Thursday 29 December 2011

seNotes blew up its text but won't save your notes as text files


My favorite app to put yellow sticky notes all over my homescreens is seNotes. It comes in sizes as small as a 1x1 widget, it's free, it has no ads, and it never goes online.

It briefly lost its 1x1 widget in an update though, but fortunately not for long. It came back in another update the day after.

A pleasant surprise: you can restore lost notes by long-tapping an empty note, and then hitting "paste from note."

A not so pleasant surprise: the updates increased the font size. This means that notes display less information. I guess bigger text is nice if you're old and your eyes are not what they used to be, but I like to squeeze as much information as possible in the limited space of my homescreens. seNotes would be a lot better if we could simply choose our own preferred font size from the options.

seNotes could also learn something from Papyrus Ex. This notes app saves your notes as plain text files on your memory card, so you can easily back 'em up, sync 'em with Dropbox or any other cloud storage service, share 'em with other phones and computers and tablets, and import new notes simply by dropping a text file on your phone. If seNotes would store its notes as plain text you could even store 'em in a shared folder with Papyrus so all your notes would be available as yellow stickies on your homescreens and organised in a notebook app.

You can send your seNotes to Papyrus with the share menu option, but automatically sharing them through a shared folder would be a lot more convenient. Maybe in a future update? If Papyrus would add an option along the lines of "send to seNotes" we'd have a winning team!

seNotes
Papyrus Ex



Tuesday 27 December 2011

K-9 Mail cleaned up in the background


K-9 Mail is the best free email client for Android. It has a million ways to tweak, customise, alter, change, modify... It does POP3, IMAP, MS Exchange, push email, and it gives you full control over which mail folders to sync and which folders to leave alone.

The canine has been updated twice in December to kill a bunch of fleas (bugs). One of the changes sits in the background. The old K-9 used to leave its background service on the street whenever you took it for a walk, but after a bit of training it now cleans up after itself. So if you prefer to check your mail manually instead of having it automatically shoved in your face, your phone's RAM gets a bunch of extra megabytes to play with.

Now if they would only clean up that ugly dogface of an app icon..

K-9 Mail (Android Market)
K-9 Mail (Google Code)



Thursday 22 December 2011

Bloat Freezer abuses Airpush ads to blackmail you


Bloat and junk

Your phone manufacturer or network operator may have filled your Android phone with bloatware and other junk, such as Myspace, Carrier IQ, a bunch of live wallpapers, etc.

It's tempting to delete all that junk from your phone, but this usually means that you can't update Android the normal way because the update program will complain about missing bits and pieces. And when you need to get something on your phone fixed under warranty you'll have to reinstall all the junk before unrooting.

Freeze it

But there's another way to deal with unwanted junk. Apps like Titanium and MyBackup can "freeze" Android apps. This way they stay on your phone, but they disappear from your app drawer and won't run. If you need to get your phone back to a state suitable to receive updates or repairs under warranty you can unfreeze the junk, unroot your phone, then reroot and refreeze when your phone is updated or repaired.

Unfortunately the freeze features of Titanium and MyBackup are only available in the paid versions.

Bloat Freezer by Trey Holland promises to freeze your apps for free. It sort of delivers: it doesn't cost you any money, but you pay a price anyway.

Obnoxious advertising and market abuse

Bloat Freezer is infected with the most obnoxious type of mobile advertising ever invented: Airpush. This advertising scam pollutes your Android notification bar with ads, even when you're not using the infected app.

Bloat Freezer has a history of malware-like behaviour. It used to sabotage AdFree and AdAway by infecting your Android hosts file to unblock blocked ad servers.
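One way to check for this kind of hosts file tampering, as an added example that is not part of the original post: compare a saved copy of the hosts file your ad blocker wrote with the current one and list every hostname that is no longer blocked. The file names and sample entries below are constructed for illustration.

```shell
#!/bin/sh
# Added example: report hostnames that a baseline hosts file blocks but the
# current hosts file no longer blocks (entry deleted, commented out, or
# re-pointed at a routable address).

# blocked_hosts FILE
# Print, sorted and one per line, every hostname that FILE maps to a sink
# address (127.0.0.1 or 0.0.0.0). Handles comments, CRLF line endings and
# several hostnames on one line.
blocked_hosts() {
    tr -d '\r' < "$1" | awk '
        { sub(/#.*/, "") }                         # strip comments
        $1 == "127.0.0.1" || $1 == "0.0.0.0" {
            for (i = 2; i <= NF; i++)
                if ($i != "localhost") print tolower($i)
        }' | LC_ALL=C sort -u
}

# unblocked_hosts BASELINE CURRENT
# Print hostnames that BASELINE blocks and CURRENT does not.
unblocked_hosts() {
    base=$(mktemp)
    cur=$(mktemp)
    blocked_hosts "$1" > "$base"
    blocked_hosts "$2" > "$cur"
    LC_ALL=C comm -23 "$base" "$cur"
    rm -f "$base" "$cur"
}

# demo: run the comparison on two constructed sample files.
demo() {
    dir=$(mktemp -d)
    # Constructed baseline: the file as the ad blocker wrote it.
    cat > "$dir/hosts.baseline" <<'EOF'
127.0.0.1 localhost
127.0.0.1 ads.example.com
127.0.0.1 push.example.net track.example.org
0.0.0.0 banner.example.com
EOF
    # Constructed current file: one entry deleted, one commented out,
    # one re-pointed at a routable (documentation-range) address.
    cat > "$dir/hosts.current" <<'EOF'
127.0.0.1 localhost
127.0.0.1 ads.example.com
#127.0.0.1 push.example.net
203.0.113.7 track.example.org
EOF
    unblocked_hosts "$dir/hosts.baseline" "$dir/hosts.current"
    rm -rf "$dir"
}

demo
```

Any hostname in the output was blocked when the baseline was saved and is reachable again now, which is the change to look for after installing or updating an app that has root access.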

There used to be an ad-free version of Bloat Freezer. People bought it and paid for it, but then it was pulled from the market. The people who paid Trey Holland for an ad-free app can't use it anymore and are stuck with the ad-infected version. They didn't get a refund.

But Trey has another trick up his sleeve. Now you can remove his Airpush ads for free, but you'll play along with a blackmail-like market rating scam. You're supposed to ask for an activation code by email, but you only get it if you leave a five star rating on the Android Market plus a positive review.

Usually apps with Airpush get lots of one star ratings and matching negative comments. By blackmailing you into giving five stars plus public praise Bloat Freezer abuses the most annoying advertising method to inflate its ratings and turn the market feedback system into a PR scam.

Stay away from Bloat Freezer and use one of the alternatives instead. If you really want to try Trey Holland's piece of blackmailware, ask for the Airpush removal code and then go back to the market to edit your feedback. Change your rating into a single star and use the comment box to tell everybody what you really think about this kind of Airpush abuse.

The Android Market has a link to report malicious apps. Use it! I'm sure that offering to remove ads in exchange for fake ratings violates the small print.

Update: Bloat Freezer has disappeared from the Android Market again. I guess Google doesn't like Trey Holland's business ethics either.

• Bloat Freezer (no link until Trey Holland cleans up his app)

Alternatives

App Quarantine (completely free, no ads whatsoever)
SystemCleanup (can kill and freeze unwanted apps)
NoBloat (backs up, removes, and restores apps)



Wednesday 21 December 2011

SoundTracking: identifies songs like Shazam and SoundHound do



What's playing?

Hear a strange song and want to know what's playing? There's Shazam, there's SoundHound, and there's SoundTracking.

All these apps do the same thing. They record about ten seconds of music, turn it into a digital fingerprint, and check for a match in their database.

Three is a crowd

Shazam and SoundHound have been around for ages, SoundTracking is the new kid on the block. It uses the Gracenote database to identify music, so SoundTracking taps into the largest database of the three.

Which of the three apps is the better one? That's hard to tell, because all of them sometimes fail to identify a track and then you'll want to use one of the others. All three have their problems. For example, Shazam started to misbehave after a recent update and it's not fixed yet.

Scratched record

SoundTracking has a couple of very annoying flaws.

You need to enter your Facebook, Twitter, or Foursquare account details to use SoundTracking, because its song identification is added as an afterthought. It first and foremost wants to publish the music you listen to on your social networks. You probably don't want to do that every time you play a song, but the "create a post" button is the biggest button on its startup screen. If you're not on Facebook, Twitter, or Foursquare, you have to make an account there anyway or else SoundTracking won't let you in.

To tag a song you have to tap a tiny little button in the corner of the screen, and then tap once more on the "Music ID" link. Open app, wait for it to log in, tap small button in the corner, then again on the Music ID button... by the time SoundTracking starts recording the song is probably over. The next version of the app should have a "tag now" button on the start screen that starts recording right away without waiting for anything. A "record now" widget would be a welcome feature too.

While SoundTracking is recording and matching you better not look at it, because it pollutes your phone with a really ugly and annoying screen of flickering bright squares. Whoever designed that must have a financial interest in a company that sells anti-epileptic drugs.

The settings have a problem remembering things. When you switch off all the email notification options, the entry that sends you mail when someone "follows" you gets reactivated all by itself. The push notification when someone "loves" your post refuses to stay unchecked too, but when you switch off everything in the push settings screen that's just a cosmetic error.

When you exit the app with the back or home button it keeps sending data in the background, but not as bad as the totally messed up Shazam version.

As for the quality of its song identification service, it usually works. Sometimes it can't figure out what's playing or it returns the wrong song, especially when the music gets more obscure. SoundTracking managed to get my Monobloco and Baaba Maal tracks right, but it didn't recognise Marabi by Mafikizolo. Strange bug: when you record silence SoundTracking sometimes spits out a random song.

SoundHound and Shazam don't always get it right either, but at least they make it a lot easier to tag what's playing without unnecessary clicks and waits. SoundTracking has potential, but its social networking options get in the way of music identification.

Erase your tracks

If you had enough of SoundTracking and you want to delete your account, you're in for a nasty surprise. You can't. Maybe they'll let you escape in the future, but they've been working on it for a year and you still can't delete your SoundTracking account.

But you can make SoundTracking forget about you by feeding them some fake data:

1) Make a temporary email address like randomgibberish@gmail.com and use it to make a temporary Twitter or Facebook account.

2) Go to your SoundTracking profile page and link SoundTracking to your temporary Facebook or Twitter account.

3) Unlink your normal Twitter/Facebook/whatever accounts from SoundTracking. Delete your name and other private data from your SoundTracking profile, and feed it your soon-to-be-abandoned temporary email address.

4) Deactivate or delete your temporary Twitter/Facebook account and kill your temporary email address, or just abandon your bogus accounts until they expire by themselves.

Now you're still caught in SoundTracking's web, but all info they'll have on you will be useless. For all practical purposes SoundTracking lost track of you.

SoundTracking

The competition:

Shazam
SoundHound



Tuesday 20 December 2011

Adobe Reader: the return of text reflow


Adobe made a stupid mistake when they removed text reflow from their Android PDF reader.

Text reflow is an essential feature for any PDF reader that has to display PDFs on small phone screens in a way that's fit for reading.

The good news is that Adobe is willing to learn from their mistakes. They updated their app again and put text reflow back in.

The bad news is that the resurrected text reflow option is well hidden. Tapping the menu button does nothing. To reflow your text you now have to tap near the top of the screen and hit the icon that looks like a page. The next version should put the reflow option back into the menu, because that's where you look first when you want to play with the settings.

Adobe Reader (Android Market)

The (very) old Adobe Reader version 10.0.2 still comes with text reflow in the menu:

Adobe Reader 10.0.2 at ftp://ftp.adobe.com/pub/adobe/reader/android/10.x/10.0.2/
Adobe Reader 10.0.2 for Android on Google



Monday 19 December 2011

Android Market: Just in went out


Did you keep your old Android Market for the "Just in" tab? Then you might as well unfreeze the market updater, because the Just in tab doesn't work anymore.

It's not completely gone, but the stream of fresh apps has dried up. Now when you tap "Just in" in your old market you get a selection of apps from the "top new paid" and "top new free" pages of the new market.

This makes it harder to discover new apps that still have to gain enough momentum to make it to the top lists. On the other hand, it makes it harder for spammers to trick the system with fake updates. Of course it would be way better if Google would find another way to fight market spam, but then they'd have to moderate the market to some extent and that costs time and money.

There are a few alternatives for the Just in tab. You could look at the new entries in forums like i-Pmart, Mobilism, and Noeman, or check Android app blogs like androidcentral and MobileCruze, but this only gets you a very small selection of new apps and it can be difficult to tell legit apps and warez apart.

The closest thing to the dead Just in tab is the Latest Android apps page on AppBrain, but it's not even close to the Just in tab of the old Android Market.

The new market versions are like an overcrowded shopping mall for music, games, junk, and bloat. And oh yeah, they also have an app store thrown in. Before you throw out your old market, make a backup. You may want to go back, because versions up to v2.3.6 are clean and uncluttered.

Old Android Market (v2.3.6) on xda
Latest Android apps page on AppBrain



Saturday 17 December 2011

Virus scanner avast finds, locks, and wipes your phone and gets better if you root your phone


Virus vaccine

The most popular free antivirus app for Android is Lookout, but for how long? Avast is done beta testing. The paint is not dry yet, but it already blows Lookout out of the water.

Whether you really need a virus scanner on your Android phone is open for debate. I'd say better safe than sorry, especially if you're one of those people who likes to try lots of new apps from all over the internet.

But what makes avast really worth installing are its other features. Where other security apps see rooting as the root of all evil, avast adds extra security options to rooted phones that can make the difference between keeping your phone safe or having your data stolen.

Firewall

If your phone is rooted (and if you read this blog you probably rooted your phone the day you took it out of the box) avast doubles as a firewall. It doesn't have the custom scripts and logging that DroidWall does, but it has something else. Just like DroidWall, avast can stop apps from going online through WiFi, mobile data, or both. But avast gives you an extra option: you can allow apps to use your data connection in your own country, but not when roaming abroad.

Find, lock, and wipe lost phones

And now for the number one reason to grab a copy of avast from the market: its lost phone options.

Avast can locate your phone, make it scream, SMS you its new phone number if someone changes the SIM card, lock it, wipe it (and your SD card too), block access to the settings, force the data connection to stay on so you don't lose track of your phone, and even make its anti-theft/lost phone features survive a hard reset.

The remote control options only work by SMS, but avast promised that they will add web-based control early 2012. Something to look out for, although I guess Lookout has a different view.
Update: web-based remote control has arrived.

Other security apps have remote control features too, but avast gives it all away for free.

avast! (Android Market)



Friday 16 December 2011

Tame Shazam to make it stop shaking and phoning home


How to find out what song's playing? SoundHound or Shazam? Two know more than one, so I keep both.

But when I updated Shazam it started to do strange things. The "vibrate on tag" option that I switched off insisted on reactivating all by itself. And instead of sitting quietly in the background after I was done Shazamming, it kept going online and ate over a megabyte of data every day even when I didn't use the app. A megabyte or two may not sound like a big deal, but just go abroad and you'll soon find that a useless megabyte per day on an expensive roaming connection adds up real quick.

It seemed that there was no way to stop it. Worse yet, Android insisted on auto-loading Shazam into memory even when I didn't touch the app. And then it went eating data in the background and defaulting back to shaking on tagging.

I was about to reinstall an ancient version of Shazam but then I found the fix by accident. When you update Shazam, make sure to tag at least one song (it can be silence, that doesn't matter). After a single tag, whether successful or not, your vibrate preference will stick and Shazam will no longer phone home behind your back.

Edit: The single tag method is only a temporary fix. After a while Shazam picks up its bad habits again.
Edit 2: Like v3.6.1, Shazam v3.8.1 doesn't leak data, but versions 3.8.2 and 3.9.0 do.

Shazam (Android Market)



Wednesday 14 December 2011

Skype remembers your password again, transfers files, movies, pictures, and still makes annoying noises


If you make VoIP calls through standard SIP servers you have plenty of Android apps to choose from, but for Skype you're stuck with the official client.

And that client sucks.

Noise, ads, death of tabs

There's no way to switch off the dialpad tones (loud annoying beeps), and if you're just connecting for a quiet text chat Skype insists on sounding its startup and shutdown sounds at deafening volume unless you downgrade to a very old version.

The old Skype lets you set your own call ringtone, the new Skype only plays the default Skype tone. Another benefit of vintage Skype is its tabbed interface, which is way better than the new layout that requires detours through the start screen.

One more reason to be old skool: the ancient versions are free of ads. The ads don't matter much yet because they only invade your phone if you're in the USA, UK, or Germany, but other countries will get them later. You won't see the ads if you have Skype credit or any other paid service active, so keeping a balance of a few pennies may be worth the trouble even if you only use Skype's free features. And there's no reason to pay for Skype, because there are plenty of SIP VoIP operators that offer better rates and better sound quality than the overpriced SkypeOut.

Minor improvements

If you keep the old tabbed version you won't get video calls. Not a big deal, because video calling gets old real quick unless you're hooked on cyber sex. Unfortunately you'll also miss out on the new features in the latest update: file transfers. Not just pictures and movies, but any file you want. Of course there's email, but sending pictures straight from a chat screen is a nice touch.

The old Skype remembered your password. Later versions forgot and made you retype your password every time you'd log in. But the latest edition remembers your password again.

Sometime during the series of updates the background service that persisted after closing the app went away too. If you go to the settings and disable the Skype status notification the background process called "MainService" won't even show up in your list of running services, but then your notification bar won't tell you if you're signed in or not.

Future?

After a bad start and slipping downhill Skype for Android took a small step up from downright horrible to simply mediocre. It's not enough to make me ditch the old ad-free tabbed version yet, but future versions might change that.

I wonder what's gonna happen first: Skype cleaning up their act or someone coding an alternative Skype client or a real Skype plugin for CSipSimple? Maybe Skype will return to Nimbuzz and fring someday? This would help fight the chat and VoIP fragmentation that's pushing us back to the dark ages.

Skype (Android Market)
skype.com
Skype 1.0.0.983 (Google) (last tabbed ad-free version)



Tuesday 13 December 2011

Alternative Grooveshark app shootout: Dood's Music Streamer versus TinyShark


Want to stream songs from Grooveshark to your phone or tablet for free? Without signing up for an account? With Android you can!

Dood's Music Streamer

Dood's Music Streamer pulls songs from Grooveshark. Its playlist and radio support, buffering, and widget are done pretty well. If you copy the buffered tracks from Dood's SD card folder you can even use it as an mp3 downloader, although it only grabs tracks at the 128 kbps bitrate set by Grooveshark. It can scrobble your tracks to last.fm too.

Unfortunately today's update to version 1.2.3 is a big step in the wrong direction. The shuffle and repeat buttons were set nicely apart until v1.2.2, but now they're way too close to the previous/play/pause/next buttons. The elapsed time and song duration moved to a new place on top of the album art instead of near the time bar where they should have stayed. You can switch back to the old layout in the settings menu, but on my phone switching to the old layout gives me white text on a light grey background so I'm stuck with the new interface.

The worst new "feature" is a very annoying and ugly ad banner that sits so close to the tabs that its maker must be hoping for accidental clicks on his ads when you're trying to switch from your playqueue to the search tab or "now playing" screen. Yep, I'm sure the Grooveshark audience really wants to click on bingo advertisements! AdAway doesn't block these ads, but maybe it will when the filter lists get updated?

Updates are meant to improve things, but the switch from version 1.2.2 to 1.2.3 does the opposite.

Update 1: Dood's latest edition removes the ads from the now playing screen, but they still pollute the rest of the app in a way that makes it much too easy to click by accident. It would be better if the ad banner would move to the bottom of the screen, away from the tabs.

Update 2: AdAway now blocks the ads in Dood's Music Streamer. The cat and mouse game goes on!


TinyShark

Dood's step back made me try TinyShark.

TinyShark is good for playing the tracks you searched for, but forget about Grooveshark radio stations. It won't scrobble to last.fm either. And it requires Adobe Flash, which is no big deal unless you're stuck on an old version of Android. Update: new versions of TinyShark scrobble too, and it doesn't require Flash anymore. There are gaps between tracks (TinyShark doesn't precache), and tapping a song in the search results doesn't do anything. You'll have to pick an option from the long-tap menu, because you can't set "add to queue" or "play now" as the default short-tap behaviour. Maybe in the next version?

TinyShark comes with a music downloader add-on which you'll have to download separately. On the bright side, this beats pulling cryptically numbered tracks out of Dood's cache folder.

The verdict: Dood's Music Streamer versus TinyShark

Dood's beats TinyShark at most things, except track downloading. If you don't use an ad blocker Dood's update is so annoying that it makes TinyShark an attractive option, but you're better off if you just keep your old (v1.2.2) copy of Dood's Music Streamer. You can grab the old version from the developer's website. Update: Grooveshark changed, old versions of Dood's no longer work.

TinyShark (Exigo Software)
Dood's Music Streamer (Android Market) No longer available in the Google Play Store
Dood's Music Streamer straight from its maker

Dood's Music Streamer (including v1.2.2 and other old versions) at the dev's site




Monday 12 December 2011

Flash updated, check your privacy and security settings again


iPhoners may believe that Flash is dead, but if you ever tried to book a table from a restaurant homepage or watch video on non-YouTube sites you know better. Without Flash you'll stay hungry and miss out on lots of content. Flash for mobile is slowly dying, but it's gonna stay a necessary evil for years to come.

Adobe released yet another update to squash bugs and patch security holes. Unfortunately you have to reapply privacy and security settings that you may have set before.

Since early October Flash adds an icon in your app drawer that takes you to its Flash player settings page. There are two things to play with: "Local Storage" lets you block Flash supercookies that are usually set by annoying advertisers to follow you around on the web. The "Peer-Assisted Networking" page lets you save mobile data by switching peer-assisted networking off.

If you disabled local storage and peer-assisted networking before you better hit the Flash settings again. When I updated Flash both features were automatically reset to allow all, so I had to tame Flash again.

Don't forget to fire up the settings manager in all your Flash-enabled browsers, because your Flash settings for the stock browser don't carry over to Dolphin or Skyfire, and vice versa.

A security update that undoes your security settings... don't do this again, Adobe. Next update I expect my settings to stay.

Flash (Android Market)

Adobe pulled Flash out of the Google Play Store (formerly the Android Market) and doesn't maintain Flash for Android anymore. If your Flashless phone stumbles upon a website that requires Flash (plenty of them still do) you can install and run an archived copy of Flash.



Friday 9 December 2011

DroidWall back up to speed


Plenty of apps ask for internet permission to phone home, download ads, or for no apparent reason at all. Android won't let you keep apps offline through its settings (it should have a built-in permissions manager!), but if your phone is rooted you can tell your apps who's boss.

DroidWall is an outgoing firewall that lets you deny internet permissions. You can tell apps not to use WiFi, to stay away from cellular data, or both. It comes with a blacklist, a whitelist, and a widget to quickly toggle the firewall on and off.

The previous update added app icons to the application list (which slowed down loading a lot), but stopped displaying the UIDs.

The latest update (to version 1.5.6) shows the UIDs again. It keeps showing app icons, but now it loads them in a background process so you can start editing online permissions before DroidWall is done grabbing the icons. This speeds things up to the pre-icon levels.

Keep in mind that DroidWall is not totally waterproof. When you boot your phone there's a brief period in which other apps may start before DroidWall does. If you don't want DroidWall to leak in the seconds after booting your phone, switch off WiFi and mobile data before you shut your phone down.

DroidWall (Google code)
DroidWall (Android Market)

Update: DroidWall out, AFWall+ in. It's better than DroidWall, and AFWall+ doesn't leak when you boot your phone.



Friday 2 December 2011

Web browser Dolphin HD now encrypts your backups, adds off switch to webzine toggle, ditches exit menu


Dolphin HD is a strange animal. It has the best features of any Android web browser: well designed tabs, a very useful bookmark sidebar, and its highly customisable gesture controls leave the competition gasping for air.

But this marine mammal has a fishy side. You need a rooted phone and a bit of Android hosts file editing to stop it from calling the mothership, and its backup feature may put info out in the open on your SD card that should be locked.

Encrypted backups, finally!

The latter problem is fixed in the latest update. The old versions didn't encrypt their backups, but the latest version does. I guess a bit of complaining on blogs like this helps ;) Head to the settings and set a password to make sure nobody can grab login cookies and other sensitive data from Dolphin's backup files on your memory card.

A bunch of off switches

More new stuff that puts you in control: get rid of the confirmation screen that pops up when you exit Dolphin with the back button, dump the annoying "rate me" nag screen, and disable the webzine toggle. If you choose to keep webzine on Dolphin will send the URLs you visit to its webzine server, but if you opt out your surfing habits should remain private. If not, I'm sure the folks at the xda forums will find out real soon.

Links in new tab dialog still flawed

Something that didn't change: when you open a link in a new tab and choose between switching to the new tab or opening it in the background, the "remember my decision" checkbox is still checked by default. This doesn't make any sense. If the box was unchecked, you'd only have to check it once. But because it's checked by default you have to uncheck it over and over again. Even worse: if you allow Dolphin to remember your choice by accident it's really hard to make it forget again. Restoring your settings from a backup (if you have one) or resetting to default settings is the only way out.

Dolphin Browser (Android Market)



Thursday 1 December 2011

Security app updates: Wifi Protector, DroidWall, Lookout


Wifi Protector

WiFiKill is a tool that turns Android phones into rogue access points. The first version could break internet connections of all devices connected to the same router. An update allows attackers to redirect their victims to any IP address of their choice. This makes it possible to spy on you, steal your passwords, and more. And there are other apps that do the same evil things.

Wifi Protector detects rogue access points, and if your phone is rooted it can protect you against their evilness. Like all security apps Wifi Protector is not 100% waterproof, but the latest update does a better job than the previous versions.

Wifi Protector costs a euro if you get it from the Android Market, but it's free if you download it from the xda forum. You can't use the Android Market to update the free version, so you'll need to get the new APK from xda and install it over the old copy.

more about Wifi Protector (android underground)
Wifi Protector (xda forum, free, download link at the bottom of the opening post)
Wifi Protector (gurkedev, not free)


DroidWall

Many Android apps demand full internet access to collect usage stats and other info, to show ads from banner farms that track your location and online behaviour, and to do other things that you may not want them to do.

DroidWall is an outgoing firewall for Android that lets you revoke the internet permission that you didn't want to hand out to begin with. You can tell apps not to use WiFi, to stay away from cellular data, or both. The latest version added a bit of eye candy (application icons in the app list) and lists new apps on top of the list so you don't have to scroll all over the place to keep your freshly installed apps offline. There's a price to pay, though. Although the changelog promises that the app list doesn't reload when it doesn't need to, I often have to wait a long time before my list of apps loads since the update. Maybe the app icons or moving new apps to the top slow things down more than expected?

Update: the latest version loads the icons in a background process, so you can edit your app list before the icons are done loading.

DroidWall has one major flaw: when you boot your phone blocked apps may start before DroidWall does, so there's a brief period in which DroidWall can be leaky. It's probably due to the way Android is set up, but it's annoying anyway.

DroidWall (Google code)
DroidWall (Android Market)

Update: DroidWall out, AFWall+ in. Unlike DroidWall, AFWall+ doesn't leak when you boot your phone.


Lookout

Whether Android antivirus apps are useful or useless is a topic of hot debate. Some people argue that bad apps are kicked out of the Android Market before the antivirus apps learn how to detect them. On the other hand, you can't exclude the possibility that an antivirus app updates its virus database before Google cleans up its shop. If you install apps from other sources an antivirus app will definitely add a much needed extra layer of protection.

Just keep in mind that no antivirus app catches everything. Lookout, the most popular free antivirus app for Android, is no exception. It's good at catching test viruses, but you never know how long a real virus manages to escape detection in the wild.

But even though you shouldn't rely too much on virus scanners, there are other reasons to get a copy of Lookout. The free version can back up your contacts, so you can keep an extra copy in addition to your Google backup. If your phone goes missing, Lookout can locate it and make it scream. The latest update fixes some bugs, but the makers of Lookout didn't say which bugs.

Lookout (Android Market)



Tuesday 29 November 2011

Catch and kill the Carrier IQ spyware


CIQ must die

Carrier IQ is a spyware company that deserves to be sued straight into bankruptcy, and its owners should go to jail. Their product is a piece of spyware that comes preinstalled on many Android phones, iPhones, Blackberries, and Nokias. It reads all sorts of private information (location, web surfing, text messages, keystrokes, emails) behind your back. It even logs data sent over https as plain text, which defeats the purpose of end-to-end encryption used by PayPal, banks, webmail, etc.

CIQ phones home to Carrier IQ, Inc., which hands the info to its customers. Your data eventually ends up at phone manufacturers and operators. It's meant to improve cellular service, but it can collect such a truckload of sensitive data that it would make Big Brother drool like a little baby. CIQ should be killed like any other virus. Its makers deserve a slow and painful death.

For a detailed but non-geeky description of CIQ check out The Rootkit Of All Evil: CIQ on the xda portal. For all the gory details in geekspeak dive into the full CIQ discussion on the xda forum.

Trevor Eckhart (TrevE on the xda forum) discovered and exposed CIQ's dirty business. Carrier IQ, Inc. obviously didn't like to have their crimes exposed. They even threatened to sue Trevor into silence, but after free speech organisation EFF got involved CIQ had to back off and shut up. That's a good start, but not enough. Carrier IQ should shut their mouths and shut down their business. Let's hope the legal system does the right thing and kills CIQ.

Many Android and other phones are sold with CIQ straight out of the box. There's usually no way to opt out from being spied on, and no way to get rid of this piece of junk unless you root your phone, alter the system files, and void your warranty.

If you bought your phone from an American wireless operator it's probably infected with CIQ. Infection rates in the rest of the world are lower. For example, the major operators in my country (The Netherlands) don't use CIQ. Europeans are still at risk, though. Vodafone Portugal is in bed with CIQ, which probably violates all kinds of European privacy laws. And it's not just network operators that shop at CIQ. Phone manufacturers like HTC and Samsung include CIQ or similar junk, so even if your phone is not carrier-branded you may still be spied upon.

How to catch the thief?

CIQ is a rootkit that hides itself from you. It won't show up in task managers, it doesn't have an icon in your app drawer, and you'll never know it's running unless your tech skills are well above average. On some phones it may show up as IQ Agent in the application settings, but it could also be running completely invisible unless you use third party tools to hunt it down.

The best way to catch the thief red-handed is with the Logging Test App from TrevE. This app catches CIQ and many other logging apps that may (or may not) be running on your phone.

You can also check for CIQ with Any Cut. If Any Cut offers to create shortcuts to IQRD and IQAgent your phone is infected.

Update: now that CIQ-gate made the mainstream media all kinds of new CIQ detecting apps appear on the market. Voodoo Carrier IQ detector is an open source app to catch CIQ. Although it's still a work in progress it is a lot more user friendly than the geeky app from TrevE. Another app to catch CIQ is Carrier IQ Detector from Lookout Labs, built by the company that makes Android's most popular free antivirus app. Virus killer Bitdefender made a CIQ detector too.

Kill the beast

You'll need root access to kill CIQ, and all ways to remove CIQ from your phone will void your warranty. Before you start, make sure to back up your system software just in case you need to get your hardware fixed.

Flashing a custom ROM like CyanogenMod will remove CIQ. Other custom ROMs are usually CIQ-free too. Keep a backup copy of your stock ROM in a safe place just in case.

The free version of the Logging Test App can detect CIQ for you, but it won't touch it. The Logging Test App can kill CIQ, but only if you upgrade to the paid version (one dollar). Warning: all phones are different, so the Logging Test App may not work on your phone or even brick it. Make sure you have a full system backup just in case the Logging Test App makes your phone unbootable.

You could try to sue your mobile operator or phone manufacturer to recoup the cost of the Logging Test App, but that would only work if you join a class action lawsuit. Of course you could buy the app from the Android Market, use it to get rid of CIQ, and then use the 15 minute window to get a refund. Or just keep the app, because removing CIQ is just one of its many useful features.

Removing CIQ by hand is possible, but very difficult. You can't just rename or delete the app files, because CIQ is integrated into your web browser, dialer, kernel, media player, SMS app, and other places. You'll need to extract all those bits and pieces, patch them, and flash them back into your phone. This keeps manual removal out of reach of everyone except a handful of experts who know how to edit source code. If you want to give it a shot anyway, start with this CIQ discussion on xda. It's very HTC-centered, but it should give you an idea where to look on other phones too.

Tame the beast

Although CIQ is very hard to remove, there's another way to stop it from phoning home. Just make sure it doesn't run. Your phone needs to be rooted to keep CIQ under control.

You can freeze its background processes with Titanium or MyBackup. The names of the processes depend on your phone; look for IQRD, System Manager (yes, really), IQAgent, or HTCIQAgent. Too bad that freezing apps only works with the paid versions of Titanium and MyBackup.

You can freeze CIQ for free with Bloat Freezer, but the business ethics of the maker of Bloat Freezer are as bad as those of CIQ.

Carrier IQ Process Killer kills CIQ when it tries to run. It won't restart until you reboot your phone, and then you can kill CIQ again. Anti Carrier IQ does the same.

find CIQ

Carrier IQ Detector (from Lookout Labs)
Bitdefender Carrier IQ Finder
Voodoo Carrier IQ detector

find and kill CIQ

Logging Test App by TrevE (finds CIQ for free, removes it for a dollar)
Android Security Test (Trevor Eckhart's Logging Test App site)
Carrier IQ Process Killer
Anti Carrier IQ
CIQ discussion on xda (warning: full of geekspeak and raw code)

more about CIQ

The Rootkit Of All Evil: CIQ (xda on CIQ in non-geekspeak)



Wednesday 23 November 2011

Kill WiFiKill with Wifi Protector


WiFiKill turns Android phones into rogue access points that can hijack your WiFi to break your internet, spy on you, steal passwords, and more. And there are other apps that do the same evil things.

But you can fight back! Wifi Protector looks for suspicious network behaviour and warns you when things smell fishy. If your phone is rooted, it can protect you against attacks in addition to warning you.

Wifi Protector doesn't always detect bad access points. It knows when a good access point turns bad, but it won't protect you if the network is already compromised when you connect to it for the first time. If a known network (or the network at your office or school) goes bad Wifi Protector will usually do the job, but when you walk into a coffeeshop with an unknown network already under attack Wifi Protector doesn't always see the danger.

Even though it's a bit leaky, Wifi Protector adds an extra layer of security which is better than nothing, and the latest update gives you a chance to detect an ongoing attack. Just keep in mind that it shouldn't be used as a substitute for your brain. The same goes for all security apps, because no safety net is completely without holes.
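The blind spot described above, as an added example (not Wifi Protector's code): the post does not say how the app detects an attack, so this example assumes a detector that remembers each network's gateway MAC address from the phone's ARP table (`/proc/net/arp` on Linux). Network names, addresses and snapshots are constructed.

```python
"""Trust-on-first-use gateway check over /proc/net/arp snapshots (added example)."""

HEADER = "IP address       HW type     Flags       HW address            Mask     Device"


def snapshot(rows):
    """Build /proc/net/arp-style text from (ip, flags, mac) rows (constructed data)."""
    lines = [HEADER]
    for ip, flags, mac in rows:
        lines.append(f"{ip:<16} 0x1         {flags:<11} {mac:<21} *        wlan0")
    return "\n".join(lines) + "\n"


def parse_arp(text):
    """Parse /proc/net/arp text into {ip: mac}, skipping unresolved entries."""
    table = {}
    for line in text.splitlines()[1:]:           # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if flags == "0x0" or mac == "00:00:00:00:00:00":
            continue                             # incomplete entry, no MAC learned yet
        table[ip] = mac
    return table


class GatewayWatch:
    """Remembers the first gateway MAC seen per network and flags later changes."""

    def __init__(self):
        self.baseline = {}                       # network name -> gateway MAC first seen

    def check(self, network, gateway_ip, arp_text):
        table = parse_arp(arp_text)
        mac = table.get(gateway_ip)
        if mac is None:
            return ["gateway not in ARP table"]
        alerts = []
        # Trust on first use: whatever MAC is seen first becomes the baseline,
        # so a network that is already hijacked on the first visit looks normal.
        known = self.baseline.setdefault(network, mac)
        if known != mac:
            alerts.append(f"gateway MAC changed from {known} to {mac}")
        # Needs no baseline: two IP addresses answering with the gateway's MAC.
        twins = sorted(ip for ip, m in table.items() if m == mac and ip != gateway_ip)
        if twins:
            alerts.append(f"gateway MAC {mac} is also used by {', '.join(twins)}")
        return alerts


# Constructed MAC addresses (locally administered range).
ROUTER = "02:00:00:aa:00:01"
ROGUE = "02:00:00:bb:00:66"

OFFICE_CLEAN = snapshot([("192.168.1.1", "0x2", ROUTER),
                         ("192.168.1.20", "0x2", "02:00:00:aa:00:20")])
OFFICE_HIJACKED = snapshot([("192.168.1.1", "0x2", ROGUE),
                            ("192.168.1.66", "0x2", ROGUE)])
CAFE_FIRST_VISIT = snapshot([("10.0.0.1", "0x2", ROGUE),
                             ("10.0.0.7", "0x0", "00:00:00:00:00:00")])
CAFE_ROGUE_VISIBLE = snapshot([("10.0.0.1", "0x2", ROGUE),
                               ("10.0.0.66", "0x2", ROGUE)])


def demo():
    """Run the known-network and unknown-network cases from the post."""
    watch = GatewayWatch()
    return {
        "office_clean": watch.check("office", "192.168.1.1", OFFICE_CLEAN),
        "office_hijacked": watch.check("office", "192.168.1.1", OFFICE_HIJACKED),
        "cafe_first_visit": watch.check("cafe", "10.0.0.1", CAFE_FIRST_VISIT),
        "cafe_rogue_visible": watch.check("cafe", "10.0.0.1", CAFE_ROGUE_VISIBLE),
    }


if __name__ == "__main__":
    for case, alerts in demo().items():
        print(case, alerts or "no alert")
```

The known office network raises an alert as soon as its gateway changes, while the first visit to the already hijacked coffeeshop network stays silent until a second address with the same MAC shows up in the table.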

Autostart is optional. If you move out of a suspect location into a safe place the background service keeps running. Wifi Protector eats a lot of memory (and causes a bit of network traffic), so if you want to save memory and battery you'll have to close it yourself. The off switch is hidden in the menu of the expert mode screen. It would be better if there was an off button in the main screen.

Wifi Protector costs a euro if you get it from the Android Market, but it's free if you download it from the xda forum.

Wifi Protector (xda forum, free, download link at the bottom of the opening post)
Wifi Protector (gurkedev, not free)

Other apps to protect your phone against the bad guys:
LBE Privacy Guard
DroidWall
AdAway



Monday 21 November 2011

CoboltFM: free last.fm on all Android phones everywhere



Update 1: CoboltFM and KLastFM are dead. Last.fm changed things for the worse and pulled the plug on free streaming for almost everyone. Believe it or not, most of the planet can't stream anymore even if they pay. Last.fm refugees can still stream custom radio stations from Grooveshark with Dood's Music Streamer.

Update 2: Liquid Bear still plays last.fm radio on Android.


Streaming tracks from last.fm is free if you're in Germany, the UK, or the USA. The rest of the world has to pay for it. If you're not in one of the three "free" countries, you can't stream last.fm on your phone, not even if you pay.

This is totally wrong! The internet was never meant to be crippled by borders and other geographical restrictions.

KLastFM solves the problem for Android by letting everyone stream last.fm radio. No matter where on the planet you are, you get the same free streaming radio stations that the Germans, English, and Americans get on their computers.

But KLastFM is not a very nice app. It has an ugly user interface, erratic scrobbling, and it comes with a very annoying ad banner that screams to be blocked by AdFree or AdAway.

Enter CoboltFM. It looks better, is more stable, doesn't have any ads, and the source code is freely available for everyone.

CoboltFM precaches tracks for seamless switching to the next song. It used to vibrate when loading or changing tracks, but after I complained about it in an Android Market comment the makers of Cobolt added an off switch to get rid of the shakes (thanx for that, Cobolt!). The icons are big, which is nice but makes it a little bit too easy to love, ban, or share a track by accident. CoboltFM would be better if the less frequently used buttons (love, ban, share) were a lot smaller than pause, stop, and next.

A nice touch is the "show profile page" button in the menu, which takes you straight to your last.fm profile in your default web browser.

If your launcher lets you change icons, you may want to replace the CoboltFM icon by something that looks like the last.fm logo. I use the last.fm icon from the GO Launcher EX theme RBW.

The verdict: CoboltFM is better than KLastFM, and if you're in one of the over 200 countries where last.fm won't stream to your phone, CoboltFM is infinitely better than the official last.fm app.

CoboltFM (Android Market)
CoboltFM (CoboltForge)

Want more?

KLastFM (last.fm), QueueTube (YouTube music clips), Dood's Music Streamer (GrooveShark)


Sunday 20 November 2011

File manager ES File Explorer adds more cloud: now talks with box.net too


ES File Explorer is an excellent app to manage the files on your SD card, and if your phone is rooted it lets you into your system files too.

It doesn't stop at your phone. ES File Explorer doubles as an FTP client (not as an FTP server, though), receives files over bluetooth, talks to Samba servers, and it connects to your Dropbox and SugarSync cloud storage as if they were standard FTP servers. The latest update got even more cloudy: now it does box.net too.

Something that didn't change: the plugins. The most useful are the app manager to back up your apk installers, and the bookmark manager to send shortcuts to your files to your home screens.

It still makes and breaks ZIP archives, and it unpacks RARs.

A great app indeed, but it has one bad habit: mystery network traffic when you enable root access. Does it collect usage statistics or what? If all of you ask about it in your Android Market comments or email to the developer (contact@estrongs.com) maybe we'll find out?

ES File Explorer (Android Market)
ES File Explorer (EStrongs)



Monday 14 November 2011

Dolphin Browser phones home again, here's how to stop it


When Dolphin Browser was caught sending your entire surfing history to its webzine server they got so much bad publicity that they had to clean up their act real quick. You'd expect that they learned something from that fiasco, but they didn't.

Dolphin HD version 7.1.0 was caught spying on the same day that it was released.

The new Dolphin sends your Android ID (a number that stays with your phone forever), a Dolphin client ID, your carrier and phone specifications to https://tracken.dolphin-browser.com.

Well, at least they use encryption. And the information isn't really that sensitive. Still, they frequently grab usage statistics and information about your phone without letting you opt out.

Of course you can opt out yourself. The obvious method is to remove Dolphin from your phone, but then you miss out on all its features which leave the competition in the dust. A better way to stop Dolphin from phoning home is to block the target hostname in your Android hosts file. This file is usually in /system/etc/hosts. You can edit it manually, or feed the offending domain names to the blocklist of AdAway. Either way, you'll need root access. The hostname to block is tracken.dolphin-browser.com.

To cut the line between Dolphin and its maker add these three lines to your hosts file or block the domains with AdAway:

127.0.0.1 tracken.dolphin-browser.com
127.0.0.1 en.mywebzines.com
127.0.0.1 pnsen.dolphin-browser.com

The first line stops usage stats collection. The second line cuts off URL collection by the webzines server (Dolphin stopped sending it, but you never know if it comes back). The third line prevents the popup that begs you to rate Dolphin in the Android Market.
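An added example, not from the original post: hosts files match hostnames exactly, so an entry for dolphin-browser.com would not cover tracken.dolphin-browser.com, and a commented-out line blocks nothing. The Python below audits hosts-file text for the three hostnames above and appends only the missing ones; the function names and the sample file are this example's own, and treating the first line that names a host as the effective one is a simplifying assumption.

```python
"""Audit and patch hosts-file text for the three Dolphin hostnames (added example)."""

SINKHOLE = "127.0.0.1"
LOCAL_ADDRESSES = ("127.0.0.1", "0.0.0.0", "::1")

# Hostnames taken from the post.
DOLPHIN_HOSTS = [
    "tracken.dolphin-browser.com",   # usage statistics
    "en.mywebzines.com",             # webzine URL lookups
    "pnsen.dolphin-browser.com",     # "rate me" popup
]


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text.

    Assumption of this example: the first line naming a host is the effective one.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # an address with no names
        address, names = fields[0], fields[1:]
        for name in names:                      # one line may carry several names
            table.setdefault(name.lower(), address)
    return table


def audit(text, wanted=DOLPHIN_HOSTS):
    """Classify each wanted hostname as 'blocked', 'missing' or 'overridden'."""
    table = parse_hosts(text)
    report = {}
    for name in wanted:
        address = table.get(name.lower())
        if address is None:
            report[name] = "missing"
        elif address in LOCAL_ADDRESSES:
            report[name] = "blocked"
        else:
            report[name] = "overridden"         # an existing line points it elsewhere
    return report


def patch(text, wanted=DOLPHIN_HOSTS):
    """Append sinkhole lines for missing hostnames only; safe to run repeatedly."""
    status = audit(text, wanted)
    missing = [name for name in wanted if status[name] == "missing"]
    if not missing:
        return text
    if text and not text.endswith("\n"):
        text += "\n"    # without this the new entry would fuse with the last line
    return text + "".join(f"{SINKHOLE} {name}\n" for name in missing)


# Constructed sample: a parent-domain entry, a commented-out entry,
# and a last line without a trailing newline.
SAMPLE = (
    "127.0.0.1 localhost\n"
    "# 127.0.0.1 en.mywebzines.com\n"
    "127.0.0.1 dolphin-browser.com\n"
    "127.0.0.1 pnsen.dolphin-browser.com"
)

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(patch(SAMPLE))
```

Entries reported as "overridden" are left untouched so you can inspect the existing line before changing it.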

Phoning home is not the only new feature of version 7.1.0. The update allows importing bookmarks from Dolphin Mini, deleting bookmarks from the side bar, picking a different search engine if you don't like Google (you can choose Bing and Yahoo too), and some bug fixes under the hood. Too bad for Dolphin that its data grabbing will get much more attention than the bookmark and search improvements.

Dolphin still doesn't encrypt its backups, so if someone steals your phone they can pull all sorts of private info from your SD card, even if your phone is locked.

Update: Dolphin finally encrypts your backups!

Gesture commands, tabs, plugins, bookmarks sidebar etcetera make Dolphin an excellent mobile web browser, but the way it handles security and privacy is unacceptable. It shares its bad habits with plenty of other Android apps, so root your phone and protect it with electronic condoms like AdAway, DroidWall, and LBE Privacy Guard. Android and its apps need a permanent reminder that it's your phone and your data.

Dolphin Browser HD



Sunday 13 November 2011

CSipSimple adds plugins for Skype and other VoIP services


Open source VoIP app CSipSimple is not affiliated with any VoIP provider, so it doesn't favor one over the other like Nimbuzz and fring do. Because it doesn't route your calls through its own servers it sounds a lot better than the competition. It integrates with your native dialer app unless you tell it not to, in which case it stays out. Other features include switching off your ringer when you're on a VoIP call to keep incoming calls from blowing up your ears, a clean uncluttered user interface, and support for multiple simultaneous calls.

The latest update adds a new low bandwidth codec for when you're on a slow 3G (or worse) connection. Combined with a new echo killer your calls will be friendly for your ears even if your internet is as slow as the government.

But the real big change in CSipSimple is a new set of plugins. There's a plugin for Betamax. Nope, that's not the old and extinct VCR format, but a collection of SIP providers like VoipCheap, 12voip, and dozens more. Of course you could already use all those SIP services with CSipSimple, but with the new plugins you can now also use their local access numbers and callback service. This can be useful if your mobile carrier doesn't allow you to use classic VoIP over their data network or if you're about to hit your data limit.

The other plugin is for Skype. This first version just launches the Skype client if you pick a Skype contact from CSipSimple, so you need to have the official Skype app installed on your phone. Maybe one day CSipSimple will add the Skype support that Nimbuzz and fring had to drop?

CSipSimple (Google code)
CSipSimple (Android Market)
CSipSimple Skype plugin (Android Market) Update: the Skype plugin has been removed from the Android Market.
CSipSimple Betamax plugin (Android Market)



Monday 7 November 2011

Mess up your pictures with Mosaic Wallpaper



Have a picture that's too ugly to use as a wallpaper on your phone, but you want to use it anyway? Then Mosaic Wallpaper is for you.

Mosaic Wallpaper has plenty of image effects to alter your pictures beyond recognition. Circles, stripes, spirals, or just cut it up in little tiles like Antoni Gaudí used to do. You can use the results as a background for your phone, or for anything else.

The image from the screenshot comes from Vladstudio, a great site to grab backgrounds for your homescreens and desktops. I wonder if Vlad would recognise the picture without sneaking a peek at the original image first.

Mosaic Wallpaper (Android Market)
Vladstudio



Saturday 5 November 2011

Even more evil: WiFiKill lets you kidnap your victims to your IP address


How to be an obnoxious little brat?

WiFiKill turns your phone into a rogue WiFi access point. It drops the packets of every computer, phone, tablet or other device that you choose to block, so if you want to keep your boss, kids, neighbours, or everyone else around you offline then WiFiKill is your weapon. You can kill all wireless networks that you can connect to, no matter if they're encrypted or not.

More evil

The latest update lets you be even more evil. You can still make your victims think the network is broken, but now you can also redirect unsuspecting surfers to any IP address you like. Virus servers, spam sites, fake login screens, or just an innocent "pwn3d! ur internets are belong to us" page, anything goes. If you want to be an annoying teenage douchebag nothing can stop you, no matter how old you are.

Well, something can stop you. WiFiKill doesn't spoof your MAC address (not yet, but who knows what the next update will bring?) so you may get caught, kicked from the network, lose your job, or get shot at dawn. If you have a brain, switch it on before you switch on WiFiKill. If you don't have a brain then go buy an iPhone.

Another new feature: WiFiKill checks for updates on launch. You can't switch it off, but if you're really paranoid (and you should be!) you can block the update URL in your Android hosts file. You can either edit your hosts file with a text editor, or just use the blacklist option of AdAway. Even easier: block WiFiKill with DroidWall. This disables the update check, but you can still use the app to kill the internet of those around you.

Bad advice

Redirecting traffic to your IP needs a bit of digging in the dirt. Fire up the settings screen, scroll down to the killing rules, switch "use iptables" on, choose the "drop + redirect" method, and then set the IP address to which you want to redirect your friends (soon to be your enemies).

WiFiKill loads a long list of hardware vendors so you can see who made the devices connected to the network. This is real slow, so disable the vendor list if you don't want to wait. You'll only see MAC addresses, not device types, so switch the vendor list back on if you want to kick all iPhones offline without touching the Androids. And keep in mind that WiFiKill also kills your battery because it turns your phone into a bad router. Your phone and your battery will get hammered by every device that connects to you.

You need a rooted phone to play evil games with WiFiKill. Needless to say, Google booted the app off its market real quick so you have to download the APK from somewhere else. The free version has ads, but it's easy to kill them.

• There are different versions of WiFiKill. To find out which version suits you check out this new story on the new (and old) WiFiKill.



Wednesday 2 November 2011

LBE Privacy Guard adds data management and DroidWall functions



Too permissive

A major design flaw in Android is the way it handles permissions for apps. When you install an app it asks for permissions to go online, read your private data, get your location, and lots of other scary stuff.

The problem is that your choice is limited to all or nothing. You can either grant an app each and every permission it asks for, or you can choose not to install the app at all. There's nothing in between, and for preinstalled apps you don't get any choice at all. Give 'em a finger and they take the whole hand.

That's why there are apps to fill the gap. None of the permissions managers, firewalls and ad blockers works without root access, so there's yet another good reason to root your phone.

Just say no

Permissions Denied is an app to revoke permissions. Recent versions of CyanogenMod 7 have a built-in permissions manager. Unfortunately those apps really deny permissions, which crashes apps that don't know how to behave when they hear the word "no."

LBE Privacy Guard thinks different. It doesn't deny permissions outright, it simply makes apps believe they still have the permissions that you took away from them. For example, when an app wants to read your contacts list against your will, LBE Privacy Guard feeds the app an empty list. It uses the same trick to protect your messages, location, phone number, IMEI, email, phone bill, etc.

Totally new

The latest update of LBE Privacy Guard is so new that you can't update the old version. Version 2 gets installed as a new app that won't coexist with LBE 1, and your old settings won't carry over either. Upgrading means that your old copy gets bumped off your phone and you'll have to reapply all your granted and denied permissions.

But upgrading is worth it. The new LBE is faster, eats less battery and memory, has a cleaner interface, and comes with new features. Good news for CyanogenMod users: LBE now works on CM7 too.

The main new feature in LBE Privacy Guard is a DroidWall-like firewall which can keep apps away from WiFi, mobile data, or both. It doesn't have the custom rules and blacklist/whitelist options of DroidWall itself, so you may want to keep DroidWall together with LBE.

LBE 2 can also monitor your data usage, and warn you when you're about to go over a preset limit. That might be useful for some, but there are better data managers out there.

Totally old

Some things didn't change. For most permissions you get three choices: permit, deny, or ask me every time. The exception to the rule is the Phone ID permission (to keep your IMEI, IMSI, and phone number away from spammers). Phone ID permission can be either on or off, but the "ask me" option is missing. Its default setting is "allow."

LBE Privacy Guard won't let you protect its settings with a password, but there are apps out there that can lock down other apps if you need to put a lock on LBE.

Of course LBE Privacy Guard asks for a lot of permissions itself. It needs most of them to do its job, but it doesn't need internet permission. You can take LBE out of your list of trusted apps and tell it not to go online, or blacklist it in DroidWall. So far I didn't detect any unsolicited internet access, but for apps with root access you never know. What would happen on a level playing field where one app with root access (LBE) is kept offline by another app with root access (DroidWall)?

LBE Privacy Guard (Android Market)

Other apps to keep your phone safe:

Permissions Denied
DroidWall
AdAway (better than AdFree)
Wi-Fi Ruler
Flash privacy settings



Tuesday 1 November 2011

FileSlick: Android file manager with an eye on looks


There are a couple of good file managers for Android, and a few bad ones too. ES File Explorer is a good file manager, X-plore is pretty good but has a horrible user interface.

Looks and roots

FileSlick is a new file manager which cares a lot about its looks. The first entry in its settings screen is a theme browser, which should give you an idea of its vanity. You can give it a makeover with those themes, and you should because the default theme (text on an image of stones) is a bit of a distraction when you're out to play with your files and folders.

The last entry on the settings screen lets you disable FileSlick's ads without paying. A nice touch, but if you run an app like AdAway or AdFree it doesn't really matter. When you switch off the ads FileSlick pops up a screen asking for a donation (and again every time you open the settings screen). Whether you put some coins in the tip jar or not is up to you.

Speaking of tip jars: there used to be a time when playing with your system files and folders required paying for Root Explorer. Those days are long gone, because now there are plenty of free file managers with root access. FileSlick is no exception. Tap "root access" in the "Places" menu and you go straight into the guts of your phone. Unfortunately the method to mount files and folders to do something with them is quite counterintuitive, and it doesn't always work. When I tried to rename the files in system/media/audio FileSlick claimed success in a but didn't do anything. You'd expect better from the maker of z4root.

Files and swipes

FileSlick couldn't find any apps to play my mp3s and movies, even though my phone has media players aplenty. As for other file formats, it couldn't find an app to open PDFs (even though I've got Adobe Reader and OfficeSuite Pro on my phone). DOC and XLS worked, PPT did not. Finding out which app can open what format is a hit and miss affair.

FileSlick is not all about looks. Feel counts too, with an emphasis on swiping. Tapping files and folders selects them, opening them requires a swipe, long-tapping doesn't do anything. You'll probably find yourself tapping files and folders and then find them highlighted instead of opened, at least until you get used to the FileSlick way. There's no way to customise the behaviour of taps, long-taps and swipes. I would set swipe to select, tap to open, long-tap to launch the actions menu. You would probably choose something different, so a bit more choice in the settings would be welcome. Maybe in a next version?

In addition to managing files on your phone, FileSlick talks to FTP servers and Samba shares. It also lets you share files over bluetooth, but receiving them is another story. FileSlick is not as full featured as ES File Explorer or FileExpert, but it looks a lot better. Looks are not everything, though. Especially when it's your job to manage files. For all practical purposes FileSlick is still a beta test version with rough edges, but with some extra features and more ways to customise the behaviour of the app it might mature into something useful.

FileSlick (Android Market)
FileSlick (xda forum)

The competition:
ES File Explorer
X-plore
File Expert (Android Market)



Sunday 30 October 2011

Yet another Dolphin Browser security issue: think twice before backing up


Update: Dolphin finally encrypts your backups!

Dolphin Browser HD may be the Android browser with the most features of the pack, but it doesn't always behave well.

It used to send your entire surfing history to its webzine server. That got fixed in an update after the entire web screamed murder about it.

But there's another problem that remains unfixed, and this problem can cause a lot of trouble if exploited.

Dolphin has a backup feature that lets you back up all its browser settings, bookmarks, cookies, etcetera to your SD card. If you tell Dolphin to remember your logins and passwords they'll be included in the backup too.

It's your own choice to make backups or not, so what's the problem? The problem is that nobody expects their backups to be in a format that can easily be abused by anyone with access to the backup file. You'd expect the backup to be in a secure format, but unfortunately it's not. The backup is not encrypted, so anyone with access to your SD card can look into the backup file (sdcard/TunnyBrowser/backup/databases/webview.db) and read your stored passwords and login cookies.

Even if you sit on top of your phone 24/7 that doesn't mean your backup is safe. Any app with permission to read your memory card and go online (that means just about every app on the Android Market) could send the unencrypted backup file out and steal your passwords and login cookies. It only takes one evil programmer to release a bad app on the market to send your Dolphin backups out. Maybe those bad apps are already out there.

Any app that stores data on your memory card should consider the SD card of your phone an unsafe location that should only store sensitive data under lock and key. That's why backup app Titanium lets you encrypt its backups. The other big backup app out there does not. MyBackup should add encryption as soon as possible.

With all the recent fuss about Dolphin you might think this web browser is a malicious app. It's probably not. The security issues are more likely a result of incompetence rather than evil intent. Of course that won't make any difference to you if your passwords get stolen, so if you keep surfing with Dolphin make sure you take your own measures to close the security holes.

My advice: do NOT use Dolphins built-in backup feature unless you've cleared your saved passwords and login cookies. If you want a backup with your login data included, just make an encrypted backup with Titanium.
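
One way to check whether a backup file still holds readable login data before you leave it on the SD card (an added example, not part of the original post or of Dolphin). It reports table names, column names and row counts only; the table layout written by make_sample is constructed for the demo and is an assumption, not Dolphin's documented schema.

```python
import sqlite3
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # header of an unencrypted SQLite file
HINTS = ("password", "passwd", "cookie", "username", "token")


def is_plain_sqlite(path):
    """True when the file starts with the plaintext SQLite header."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def audit_backup(path):
    """Map table -> (suspicious names, row count) for a readable backup.

    Reports names and counts only; stored values are never selected.
    """
    if not is_plain_sqlite(path):
        return {}                        # encrypted, or not SQLite at all
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    findings = {}
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            names = [table] + [r[1] for r in
                               con.execute(f"PRAGMA table_info({quoted})")]
            hits = sorted({n for n in names
                           if any(h in n.lower() for h in HINTS)})
            rows = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            if hits and rows:
                findings[table] = (hits, rows)
    finally:
        con.close()
    return findings


def make_sample(path):
    """Write a constructed stand-in for a backup; layout is an assumption."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE password (host TEXT, username TEXT, password TEXT);
        CREATE TABLE cookies (domain TEXT, name TEXT, value TEXT);
        CREATE TABLE formurl (url TEXT);
        INSERT INTO password VALUES ('https://example.test', 'alice', 'x');
        INSERT INTO cookies VALUES ('example.test', 'session', 'y');
        INSERT INTO cookies VALUES ('example.test', 'prefs', 'z');
    """)
    con.commit()
    con.close()
```

An empty result after you have cleared saved passwords and cookies, or for a file that no longer starts with the plain SQLite header, is what you want to see before keeping the backup around.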

Update: Dolphin finally encrypts your backups!



Saturday 29 October 2011

Dolphin Browser clean after a bath and a shower


Dolphin HD is the most feature-rich (tabs, gesture commands, bookmarks sidebar, and much more) web browser in the seas of Android, but the marine mammal was smelling like rotten fish lately.

Flipper was still unclean after a bath, but a post-tub shower washed away the dirt.

What gives? Three days ago Fnorder found out that Dolphin HD was sending all your surfing history, including searches and URLs with private information, back home to en.mywebzines.com, a server owned by Dolphin. He shared the info with the world through the xda forum, and then the waves got rough.

The reason? Since version 6 Dolphin ships with a "webzine" feature that lets you display sites in a kind of Google Reader style. To ease toggling between normal and webzine view Dolphin compares the page loaded on your phone with a list of webzine-enabled sites. It does so by sending the URL to its own server to look for a match.

Doesn't sound like a big deal, except that 1) Dolphin never told us about it until we found out ourselves, 2) some URLs can contain sensitive data, especially if they point to a private network or if they're of the http://site.com/?private.stuff type, and 3) the data is sent unencrypted, even for https sites (which opens the doors to hijacking and mutiny).

And then Dolphin released version 7.0.1 of their app and told us that the URL snooping was gone.

But...

Hi Android Underground. It has come to our attention that the hot fix update we pushed out last night on Android Market (7.0.1) did not fix the issue, thank you for noting this!

It has now been resolved and is live on the Android Market as Dolphin Browser HD v7.0.2. Again, user privacy is a huge priority for us and we thank you for your patience while this has been resolved.
Alex Molloy on the Dolphin blog

First things first. The first one to notice (and share) that the first update still fished for your URLs is xda member Keiji, and Fnorder was the first to confirm that v7.0.1 remained fishy. So Alex Molloy's words of thanks belong to them.

The good news is that the latest update to version 7.0.2 really fixes the issue. Dolphin screwed up in their first attempt, but v7.0.2 is clean and shiny and doesn't send your browsing data home.

So if you haven't already done so, head for the fish market and update your copy of Dolphin HD to keep your surfing safe.

Dolphin, take note: Wireshark is watching you, no matter how deep you dive.

Dolphin Browser HD
Dolphin caught in the nets of xda



Friday 28 October 2011

Dolphin Browser washed, still dirty


Update: Dolphin clean after bath and shower

Android's most popular browser Dolphin HD got caught in the nets of those who fish in the deep waters of their phones. The update to version 7.0.0 added a Cloud To Device Messaging background service that kept swimming, even for those who have no use for it.

Today's update to version 7.0.1 fixes that. The C2DM service stays underwater if you don't sign up for Dolphin's bookmark sync service.

But Dolphin has more dirt under its tail fin. It's fishing for your data! Dolphin HD 7.0.0 sends all visited URLs back home to Dolphin without asking for permission or even telling that it did so and why it did so. It's been doing so since version 6, when the webzine feature was added to the browser.

Dolphin responded on their site:
"Webzine simply performs an ancillary check if we can view current webpage in Webzine format. It is not critical and we have temporary removed this functionality in our latest update yesterday.

[...]

While it has been immediately disabled, we do think that the “Toggle Webzine” feature is a useful one for exploring the Web and will be adding an “opt-in” feature in forthcoming releases to enable this function. The code and URL-checking process will be made very clear to users, and will only be enabled if a user wishes.
Again, our update last night have temporary removed this functionality to avoid any confusion or concern you may have."
(source: Dolphin blog)

Sounds good, right? Wrong! When the folks at xda tested the update (version 7.0.1) it still shipped all your surfing habits to the mothership. Dolphin promised to play fair but lied about it! So if you told your Android hosts file to block all communication with en.mywebzines.com you'd better keep blocking it. If Dolphin doesn't swim back to clear waters it may be time to fish for another web browser.

Take home message: if you make a popular app, anything your software does will be closely watched and made public. Apps that don't behave are fed to the sharks.

If you want to keep using Dolphin without sharing your browsing history, add these lines to your Android hosts file:

127.0.0.1 en.mywebzines.com
127.0.0.1 pnsen.dolphin-browser.com

The first line stops the URL phone home behaviour, the second line blocks the annoying "rate me on the market" popups.

You can add the entries to your hosts file (usually in /system/etc/hosts) with a text editor, but it's a lot easier to enter them in the blacklist of AdAway. No matter which method you use, you'll need root access for it.

The pros and cons of Dolphin
Dolphin caught in the nets of xda
AdAway

Update: Dolphin clean after bath and shower



Wednesday 26 October 2011

Dolphin Browser: spyware?


Update: Dolphin clean after bath and shower

Dolphin is probably the most popular web browser for Android. There's a good reason for that, because it has a couple of killer features: unlimited tabs, gesture controls, and much more.

The bad news: version 7.0.0 adds a cloud to device messaging service (Dolphin Connect) without an off switch. The next version better come with a toggle in the settings menu for those who don't want Dolphin Connect listening online when there's no need for it.

The really really really bad news: a couple of updates ago Dolphin added a feature called "Webzines," and it seems that this addition turned Dolphin into spyware.

According to Fnorder on the xda forum the new Dolphin sends the address of every site you visit, every link you tap, and every search query you enter to http://en.mywebzines.com. The domain mywebzines.com is probably owned by Dolphin itself.

Maybe your surfing trips are sent out to target advertising, maybe it's just an innocent way to collect anonymous browsing statistics. Either way, having all your URLs collected can be a real security issue because many sites generate URLs of the www.domain.com/?personal.data type. And let's not even think about URLs for pages on your internal network, or URLs along the lines of [password]:[username].site.com.

If you want to stop Dolphin from sending your browsing history to mywebzines.com, open your Android hosts file (usually in /system/etc/hosts) and add this line to it:

127.0.0.1 en.mywebzines.com mywebzines.com

If you don't want to edit your hosts file by hand, you can blacklist the domain en.mywebzines.com with AdAway.

Editing your hosts file or using AdAway requires root access, but if you know what's good for you and your phone you'll have rooted it anyway.
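
The hosts-file entries from this post and from the 28 October post, as a check you can run on a copy of the file to see which of the lines are still missing. This is an added example, not code from the blog or from AdAway; the function names, the sample file and the set of sink addresses are assumptions.

```python
# Addresses commonly used to sink a blocked name (assumption of this example).
SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Hostnames the posts say to block. Hosts entries match exact names only,
# so en.mywebzines.com and mywebzines.com each need their own entry.
REQUIRED = ("en.mywebzines.com", "mywebzines.com", "pnsen.dolphin-browser.com")


def blocked_names(hosts_text):
    """Return the hostnames that the hosts file maps to a sink address."""
    blocked = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments, tokenize
        if len(fields) >= 2 and fields[0] in SINKS:
            blocked.update(name.lower() for name in fields[1:])
    return blocked


def missing_entries(hosts_text, required=REQUIRED):
    """Return the hosts lines still to be added, in the order of `required`."""
    have = blocked_names(hosts_text)
    return [f"127.0.0.1 {name}" for name in required if name not in have]


def patched(hosts_text, required=REQUIRED):
    """Return hosts_text with the missing lines appended; safe to re-run."""
    extra = missing_entries(hosts_text, required)
    if not extra:
        return hosts_text
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + "\n".join(extra) + "\n"


# Constructed sample: one entry present, one commented out, one absent.
SAMPLE = (
    "127.0.0.1 localhost\n"
    "127.0.0.1 en.mywebzines.com   # Dolphin URL check\n"
    "# 127.0.0.1 pnsen.dolphin-browser.com\n"
)

if __name__ == "__main__":
    print(missing_entries(SAMPLE))
    print(patched(SAMPLE), end="")
```

A commented-out line does not count as a block, and a line that lists several names after the address (like the one above) covers each of them.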

You can also patch the Dolphin app itself so it doesn't send your surfing secrets out. Fnorder posted instructions on taming Dolphin by killing the offending code with APKTool.

Keeping your browsing data away from mywebzines.com will break the Webzine part of Dolphin, but does anybody really use that anyway?

Of course you can just throw Dolphin back into the ocean and surf with another browser, but keep in mind that other web browsers may do the same evil thing. For example, Boat Browser phones home to www.umeng.com and Maxthon reports to mm.maxthon.com and stats-a.maxthon.com.

Open source browser Firefox for Android is probably clean. Unfortunately it's not ready for human consumption yet. The best Dolphin alternative is xScope, but it lacks many of the features that make Dolphin such a popular browser.

This fish marine mammal should clean up its act real quick, or else I'm gonna eat a lot of tuna.

Dolphin
AdAway
The Dolphin is fishy thread on the xda forum
xScope (Android Market)

Update: Dolphin clean after bath and shower

