Security - Featured Articles

HTC One Accounts

So, you want to adopt BYOD?

What you need to know before integrating employee devices on your network Bring Your Own Device (BYOD) is the current hot trend. (And has been for a while, really.) There are many perceived advantages for a company that allows employees to bring their own devices to work and have access to your...
LG G Pro 2 Knock Code

How to use Knock Code on the LG G Pro 2

Knock Code will come to other LG phones via software updates this year Knock On — wherein you tap the display twice to turn on your phone — has been one of our favorite new features of the past few months. LG introduced it with the LG G2 in 2013, and it returned with the LG G Flex toward...
The Boeing Black

Boeing reveals the Boeing Black — a super-secure smartphone for those with super security needs

This phone will self destruct in ten seconds… In this day and age of malicious apps and intrusive government surveillance, you might be wondering how to keep your data secure. You could turn to a solution like the up-and-coming Geeksphone Blackphone, with a modified version of Android and sets...

Security - Top Articles

SD card: Activate

KitKat and SD cards — what's fixed, what's broken and what's misunderstood

Why your SD card doesn't work the same in Android 4.4 KitKat, and the reasons for the change “Curse you, Google! Your KitKat update broke my SD card!” Poke around the Android section of the Internet and you’ll hear something similar. Users like you and me are in an uproar because they updated...
Google fixes Heartbleed

Google updates back-end in light of Heartbleed vulnerability

If you've been online at some point in the last 36 hours, chances are you've heard of 'Heartbleed', a flaw in OpenSSL that has exposed data to theft on approximately 2/3 of servers in use around the globe over the past two years. It's not known how bad the damage may be, but the revelation of the...
Android Central

NBC News and the bullshit 'ZOMG Sochi Olympics Android hack' story

Your Android smartphone only installs malware if you're being dumb (or do it on purpose) — not automatically, and not just because you're in Russia. This is just ridiculous, even for American "news" television. A report from NBC News was exposed — and rightfully so — by Errata Security (via...
Gmail

All Gmail will now use HTTPS, messages will be encrypted when moving inside Google

Initiatives were 'made a top priority after last summer's revelations' Google has steadily improved the overall security of several of its apps and services, and the latest move is moving to HTTPS and encryption across all of Gmail. Starting today, every single time you send or check your Gmail...
SkipLock.

Unlock With Wifi app retooled and is now SkipLock

Safety meets convenience with a set of great features  You may have heard us talk about an app called Unlock With Wifi a time or two. It's an app that tells your lock screen when to become secured with a password or PIN, based on what Wifi AP you're connected to. It's one of those apps that you...
Cerberus

Cerberus servers have a data leak, users advised to change password

Users of the popular phone security app Cerberus are reporting a slightly disturbing email coming from the developers today. While Cerberus assures that no passwords were compromised — they are encrypted, of course — attackers did gain access to some usernames and passwords. If you're using...
Android Central

Android Device Manager app launches on Google Play

Like the web interface, the new app lets you remotely track and lock down your other Android devices Google has launched a new Android app allowing users of the Android Device Manager feature to remotely track, ring, lock down or wipe their other devices. Not to be confused with the Google Play...

Security RSS Feed

If you've been online at some point in the last 36 hours, chances are you've heard of 'Heartbleed', a flaw in OpenSSL that has exposed data to theft on approximately 2/3 of servers in use around the globe over the past two years. It's not known how bad the damage may be, but the revelation of the vulnerability sent server teams around the world scrambling to patch their systems. Among them: Google. In a posting today on the Google Online Security Blog, Google revealed that they had patched OpenSSL vulnerabilities in a number of their services.


Users of the popular phone security app Cerberus are reporting a slightly disturbing email coming from the developers today. While Cerberus assures that no passwords were compromised — they are encrypted, of course — attackers did gain access to some usernames and passwords. If you're using Cerberus, you'll want to change out your password even if you don't get a letter. The full text follows after the break.

Gmail

Initiatives were 'made a top priority after last summer's revelations'

Google has steadily improved the overall security of several of its apps and services, and the latest move is moving to HTTPS and encryption across all of Gmail. Starting today, every single time you send or check your Gmail, the transfer will be made over a secure HTTPS connection. That means that the communication between the device you're using and Google's servers is secure, and nobody will be listening in along the way. Google made this option the default back in 2010, but now there will be no option to browse insecurely when it comes to Gmail.

Further, Google will now encrypt any and all Gmail messages when they're moving between Google servers. That means when you send or receive email with another person using Gmail, your communication will also be completely encrypted. This is something Google says it "made a top priority after last summer’s revelations."

Of course Google can't do a whole lot about email that is sent to email addresses with services other than Google (that's up to you to handle), but it's great to see it doing everything it can for what it can control.

Source: Official Google Blog

SD card: Activate

Why your SD card doesn't work the same in Android 4.4 KitKat, and the reasons for the change

“Curse you, Google! Your KitKat update broke my SD card!”

Poke around the Android section of the Internet and you’ll hear something similar. Users like you and me are in an uproar because they updated their phone to Android 4.4 KitKat, and now the SD card support has changed. Apps no longer work, folks have problems with cameras and music players, and while everyone else is saying “Oh, yeah. That’s how it works now,” nobody warned them in advance before they grabbed that update.

There is a lot of push against these changes, with petitions and threats of grassroots movements that threaten to show Google the error of its ways — even a very popular developer that I won’t name has their PR people sending out requests for blogs to write about evil Google.

But, as always, there's a method to Google's madness. Let's discuss.


Bring Your Own Device (BYOD) is the current hot trend. (And has been for a while, really.) There are many perceived advantages for a company that allows employees to bring their own devices to work and have access to your company resources, but is BYOD right for you? Can you make mistakes when developing your BYOD policies? Can you really let any device connect to your resources?

Let's look at a few top issues that you should be aware of.


Knock Code will come to other LG phones via software updates this year

Knock On — wherein you tap the display twice to turn on your phone — has been one of our favorite new features of the past few months. LG introduced it with the LG G2 in 2013, and it returned with the LG G Flex toward the end of the year. And now, in 2014, LG's taking things a step further.

Introducing Knock Code. It's available now on the LG G Pro 2 and will come to other current LG phones later this year via a software update.

As the name implies, you'll no longer be limited to only unlocking your phone — now you'll be able to knock (OK, tap, really) as a security function.

Let's take a closer look.


This phone will self destruct in ten seconds…

In this day and age of malicious apps and intrusive government surveillance, you might be wondering how to keep your data secure. You could turn to a solution like the up-and-coming Geeksphone Blackphone, with a modified version of Android and sets of secure communications services. Or you could do what the government does and turn to Boeing.

Yes, Boeing. The company that makes massive jetliners, fighter jets, satellites, and all sorts of high tech military hardware is getting into the smartphone game. Their Android-powered entry is the ominously-named Boeing Black. Because stealth.


Your Android smartphone only installs malware if you're being dumb (or do it on purpose) — not automatically, and not just because you're in Russia.

This is just ridiculous, even for American "news" television. A report from NBC News was exposed — and rightfully so — by Errata Security (via Techmeme) for being so misleading that, frankly, we almost don't know where to begin.

The short version: NBC News says you'll be hacked the moment you try to connect in Russia. And it tries to show that with two examples: New laptops, fresh out of the box, and an Android smartphone — which we'll focus on here. 

In the piece, NBC's Richard Engel sits down with "top American security expert" Kyle Wilhoit — he works for Trend Micro, actually — and we see an Android smartphone downloading and installing malware. Oops. Hacked. Only, not really.

As Errata properly points out (and Wilhoit explains on Twitter as well, actually), this is all about visiting malicious sites, and not about actually being in Russia.


Safety meets convenience with a set of great features 

You may have heard us talk about an app called Unlock With Wifi a time or two. It's an app that tells your lock screen when to become secured with a password or PIN, based on what Wifi AP you're connected to. It's one of those apps that you never really open, but your phone is always using it. It now has a new name, and a new feature-set to go along with an entirely new re-write.

SkipLock is the new handle, and on the surface it looks like a tiny tweak to Unlock With Wifi. When you go to set it up though, you'll notice the changes. You can now use a Bluetooth connection to keep your phone unlocked, rooted users can set it up with a pattern instead of a password or PIN, and you can nix the notification bar icon — three things that users have asked for.

It works just the same: set it up, and as long as you're connected to a Wifi AP or Bluetooth device you've listed, your phone is in swipe-to-unlock mode. Once you're not, your phone is secured with either a PIN or password that you've chosen during the setup or, if you're rooted, a pattern. No muss, no fuss.

There are a couple of things users of Unlock With Wifi need to be aware of. This is a new app, and if you want to use it longer than the four-day trial period, you'll need to buy it again via an in-app purchase of about $5. If you bought Unlock With Wifi after October 27, contact the developer for a free license for SkipLock. Unlock With Wifi isn't going anywhere, it's just not going to be further developed. If you bought it, it will still be in Google Play. The developer explains a bit more of why it was done this way here.

There's not a lot more to tell. If you leave your house with your phone, you need to have a secure lock screen. Period. If you don't wanna fool with passwords or PIN numbers while it is in your hands, you need an app like SkipLock. Grab it from Google Play and check out the free trial.


Like the web interface, the new app lets you remotely track and lock down your other Android devices

Google has launched a new Android app allowing users of the Android Device Manager feature to remotely track, ring, lock down or wipe their other devices. Not to be confused with the Google Play Services feature that launched a few months ago, the ADM app duplicates the functionality of the web interface, meaning you can track or control one phone or tablet using another — provided you've first enabled this feature in the Google Settings app.

If you've not yet set up remote locate or remote wipe on your target handset, you can send a notification to it through the Android Device Manager app on the second device. (Fun fact: select the device you're using the app on and it marks its location as "in your hand.")

To get started, grab the new Android Device Manager app from Google Play at the link above.


Encrypted SMS between any devices running CM or the TextSecure service hitting CyanogenMod builds soon

TextSecure is a service for Android and iOS that offers complete encryption and secure messaging between devices using it, and by all accounts it's a great service for those that need it. Security is important, and some people have a need to know that the only person reading their messages is the person they are addressed to. 

The only issue with TextSecure is that you're required to use the application itself to handle your messages. This is where the folks at CyanogenMod want to step in and change things. By building the service into the operating system itself, users should be able to use any messaging app and still enjoy the encryption WhisperPush has to offer. Messages sent to any device running a compatible version of CM, or any device running the TextSecure app will be able to hold a completely secure session. That's pretty slick.

The service is hitting the 10.2 nightly builds tonight, and after testing and seeing how the servers act with the extra load, WhisperPush will be enabled in CM 11 as well.

Source: CyanogenMod


Storing your location and installed apps in plain text is at issue here, not collecting that data in the first place

A lot of fuss is being made about the Aviate launcher the past couple days, with things hitting a fever pitch today. Besides the endless requests for invite codes on every social media site known to modern man, it's come to light that the launcher is sharing the data it collects on you with the world. Sort of.

Let's back up a tad. Aviate is a launcher that reconfigures itself — the apps it thinks you need to see right this second — depending on where you are. It's been in private beta for a while, and opened up to more users this week.

The to-do is that your location and list of installed apps are available via a publicly accessible API — but only if you know your unique device identifier. That's not good, but it's not necessarily the end of the world, either.

The good news is that Aviate has said this is something they are fixing, and have made it a top priority. (Update: Looks like the web access has been killed, as promised.) In the meantime, here's what you need to know if you're going to use the app.

Source: +Arvid Gerstmann (1), (2)


After what looks like a rocky start, Samsung's Knox enterprise security service is going live in Canada by way of Bell Mobility. Right now Knox is limited to the Galaxy Note 3, but will be coming to the Galaxy S4 after a software update next month.

For those unfamiliar, Knox lets users bring in their own personal device to work, but also gives IT administrators control and security over business data going through the device. Knox includes full support for file sharing, e-mail, contacts, collaboration tools, and other CPN and mobile device management solutions.


Update: Google says the issue has now been resolved.

Original story: Google Talk — the service behind the company's Hangouts messaging platform — appears to be experiencing a fairly major issue this morning, as some users report messages being delivered to unintended recipients. Reports from Twitter suggest that in some cases messages are being routed to users outside the sender's contact list, presenting obvious — and quite serious — privacy and security concerns.

For its part, Google has updated its service status page to indicate it's investigating an issue with Google Talk, so hopefully the issue can be resolved before too long. In the meantime, you might want to avoid typing anything too private or incriminating into a Google Hangout chat window for the next few hours.

via: The Verge; More: Google Service Status


Google makes remotely managing and wiping your device easy and effective

Back at the beginning of August Google unveiled a new service called "Android Device Manager" that let you locate and remotely wipe your phones and tablets, and now the service is getting some much-needed refinement. Today Google updated ADM to include options to apply and change lock screen PINs and passwords, adding to the nuclear option of remote wiping the device completely.

Just as we covered when the service launched, enabling ADM is extremely easy. To get started, go to google.com/android/devicemanager on your computer and go through your list of devices that are connected to your Google account. Once there, you can send a notification to the device you want to enable remote password application and wiping on, and you'll be just a few steps away from a much more secure phone.


Now more difficult to access voicemail from a new number; new 10 digit PIN option

Folks who happen to check their Google Voice inboxes on the web today will be greeted with a handy tip that Google is improving voicemail box security in a couple of weeks. Starting on October 1st, Google Voice users who wish to call their own number to access voicemail messages will have to call from one of their verified forwarding numbers already on record.

If you happen to call from a number that isn't already set up, you will have to verify that you are the account holder by entering a registered forwarding number before also entering your PIN code. Furthering the layers of security, Google is expanding PIN options to let you enter up to 10 digits, up from the previous 4.


If you let Google back up your Wifi passwords, then Google has your Wifi passwords

The Internet has worked itself up into a bit of a tizzy over the weekend about an innocuous system-level feature that’s been around since Android 2.2 Froyo. The “Back up my data” option — found under “Settings > Backup & reset” on most Android phones — allows certain stuff, including Wifi passwords, to be backed up to the cloud. The current setting label reads:

“Back up application data, Wi-Fi passwords and other settings to Google servers.”

And that’s exactly what it does. Uncheck the box and you’re informed that Google’s copy of the data will be purged from its servers, as it should be.

The checkbox is presented to users during the setup process, and the label is very clear about what will happen if you leave it enabled. The reason for the feature’s presence is also plain to see — it’s supposed to make the process of setting up new devices a little quicker by pulling down your personal settings and network details from the cloud. Yes, including your Wifi password.

If you’re not comfortable with Google keeping a copy of your stuff, simply uncheck the box. Same deal if you change your mind after the fact — uncheck the box, and Google’s copy of your Wifi passwords goes up in smoke. It’s been that way since the feature was first introduced some three years ago.

But in light of the recent controversy over government surveillance, the story seems to have taken on a new angle, with articles appearing suggesting Google is creating a vast database of all the world’s Wifi passwords in one convenient, NSA-accessible place.


Securing your phone's lockscreen has never been so painless

Smartphone manufacturers are paying more and more attention to how you unlock your device — and as such, so are we. That brings us to another installment of "What do I miss?" when moving from one smartphone to another. Previously we touched on Motorola's Active Display versus LG's Knock-On. Today, we turn to Bluetooth. And, specifically, trusted Bluetooth devices. 

This is a feature that Motorola's baked into its recent line of phones — Verizon's new Droids as well as the Moto X. And, quite simply, it's a feature that needs to be baked into every smartphone going forward at the operating system level.


Another layer of security aimed at the enterprise could help BYOD efforts

Update: Naturally, as soon as the rumors are swirling, Lookout has just announced on its official blog that it has struck a deal with Samsung to be included in its KNOX security system on future devices. This partnership is part of a bigger move towards the enterprise for Lookout, and the security company clarifies that it will only be bundled on Samsung devices that have KNOX installed.

Original story: The idea of whether or not Android devices would benefit from third-party antivirus and security software is still being debated, but Samsung is potentially thinking it is a necessity. According to a report from The Wall Street Journal, Samsung is expected to announce that it has penned a deal with Lookout to have its antivirus software pre-installed on devices going forward.

Indications are that the partnership with Lookout will span across all of Samsung's future devices, but the aim is to further its enterprise security rather than to protect average consumers. Building on its Samsung KNOX program, which works to silo enterprise data on personal devices, the inclusion of Lookout antivirus will potentially add yet another layer of security.


Google's big tablet gets the same update Nexus 4 and Galaxy Nexus users started receiving yesterday

Not to be left out of the OTA update party, the Nexus 10 is also receiving the small incremental Android 4.3 update that was tipped by T-Mobile for the Nexus 4 and later confirmed for the Galaxy Nexus. Screenshots of the update from folks who have contacted us (found after the break) show the latest build carries the same JWR66Y build number and of course keeps the tablet at Android 4.3.

The update is reported to be a simple set of security fixes, with no user-facing changes that we can tell. It seems a handful of users with Nexus 10s are seeing the update hit their tablet in our forums as well, so be sure to chime in there if you've found the update.

More: Google Nexus 10 Forums

Thanks, Mike!
