2MB security update possibly rolling out to Nexus 7, 10, and Galaxy Nexus

Just yesterday an OTA update which addressed security issues was rolled out to the T-Mobile Nexus 4 and is now being pushed to other Nexus devices, including the Nexus 7, 10, and the Galaxy Nexus. The changes are unconfirmed at this point, but the update is known as JWR66Y. We do have the download link below to manually update your yakju Galaxy Nexus.

Source:  XDA – Galaxy Nexus / PhoneArena

CyanogenMod readying Device Finder app, general security improvements for CM builds

With all of the angst some device owners have over recent incidents of government agencies tapping into user computer data via carriers and major industry players, along with general distrust of what corporations may be doing with user data, the CyanogenMod team is readying some changes and apps to help users be a little more secure. The first change, CyanogenMod Account, has been submitted to the CM GitHub so developers can review the code and provide some feedback before it is submitted to the nightlies.

Google confirms cryptographic vulnerability in Android that resulted in $5,700 Bitcoin heist

Last week, about $5,720 of bitcoins were stolen out of a digital wallet, and the reason is a weakness in Android’s Java Cryptography Architecture. Google security engineer Alex Klyubin confirmed this in a blog post earlier in the week. He also warned that other apps could be compromised unless developers change the way they access pseudorandom number generators (PRNGs).

“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” he wrote. “Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.”


Security researcher highlights risks of Google’s weblogin for one-click authentication in Android

At the recently held Def Con 21 security conference in Las Vegas, security researcher Craig Young with Tripwire demonstrated a proof of concept for a vulnerability in the way Android handles one-click authentication for web sites and apps. The authentication method is called “weblogin” and works by generating a unique token that is used to directly authenticate users via their Google+ accounts. Young’s proof of concept demonstrated how a rogue app could steal the weblogin tokens and redirect them to an attacker. Once they have the tokens, attackers could then impersonate victims with a variety of Google services like Gmail, Google Apps, Drive, Calendar and Voice.

FBI potentially has ability to listen in on microphones on Android devices and remotely access user data

Some recent documents have emerged that detail a few slightly invasive things the FBI can do to access Android devices, and it’s some pretty scary stuff. Apparently, in an effort to keep up with criminals and technology, the FBI has developed a few techniques that blur ethical boundaries, including developing software that basically acts like malware to mine data from computers, as well as some technology that would allow them to remotely activate the microphone on a laptop or Android device without user knowledge. PRISM part 2, anyone?

Naturally, no parties involved have publicly said anything about any of these documents or accusations. A former US official did say that these techniques were generally only used in cases related to terrorism or child pornography, so there’s really no reason to think the FBI wants to listen in on your phone calls to make plans with your buddies for the weekend. Still, though, the potential is there, and that’s a pretty scary thought, especially with all the privacy concerns that have been leaking all over the internet every week. Rule of thumb: if you don’t want anyone to find out about it, don’t use your phone to tell others about it. Better safe than sorry, right?

source: Wall Street Journal

The New Nexus 7 Does Not Officially Support Google Wallet

Over the weekend, news broke that the newest version of the popular Nexus 7 does not have official Google Wallet support. When purchasers of the tablet went to download Wallet from the Play Store, they found the download not compatible with their tablet. Now, before anyone suggests that this has something to do with Android 4.3, Google’s own Director of Product Management for Google Wallet, Peter Hazlehurst, told the folks over at Android Police that it’s because the tablet doesn’t have a secure element. This is needed in order for Google Wallet to protect your information. Here’s what he said:

“Hi folks, there is no Secure Element in the new Nexus 7 (or the HTC One Play Edition) which is why Google Wallet isn’t supported.”

Pretty simple and straightforward. Basically, without this secure element to store your credit card and billing information safely, having the app on there isn’t safe. Whether or not this has anything to do with the LTE version coming to carriers is anyone’s guess. Does this mean that Google’s attempt at paying via NFC is going to go the way of Google Reader? We’re not sure. Regardless, those of you buying the newest generation of the Nexus 7 in hopes of using it as a way to pay will sadly be disappointed.

source: Android Police

Google quietly added extra security features to all Android devices in Google Play services

Security wasn’t really a big part of Google’s Android 4.3 announcement, which might sound odd considering how big of a deal device security has been in these past few weeks. However, that doesn’t mean Google hasn’t done anything to target malicious apps; instead of loading up Android 4.3 with beefy security features, they took those security features and implemented them into Google’s Play services application that’s updated separately from Android versions.

Android 4.3 users have hidden option for granular control over app permissions

Android users are familiar with the idea of app permissions since installing or updating apps triggers a notice about what permissions an app requires. However, just knowing what permissions an app requires can be limiting since users have to accept all or none of the permissions. Android 4.3 appears to have changed that as users have found a “hidden through obscurity” setting that gives users the ability to turn individual permissions on and off for an app.

SIM cards are now hackable and could affect approximately 500 million phones

We all thought the SIM card was un-hackable, but think again. German cryptographer Karsten Nohl is going to present some interesting findings at the Black Hat security conference in Las Vegas on July 31. He found encryption and software flaws that could affect millions of SIM cards. His team tested approximately 1,000 SIM cards for vulnerabilities and found that hackers can remotely infect a SIM with a virus that sends premium text messages. That’s not all: they can redirect or record calls and possibly commit payment system fraud. “Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it,” Nohl says.

Now, it doesn’t look like this affects all SIM cards. It all comes down to the encryption standards chosen by different countries. Nohl said, “Different shipments of SIM cards either have [the bug] or not, it’s very random.” Nohl did find about 25% of the cards he tested to be hackable, but figures about an eighth of the world’s SIM cards to be vulnerable. That’s about a half a billion mobile devices.
