我不确定这是问题的正确区域,还是如果它甚至是一个大的交易,但我走了。 当使用NVIDIA平板电脑开发一个应用程序时,我意识到它正在尝试在中国到达服务器。这对我来说并不有意义,因为我没有任何我认为会尝试这样做的应用程序。我想知道的是,如果这是安全问题?
02-12 14:09:32.448 11220-11284/? E/sdkstat﹕ sdkstat send error++++++java.net.UnknownHostException: Unable to resolve host "hmma.baidu.com": No address associated with hostname I am not sure if this is the right area for the question, or if it is even a big deal, but here i go. When using by Nvidia tablet to develop an app I realized that it was attempting to reach a server in china. this doesn't make sense to me because I don't have any apps that I would think would try to do this. What I would like to know is if this is a security concern?
02-12 14:09:32.448 11220-11284/? E/sdkstatxefxb9x95 sdkstat send error++++++java.net.UnknownHostException: Unable to resolve host "hmma.baidu.com": No address associated with hostname 您可能希望读取 2016年2月在Citizenlab上的文章。 org
文章最相关的部分:
泄漏启动敏感数据
在应用程序启动时,我们观察了百度浏览器发送HTTP POST请求 https://hmma.baidu.com/app.gif
该HTTP请求的正文是谷拓的JSON文件。 JSON文件包含一个字段列表,其中包含有关电话和用户的各种细节,其中一些纯文本和其他加密。
json文件中的未加密字段包括:
- O:用户的操作系统(例如,"Android" )
- n:百度浏览器版本号
- w,h:宽度和高度,屏幕以像素
- GL:GPS坐标和最后GPS更新的时间
某些字段使用AES + ECB使用硬编码的ASCII编码键加密
h9YLQoINGWyOBYYk然后base64编码。这些字段包括:
- DD:IMEI号
- II:一个包含手机的IMEI编号的字符串,编写的Android软件版信息的MD5散列
- wl2:所有无线网络的列表及其MAC地址和信号强度
了解硬编码键,这些字段可以很容易地解密。这里可以使用用于解密这些字段的Python脚本的源代码。
然后有百度的响应(在citizenlab.org托管的pdf文件)。他们似乎没有看到收集此数据的问题,他们只是承认他们需要改进他们的加密:
百度努力以与最高安全标准的方式收集数据 用户隐私在行业中。我们根据隐私的服务条款披露了我们的习俗 这里详述的权利(中文): https://www.baidu.com/duty/yinsiquan。 html
我们感谢公民实验室,以便在传输中进行数据安全性,我们有 已经在确保任何此类传输将是安全的,这已经取得了实质性的进展。
所以Citizenlab的文章可能没有更多地描述你现在可以在网上看到的内容。
You might want to read this February 2016 article at citizenlab.org.
Most relevant part of the article:
Leaks sensitive data on startup
Upon application launch, we observed Baidu Browser sending an HTTP POST request to https://hmma.baidu.com/app.gif
The body of this HTTP request is a gzipped JSON file. The JSON file contains a list of fields with various details about the phone and the user, some in plain text and others encrypted.
Unencrypted fields in the JSON file include:
- o: the userxe2x80x99s operating system (e.g., xe2x80x9cAndroidxe2x80x9d)
- n: Baidu Browser version number
- w, h: width and height, respectively, of the screen in pixels
- gl: GPS coordinates and time of last GPS update
Some fields are encrypted using AES+ECB with the hard-coded ASCII-encoded key
h9YLQoINGWyOBYYkand then Base64 encoded. These fields include:
- dd: IMEI number
- ii: a string containing the phonexe2x80x99s IMEI number written backwards and an MD5 hash of Android software version information
- wl2: list of all in-range wireless networks and their MAC addresses and signal strengths
With knowledge of the hard-coded key, these fields can easily be decrypted. The source code for a python script for decrypting these fields is available here.
And then there's Baidu's response (PDF file hosted at citizenlab.org). They don't seem to see an issue in collecting this data, they just acknowledge that they need to improve their encryption:
Baidu endeavors to collect data in a way consistent with the highest standards of security and user privacy in the industry. We disclose our practices in our terms of service under privacy rights as detailed here (Chinese): https://www.baidu.com/duty/yinsiquan.html
We're grateful of Citizen Lab for being mindful of data security in transmission and we have already made substantial progress toward ensuring that any such transmission will be secure.
So citizenlab's article is probably no morexc2xa0describing what you can see on the net nowadays.