Password managers on Android are not as secure as one would think


A password manager is expected to be secure, right? Just because it is expected does not mean that is necessarily the truth. There are password managers on Android that have a security flaw in which usernames and passwords can be picked up. It happens when the password manager uses the device’s clipboard to enter information. The security flaw was identified in early 2013 and a fix has yet to be issued.



PSA: 3rd party apps that bypass the security lock screen (i.e. Delayed Lock, SkipLock) no longer work in Lollipop


Android 5.0 Lollipop brought a new feature called Smart Lock, which allows you to set certain locations or Bluetooth devices as trusted so that you don’t have to constantly enter your security PIN, password, or pattern to unlock your phone or tablet. Third-party apps such as Delayed Lock, SkipLock and Secure Settings have been giving users this ability for a couple of years now. Unfortunately, these apps will not work in Lollipop because Google has changed its security so that third-party apps can no longer unlock the device.



Google’s mandatory device encryption is slowing down the Nexus 6

Prior to the launch of the Nexus 6 and Android 5.0, we knew Google was moving to making device encryption mandatory for all new devices shipping with Lollipop. As far as security goes, that’s a great move, but it looks like it’s actually having some negative effects on the Nexus 6.

Early benchmarks seem to show that Lollipop’s full disk encryption (FDE) is having a fairly significant performance impact on the Nexus 6. This is especially unfortunate since the Nexus 6 encrypts itself on first boot and there’s no way to turn it off, outside of flashing custom boot images. That’s not exactly a user-friendly solution.

WhatsApp now has end-to-end encryption, at least on Android


The most popular messaging platform is getting better today. The update to the WhatsApp Android app now includes end-to-end encryption. It uses open source code from Open Whisper Systems, and even WhatsApp won’t have the ability to decrypt your messages.

Only the users will have access to the conversation, which means that law enforcement officials won’t be able to force WhatsApp to share your messages, since WhatsApp won’t have access to them.



Security expert finds vulnerability in Samsung’s Find My Mobile service [Updated]


Samsung’s Find My Mobile service has come under fire by NIST and security researcher Mohamed Baset regarding an exploit that allows attackers to remotely lock, ring or wipe Samsung devices. Baset points to a vulnerability in Samsung’s service that doesn’t validate the lock code information it receives, allowing an attacker to flood the device with network traffic and do their bidding. No word from Samsung on a patch, but for now we recommend disabling the service until they address the security issue.

Update:

Samsung issued a statement to us and it looks like it only affected the Web interface, not mobile devices. Furthermore, they patched the Web UI on October 13.

The reported issue occurred on the Find My Mobile Web site, and was not a problem on any mobile device. This Web UI was fixed with a patch update on October 13.

Source: Engadget

Snapchat images may have been breached through third-party service


According to reports, some 4chan users are claiming that a third-party app used to access the Snapchat service has been breached, giving access to over 200,000 images matched with usernames. The app in question is named SnapSaved and is used to get around Snapchat’s system that alerts users when someone grabs a screenshot of an image that has been posted. Apparently SnapSaved was using a cloud architecture to save the images being grabbed from Snapchat, along with everything else that was being passed to a user, like usernames. According to posters on 4chan, the image database will be posted online by this Sunday, October 12th.

AT&T issues apology for customer data breach


AT&T has revealed that an employee inappropriately accessed customer data, including Social Security numbers and other account data. It is not clear whether the employee may have done anything beyond accessing data that was off limits, but the company is offering to reverse any unauthorized charges incurred by customers. AT&T is also offering a free year of credit monitoring services to affected customers.