At the recently held Def Con 21 security conference in Las Vegas, security researcher Craig Young with Tripwire demonstrated a proof of concept for a vulnerability in the way Android handles one-click authentication for web sites and apps. The authentication method is called “weblogin” and works by generating a unique token that is used to directly authenticate users via their Google+ accounts. Young’s proof of concept demonstrated how a rogue app could steal the weblogin tokens and redirect them to an attacker. Once they have the tokens, attackers could then impersonate victims with a variety of Google services like Gmail, Google Apps, Drive, Calendar and Voice.
Some recent documents have emerged that detail a few slightly invasive things the FBI can do to access Android devices, and it’s some pretty scary stuff. Apparently, in an effort to keep up with criminals and technology, the FBI has developed a few techniques that blur ethical boundaries, including developing software that basically acts like malware to mine data from computers, as well as some technology that would allow them to remotely activate the microphone on a laptop or Android device without user knowledge. PRISM part 2, anyone?
Naturally, no parties involved have publicly said anything about any of these documents or accusations. A former US official did say that these techniques were generally only used in cases related to terrorism or child pornography, so there’s really no reason to think the FBI wants to listen in on your phone calls to make plans with your buddies for the weekend. Still, though, the potential is there, and that’s a pretty scary thought, especially with all the privacy concerns that have been leaking all over the internet every week. Rule of thumb: if you don’t want anyone to find out about it, don’t use your phone to tell others about it. Better safe than sorry, right?
source: Wall Street Journal
Over the weekend, news broke that the newest version of the popular Nexus 7 does not have official Google Wallet support. When purchasers of the tablet went to download Wallet from the Play Store, they found the download was not compatible with their tablet. Now, before anyone suggests that this has something to do with Android 4.3, Google’s own Director of Product Management for Google Wallet, Peter Hazlehurst, told the folks over at Android Police that it’s because the tablet doesn’t have a secure element. This is needed in order for Google Wallet to protect your information. Here’s what he said:
“Hi folks, there is no Secure Element in the new Nexus 7 (or the HTC One Play Edition) which is why Google Wallet isn’t supported.”
Pretty simple and straightforward. Basically, without this secure element to store your credit card and billing information safely, having the app on there isn’t safe. Whether or not this has anything to do with the LTE version coming to carriers is anyone’s guess. Does this mean that Google’s attempt at paying via NFC is going to go the way of Google Reader? We’re not sure. Regardless, those of you buying the newest generation of the Nexus 7 in hopes of using it as a way to pay will sadly be disappointed.
source: Android Police
Security wasn’t really a big part of Google’s Android 4.3 announcement, which might sound odd considering how big of a deal device security has been in these past few weeks. However, that doesn’t mean Google hasn’t done anything to target malicious apps; instead of loading up Android 4.3 with beefy security features, they took those security features and implemented them into Google’s Play services application that’s updated separately from Android versions.
Android users are familiar with the idea of app permissions since installing or updating apps triggers a notice about what permissions an app requires. However, just knowing what permissions an app requires can be limiting since users have to accept all or none of the permissions. Android 4.3 appears to have changed that as users have found a “hidden through obscurity” setting that gives users the ability to turn individual permissions on and off for an app.
We all thought the SIM card was un-hackable, but think again. German cryptographer Karsten Nohl is going to present some interesting findings at the Black Hat security conference in Las Vegas on July 31. He found encryption and software flaws that could affect millions of SIM cards. His team tested approximately 1,000 SIM cards for vulnerabilities and found that hackers can remotely infect a SIM with a virus that sends premium text messages. That’s not all, they can redirect or record calls and possibly commit payment system fraud. “Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it,” Nohl says.
Now, it doesn’t look like this affects all SIM cards. It all comes down to the encryption standards chosen by different countries. Nohl said, “Different shipments of SIM cards either have [the bug] or not, it’s very random.” Nohl did find about 25% of the cards he tested to be hackable, but figures about an eighth of the world’s SIM cards to be vulnerable. That’s about a half a billion mobile devices.
It’s been a few weeks since we told you about that security flaw which happens to affect most devices out there, and most of you are still probably waiting on some sort of satisfying fix, right? Well, the fine folks at Duo and Northeastern University have teamed up and unleashed a special mod of the patch called ReKey. A product of Duo’s security engineers and Northeastern University’s Systems Security Lab, ReKey allows users to immediately protect their Android device without waiting on security updates from their mobile carrier, all with a simple app. There is one major caveat, however: in order for users to apply the patch, devices must be rooted. So if you happen to own an unrooted device at this time, then you’re outta luck until your update is finally pushed to your device (or until some other crafty individuals come up with an alternative).
The patch is free to all Android 2.0+ users and only comes in at a mere 86K in size, so if you’re on a rooted device and itching to feel a little more secure, then head on down to the Play Store and grab ReKey today.
It looks like the NSA is about to have a rival in the spying business— good old Mom and Pops.
Got a feeling your kids are up to no good? Want to monitor your kids’ data usage? Need to lock your son out of his phone because he won’t do his homework?
Good news for you— Verizon has announced “FamilyBase,” which will let parents (or account administrators) monitor and limit calling, texting, app usage, app purchases, as well as set time restrictions and review contact lists. The feature to remotely lock their devices on demand is also available.
Big Red is making the service available for $5/month for up to 10 lines, and it’s only for Android devices running 2.1 or higher. (So pretty much all of you can use it.) To set it up, parents can visit familybase.vzw.com, call SAFE, or text SAFE to #7233. The apps are also available in the Play Store.
Check out the press release after the break for more info.
After all the commotion about the latest major security vulnerability to Android devices, you would think things on the security side of the platform would quiet down for a bit. However, that’s not the case, as a Chinese site has posted details about an application exploit similar to Bluebox’s earlier revealed loophole that would allow apps to avoid signature verification to run malicious code on an Android device. However, the vulnerability was found in older code that was replaced with a security fix, so Google was already aware of the problem and patched it as soon as they were made aware of it. It may take a while for that type of security patch to hit devices in the wild, but like the Bluebox vulnerability, Google has done all they can to take care of things on their end.
If you want to read up on the specifics of the vulnerability, hit the links below. It’s a pretty small, complicated vulnerability that would be pretty tricky for malware to pull off on most devices, but it’s interesting nonetheless.
source: Sina Blog
via: Android Police
Once again, the CyanogenMod team seems to be on top of things, as they just released version 10.1.1 of their famed firmware. A post on their blog today issued a follow-up to the general release. They pointed out that the CM 10.1.1 build is simply a security bug-fix release on top of their previous release, the 10.1.0.x code-base. Check out the full blog post after the break for more details.