

Making a phone spying tool because "It seemed challenging and fun." Bad idea. - FSecurePal
http://www.f-secure.com/weblog/archives/00002047.html

======
ZeroMinx
Why are apps allowed to be silently installed and executed by just inserting
an SD card?

I don't agree with the "Bad idea" label in the title. If it can be done, it
will be done. Maybe black hats are already doing it? Bringing the knowledge to
the public isn't a bad idea.

Edit: fix typo

~~~
cryptoz
> Phone Creeper is a Windows Mobile application (also being developed for
> Android).

Silent malicious install on Windows is pretty standard and has been for more
than a decade.

Now, Android...that's surprising. Does Google really allow apps to install
themselves without notifying the user? The Linux security model should easily
prevent that.

------
mquander
Fucking good idea. That is awesome.

The directly linked post rather understates its claimed capabilities. Look at
all the stuff this does:
<http://forum.xda-developers.com/showthread.php?p=3977534>

However, it's hard to get around the fact that if someone thinks you're spying
on them, they can just look at their phone bill and see the text messages,
which tells them all the commands you ever ran with this tool. EDIT: I might
be partially wrong. You can set it up so that it communicates via polling an
FTP server, instead of SMS.

~~~
maukdaddy

> Fucking good idea. That is awesome.

No. And no.

------
imd
Maybe using the software maliciously is a bad idea, but this seems to have
exactly the same functionality as those programs people put on their laptops
in case it gets stolen.

~~~
stratomorph
I'd point out that those programs don't silently install themselves without
the owner's knowledge or consent, which makes a world of difference.

~~~
forensic
Just depends on whether you consider the SD card slot a part of the user
interface.

It would be very easy to rephrase the description as a personal safety tool
yada yada yada.

The real point here is that Windows and apparently Android have some
counterintuitive, easily abused features.

------
Locke1689
I used to be a little bit grey hat so maybe my perspective here is a little
different. I see breaking security as just as much fun as building secure
systems. And once you do it, why wouldn't you release the source to brag a
little?

------
geuis
To take a perhaps unpopular stance:

There is this argument that people shouldn't do certain kinds of science for
fear of what it could lead to. Don't turn on the LHC because it might make a
black hole (science thoroughly disputed this before the LHC was even
finished). It's ridiculous. Science and knowledge can lead to bombs, mind
control, and death. Or, they can lead to space travel, better mental health,
and longer life. It's all about the implementation of the knowledge.

The same argument needs to be made about software.

~~~
hugh3
Well, this is less like evil science and more like evil engineering. The idea
that certain types of knowledge should not be pursued is controversial, but
the idea that certain types of things should not be built is less so.

There is a scene in the Simpsons where Professor Frink shows off his death ray
prototype and is forced to admit that "Well, to be honest, the ray only has
evil applications..." This is one of those things, like a poisoned candy bar
or a combination baby-rattle-mini-chainsaw, that only has evil applications.
It should not be built (not the same thing as saying that you shouldn't be
allowed to build it, btw), and if you build it you bear a partial moral (not
necessarily legal) responsibility for its use which can't be waved away by
saying "I am not responsible for evil uses".

~~~
younata
In this application, incorrect.

I would install it on my phone. If it gets stolen, I can remotely control it
so that I can get it back at a later date.

~~~
hugh3
Good point, I didn't think of that.

------
zaphar
I can understand trying to write it. I can understand announcing that you
succeeded. But releasing it crosses over the line in my opinion. I'm on my
phone so the forum link isn't working. Did he actually release it?

~~~
mquander
Yeah, it's existed for quite some time (over a year.)

------
agnasg
Anyway, this is an old idea. Solutions like this have been available for a
long time. This, for example: <http://mobile-spy.com/>

------
maukdaddy
Hmm my sandboxed iPhone is looking better :)

~~~
thorax
The same one that had the jailbreakme.com exploit for so long?

I have an iPhone, too, but to be fair, exploits don't discriminate all that
much.

