Permission Remover .apk and Plop linux questions

Started by zapp, December 05, 2013, 06:45:07 AM

Previous topic - Next topic

zapp

hi Elmar! long time.. hope all is well. your movie game looks interesting!

I have held out long enough on android OS and now have a tablet with it. this tablet is offline only until I familiarize myself enough with the OS to be able to control it. while checking in here I noticed you have a great app for it so I downloaded and briefly tried it but it need to go online or search for "testkey.pk8 & testkey.x509.pem" and install separately.

my first question is: are these two files everything or are these different for each app?

if it is only two files, do you have a direct link I can get while PC is online then copy to SD on device and load it that way, is this possible?

I do not want to go online at all with this device until I have everything set-up to be trust worthy. I was very happy to see you have an app to help with this but Im not sure I can use it offline.


now about plop linux.. can a lite version be run on the ARM processors so it can be set to dual boot with android on a device? is that what flybook linux is?

thanks and looking forward to your movie!

Elmar

hello zapp,

Quote from: zapp on December 05, 2013, 06:45:07 AM
my first question is: are these two files everything or are these different for each app?

those two files are googles certificate files for apps when the developer didn't create an own certificate. the certificate is not app based. basically, the test certificate should be used only during the development process and not in released apps. but the test certificate is a valid certificate and can be used to sign apps and those apps are accepted by android. you have to know that the resigning with the test certificate is also a security risk. because the original secure certificate is broken and a bad app is able to add code to the app and resign it with the free available test key. to avoid this, its possible to create an own certificate and let the permission remover sign the apps with your certificate. but its easier for users to use the test certificate. there are also other things that can make problems. see http://www.plop.at/en/android/permission-remover.html#permrem_tech

Quote from: zapp on December 05, 2013, 06:45:07 AM
if it is only two files, do you have a direct link I can get while PC is online then copy to SD on device and load it that way, is this possible?

you can search and find the files with google. but here are direct links
https://github.com/CyanogenMod/android_build/raw/gingerbread/target/product/security/testkey.pk8
https://github.com/CyanogenMod/android_build/raw/gingerbread/target/product/security/testkey.x509.pem

just copy the files to /sdcard/at.plop.PermissionRemover/key
and the permission remover no longer needs internet access


Quote from: zapp on December 05, 2013, 06:45:07 AM
now about plop linux.. can a lite version be run on the ARM processors so it can be set to dual boot with android on a device? is that what flybook linux is?

the flybook is meanwhile an old small laptop with an i686 processor. it was a nice piece of hardware with a touchscreen an so on. the flybook linux is only some kind of optimized for the flybook.

i started compiling a fresh version of plop linux. but currently its interrupted. release will be maybe 01/2014. till now, i didn't thought about an ARM version, but now i think about it but i dont say that it will come. if i release an ARM version, then maybe it can be used for dualboot.

best regards
elmar

zapp

Quote from: Elmar on December 05, 2013, 08:23:36 AM
those two files are googles certificate files for apps when the developer didn't create an own certificate. the certificate is not app based. basically, the test certificate should be used only during the development process and not in released apps. but the test certificate is a valid certificate and can be used to sign apps and those apps are accepted by android. you have to know that the resigning with the test certificate is also a security risk. because the original secure certificate is broken and a bad app is able to add code to the app and resign it with the free available test key. to avoid this, its possible to create an own certificate and let the permission remover sign the apps with your certificate. but its easier for users to use the test certificate. there are also other things that can make problems. see http://www.plop.at/en/android/permission-remover.html#permrem_tech

I trust You (a man) more than google (a corporation)


Quote from: Elmar on December 05, 2013, 08:23:36 AM


you can search and find the files with google. but here are direct links
https://github.com/CyanogenMod/android_build/raw/gingerbread/target/product/security/testkey.pk8
https://github.com/CyanogenMod/android_build/raw/gingerbread/target/product/security/testkey.x509.pem

just copy the files to /sdcard/at.plop.PermissionRemover/key
and the permission remover no longer needs internet access

perfect! I was not sure if those two files were only needed or if those two were needed as a pairing for each app.


Quote from: Elmar on December 05, 2013, 08:23:36 AM

the flybook is meanwhile an old small laptop with an i686 processor. it was a nice piece of hardware with a touchscreen an so on. the flybook linux is only some kind of optimized for the flybook.

i started compiling a fresh version of plop linux. but currently its interrupted. release will be maybe 01/2014. till now, i didn't thought about an ARM version, but now i think about it but i dont say that it will come. if i release an ARM version, then maybe it can be used for dualboot.

out of curiosity after I posted these questions I searched about the flybook. I knew that if you have interest in it that it must be pretty good. and yes it seems it is and it has an interesting history behind it too.

I briefly tried your plop linux versions last year and was very impressed with them. so much so that I planned to install them on one older machine to learn more but I have limited time for this and I didnt find an easy way to install to HDD. I am glad to hear you are still working on it and if you do decide to add support for ARM that would be great!

I want to become more linux proficient but on PC I have spent lots of time learning windows inside and out and make my own hybrid version of it so I stick with that on PCs.

I have some experience using linux variants on some routers, GPS units, and solar charge controllers but still very limited and so if Plop-linux someday has ARM support then I would be all over it! main reason is because I know that what you have done with Plop is very advanced development so I think whatever else you do it also better than most others can do.

I will keep checking in every now and then and hope to see the movie and Plop-Linux w/ARM support.

thanks Elmar and if I dont get a chance before the time comes then I will write to you now wishing you and yours a great New Year!


Elmar

Quote from: zapp on December 06, 2013, 04:09:51 AM
I will keep checking in every now and then and hope to see the movie and Plop-Linux w/ARM support.

thanks Elmar and if I dont get a chance before the time comes then I will write to you now wishing you and yours a great New Year!

don't expect  too much from the short movie. its just an entry to a new world and a fun project. i am afraid that its some kind of boring and not good.

i wish you also a great new year!

TheDrive

Hello Elmar!
Thank you for all your brilliant utils and native code!!!
There are still people around the world who loves asm and who cares "how is it done"!

Permission Remover is an app I wanted to find for a few monthes, but didn't  found enough time to search, so found it eventually today. I definitely know how to make the job, but I was sure this job already was done by some experienced programmer. :)
Berfore your explanation I didn't had clue what will happen if app will be denied with some rights it was designed for. as you explained there should be handler in any normal app, that will handle access violation errors. I never wrote any Android Apps so have no clue on many internal things.

Sad to hear many users trust to the Google but don't trust to you, the man, who's brilliant apps they can explore in sources.
People around the world have no clue where are friends and where are enemies and what are criterias to estimate. They simply don't think by their brains!
They trust to the Google, which is, I'm definitely sure, is one of the biggest Matrix builders, but don't trust to the man, who most probably have enough pride and no any reasons to make anything bad, who's code is free and open sourced and small enough to evaluate by anyone...

Your Permission Remover is actual nowadays. I know, in 4.x Google have added settings dialog where user can disable some permissions to ant app, but 'unfortunately' not any permission. Furthermore you can't disable any permissions from GApps.
I don't maintain any accounts in my Android devices (there are absolutely no problems to DL apk's from forums like XDA etc and explore them manually on the PC before setting up) but i'm forced to use GApps because many (even patched) apps don't work without GApps. A few percent of apps don't work w/o account, I simply drop them (or try to patch).
Your app will help to fix some security holes in this meaning.

Why there is no desktop version of your app? If you're explored and have readymade procedure to parse and edit Manifest binary sructure ther should be no problem to port PR to PC (console version should be enough).

There is another problem today. Google dropped support for android 2.2 Froyo. It seems to lead no any problems for me. I don't require any support from Google, but they froced devs to use at least 2.3 related SDK even though most apps don't require any 2.3+ APIs. Bastards force users to drop their good enough but slightly old devices and buy new ones which will bring tons excessive of money to the google partners and will allow google to steal more data with ease.
From the brginnig of 2015 many apps got the new versions, These new versions were compiled with 2.3+ related SDK and uploaded to Play. If you try to install such a new APK on 2.2 device it simply refuses to install. I'm forced to look for older versions and try one by one unless latest installable one will be found.
I have a few devices with a Froyo and yes, I can upgrade most of them to the custom 2.3 FWs, but why not to try solve this problem by less expensive manifest fixation? I think many apps should be executable after such fixation.
Why not to add this function to the Permission Remover? Required functionality is to show APK's required API and related Android version and ability to edit this value. Desktop (Win/Lin) version also will be appreciated.
Futhermore, why no to allow user to edit any standard fields of manifest? :)

BTW Why don't you have official account on XDA-developers?
It's mobile software/hardware central around the world, so most of the 'smart' mobile world people publish their works and explorations there. There is also perfect 'marketplace' for a good stuff. Many devs and advanced users around the world will find your creatures and will eveluate them with honor. Furthermore, many devs publish their apps on XDA for free with APK's downloadable by anyone (XDA even don't require reg to download attachments!) while the same APKs are ofered for sell on Play (with small price) and are successfully sold as a goods or donations. :)
Sure, you are Welcome on XDA with your mobile apps (independently of this site)!

Elmar

Hello,

Quote from: TheDrive on September 15, 2015, 09:20:53 AM
Sad to hear many users trust to the Google but don't trust to you, the man, who's brilliant apps they can explore in sources.

I have no problem with that. I understand them, a single person can do also bad things and not all of my software is released as open source.


Quote from: TheDrive on September 15, 2015, 09:20:53 AM
Why there is no desktop version of your app? If you're explored and have readymade procedure to parse and edit Manifest binary sructure ther should be no problem to port PR to PC (console version should be enough).

It's easy to sign it on a desktop. There is already a java program. You only need openssl, java and the program apksign.jar.

Example: java -jar signapk.jar certificate.pem key.pk8 app.apk  app-signed.apk


Its also possible to do it by hand without java. You have to create a new META-INF/CERT.RSA file with openssl and then zip the apk.

Here is my script to create the new CERT.RSA:
sign.sh

#!/bin/sh

CERT="../testkey.x509.pem"
PKEY="../testkey.pk8"

TMPPKEY="tmppkey"
OUT="META-INF/CERT.RSA"

echo creating $TMPPKEY
openssl pkcs8 -inform DER -nocrypt -in "$PKEY" -out "$TMPPKEY"

echo creating $OUT
openssl smime -in "META-INF/CERT.SF" -sign -inkey "$TMPPKEY" -signer "$CERT" -binary -outform DER -noattr -out "$OUT"

echo removing $TMPPKEY
rm "$TMPPKEY"


I didn't use it for years. Meanwhile, the PermissionRemover is a few years old.

Have fun, maybe you or someone else find it useful :)


Quote from: TheDrive on September 15, 2015, 09:20:53 AM
BTW Why don't you have official account on XDA-developers?

I registered an account in 2012, but I never used it.


Nice to hear that people like my work :)

Best regards
Elmar

TheDrive

Quote from: Elmar on September 15, 2015, 20:48:57 PM
I have no problem with that. I understand them, a single person can do also bad things and not all of my software is released as open source.
I know, but it's almost impossible to believe that man who spend most of his time for years to write perfect apps with a crystal clear code for free, publish sources and make great work for the community will steal one's data or spread virs. The man should have enough honor and pride to perform described activity for a long period of time. We're all people, someday we could fall in problems and become forced to do anything to e.g. save one's life of buy somthing to eat and there will be no choice in some situations, but they are  too rare and unpredictable to evaluate so we just should accept this w/o prejudice like we're forced to accept that a simple fact we'll all die someday and nothing will help to survive. :)

On other hand it's widely known that any business is an action(s) performed to earn money. Money and power are the first and most valuable goals of any business owners and management. So why should we expect they will do a thing, that will lead them to less power or less money? :) What's the reason? Fear of punishment? Law is a weak protection. Some things which are not directly prohibited by the law may seriously affect person's life and rights but will not be prosecuted. Some law violations will not be prosecuted anyway... It's a real world, not a TV show... Is anybody here who didn't heard what Snow..n have said...? Sure we both have known about problem in common a long before. Snow... was just cleared some particular things and published evidences. But most valuable "evidence" (reason) is the simple fact that business wants money and power... Information lead to money and power... Google isn't on our side guys, sorry... :)

Quote from: Elmar on September 15, 2015, 20:48:57 PM
It's easy to sign it on a desktop. There is already a java program. You only need openssl, java and the program apksign.jar.
Example: java -jar signapk.jar certificate.pem key.pk8 app.apk  app-signed.apk
Its also possible to do it by hand without java. You have to create a new META-INF/CERT.RSA file with openssl and then zip the apk.
We should also edit binary Manifest!
I didn't explored it's binary structure... Tought you've... :)
To be clear for all I should point Mafinfest.xml doesn't have any text XML format inside, it contains binary data with some unicode strings.
I know aboyt Java signer, it's widely spread on XDA and other forums.
Sure there shoulbe readymade official tool or library to edit (generate) manifest, but I don't know which...
I tought you've reversed binary structure and do direct manifest binary editing with your app.
If you did what about required API version? Is it stored in manifest as I've suspected?
On other hand may be I should spend time and find it myself. It shouldn't be too complicated. Dalvik is a generic Java and there are decompilers around. I've already explored some Dalvik code last year Manifest furthermore is just small binary data structure desctibed somewhere on the net. My weakness is that I don't like and don't know [modern object-oriented and [stupid]"human-oriented" langs like Java. They are "uncomfortable" for me. Direct langs or Asm is easier to understand. :)

Quote from: Elmar on September 15, 2015, 20:48:57 PM
I didn't use it for years. Meanwhile, the PermissionRemover is a few years old.
Don't use Google accounts in your mobiles, forbid any unnecessary permissions for G's and othe apps as good as possible. Accounts allow to easily collect big amounts of "big data" in automatic way (w/o human intervention) hard linked to a particular person. That's why most of modern messengers requre you to provide real telephone number (there was no problems before with random numbers or logins). Built in FlashLight app in my Android smart require GPS repmission (and a lot of others) for completely irreasonable trgets... It just turns flashlight on and off, nothing else. Why GPS etc required?
Don't use cloud services (except for public file sharing). What's a problem to store your personal data in your own storage as it was stored for a years and decades? What's a reason to share all your life with corps? NO ANY REASONABLE REASONS... AT ALL... :)

Quote from: Elmar on September 15, 2015, 20:48:57 PM
Have fun, maybe you or someone else find it useful :)
Yes, they will, but they should find it before, that why I asked you to publish ur mobile apps on XDA. :)
There is already one more similar app on XDA released a years later than yours and some people found it definitely useful. :)

Quote from: Elmar on September 15, 2015, 20:48:57 PM
I registered an account in 2012, but I never used it.
I have just a few posts but I post just when I have something to say not just to post something or force others to solve my problems. :) Mostly I like to read and explore. :)
And I'm more active in Russian lang forums because it's my native lang.

You can post your apps (even old ones :) . It'll be useful.

Quote from: Elmar on September 15, 2015, 20:48:57 PM
Nice to hear that people like my work :)
I think Millions people like and use your Plop related work. It's a great success!
You can try to develop mobile boot manager (I know about ARM port, but I'm talking about smartphones, tablets etc.) if you are interested in. It's completely different field. The day is close when nobody will be able to sell locked boot device. HTC will fall first as I think, they have lost their brain somewhere in space when decided to sell devices with a partially read-only locked eMMC's while loosing marketshare at the same time.

Best regards to you!

Elmar

#7
Quote from: TheDrive on September 17, 2015, 15:13:12 PM
We should also edit binary Manifest!
I didn't explored it's binary structure... Tought you've... :)
To be clear for all I should point Mafinfest.xml doesn't have any text XML format inside, it contains binary data with some unicode strings.

Yes, forgot that it became binary. Its a simple format. Easy to understand when you open it with a hex editor.

The structure is:
1) A simple header.
2) All used strings in unicode.
3) A table with a structure that has id's of the strings. It represents the XML file.

Best regards
Elmar



Elmar

And when you modify the AndroidManifest.xml, then you have update the sha1 values in ,ETA-INF/MANIFEST.MF and META-INF/CERT.SF