Security - Featured Articles

So, you want to adopt BYOD?

What you need to know before integrating employee devices on your network

Bring Your Own Device (BYOD) is the current hot trend. (And has been for a while, really.) There are many perceived advantages for a company that allows employees to bring their own devices to work and have access to your...
How to use Knock Code on the LG G Pro 2

Knock Code will come to other LG phones via software updates this year

Knock On — wherein you tap the display twice to turn on your phone — has been one of our favorite new features of the past few months. LG introduced it with the LG G2 in 2013, and it returned with the LG G Flex toward...
Boeing reveals the Boeing Black — a super-secure smartphone for those with super security needs

This phone will self destruct in ten seconds…

In this day and age of malicious apps and intrusive government surveillance, you might be wondering how to keep your data secure. You could turn to a solution like the up-and-coming Geeksphone Blackphone, with a modified version of Android and sets...

Security - Top Articles

KitKat and SD cards — what's fixed, what's broken and what's misunderstood

Why your SD card doesn't work the same in Android 4.4 KitKat, and the reasons for the change

“Curse you, Google! Your KitKat update broke my SD card!” Poke around the Android section of the Internet and you’ll hear something similar. Users like you and me are in an uproar because they updated...
Google updates back-end in light of Heartbleed vulnerability

If you've been online at some point in the last 36 hours, chances are you've heard of 'Heartbleed', a flaw in OpenSSL that has exposed data to theft on approximately 2/3 of servers in use around the globe over the past two years. It's not known how bad the damage may be, but the revelation of the...
NBC News and the bullshit 'ZOMG Sochi Olympics Android hack' story

Your Android smartphone only installs malware if you're being dumb (or do it on purpose) — not automatically, and not just because you're in Russia.

This is just ridiculous, even for American "news" television. A report from NBC News was exposed — and rightfully so — by Errata Security (via...
All Gmail will now use HTTPS, messages will be encrypted when moving inside Google

Initiatives were 'made a top priority after last summer's revelations'

Google has steadily improved the overall security of several of its apps and services, and the latest step is a move to HTTPS and encryption across all of Gmail. Starting today, every single time you send or check your Gmail...
Unlock With Wifi app retooled and is now SkipLock

Safety meets convenience with a set of great features

You may have heard us talk about an app called Unlock With Wifi a time or two. It's an app that tells your lock screen when to become secured with a password or PIN, based on what Wifi AP you're connected to. It's one of those apps that you...
Cerberus servers have a data leak, users advised to change password

Users of the popular phone security app Cerberus are reporting a slightly disturbing email coming from the developers today. While Cerberus assures that no passwords were compromised — they are encrypted, of course — attackers did gain access to some usernames and passwords. If you're using...
Android Device Manager app launches on Google Play

Like the web interface, the new app lets you remotely track and lock down your other Android devices

Google has launched a new Android app allowing users of the Android Device Manager feature to remotely track, ring, lock down or wipe their other devices. Not to be confused with the Google Play...

Security RSS Feed

A quick way to tell if your Samsung phone is at risk, and what to do if it is 

There's a lot of confusion as to exactly which Samsung phones are affected by today's big scary USSD vulnerability, which could cause some phones to factory reset themselves upon visiting a malicious web page. Some Galaxy S2 and S3-class phones are susceptible, others less so. In some cases it depends if you're running the latest firmware or not. In others, there's no patched firmware available yet.

Samsung will surely be hard at work rolling out fixes for devices that remain susceptible, but in the meantime we've got a quick, easy way to tell if your phone is at risk, without taking the plunge and running the malicious code itself. Find out more after the break.

Read more and comment

 

Update, 09/26: Samsung has told us that the latest Galaxy S3 firmware fixes this exploit. Our own testing has shown other phones, particularly Galaxy S2 models, may still be at risk, however. If you're still concerned, you can check our USSD vulnerability test to see if your phone is vulnerable.

A major security vulnerability has been discovered in some TouchWiz-based Samsung smartphones, including the Galaxy S2 and certain Galaxy S3 models on older firmware. The bug was first demonstrated days ago by security researcher Ravi Borgaonkar at the Ekoparty security conference. It involves the use of a single line of code in a malicious web page to immediately trigger a factory reset without prompting the user, or allowing them to cancel the process. Even more serious is the possibility that this could be paired with a similar glitch to render the user's SIM card inoperable. And as the malicious code is in URI form, it can also be delivered via NFC or QR code.

Our Verizon Galaxy S3 was not reset by the malicious code embedded in a web page, though we were able to trigger a reset using similar code tied to a hyperlink. Mobile dev Justin Case tells us the issue is fixed in the latest AT&T and international Galaxy S3 firmwares, though devices that have not been updated may remain vulnerable. Others have reported that devices like the Galaxy Ace and Galaxy Beam are also affected. As far as we can tell, though, the bug does not affect Samsung phones running stock Android, like the Galaxy Nexus.

The vulnerability is the result of the way the native Samsung dialer app handles USSD codes and telephone links. USSD codes are special combinations of characters that can be entered in the keypad to perform certain functions, like enabling call forwarding, or accessing hidden menus on the device. On Samsung phones, there's also a USSD code for factory resetting the phone (and presumably another for nuking your SIM). This, combined with the fact that the dialer automatically runs telephone links that are passed to it by other apps, results in a particularly nasty issue for anyone unfortunate enough to land on a malicious web page.

There are, of course, other applications of this glitch -- for example, the ability to automatically run numbers through the dialer could be used to call premium-rate phone numbers. But the fact that just visiting a web site could factory reset your phone, wipe your internal storage and nuke your SIM is a very serious issue. So we'd advise you update your software if you're running an S3, and if you're not, we'd recommend using a third-party dialer like Dialer One until all this has blown over.

We've reached out to Samsung for comment on this issue, and we'll keep you updated with any information they provide.

Source: @Paul Olvia; via SlashGear, @backlon, @teamandirc

Read more and comment

 

OMG! Have you heard? Half of all Android devices have unpatched vulnerabilities, and are out there, sharing the same air as we are! The horror!

That's the feeling you'll get if you poke around the Internet today and read a blog or two, where folks are talking about a study from Duo Security, a company that sells authentication software to be used on smartphones. They even have a nifty little app you can install to check your Android device to see if it's vulnerable. The app isn't in Google Play, but it's linked at the bottom of the post if you want to check it out yourself.

Sounds scary, right? Fifty percent of Android phones, all over the world, all unpatched and ripe for some sort of online hacking? That has got to be bad. It's the end for Google and Android, and we're all screwed.

Just. Stop.

Here's what's going on. The app you can download runs and scans your device to see if any of eight popular root exploit holes are still open. These are things that were patched in more recent versions of Android or newer versions of the Linux kernel. If your phone or tablet is unpatched, you'll get a warning about it. It's all above-the-board, and these exploits probably are unpatched in 50 percent of Android phones.

But what about the other thousands of exploits, or the ones that haven't been made public yet? You can't just use the eight easy ones and call it a day. My Galaxy Nexus is safe, according to this app, but it's sitting there with an unlocked bootloader, rooted, and ready for bad things to happen. You're not getting the full story from this app -- or from the blogs out there talking about it.

But we can help.

Read more and comment

 

Verizon has just launched a mobile security service powered by McAfee with a whole bunch of useful security tools. The free version provides protection against spyware, keyloggers, and potentially harmful sites that are visited in the native Android browser. For $1.99/month (or $1/month if you have Total Equipment Coverage already) you get remote tracking, audible alarm sounding, locking, and wiping, along with App Alert, which flags apps that are accessing personal data.

While I'm not personally concerned about viruses in the traditional PC sense, there's plenty of malware out there that's worth protecting against in some form or another. How do you guys make sure your personal data is safe from malicious apps? Is it worth paying a monthly fee for protection?

Head on over to Verizon for more information or to sign up for Verizon Mobile Security.

Read more and comment

 

Many of us use Dropbox in varying capacities (see what I did there?), and when we do, we often use it as crucial backup storage for data that's important to us. If it wasn't important, we probably wouldn't bother backing it up now would we? If you take your security seriously, and by now we hope you all do, you should be jumping for joy that Dropbox has added 2-step verification sign in to its latest betas.

The latest Dropbox beta follows the same principle that Google's 2-step verification does. In order to access your account you need two things: 1) something you know -- your password, and 2) something you have -- your phone. And there's really no reason not to take security into your own hands and add that second level in order to help prevent the worst from happening. If you haven't already, go pick up the Dropbox app from the Google Play Store at the link above, and if you're interested in setting up 2-step verification for your account, see us after the break for a more in-depth explanation.

Source: Dropbox forums; via The Verge

Read more and comment

 

For many, the Nexus 7 will be their first experience with one of Google's own branded Android devices. If you're interested in hacks of any sort on your phone or tablet, there really is no other option than to go Nexus. As we like to point out, we're constantly amazed by the posts our forum members put up when it comes to hacks, rooting and loading custom ROMs. This one is no exception.

Forum moderator dmmarck has put together a fantastic guide to help you along the path of all things Nexus 7, with step-by-step tutorials for all of your hacking needs. From the basic bootloader unlock and root, to more advanced flashing of custom ROMs and mods, it's all covered here. The best part about having a guide like this is the continued discussion and support after the first post. Any questions or comments you have can go right there to be answered. The sky is the limit when it comes to hacking a Nexus device, but remember it's always nice to have a way to get back to stock when things get a little out of hand. Thankfully, there's another fantastic post in the forums to help you do just that.

So let's go hit the forums and hack the Nexus 7 -- and even learn a thing or two along the way.

[GUIDE] Release the Kraken! Rooting & Hacking Your Nexus 7

Read more and comment

 

Your Google account holds your e-mail, apps, music, books, documents, cloud storage, credit cards and more. It’s time to protect that stuff with more than a simple password.

If you’ve been watching the wider tech world over the past couple of days, you’ll be familiar with the recent misfortune of Wired writer Mat Honan, who succumbed to a devastating hacking attack that annihilated his iCloud, Twitter and Google accounts and locked down several devices in the process.

In Honan’s case, the attack was enabled by compromised (yet publicly available) personal info, as well as failures by Amazon and Apple customer support, rather than a traditional brute-force attack or contact with malware. But a crucial part of what allowed the attackers to take down not only his Apple accounts and devices, but also his Gmail and Google stuff, was the fact that he wasn’t using Google’s two-step authentication to protect his account.

Stories like these always bring home the importance of basic digital security precautions. And one of the most basic, yet most effective steps you can take to protect your account is turning on two-step.

Read on to find out how and why you should do it.

Read more and comment

 

What does your mobile carrier know about you? Just how much information do they collect? And what the hell does it look like? German Green politician Malte Spitz has a brilliant TED talk showing what happened when he fought Deutsche Telekom to see just what was being collected under a European law -- and won. His prize? Six months of his mobile life. Some 35,830 lines of code. And an eye-opening look at what carriers, governments and, yes, private companies could learn about you.

It's far too easy to cry that the sky is falling when it comes to online privacy. (See Exhibits A, B, C and D, to note but a few.) But that doesn't mean there's not cause for concern, or that developers don't take it seriously. (They most certainly do.) Spitz, along with ZEIT ONLINE, has given us an incredible granular look at some of that data, but we each still need to be vigilant with our online lives. Be sure to hit the link below for the full infographic.

Source: TED; Infographic: ZEIT ONLINE

Read more and comment

 

The Black Hat conference takes place in Las Vegas this week, where hackers, security experts and representatives from major companies meet to discuss all things relating to information security. If you're following the news out of the conference today, you may have come across reports of a new security vulnerability in Android (and NFC-enabled Meego phones) that could allow a malicious NFC (near-field communication) tag to beam malware directly onto your phone. Sounds terrifying, right? Now hackers can take over your smartphone without you even doing anything. But as is always the case with these kinds of security issues, it's not as simple as it seems. And this NFC 'hack,' sexy and technically impressive as it is, isn't really anything particularly scary to regular smartphone users.

Read on to find out why.

Read more and comment

 

With NFC and all your personal information, it's time to keep your Galaxy S3 safe from potential thieves and peeping neighbors.

It is much more convenient not to use security options on your Samsung Galaxy S III (S3) or other Android phone. However, this is sort of like playing Russian roulette with your data and personal information.

Imagine if you lost your phone and someone was able to access everything inside. What would you lose? What would the “ripple effects” be? Could your bank information be compromised? Your credit? In today’s day and age we just can’t take a chance of our sensitive information falling into the wrong hands.

Fortunately, the Galaxy S3 offers some easy and powerful built-in tools to help keep your phone, your information and your peace of mind safe and secure.

Read more and comment

 

Is your Android phone's bootloader unlocked? Is it SIM unlocked? What's the difference?

There's been a bit of confusion in the blogs the past few days over unlocking phones. Maybe you're wondering about an unlocked bootloader. Or maybe you need something that's SIM unlocked. Or maybe you want to unlock your phone's bootloader, but you can't, because it's encrypted.

It's confusing, we know. Even bloggers have a hard time keeping it all straight. But you've come to the right place. We don't have that problem here. 

So let's have a little refresher course on what we mean when we talk about unlocking things, shall we?

Read more and comment

 

The Internet is hard at work debating the merits of the Nexus 7 tablet, and the biggest arguments are about the lack of expandable storage, or an SD card, as you likely know it. It seems like everyone and their brother has a theory about why the hottest tablet to hit Android so far will be shipping without one. The most popular reason revolves around some conspiracy that Google is forcing you to use its cloud services. While I'm sure Google would love nothing more than users depending on Google Drive or Google Music -- and there's certainly a big push for it -- that's not the reason devices have been trending away from expandable storage.

Wanna know what it really is? Sure you do.

Read more and comment

 

That was quick! Security researchers at Microsoft and Sophos say they may have spoken a bit too soon about Android phones hosting a BotNet and spamming through Yahoo mail servers. Terry Zink, one of the discoverers of the issue, said the following on his MSDN security blog:

Yes, it’s entirely possible that bot on a compromised PC connected to Yahoo Mail, inserted the message-ID thus overriding Yahoo’s own Message-IDs and added the “Yahoo Mail for Android” tagline at the bottom of the message all in an elaborate deception to make it look like the spam was coming from Android devices.

In addition, researchers at Google and Alex Stamos, CTO of Web-security firm Artemis Internet, say it's far more likely that the people behind the attacks were spoofing the mail headers and adding the tagline, simply because it's difficult to spoof the IP on a mobile device. 

In any case, the rest of the warnings still stand. If you're not going to pay for apps, whether because you're cheap or because you're unable to, use some common sense and be careful. Malware certainly does exist, even if it's not at the proportions some members of the media try to make it out to be.

Source: WSJ

Read more and comment

 

It's been a while since we saw an Android security scare, but the word "BotNet" attached to this one makes up for it. It appears that users in Chile, Indonesia, Lebanon, Oman, the Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela have compromised Android phones that have been sending out Viagra spam through Yahoo mail servers.

Microsoft security researcher Terry Zink discovered the whole mess, and he speculates that users are getting infected by pirating apps from unsavory websites that specialize in such. He fails to mention the millions of Microsoft Windows computers that are infected, doing the same thing, but this shows that Android phones are as powerful as yesterday's laptops. Use some common sense and this won't happen to your computer or your Android phone.

In cases like this it's easy to point the finger at folks too cheap to spend a buck or two and buy an app, but the problem goes deeper. Android is insanely popular across the globe. Some folks in some places just can't get paid apps from Google Play, and have to resort to other means to get them. It's a problem that needs a real solution, and we're sure Google is working on one, but I really can't blame anyone for not wanting to wait. If you're somewhere you can't download paid apps from Google Play, please be careful lest you get more than you bargained for.

Source: Terry Zink's Cyber Security Blog

Read more and comment

 

As soon as the schedule for Google I/O 2012's developer sessions was announced, I knew the Security and Privacy in Android Apps session was going to be a must-attend session. The Internet and its FUD machine gives Android security a lot of bad press, and while some of it is warranted, some of it is just sensationalism. Android is a big name and big names in big headlines sell papers. 

I'm so glad I felt forced to attend this one. The presenters (Android security engineer Jon Larimer, and Android framework and security engineer Kenny Root) did a wonderful job. It was developer-oriented for sure, but laid out in a way that even novice coders (or rusty old ones) would understand. The gist of it all was typically Google, and typically open -- the tools and methods to build a very secure Android application are there; developers just have to use them correctly. Android's open-market model means there is no one to review every app before it goes in Google Play, and with easy sideloading just about any code can find its way onto your device. (Hopefully with your knowledge.) It's up to developers to use the tools to make a safe, secure, and useful application. It might sound like Google is passing the buck on security here, but we have to remember that the alternative is a locked-down garden-of-corporate-evil model like Apple's, where they control everything that goes in or out of a phone you paid for. I prefer the open model, and I imagine that most of you reading will agree.

The basics, like Android's sandbox, were covered, as well as some outside-the-box thinking, like the risk of Web containers and home-made encryption. We saw examples of how to use the correct app permissions (and only use the correct permissions), developer account security to keep your good name safe and untarnished in Google Play, and even the insecure nature of being online was covered. Larimer and Root did a great job telling the attendees (the room was so crowded they had to turn folks away to meet fire-safety code) about the hazards that exist and the tools to combat them. It was the perfect example of why Google I/O is important to all of us -- developers need to hear this stuff. The short of it:

  • Our mobile devices are full of very important (to us) and private data.
  • Applications must be designed to protect data.
  • Any and all data exposed to your application must be kept secure.
  • Android uses application sandboxing and the Linux security and permissions model, so you have to be wary of what other apps are going to ask your app to do for them.
  • Permissions are of the utmost importance. Learn what each one does, and only use the ones you must.
  • Intents and APIs should be used instead of global permissions.
  • Your (the developer's) name is on the tin. Spend the time to make sure your product is secure and user info is kept private.

It's a relatively simple set of guidelines, with about a million ways to go wrong. Luckily Google is ready and willing to help with sessions like this as well as various code-jams and developer hangouts across the globe. 

What was initially something I thought I had to attend, like it or not, turned out to be the highlight of the entire event for me. Google is serious about application security and your privacy, and they want to help every developer write great apps that keep users' data safe and sound. If you're not an Android dev, you can feel good that Google knows what the issues are, and is doing everything they can to keep you safe. If you are a developer, you need to watch this session. We've got the video (about an hour) and a gallery of some highlights after the break.

Read more and comment

 

As concerns rise surrounding mobile security, Sprint has now taken some steps to offer their customers some of the best preventative solutions available on the market. Announced today during CTIA in New Orleans, Sprint has teamed up with Safely and Lookout to provide a suite of mobile security applications called Sprint Guardian.

  • Sprint Mobile Controls – Clearly understand your child’s talk, text and app use habits. Lock your child’s phone on demand or schedule locks – during dinner, school or late at night. Browse your child’s contacts and apps downloaded to the phone.
  • Sprint Drive First – Automatically locks your teenagers’ mobile phones when they’re traveling more than 10 mph and unlocks when they stop driving. Direct incoming calls to voicemail and silence distracting alerts while driving.
  • Sprint Family Locator – Quickly and easily locate your family members on an interactive map. Set up automatic location checks to get notified that your kids made it to school safely and on time.

The Family Safety bundle will be available for $9.99 per month for up to five lines on the same account, while Lookout Family will be available for $4.99 per month, or up to $49.99 per year, for up to five lines on the same account. The full press release can be found below for your reading pleasure.

Source: Sprint

Read more and comment

 

Thermalx, in our T-Mobile HTC One S Q&A, writes,

I thought carriers had about stopped with the whole Carrier IQ thing. But according to this T-Mo doc, the One S has Carrier IQ, any thoughts on that? Personally I'm not swayed much by it as I'll get CM9 as soon as it's available.

Ah ha! A good question, and one I'd meant to cover sooner. As part of our Ultimate Sense 4 Guide, we'd done a separate post on Privacy and the Tell HTC Experience Log. That covers analytics and other data that Sense itself can collect. But it's not necessarily on your phone, and it's not necessarily the only analytics tool a carrier is using.

When you first go through setup on the T-Mobile (US) HTC One S, you'll be asked whether you want T-Mobile to be able to collect diagnostics information. The section reads as follows:

Read more and comment

 

There's been a new twist uncovered by the folks at The Verge about apps with no permissions accessing the SD card, and to keep the sky from falling we're going to break down what is going on. 

If you haven't read it yet, the stock Android gallery (in versions prior to Android 3.0) decodes Geotags automatically when you sync with your online Picasa gallery, and it stores the information in a cache file on the SD card. This is done so the gallery can be sorted by location. What wasn't mentioned is that this data is already present if you Geotag your images, it's just in a different form. Take this lovely photo:

Open it on any computer and look at the EXIF data (and yes, an app could be written to easily do this on your Android device itself):

Those are pretty exact latitude and longitude coordinates. Plug them into the Google Maps website and you'll get this in seconds:

That's within feet of where Alex was standing when he took this picture. All without this security "hole" being involved, and it took less than 60 seconds to do.

Is this a good thing? Why, hell, no it's not, at least from a security/privacy standpoint. If you're taking pictures at home and geotagging is turned on, anyone who finds your phone (or a malicious app) would be able to find out exactly where you live. Or work. Or sleep. Or pick up your kids. Or cheat on your spouse.

But -- and this is important -- it is something you said was OK to do when you decided to mark your pictures with a location. And geotagging is hardly a new phenomenon. That's why we mentioned that you may want to turn Geotagging off in your camera.

And before anyone starts saying Google should encrypt or force permissions on the pictures folder, understand that means you'll need a bloated, OEM-approved program for your computer that can decrypt and have permission to access the pictures you take. Nobody wants to have to use aTunes to see their photos. Nobody.

Removable storage was designed to be read from any other device. That means the data on it is wide open for the world to see. This isn't going to magically change as long as removable storage is included on devices. We have to take responsibility for our actions, and if we said it was OK to share location data for the pictures we take, that means it's OK to share location data for the pictures we take. It's a side-effect of having removable storage that other devices can read, and the only way to keep things in check is to understand the implications of what you're doing. You may not like it, but unless you design a better method, this is the way it's going to be.

Never store any data you feel is sensitive on removable storage, no matter what mobile device you're using. If an app is storing data on your removable storage you feel is too sensitive, then stop using that app. 

Hopefully, this helps you understand what's happening a bit better. Now go shut off the location in your camera app if you need to. 

Read more and comment

 

The latest in the never-ending story of Android security is out, and this time it's talking about what an app can access if it declares no permissions. (To put it another way, what all an application can see if it doesn't request any of the normal functionality apps request.) Some folks make it out to be nothing to worry about, others use it in their quest to damnify the world's most popular mobile phone OS, but we figure the best thing to do with it is explain what's happening. 

A group of security researchers set out to create an app that declares no permissions to find out exactly what sort of information they could get out of the Android system it was running on. This sort of thing is done every day, and the more popular the target is, the more people are looking at it. We actually want them to do this sort of thing, and from time to time folks find things that are critical and need fixing. Everybody benefits.

This time around, they found that an app with no (as in none, nada, zilch) permissions could do three very interesting things. None are serious, but all are worth looking at a bit. We'll start with the SD card.

Any app can read data on your SD card. It's always been this way, and it will always be this way. (Writing to the SD card is what needs a permission.) Utilities are available to create secure, hidden folders and protect them from other apps, but by default any data written to the SD card is there for any app to see. This is by design, as we want to allow our computer to access all the data on shareable partitions (like SD cards) when we plug them in. Newer versions of Android use a different partitioning method and a different way to share data that moves away from this, but then we all get to bitch about using MTP. (Unless you're Phil, but he's a little nuts and likes MTP.) This is an easy fix -- don't put sensitive data on your SD card. Don't use apps that put sensitive data on your SD card. Then quit worrying about programs being able to see data they are supposed to be able to see.

The next thing they found is really interesting if you're a geek -- any app can read the /data/system/packages.list file with no explicit permission. This poses no threat on its own, but knowing what applications a user has installed is a great way to know what exploits may be useful to compromise their phone or tablet. Think of vulnerabilities in other apps -- the example the researchers used was Skype. Knowing that a vulnerable app is installed means an attacker could try to target it. It's worth mentioning that targeting a known insecure app would probably require some permissions to do so, though. (And it's also worth reminding folks that Skype quickly acknowledged and fixed its permissions issue.)

Finally, they discovered that the /proc directory gives a bit of data when queried. Their example shows that they can read things like the Android ID, kernel version, and ROM version. There's a lot more that can be found in the /proc directory, but we need to remember that /proc isn't a real file system. Look at yours with root explorer -- it's full of 0-byte files that are created at runtime, and is designed for apps and software to communicate with the running kernel. There is no real sensitive data stored there, and it's all erased and rewritten when the phone is power cycled. If you are worried that someone might be able to find your kernel version or 16 digit Android ID, you still have the hurdle of getting that information sent anywhere without explicit Internet permissions. 

We're glad that people are digging in deep to find these sorts of issues, and while these aren't critical by any serious definition, it's good to make Google aware of them. Researchers doing this sort of work can only make things safer and better for all of us. And we need to stress the point that the fellows at Leviathan aren't talking doom and gloom, they are just presenting facts in a useful way -- the doom and gloom is coming from outside sources.

Source: Leviathan Security Group

Read more and comment

 

Research In Motion has had a rough go the past little while but they're looking to get things moving in the right direction once again and one of the tools they're deploying to help get them there is something called BlackBerry Mobile Fusion.

With BlackBerry Mobile Fusion being a mobile device management suite, those making use of BlackBerry Enterprise Servers will be able to control all devices connected to their network including those running Android and iOS with some of the following features available:

  • Support for multiple devices per user
  • Application and software management
  • Connectivity management (Wi-Fi®, VPN, certificates)
  • Centralized, easy to use, unified web-based console
  • Security and policy definition and management
  • Asset management
  • Configuration management
  • Security and protection for lost or stolen devices (remote lock, wipe)
  • User- and group-based administration
  • High scalability

In order to make use of the services, IT Admins will need to deploy the Android client that is currently available in the Google Play Store for download. If you're interested in learning more about RIM's offering for Android, you can jump past the break for the full press release as well as a link to the mobile client needed.

Source: CrackBerry

Read more and comment

 
