I haven't looked at Phone Recorder either, but I can tell you that the apps processor does not have access to downlink audio. It's probably possible to do that with a change to the radio firmware, but that would be up to the hardware vendor.
On Dec 30, 2:56 pm, "Justin (Google Employee)" <[email protected]> wrote:
> I think there's a little misunderstanding of what Phone Recorder does.
> I did not write the app, but I have a pretty good guess at what it's
> actually doing.
>
> It's *not* recording the audio streams that actually make up the call.
> It's using the built-in mic to record audio. I believe this is why
> there are several comments complaining about the audio level of the
> person on the other side of the call. So, it's recording your voice
> because you're talking into your handset. It's then getting faint audio
> through the mic from the ear piece. If you activate the speaker phone
> you'll get much greater volume from the other side of the
> conversation.
>
> This does not really change the security points brought up here, but I
> just wanted to clarify what is going on. The actual traffic going over
> the cellular network is not being recorded, the ambient sound is. As
> JBQ mentioned, the cellular audio streams aren't even processed
> through the main CPU, but a separate co-processor. The main CPU can
> talk to this co-processor and access the call audio, but at the very
> least there is no way in the Java API to get access to the actual call
> audio streams.
>
> Cheers,
> Justin
> Android Team @ Google
>
> On Dec 1, 11:54 am, tauntz <[email protected]> wrote:
>
> > It is certainly possible - look for example at the "Phone
> > Recorder" app (available via Market).
> >
> > There are actually many issues with this IMO - one is the fundamental
> > thing that you can record phone calls but not key presses. The next
> > thing is that the wording of the warning during install should mention
> > that the app is able to record incoming and outgoing calls. (currently
> > it's too vague and doesn't mention anything about outgoing calls).
> >
> > Another thing is that if such app is installed behind your back and
> > without your knowledge, then the user should still get a visible
> > and/or audible notification that the call is being recorded (a red
> > recording icon in the "header" for example). ("Phone Recorder"
> > displays a short toast when recording starts but this is coming from
> > the app itself AFAIK and a malicious app would not show that.)
> >
> > Tauno
> >
> > On Mon, Dec 1, 2008 at 8:55 PM, Jean-Baptiste Queru <[email protected]> wrote:
> >
> > > This is the kind of discussion that might turn out to be more
> > > appropriate for android-security-discuss, though since android-discuss
> > > is pretty much a catch-all it's hard to be off-topic here ;-)
> > >
> > > I think that the point is valid, though. Sure, the density of
> > > information and the ease with which it can be filtered is far higher
> > > with a keyboard capture than with a voice capture, but if you ignore
> > > that specific aspect the fundamental security concern is indeed
> > > similar for phone calls and keyboard capture.
> > >
> > > I was however under the impression that on the G1 at least anything
> > > related to the audio part of phone calls was entirely isolated from
> > > the application processor, so I'm not actually sure whether it's
> > > really possible to capture a phone call the way you're thinking of. I
> > > might be very wrong.
> > >
> > > JBQ
> > >
> > > On Thu, Nov 27, 2008 at 2:19 AM, tauntz <[email protected]> wrote:
> > >
> > >> Hi all
> > >>
> > >> Was wondering why is capturing key events (key press, key release
> > >> etc..) from a background app considered a more serious security issue
> > >> than capturing phone calls from background apps?
> > >>
> > >> If you are going to make a phone call capturing app, then the
> > >> installer notifies the end user of:
> > >> "Phone calls - Intercept outgoing phone calls" and "Hardware control -
> > >> record audio"
> > >> Notice that it won't directly tell the user that the app will actually
> > >> record outgoing AND incoming calls - only that it wants to record
> > >> some kind of audio and it intercepts outgoing calls and does not tell
> > >> anything regarding incoming calls.
> > >>
> > >> So it's possible for a malicious app to record ALL your phone calls
> > >> without you noticing it (after installing the app). A malicious user
> > >> can take your phone if you leave it unattended and install the app
> > >> there and you have no idea that all your calls are being recorded and
> > >> uploaded to the net for example.
> > >>
> > >> Why isn't the same logic applied to capturing key events? Some people
> > >> have said that it would be a huge security risk if you would allow an
> > >> app to do that (eg capturing usernames/passwords). Now why is this
> > >> considered a bigger security risk than recording phone calls? The
> > >> average user won't enter any of his/her usernames anyway on the
> > >> G1 after he has registered the phone with his g-account the first time
> > >> the phone boots. The average user makes/receives phone calls, sends
> > >> SMS or plays some games.. and once in a while browses some websites
> > >> that do not require a log in.
> > >>
> > >> Recording phone calls allows an attacker to get n-times more
> > >> sensitive/personal details about the user than recording
> > >> usernames/passwords. I mean.. so what if an attacker gets a password
> > >> for the average mailbox/forum - he will find only pictures of LOLcats,
> > >> the occasional "Joe sent you an e-card" and huge amount of ...
> > >> enlargement spam. Now imagine if an attacker gets access to all your
> > >> phone calls... to me at least, this seems WAY scarier.
> > >>
> > >> I just want to understand the reasoning behind allowing recording and
> > >> disallowing key events. It's a decision that I just can't understand
> > >> :(
> > >>
> > >> (And no, I personally don't care if an app can/can't do any of the two
> > >> things - they are not features that I need.. I'm just curious)
> > >>
> > >> Tauno
