eclipse SDK plugin, then get a dex2jar, then have fun :) You will see all the heavy lifting code that was compiler generated and not what they wrote, but still is what the program is doing.

I did just this exact thing with the Facebook APK that is shipped by Android vendors and updates; this way you can see exactly what they are grabbing from your mobile.

You can always proxy it and watch every web request.

As for viri on your mobile, check out Avast mobile scanner. It is on the Google app market now. I use Avast on the desktop, it is decent for free. I haven't checked out the mobile version yet. I am developing on Android atm so it will drive it nuts :)

I could mash up an Android Eve app, might get back to that once the new Carbon REST API is out, and I have more time, but I am busy doing Bluetooth stuff.

Android has an "experimental" OAuth2 library included in the later API levels and Carbon REST is going to use OAuth 2, but the thing is, OAuth 2 is not finalised yet and subject to change. Don't know why CCP are not using OAuth until OAuth2 is final, or at least provide different ways to authenticate REST calls. Shouldn't be a problem over SSL as long as CA chain checking is not disabled, which unfortunately most apps on droid do because they don't understand certificate chains and keystores, so opens up droid to MITM attacks by just using any old self-signed certs lol.


This is me while reading that post.

Katrina Oniseki

Miilla
Hulkageddon Orphanage
#17 - 2012-05-04 19:43:18 UTC  |  Edited by: Miilla
http://developer.android.com/reference/android/Manifest.permission.html

List of permissions an Android app has to declare in order to use specific features.

Be wary of apps that grab more permissions than you think they should require; usually it's the developer either being 1) lazy and grabbing them all in a copy and paste land grab and/or 2) sneakiness à la Facebook.

For example, if a simple wallpaper app needs access to your SMS, call logs and SD card, then simply don't use it; in fact don't use stupid apps like that in the first place :)
Miilla
Hulkageddon Orphanage
#18 - 2012-05-04 20:03:20 UTC  |  Edited by: Miilla
If you want the code for Aura, I can decompile it for you and send you it. It is easy to do really.

It is also easy to read, all you have to concentrate on is the critical calls for using any storage and network client calls or content providers for calls and messaging etc. It could also be possible to cut down its permission set in the manifest file and also disable any nasty lines (or add your own lol) :) All Android apps have to be digitally signed even for side loading and debugging, but these are self-signed keys. When an app is installed, it cannot even run install code, all they can do is check for a first run existence of assets (db, files etc) then use default values if they are not present.



I don't think it's possible to hijack running apps by code injection in droid, I dunno, haven't tested, maybe using NDK? No idea, not tinkered with it that deep much.

Apple put the responsibility on developers for their apps on their app store but Google seem to be more open, hence all the sex wallpaper apps. Jobs even was critical openly about this issue, iPhone/Pad vs Android. Don't even bother with Windows Phone, they will redesign it again in 18 months lol and anyway, their APIs are crippled and that is also why there are no WP apps worth talking about.

As for rooting, well, you need the phone connected to your PC to do that, physical access, game over.

Best advice, never click "remember my password" options, in fact most likely you will forget them that way, and reset your phone regularly if you are that paranoid about somebody stealing the personal data.

The only way to share information on phone activities programmatically on droid is via Content Providers; it's an API interface (subclassed type of ContentProvider) that provides content (data). All local prefs are specific to the activity or application.

Every app runs in its own Dalvik VM (1.6 Java) in droid.

When installing or updating apps, always read the permissions required, and especially watch for overpermissioning and changes during update installations; the system does tell you, but most just click yes anyway cuz they want to run "My little ponies" app.
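The last two posts both come down to reading the permission list: over-permissioning at install time and new permissions slipped in by an update. As an added example (not code from the thread or from any of the apps discussed), this Python sketch compares the `<uses-permission>` entries of a manifest against what you expect the app to need and against the previous version. It assumes the manifest has already been decoded to text XML (inside the APK it is stored in compiled form); the package name, the `EXPECTED` set and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def requested_permissions(manifest_xml):
    """Return the set of names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.attrib[ANDROID_NS + "name"]
            for el in root.iter("uses-permission")
            if ANDROID_NS + "name" in el.attrib}

def audit(manifest_xml, expected, previous_xml=None):
    """Flag permissions outside `expected` and, given the previous version's
    manifest, the ones an update adds or drops."""
    requested = requested_permissions(manifest_xml)
    report = {"unexpected": sorted(requested - expected)}
    if previous_xml is not None:
        old = requested_permissions(previous_xml)
        report["added_in_update"] = sorted(requested - old)
        report["dropped_in_update"] = sorted(old - requested)
    return report

def _sample_manifest(*names):
    # Constructed input for a hypothetical app, not any real app's manifest.
    uses = "".join(
        '<uses-permission android:name="android.permission.%s"/>' % n for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.charmonitor">%s<application/></manifest>' % uses)

# What a skill-queue notifier plausibly needs (an assumption for this example).
EXPECTED = {"android.permission.INTERNET",
            "android.permission.ACCESS_NETWORK_STATE",
            "android.permission.RECEIVE_BOOT_COMPLETED"}

MANIFEST_V1 = _sample_manifest("INTERNET", "ACCESS_NETWORK_STATE", "RECEIVE_BOOT_COMPLETED")
MANIFEST_V2 = _sample_manifest("INTERNET", "ACCESS_NETWORK_STATE", "RECEIVE_BOOT_COMPLETED",
                               "READ_SMS", "READ_CONTACTS")

if __name__ == "__main__":
    print(audit(MANIFEST_V1, EXPECTED))
    print(audit(MANIFEST_V2, EXPECTED, previous_xml=MANIFEST_V1))
```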
Miilla
Hulkageddon Orphanage
#19 - 2012-05-04 20:26:32 UTC
PS: I am an Android developer :P (amongst other things) :)
Miilla
Hulkageddon Orphanage
#20 - 2012-05-04 20:29:03 UTC  |  Edited by: Miilla
Renturu wrote:
I'd say they are only as vulnerable as you allow your device to be... Just like anything else: banking apps, Fecal... er, I mean Facebook, etc.

Be wary though. Recently there is a new hack against Android using hacked websites:

Drive-By


So they click a link with an APK file, and Android does what it should, asks if you want to install it, and the dumb user says yeah, ignoring all the Security options saying "VIEW NETWORK STATE" and "START AT BOOT". Well yeah, hardly a hack, just preying on the ignorant. Nothing new nor technical here, more social attacking. AND they have to have SIDE LOADING ON, which company field systems would have because they install locally at the vendor and not in a "consumer" app store, or they just clicked it on stupidly. I am coding specifically this scenario where a closed system field data capture app used in the field will have side loading enabled. Then again I have to check whether this can be locked out once it is installed, but that would prevent remote updates.

Droid does have "ENTERPRISE POLICY" handling so they could prevent such attacks on enterprise enabled devices by enforcing a corporate device policy. That is the only real way to solve stupidity on the user's part without crippling the phone at the API level.

Basically preventing social attacks or attacks from ignorant people just clicking YES to everything makes a phone as useless as a Windows Phone 7, and you end up with next to zero apps available due to said crippled APIs.

So this isn't a droid problem, it is a user / enterprise policy problem (or lack thereof).

More info on 2.2+ policies

http://support.google.com/mobile/bin/answer.py?hl=en&answer=190930