Just yesterday an OTA update which addressed security issues was rolled out to the T-Mobile Nexus 4 and is now being pushed to other Nexus devices, including the Nexus 7, 10, and the Galaxy Nexus. The changes are unconfirmed at this point, but the update is known as JWR66Y. We do have the download link below to manually update your yakju Galaxy Nexus.
With all of the angst some device owners have over recent incidents of government agencies tapping into user computer data via carriers and major industry players, along with general distrust of what corporations may be doing with user data, the CyanogenMod team is readying some changes and apps to help users be a little more secure. The first change, CyanogenMod Account, has been submitted to the CM GitHub so developers can review the code and provide some feedback before it is submitted to the nightlies.
Last week, about $5,720 in bitcoins was stolen from a digital wallet, and the cause is a weakness in Android’s Java Cryptography Architecture. Google security engineer Alex Klyubin confirmed this in a blog post earlier in the week. He also warned that other apps could be compromised unless developers change the way they access pseudorandom number generators (PRNGs).
“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” he wrote. “Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.”
At the recently held Def Con 21 security conference in Las Vegas, security researcher Craig Young with Tripwire demonstrated a proof of concept for a vulnerability in the way Android handles one-click authentication for web sites and apps. The authentication method is called “weblogin” and works by generating a unique token that is used to directly authenticate users via their Google+ accounts. Young’s proof of concept demonstrated how a rogue app could steal the weblogin tokens and redirect them to an attacker. Once they have the tokens, attackers could then impersonate victims with a variety of Google services like Gmail, Google Apps, Drive, Calendar and Voice.
Some recent documents have emerged that detail a few slightly invasive things the FBI can do to access Android devices, and it’s some pretty scary stuff. Apparently, in an effort to keep up with criminals and technology, the FBI has developed a few techniques that blur ethical boundaries, including developing software that basically acts like malware to mine data from computers, as well as some technology that would allow them to remotely activate the microphone on a laptop or Android device without user knowledge. PRISM part 2, anyone?
Naturally, no parties involved have publicly said anything about any of these documents or accusations. A former US official did say that these techniques were generally only used in cases related to terrorism or child pornography, so there’s really no reason to think the FBI wants to listen in on your phone calls to make plans with your buddies for the weekend. Still, though, the potential is there, and that’s a pretty scary thought, especially with all the privacy concerns that have been leaking all over the internet every week. Rule of thumb: if you don’t want anyone to find out about it, don’t use your phone to tell others about it. Better safe than sorry, right?
source: Wall Street Journal
Over the weekend, news broke that the newest version of the popular Nexus 7 does not have official Google Wallet support. When purchasers of the tablet went to download Wallet from the Play Store, they found the download was not compatible with their tablet. Now, before anyone suggests that this has something to do with Android 4.3, Google’s own Director of Product Management for Google Wallet, Peter Hazlehurst, told the folks over at Android Police that it’s because the tablet doesn’t have a secure element. This is needed in order for Google Wallet to protect your information. Here’s what he said:
“Hi folks, there is no Secure Element in the new Nexus 7 (or the HTC One Play Edition) which is why Google Wallet isn’t supported.”
Pretty simple and straightforward. Basically, without this secure element to store your credit card and billing information safely, having the app on there isn’t safe. Whether this has anything to do with the LTE version coming to carriers is anyone’s guess. Does this mean that Google’s attempt at paying via NFC is going to go the way of Google Reader? We’re not sure. Regardless, those of you buying the newest generation of the Nexus 7 in hopes of using it as a way to pay will sadly be disappointed.
source: Android Police
Security wasn’t really a big part of Google’s Android 4.3 announcement, which might sound odd considering how big of a deal device security has been in these past few weeks. However, that doesn’t mean Google hasn’t done anything to target malicious apps; instead of loading up Android 4.3 with beefy security features, they took those security features and implemented them into Google’s Play services application that’s updated separately from Android versions.
Android users are familiar with the idea of app permissions since installing or updating apps triggers a notice about what permissions an app requires. However, just knowing what permissions an app requires can be limiting since users have to accept all or none of the permissions. Android 4.3 appears to have changed that as users have found a “hidden through obscurity” setting that gives users the ability to turn individual permissions on and off for an app.
We all thought the SIM card was unhackable, but think again. German cryptographer Karsten Nohl is going to present some interesting findings at the Black Hat security conference in Las Vegas on July 31. He found encryption and software flaws that could affect millions of SIM cards. His team tested approximately 1,000 SIM cards for vulnerabilities and found that hackers can remotely infect a SIM with a virus that sends premium text messages. That’s not all: they can redirect or record calls and possibly commit payment system fraud. “Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it,” Nohl says.
Now it doesn’t look like this affects all SIM cards. It all comes down to the encryption standards chosen by different countries. Nohl said, “Different shipments of SIM cards either have [the bug] or not, it’s very random.” Nohl did find about 25% of the cards he tested to be hackable, but figures about an eighth of the world’s SIM cards to be vulnerable. That’s about half a billion mobile devices.